This blog was written by an independent guest blogger.
“Ransomware has become the enemy of the day; the threat that was first feared on Pennsylvania Avenue and subsequently detested on Wall Street is now the topic of conversation on Main Street.”
Frank Dickson, Program Vice President, Cybersecurity Products at IDC
In the first installment of this blog series (Endpoint Security and Remote Work), we highlighted the need to provide comprehensive data protections to both traditional and mobile endpoints as an enabler of remote work. In this second chapter, we’ll expand on the importance of endpoint security as one of many key elements for defining an organization’s security posture as it relates to arguably the most relevant cybersecurity issue of the day.
Cue the ominous music and shadowy lighting, as that is likely the mood for most cybersecurity professionals when the topic of ransomware comes up. To the dismay of corporate executives, government and education leaders, and small business owners, ransomware is pervasive and evolving quickly. As evidence, a recent report indicated that roughly half of all state and local governments worldwide were victims of a ransomware attack in 2021.
However, there are important steps that can be taken along the path to digital transformation to minimize the risk associated with these attacks. As companies consider the evolution of their strategy for combating ransomware, there are five key strategies that help reduce the risks inherent in an attack:
1. Prevent phishing attacks and access to malicious websites
Companies must be able to inspect all Internet-bound traffic from every endpoint, especially mobile, and block malicious connections. This challenge is significantly more complex than simply inspecting corporate email. In fact, because bad actors are highly tuned to user behavior, most threat campaigns include both a traditional and a mobile phishing component.
Bad actors follow user behavior as they look to perpetuate their attacks, and SMS/messaging apps provide considerably higher response rates. To quantify, SMS has a 98% open rate and an average response time of just 90 seconds. The same stats for email equate to a 20% open rate and a 1.5-hour response time, which helps explain why hackers have pivoted to mobile to initiate ransomware attacks.
As a result, Secure Web Gateway (SWG) and Mobile Endpoint Security (MES) solutions need to work in concert to secure every connection to the Internet from any device. Both SWG and MES perform similar functions for inspecting web traffic, but they do so on different form factors and operating systems. The data protections of SWG are primarily available on traditional endpoints (Windows, macOS, etc.), whereas MES (often called Mobile Threat Defense, or MTD) addresses the mobile ecosystem with protections for iOS and Android. Because ransomware can be initiated in many ways, including but not limited to email, SMS, QR codes, and social media, every organization must employ tools to detect and mitigate threats that target all endpoints.
2. Prevent privilege escalation and application misconfigurations
Another tell-tale sign of a possible ransomware attack is the escalation of privileges by a user within the organization. Hackers will use the compromised credentials of a user to access systems and disable the security functions that would otherwise hinder their attack. The ability of the IT organization to recognize when a user’s privileges have been altered is made possible through UEBA (User and Entity Behavior Analytics). Many times, hackers will modify or disable security functions to gain easier access and more dwell time within an organization, so they can identify more critical systems and data to include in their attack. Abnormal behaviors such as privilege escalation or “impossible travel” are early indicators of ransomware attacks, and identifying them is a key aspect of any UEBA solution. For example, if a user logs into their SaaS app in Dallas and an hour later in Moscow, your security staff need to be aware, and you must have tools to automate the necessary response, which starts with blocking access for the user.
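The Dallas-to-Moscow check described above, as an added example that is not part of the original post or any vendor's product: a minimal impossible-travel detector that compares each login with the same user's previous login and flags implied speeds no airliner could reach. The login events, coordinates and the 900 km/h threshold are constructed for illustration.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, NamedTuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; anything faster is "impossible travel"
MIN_DISTANCE_KM = 50.0     # ignore geo-IP jitter inside a single metro area

class Login(NamedTuple):
    user: str
    when: datetime
    lat: float
    lon: float

class Alert(NamedTuple):
    user: str
    distance_km: float
    hours: float
    speed_kmh: float

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(logins: List[Login], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Alert]:
    """Flag every login whose implied speed from the user's previous login exceeds max_kmh."""
    alerts: List[Alert] = []
    last_seen: Dict[str, Login] = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.when)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")  # same-second logins far apart
            if km >= MIN_DISTANCE_KM and speed > max_kmh:
                alerts.append(Alert(ev.user, km, hours, speed))
        last_seen[ev.user] = ev
    return alerts

# Constructed sample: alice "travels" Dallas -> Moscow in one hour; bob drives Dallas -> Austin in three.
T0 = datetime(2021, 11, 3, 14, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("alice", T0, 32.7767, -96.7970),                  # Dallas
    Login("alice", T0.replace(hour=15), 55.7558, 37.6173),  # Moscow, one hour later
    Login("bob", T0, 32.7767, -96.7970),                    # Dallas
    Login("bob", T0.replace(hour=17), 30.2672, -97.7431),   # Austin, three hours later
]
```

In a UEBA pipeline each Alert would feed the automated response (session revocation, access block) rather than just a list; the threshold and jitter guard are the knobs that tune false positives.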
3. Prevent lateral movement across applications
After a ransomware attack has been initiated, the next key aspect of the attack is to obtain access to other systems and tools holding high-value data that can be leveraged to increase the ransom. Therefore, businesses should enable segmentation at the application level to prevent lateral movement. Unfortunately, with traditional VPNs, access management can be very challenging. If a hacker were to compromise a credential and access company resources via the VPN, every system reachable through the VPN could become available to expand the scope of the attack.
Current security tools such as Zero Trust Network Access (ZTNA) prevent that lateral movement by authenticating the user and his/her privileges on an app-by-app basis. That functionality can be extended by using context to manage the permissions of that user based on many factors, such as which device is being used for the request (managed vs. unmanaged), the health status of the device, time of day/location, file type, data classification such as confidential/classified, user activity such as upload/download, and many more. A real-world example would allow a user view-only access to non-sensitive corporate content via their personal tablet to perform their job, but would require the data to be accessed via a managed device if they were to take any action such as sharing or downloading that content.
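The personal-tablet example above expressed as an ordered, first-match access policy, added here as illustration and not code from any ZTNA product: an unmanaged device may view non-sensitive content, while download or share requires a managed, healthy device, and anything unmatched is denied. The field names, classifications and request values are assumptions constructed for the example.

```python
from typing import Callable, List, NamedTuple, Tuple

class Context(NamedTuple):
    user: str
    app: str
    device_managed: bool
    device_healthy: bool
    classification: str  # "public", "internal" or "confidential"
    action: str          # "view", "download", "share" or "upload"

class Rule(NamedTuple):
    name: str
    matches: Callable[[Context], bool]
    decision: str        # "allow" or "deny"

# Ordered policy for one private app: the first matching rule wins, so the deny
# rules for unhealthy devices and confidential data come before any allow rule.
RULES: List[Rule] = [
    Rule("unhealthy device", lambda c: not c.device_healthy, "deny"),
    Rule("confidential data needs a managed device",
         lambda c: c.classification == "confidential" and not c.device_managed, "deny"),
    Rule("unmanaged device may only view non-sensitive data",
         lambda c: not c.device_managed and c.action == "view", "allow"),
    Rule("managed device may act on data", lambda c: c.device_managed, "allow"),
]

def decide(ctx: Context, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (decision, rule name) from the first matching rule; default is deny."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.decision, rule.name
    return "deny", "default deny"

# Constructed requests: the same user reaching the same app from a personal tablet and a managed laptop.
PERSONAL_VIEW = Context("dana", "intranet-wiki", False, True, "internal", "view")
PERSONAL_DOWNLOAD = PERSONAL_VIEW._replace(action="download")
MANAGED_DOWNLOAD = PERSONAL_DOWNLOAD._replace(device_managed=True)
```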
4. Minimize the risk of unauthorized access to private applications
It is essential for companies to ensure that corporate/proprietary apps and servers aren’t discoverable on the Internet. Authorized users should get access to corporate information only through adaptive access policies based on user and device context. Whether these applications reside in private data centers or IaaS environments (AWS, Azure, GCP, etc.), the policies for accessing data should be consistent. Ideally, they are managed by the same policy engine to simplify administration of an organization’s data protections. One of the most difficult challenges for security teams in deploying Zero Trust is the process of creating policy. It can take months or even years to tune false positives and negatives out of a DLP policy, so a unified platform that simplifies the management of those policies across private apps, SaaS, and the Internet is absolutely critical.
5. Detect data exfiltration and alterations
A recent trend among ransomware attacks has been the exfiltration of data in addition to the encryption of critical data. In these cases, the stolen data is then used as leverage against the victim to encourage payment of the ransom. LockBit 2.0 and Conti are two separate ransomware gangs notorious for stealing data in order to monetize it and, at the same time, to damage the reputation of their targets.
Hence, companies must be able to leverage the context- and content-aware signals of their data to help mitigate malicious downloads or modifications of that data. At the same time, it is just as important that these signals travel with the files throughout their lifecycle, so that the data can be encrypted when accessed by an unauthorized user, preventing them from viewing the content. Enterprise Data Rights Management (EDRM) and DLP together provide this functionality, an important toolset for combating ransomware attacks by minimizing the value of the data that is exfiltrated.
It should also be noted that this functionality is just as important when considering the impact to compliance and collaboration. Historically, collaboration has been thought to increase security risk, but the ability to provide data protections based on data classification can dramatically improve a company’s ability to collaborate securely while maximizing productivity.
As stated above, there is considerably more to preventing ransomware attacks than good endpoint security hygiene. With the reality of remote work and the adoption of cloud, the task is significantly more challenging but not impossible. The adoption of Zero Trust and a data protection platform that includes critical capabilities (UEBA, EDRM, DLP, etc.) enables companies to provide contextually aware protections and to understand who is accessing data and what actions are being taken, key indicators that can be used to identify and stop ransomware attacks before they occur.
For more information regarding how to protect your business from the perils of ransomware, please reach out to your assigned AT&T account manager or click here to learn more about how Lookout’s platform helps safeguard your data.
This is part two of a three-part series, written by an independent guest blogger. Please keep an eye out for the last blog in this series which will focus on the need to extend Endpoint Detection and Response capabilities to mobile.