Adopting zero trust architecture can limit ransomware’s damage

The fact that a pipeline operator had to proactively shut down operations to deal with a ransomware attack highlights organizations’ lack of resiliency. But from a security perspective, technologies such as zero trust and microsegmentation could have limited the amount of damage ransomware was able to inflict.

There are many ways for ransomware to enter a network, such as exploiting a known vulnerability, launching phishing and other social engineering attacks, and trying to steal user credentials for network tools (for example, Remote Desktop Protocol, or RDP), Trend Micro Research wrote in a company blog. Once in, attackers move laterally through the networks to find valuable data and establish persistence to stay in the network.

Enterprises should move ahead with implementing zero trust architecture within their environment to mitigate the effects of this kind of malware, wrote Brian Kime, a senior analyst at research firm Forrester. Zero trust architecture limits lateral movement and contains the blast radius, Kime said.

Many networks rely on perimeter defenses to keep attackers out. Once an intruder is in, however, there is nothing to prevent them from moving anywhere within the network. Limiting lateral movement reduces potential damage since the attacker is not able to access the most sensitive parts of the network. In the case of ransomware, attackers can cause a lot of damage by locking up systems, disrupting business operations, and threatening to expose corporate data.

Ransomware attack locks up network

Colonial Pipeline, a pipeline operator responsible for transporting 45% of the fuel along the East Coast of the United States, proactively shut down operations on May 7 after a ransomware incident in its corporate network. In case of an attack, ransomware encrypts data so it can’t be accessed without purchasing a decoding tool. Colonial Pipeline shut down operations because the attack affected its billing system and there were concerns the company wouldn’t be able to properly monitor fuel flowing through the pipeline and send out invoices, sources told information security journalist Kim Zetter.

Ransomware group DarkSide was behind the attack against Colonial Pipeline. The group stole over 100GB of data and then encrypted the files. Victims like Colonial Pipeline tend to pay the ransom — news reports suggest the company paid the attack group $5 million — to speed up data recovery and in hopes that the attackers won’t leak the data or sell it.

The attack group claimed to be sitting on top of 1.9TB of data stolen from multiple victims. Trend Micro Research has identified at least 40 victims affected by DarkSide.

“We have collectively failed to appreciate how fragile these systems are and how easy it is for cybercriminals to affect business operations and potentially create unsafe conditions in industrial environments,” Trend Micro Research wrote. “Colonial Pipeline isn’t the first time ransomware or destructive malware in a corporate network has disrupted or degraded industrial operations, and sadly it will not be the last.”

Shifting to zero trust

Zero trust is relatively straightforward: Organizations shouldn’t automatically trust anything trying to connect to their network or access their data. Instead, they should verify everything before granting access. Zero trust architecture does not need to be costly or complex, as enterprises can implement it with current technology and updated policies and standards. One way is to identify automated systems in the environment and allow lists to restrict access to those systems.

“Zero Trust is not one product or platform; it’s a security framework built around the concept of ‘never trust, always verify’ and ‘assuming breach,'” Forrester analyst Steve Turner wrote earlier this year.

Chris Krebs, former head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said security professionals at every organization should be working to limit ransomware’s impact. Examples include running and testing backups, implementing multifactor authentication (to prevent remote attempts to access user accounts), securing privileged accounts, and giving employees privileged accounts only when requested.

“Your response plan needs to include what happens when you inevitably get infected with ransomware and what that subsequent planning is — that should include both your technology and business departments. It also needs to include who you will contact for help when you’re inevitably hit, which could be your MSSP or another incident response organization that you have on retainer,” wrote Forrester analysts Allie Mellen and Turner, echoing Krebs’ advice.

The cybersecurity executive order from U.S. President Biden and his administration states that federal agencies and private-sector partners have to implement a zero trust framework throughout the federal government. The order calls for multifactor authentication, data encryption both at rest and in transit, a zero trust security model, and improvements in endpoint protection and incident response.

“Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” the order said.