Ransomware is one of the most prevalent threats facing organizations today; its volume, effectiveness, and potential for monetary loss are constantly increasing the pressure on IT professionals. Unfortunately, ransomware is not going away, and as organizations design their IT infrastructure to thwart attackers, adversaries are increasing the sophistication of their attacks.
This makes it a challenge for IT departments to stay ahead of threats despite an increased value placed on security overall. The 2022 Verizon Data Breach Investigations Report found ransomware attacks continued on an upward trend with an almost 13% increase in the past year — a rise as big as the last five years combined (for a total of 25% of all breaches this year).
Why is ransomware still so prominent? For starters, we have seen cybercriminals target processes that live outside of the typical IT purview, such as oil processing and food production. The goal of these campaigns is disruption rather than financial enrichment. The attackers understand that if they go after a business’s ability to make money and support their customers, that business will be more willing to pay a higher ransom.
This tactical evolution makes ransomware attacks potentially lethal for businesses, and it must be addressed by security and tech leaders.
Effective protection from ransomware attacks
In my experience, security experts tend to disagree on how to protect organizations from ransomware attacks. Should businesses roll out in-depth security awareness training courses? Implement new email and endpoint protection solutions? How about file backups? Maybe better password security?
The short answer to all these questions is, “Yes,” but those solutions only address the surface of the problem. To be effective against ransomware, and most malware in general, businesses must prioritize limiting lateral movement, a nonnegotiable step in any attack chain.
Lateral movement is critical to successful ransomware campaigns
Traditional cybersecurity methods often focus on the perimeter to keep ransomware and other attacks out of the corporate IT environment. Perimeter-based strategies are less effective against modern attacks due to infrastructure changes such as the migration to the cloud and a distributed workforce.
Many security leaders have adapted by working under the assumption that cybercriminals will find their way into their infrastructure and are taking steps to limit attackers’ ability to move around once they are inside. Acting on this assumption means preventing adversaries from being able to move laterally and cause widespread damage if initial infection occurs.
For cybercriminals to exfiltrate or encrypt data, they must move past the initial infection vector, which is often a single end-user device that is not critical enough to demand a large ransom. This requires the attackers to “move laterally” from one machine/server to another and often make parallel efforts to steal credentials, identify software vulnerabilities, or exploit misconfigurations that allow them to move successfully to their next target node.
Lateral movement techniques are difficult to detect
It can be extremely difficult for IT teams to detect when an attacker executes an effective combination of lateral movement techniques, as these movements often blend in with the growing volume of legitimate traffic traveling through the network. The more cybercriminals learn about how legitimate traffic flows work, the easier it is for them to camouflage their attacks as sanctioned activity.
This camouflage, combined with many organizations’ insufficient investment in lateral movement security, can cause security breaches to escalate quickly, as the adversary will achieve network dominance before they begin to encrypt and exfiltrate data.
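One practical way to surface lateral movement that hides inside normal traffic is to compare each host's remote-admin "fan-out" (distinct peers reached over SMB, RDP or WinRM in a short window) against what that host usually does, rather than inspecting individual connections. The following is an added illustration, not code from the original article: the log format, hosts, ports and baselines are all constructed for the example.

```python
"""Fan-out detector for lateral-movement-style remote-admin traffic.

Added example (not from the article). A host that suddenly opens admin
sessions (SMB 445, RDP 3389, WinRM 5985) to far more distinct peers than
its learned baseline is flagged. Log lines, hosts and baselines below are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PORTS = {445, 3389, 5985}

# Constructed log format: "<iso timestamp> src=<ip> dst=<ip> port=<n> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) user=(?P<user>\S+)$"
)


def parse(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "user": m["user"],
    }


def fan_out(events, window=timedelta(minutes=10)):
    """Return {src: peak number of distinct admin-port destinations in any window}."""
    by_src = defaultdict(list)
    for e in events:
        if e and e["port"] in ADMIN_PORTS:
            by_src[e["src"]].append(e)
    peak = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            # events are sorted, so everything inside the window starts at index i
            dsts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(dsts))
        peak[src] = best
    return peak


def detect(lines, baseline, default_baseline=2, window=timedelta(minutes=10)):
    """Flag sources whose peak fan-out exceeds their learned (or default) baseline.

    Returns a sorted list of (src, observed_peak, allowed_baseline)."""
    events = [parse(line) for line in lines]
    alerts = []
    for src, peak in fan_out(events, window).items():
        limit = baseline.get(src, default_baseline)
        if peak > limit:
            alerts.append((src, peak, limit))
    return sorted(alerts)


# Constructed sample: an admin jump host (10.0.5.1) doing routine work, a
# workstation (10.0.1.42) that abruptly reaches six peers on admin ports,
# and a workstation (10.0.1.17) whose burst is ordinary HTTPS traffic.
SAMPLE_LOG = [
    "2024-03-01T08:00:00 src=10.0.5.1 dst=10.0.2.10 port=3389 user=admin.jane",
    "2024-03-01T08:01:00 src=10.0.5.1 dst=10.0.2.11 port=3389 user=admin.jane",
    "2024-03-01T08:02:00 src=10.0.5.1 dst=10.0.2.12 port=5985 user=admin.jane",
    "2024-03-01T08:03:00 src=10.0.5.1 dst=10.0.2.13 port=5985 user=admin.jane",
    "2024-03-01T09:00:00 src=10.0.1.42 dst=10.0.2.20 port=445 user=bob",
    "2024-03-01T09:05:00 src=10.0.1.17 dst=10.0.2.20 port=445 user=carol",
    "2024-03-01T09:06:00 src=10.0.1.17 dst=10.0.3.1 port=443 user=carol",
    "2024-03-01T09:06:10 src=10.0.1.17 dst=10.0.3.2 port=443 user=carol",
    "2024-03-01T09:06:20 src=10.0.1.17 dst=10.0.3.3 port=443 user=carol",
    "malformed entry that the parser must skip",
    "2024-03-01T09:12:00 src=10.0.1.42 dst=10.0.1.43 port=445 user=bob",
    "2024-03-01T09:12:30 src=10.0.1.42 dst=10.0.1.44 port=445 user=bob",
    "2024-03-01T09:13:00 src=10.0.1.42 dst=10.0.1.45 port=3389 user=bob",
    "2024-03-01T09:13:30 src=10.0.1.42 dst=10.0.1.46 port=445 user=bob",
    "2024-03-01T09:14:00 src=10.0.1.42 dst=10.0.2.30 port=5985 user=bob",
    "2024-03-01T09:14:30 src=10.0.1.42 dst=10.0.2.31 port=445 user=bob",
]

# Constructed baselines learned from "normal" weeks: the jump host legitimately
# fans out widely; the workstation normally touches a single file server.
BASELINE = {"10.0.5.1": 10, "10.0.1.42": 1}

if __name__ == "__main__":
    for src, peak, limit in detect(SAMPLE_LOG, BASELINE):
        print(f"ALERT {src}: {peak} distinct admin-port peers in 10 min (baseline {limit})")
```

The per-host baseline is what keeps the jump host quiet and the workstation loud: the same raw count is normal for one and anomalous for the other, which is exactly why a flat threshold on admin-protocol connections produces the noise that lets real movement blend in.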
Selective security through microsegmentation
The Biden administration has put considerable effort into combating ransomware and strengthening the nation’s cybersecurity defenses, most notably through last year’s Executive Order on Improving the Nation’s Cybersecurity. The importance of segmenting corporate networks as a means to defend against ransomware was a key piece of the Executive Order and highlighted the growing impact that these attacks are causing on organizations around the world.
Network segmentation not only prevents an attacker from moving laterally and reaching strategic assets and crown jewels in the network, but also helps reduce the blast radius by creating boundaries between servers in the network and limiting the network traffic among them.
Microsegmentation: example scenario
Pretend you own a bank. When setting up the bank’s defenses, you wouldn’t want to lock up every single item in the building because there’s no sense in applying the same level of protection to the pens in the lobby and the $100 bills in the vault.
Microsegmentation would allow you to identify the most critical apps and information and apply individual security policies. Even in a scenario in which an attacker obtains a specific file, they could not expand their attack beyond that file without expending a lot of effort and time.
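To make the blast-radius idea from the two sections above concrete, here is an added example (not code from the article or from any product) of a label-based allow-list policy with default deny, plus a check that computes how far an attacker could hop from a compromised workstation under a flat network versus a segmented one. Workload names, labels, rules and ports are constructed assumptions.

```python
"""Blast-radius check for a label-based microsegmentation policy.

Added example (not from the article). Workloads carry role labels, the
policy is an allow-list of (source role, destination role, port) rules with
everything else denied, and blast_radius() reports the minimum number of
hosts an attacker must compromise in sequence to reach each other workload.
All workloads, labels, rules and ports are constructed for illustration.
"""
from collections import deque

WORKLOADS = {
    "ws-042":       {"role": "workstation", "env": "corp"},
    "ws-017":       {"role": "workstation", "env": "corp"},
    "fileshare-01": {"role": "fileshare",   "env": "corp"},
    "web-01":       {"role": "web",         "env": "prod"},
    "app-01":       {"role": "app",         "env": "prod"},
    "db-01":        {"role": "db",          "env": "prod"},  # the crown jewel
}

# Segmented policy: (source role, destination role, port). Not listed = denied.
# Note there is deliberately no workstation -> workstation rule.
SEGMENTED_POLICY = [
    ("workstation", "fileshare", 445),
    ("workstation", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
]

# Sentinel for the "before" picture: a flat network where any host may reach any other.
FLAT_POLICY = None


def allowed_ports(policy, src, dst):
    """Ports on which src may open a connection to dst under the policy (empty = denied)."""
    if src == dst:
        return set()
    if policy is None:
        return {"any"}
    s_role = WORKLOADS[src]["role"]
    d_role = WORKLOADS[dst]["role"]
    return {port for (s, d, port) in policy if (s, d) == (s_role, d_role)}


def blast_radius(policy, start):
    """Map each workload reachable from `start` to its minimum hop count.

    One hop = one additional host the attacker must take over before moving on;
    workloads absent from the result are unreachable under the policy."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst in WORKLOADS:
            if dst not in hops and allowed_ports(policy, cur, dst):
                hops[dst] = hops[cur] + 1
                queue.append(dst)
    hops.pop(start)
    return hops


def exposure_report(policy, start, crown_jewels):
    """Summarize what a compromise of `start` exposes, with crown jewels called out."""
    radius = blast_radius(policy, start)
    return {
        "reachable": len(radius),
        "direct": sorted(h for h, n in radius.items() if n == 1),
        "crown_jewel_hops": {cj: radius.get(cj) for cj in crown_jewels},
    }


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, exposure_report(policy, "ws-042", ["db-01"]))
```

Under the flat policy every other workload is one hop from the compromised workstation; under the segmented policy the peer workstation is unreachable, only the file share and the web tier are directly exposed, and the database sits three compromises away. That distance, plus the fact that each remaining hop is confined to a single application port rather than an admin protocol, is the "effort and time" the text refers to.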
Three important ransomware questions for CISOs
Beyond the technical components of ransomware defense, there are nontechnical questions that are important to answer when identifying and remediating ransomware attacks. Here are three quick questions every security leader should be able to answer:
- Do you have ransomware insurance?
- What are your crown jewels?
- What is your ransomware response plan?
Get ransomware insurance
Ransomware insurance is increasingly popular because it has both financial and security benefits. Agencies offer less expensive policies to organizations with good security fundamentals, thereby incentivizing businesses to improve their security posture even before they purchase a safety net.
Implement a microsegmentation strategy
Security leaders must work closely with the C-suite and the Board of Directors to identify their organization’s critical systems, how they’re protected, and what would happen if those systems were to fail.
Implementing a microsegmentation strategy can help focus an organization’s defenses while providing a higher level of protection to the most important systems and assets.
Enact a ransomware response plan
As they say, “Hope for the best, plan for the worst.” Security leaders must have a clear plan to remediate and eliminate ransomware if they are under attack. It’s important to know who would be involved, what tech is in place to help clean up, and when the plan was last tested.
Take away cybercriminals’ path of least resistance
Cybercriminals don’t want to work hard. They prefer to use proven tactics and exploits to target under-resourced organizations that don’t keep up with patching. Businesses that prevent lateral movement make that job exponentially more difficult and take away cybercriminals’ path of least resistance.
It’s important to remember that controlling lateral movement isn’t just a ransomware preventative measure; it applies to any attack with a payload, including cryptominers, backdoors, and remote access tools.
Act today to stop attackers in their tracks
Ultimately, ransomware attacks and attempts aren’t going to stop. However, you can act today to ensure that if there is a breach, the damage is minimized. That could mean the difference between becoming a victim and stopping attackers in their tracks.