Ransomware attacks are on the rise in both volume and sophistication. Triple extortion (a ransomware attack on one business leading to extortion threats on its business partners) is raising the cost of attacks. Ransomware-as-a-Service puts the means to attack in the hands of smaller criminal entities, making the tactic a commodity and not just the tool of masterminds. It’s no surprise that ransomware attacks are now substantially more expensive to recover from than other types of data breaches.
Keeping attackers out of your systems altogether is ideal, but cyber criminals are persistent and inventive. So what can you do to stop ransomware attacks from succeeding?
Data encryption at all levels is a powerful measure and critical to implement with depth and weight. But it should be only part of a larger whole. You should consider augmenting encryption with additional controls that identify attackers at the application and process levels. This technique is known as application (or process) allowlisting.
Let’s discuss why it’s necessary, how it works and how to use it.
Common malware and ransomware tactics in a nutshell
A common cyberattack involves installing dummy applications on endpoints that look like common utilities — Word, Adobe Photoshop or Slack, for example — but which secretly encrypt and/or exfiltrate data. Phishing tactics are the most common way for these applications and trojan horses to find their way onto a system. Without realizing it, an employee may click a seemingly harmless link that installs malware on their device.
When one of these malware applications shows up on a desktop or in a directory, it avoids suspicion because the user assumes the app has always been there. However, a nefarious actor with access to the endpoint can deploy the malware, find valuable data and take it hostage. When a legitimate user tries to access the compromised data, a message appears demanding ransom and threatening to expose sensitive data online if they don’t pay.
If you are unlucky enough to see such a message, it means your data is compromised. Your company should prepare to go down a long and expensive path of assessing the damage, weighing the options, managing the crisis and possibly sourcing the funds to pay the ransom. The negative impact of these actions is evident in ransom fees and consulting costs. Even if you pay the ransom, the decrypting program from the cyber extortionist might be painfully slow and prolong the time your business is offline, your mission is put on hold and your market reputation is damaged. In the best-case scenario, you have a robust data backup and restore capability, but disaster recovery is neither instantaneous nor 100% successful.
Why encryption may not be enough
Encryption at every level is crucial. But if native encryption is weak, criminals can decrypt it with their own tools or ones they rent on the dark web (in the burgeoning and convenient Ransomware-as-a-Service marketplace). They can exfiltrate the data and — in addition to halting your own business operations — they can threaten to make sensitive data public and charge more for its safe return. So even if you can restore your business operations on your own, you still risk submitting to extortion to prevent public exposure of your data or stop it from being sold to the highest bidder.
What about native or in-line utilities?
In-line administrative tools, such as those native to a specific database, offer access controls. However, they generally don’t include allowlisting and are limited in system and database coverage. Application allowlisting and granular policy-based access controls delivered by an enterprise solution are configured so that only authorized users and processes can read or write data. Those policies should be applicable across platforms to eliminate inconsistencies and gaps.
How application allowlisting neutralizes malware
With mature application allowlisting capabilities, you have the power to specify which users and processes have the authority to access specific data resources. The result is that ransomware cannot read or write to protected files because the process signatures will not pass the control point that only allows authorized and known processes to access the data.
In other words, the malware will not be able to maliciously encrypt the underlying data, even if the attackers know exactly where it exists.
Sensitive data should, ideally, already be encrypted. That way even if malicious actors steal and exfiltrate the files, they are rendered useless as the criminals cannot decrypt them in a useful timeframe (or at all, if the encryption and key protection are strong). In other words, unreadable data has close to zero market value.
Administrative and performance considerations
Allowlisting and encryption are indeed powerful, but you might be asking about the administrative and performance overhead. Administration is ideally done through a single management console that can span heterogeneous databases and system environments. This allows trained operators to apply policy consistently across the enterprise.
A modern data encryption solution should not incur significant performance overhead to protect files at this level and will lower processing impact by only decrypting data for authorized users and processes. No changes to applications or workflows should be necessary. If your current tool can’t do this, it might be time to search for an alternative.
Detailed policies and governance
An added benefit of enforcing a high level of granularity is the improvement you’ll find in governance. Role-based access control improves your separation of duties posture, and detailed access logs will delight internal and external auditors.
A modern data security solution, such as IBM Security Guardium Data Encryption, will be able to enable policy creation based on multiple criteria — more than just user ID and process. For example, policies can also include the specific resource being accessed, the type of action being performed (read, write, delete, etc.) and the time window permitted.
How do I know what to allowlist?
A key part of modern data security is knowing where your sensitive data resides and which users and processes or applications should have access to it. A repeatable data discovery and classification competency is mandatory. Once you have this knowledge, allowlisting becomes simple: apply allowlists by knowing your approved processes and systems and block everything else by default. This may create the occasional oversight, but such oversights should be the exception. In addition, your data security and administration team will be far less burdened with triage and remediation, which makes those oversights easy to address.
Some modern data security products can also have a “learn mode” enabled during deployment that can observe all processes that access encrypted files on a regular basis. That observed data can then be used as criteria to identify the trusted processes to add to the allowlist. With that control in place, any new process requesting access can be considered an exception and go through a change control process with the proper checks and balances.
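To make the policy criteria and the learn-mode idea above concrete, here is a small Python sketch added to this article (it is not Guardium's policy format or API): a default-deny evaluator over user, process, resource, action type and time window, plus a learn-mode step that turns observed accesses into candidate rules for review. The rule fields, account names and paths are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    """One allowlist entry built from the criteria the article lists:
    user, process, resource, action type and time window (hypothetical format)."""
    user: str           # account the process runs as
    process: str        # executable path as identified by the control point
    resource: str       # protected path prefix
    actions: frozenset  # subset of {"read", "write", "delete"}
    start: time         # permitted window, inclusive
    end: time           # permitted window, inclusive

def is_allowed(rules, user, process, resource, action, at):
    """Default deny: grant only if some rule matches every criterion, so an
    unknown process running as a trusted user is still refused."""
    return any(
        r.user == user
        and r.process == process
        and resource.startswith(r.resource)
        and action in r.actions
        and r.start <= at <= r.end
        for r in rules
    )

def learn_allowlist(observations, start=time(0, 0), end=time(23, 59, 59)):
    """Learn mode: collapse (user, process, resource, action) tuples observed
    during a monitoring period into candidate rules for operator review."""
    seen = defaultdict(set)
    for user, process, resource, action in observations:
        seen[(user, process, resource)].add(action)
    return [Rule(u, p, res, frozenset(acts), start, end)
            for (u, p, res), acts in sorted(seen.items())]

# Constructed sample observations from a hypothetical learn-mode period.
OBSERVED = [
    ("svc_erp", "/opt/erp/bin/erpd", "/data/finance/", "read"),
    ("svc_erp", "/opt/erp/bin/erpd", "/data/finance/", "write"),
    ("svc_backup", "/usr/sbin/bkpd", "/data/", "read"),
]
RULES = learn_allowlist(OBSERVED)

if __name__ == "__main__":
    # A trojan dropped by phishing runs as a real user, but its executable
    # was never observed, so the control point refuses the write.
    print(is_allowed(RULES, "jdoe", "/home/jdoe/Downloads/invoice.exe",
                     "/data/finance/ledger.db", "write", time(10, 30)))  # False
```

Learned rules default to an all-day window; operators would tighten windows and action sets (for example, read-only for the backup agent during its nightly run) before enforcing, which is the change-control step the article describes.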
Don’t overlook links in the attack chain
A point-in-time intrusion detection or identification of a single compromised credential might just be a bump in the road for sophisticated cyber criminals, and they will not relent. The bottom line is that organizations need controls, technologies and trained personnel that address every link in the ransomware attack chain. Persistent, adaptable competencies focused on protection, like allowlisting and smart access controls, can provide the necessary defenses when other controls fail. When combined with encryption at all levels, they can provide you with defense in depth that is especially useful at the end of the attack chain.
There’s some satisfaction in knowing that if cyber criminals do penetrate defenses, the chamber holding the proverbial crown jewels will be empty.
Product Marketing Manager, IBM Security