According to the IBM X-Force Incident Response and Intelligence Services (IRIS) team’s Cloud Security Landscape Report 2020, ransomware is the most commonly deployed malware in infiltrated cloud environments. It accounts for three times as many cases as cryptomining and botnet malware, which are in second and third place, respectively. Ransomware remains a serious threat, despite the improved security capabilities that cloud platforms now offer out of the box.

The article “How Zero Trust Will Change Your Security Design Approach” explains how to introduce Zero Trust at the enterprise security architecture level and how IBM’s Zero Trust governance model can be leveraged for this purpose. This piece describes how Zero Trust solutions can improve your organization’s defense against possible ransomware attacks.

Implementing Zero Trust

Applying Zero Trust as a set of guiding principles puts a specific focus on an expected outcome during the design phase. It is by no means a way to decide which controls from a controls framework are relevant. Rather, applying Zero Trust principles lets the design focus on a specific subset of controls, such as the controls and capabilities needed for dynamic authentication and authorization that use all available contextual information.

The IBM Zero Trust governance model ensures that all criteria needed to achieve this goal are identified. The IBM Zero Trust governance model and the IBM Zero Trust Acceleration services can help organizations define security initiatives and the related capabilities.

Figure: IBM Zero Trust governance model applied to enterprise security architecture. The figure shows how the Zero Trust governance model provides input for the different aspects of the security architecture and how existing frameworks can be used as additional input to the design.

Mitigation of Risk

To understand which Zero Trust principles could help mitigate possible ransomware attacks, you need to know the attack vectors typical of these attacks. Multiple sources are available that elaborate on the attack vectors used in ransomware attacks.

The IBM X-Force Threat Intelligence Index 2020 describes the three stages of a ransomware infection:

  1. MalSpam/phishing with PowerShell script.
  2. Emotet/TrickBot infection.
  3. PSExec/WMI lateral movement.

If you research phishing techniques in the MITRE ATT&CK Knowledge Base, the most relevant technique is T1566, and more specifically the sub-technique T1566.001 Spearphishing Attachment. The latter references a list of procedure examples, including the two commodity downloaders:

  • Emotet, which has 26 documented techniques.
  • TrickBot, which has 30 documented techniques.

A Zero Trust-based solution could help to address some of these attack techniques, such as the T1047 Windows Management Instrumentation (WMI) lateral movement technique. Looking further in the MITRE ATT&CK framework, two mitigations are listed against a WMI-based attack: privileged account management and user account management. A third option is micro-segmentation. This results in three possible mitigations to be designed and implemented:

  1. Privileged account management (PAM), which prevents credential overlap of administrator and privileged accounts across systems.
  2. User account management, which restricts the set of users allowed to connect remotely via WMI to administrators only, or disallows remote WMI connections for all users.
  3. Micro-segmentation, which is not itself listed as a mitigation in the MITRE ATT&CK knowledge base, but can be seen as a combination of the following mitigations: M1030 “Network Segmentation,” M1037 “Filter Network Traffic” and M1035 “Limit Access to Resource Over Network.”
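The user-account-management mitigation above only helps if you can also see when remote WMI or PsExec execution happens on a host. The following is an added example, not code from the original article or from IBM: a small detector run over constructed process-creation events. The event shape is a simplified version of Sysmon Event ID 1 (process creation) records, using Sysmon's field names (`Image`, `ParentImage`, `User`, `CommandLine`); the host names, account names and the `ALLOWED_REMOTE_ADMINS` group are placeholders invented for this example. It flags the classic T1047 pattern (the WMI provider host spawning a command interpreter), the PsExec service binary starting on a target, and `wmic` being pointed at another host, and it lowers the severity when the account is one the policy permits to administer remotely.

```python
"""Detect likely remote WMI / PsExec execution in process-creation telemetry.

Added example, not code from the original article. Input records are a
constructed, simplified Sysmon Event ID 1 shape; all sample values below
are made up for this demonstration.
"""
import ntpath

# Interpreters that a WmiPrvSE.exe parent should practically never launch
# on a server that is not being administered remotely.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Accounts the user-account-management mitigation permits to run WMI
# remotely (constructed placeholder group for this example).
ALLOWED_REMOTE_ADMINS = {"corp\\wmi-ops"}

# Constructed sample events (simplified Sysmon EID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "User": "CORP\\jdoe", "CommandLine": "cmd.exe /c whoami"},
    {"host": "srv01", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "svchost.exe -k netsvcs"},
    {"host": "srv02", "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "PSEXESVC.exe"},
    {"host": "srv02", "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": "NT AUTHORITY\\NETWORK SERVICE", "CommandLine": "WmiPrvSE.exe"},
    {"host": "ws17", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\jdoe",
     "CommandLine": "wmic /node:srv03 os get caption"},
    {"host": "srv03", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "User": "CORP\\wmi-ops", "CommandLine": "powershell.exe -File C:\\ops\\patch.ps1"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict):
    """Return a finding dict for a suspicious event, or None if it is benign."""
    image = _base(event["Image"])
    parent = _base(event["ParentImage"])
    cmd = event.get("CommandLine", "").lower()
    user = event.get("User", "").lower()

    rule = None
    if parent == "wmiprvse.exe" and image in SHELLS:
        rule = "wmi_spawned_shell"        # T1047: WMI provider host launching an interpreter
    elif image == "psexesvc.exe":
        rule = "psexec_service_started"   # PsExec service binary executing on the target
    elif image == "wmic.exe" and "/node:" in cmd:
        rule = "wmic_remote_invocation"   # wmic targeting another host
    if rule is None:
        return None

    # Mitigation 2 in practice: remote WMI by a permitted admin account is
    # still worth recording, but not at the same severity as anyone else.
    severity = "medium" if user in ALLOWED_REMOTE_ADMINS else "high"
    return {"host": event["host"], "user": event["User"],
            "rule": rule, "severity": severity}


def scan(events):
    """Run classify() over a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block over the constructed events yields four findings: the interpreter spawned under WmiPrvSE.exe on srv01 and the PsExec service on srv02 (both high), the remote wmic call from ws17 (high), and the PowerShell launched under WmiPrvSE.exe on srv03 by the permitted wmi-ops account (medium). The WmiPrvSE.exe process itself starting under svchost.exe is normal and is not flagged.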

Mitigation Capabilities

From a design point of view, one might combine these capabilities into one or more logical solution components, such as a PAM solution. PAM is composed of several components, such as a password vault, an SSH/RDP proxy, an API layer and an admin portal. A list of required capabilities allows an architecture team to identify common requirements and the needed capabilities and solution building blocks.

Figure (IBM Security): a high-level list of required capabilities.

Some architectural decisions can only be made once the relevant requirements are consolidated and the alternatives for implementing the capabilities are decided. For example, how would the on-premises workforce of your organization connect to the applications in the data center? Will a micro-segmentation-based implementation at the data center be sufficient? Or will an overall software-defined-perimeter solution be better suited to achieve the same goals?

To answer these questions, incorporate Zero Trust principles where possible. And, deploying Zero Trust principles is a journey with different steps increasing the overall.

For example, one use case for the PAM component is logging onto an admin portal of the PAM solution.

First, apply micro-segmentation so the PAM portal is only visible to the privileged users and the operations team of the PAM solution. Then, enforce multifactor authentication before granting access to the portal. The required authentication level should be determined by all relevant contextual information: the device used by the administrator, the security posture of that device, the geo-location of the user, the device’s reputation history and the type of network connection. This context is validated against the security policies, and based on the defined access criteria the connection may be refused.

Consider re-validating authentication at regular intervals or when the originally allotted session time is exceeded. If the privileged user interacts with very sensitive resources while within the PAM portal, step-up authentication could be enforced as well.
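The portal use case above, and the earlier point about authorization that uses all available contextual information, can be written down as a policy decision function. The following is an added example, not code from the original article or from any IBM product: a small evaluator that takes the request context (source network segment, group membership, device management and posture state, device reputation, country, network type, MFA state and session age) and returns allow, deny, step-up or re-authenticate. The segment names, group names, allowed countries and session lifetimes in `POLICY` are constructed values for this example, not recommendations.

```python
"""Context-aware access decision for a PAM admin portal.

Added example, not part of the original article or of any IBM product.
All policy values and sample contexts are constructed for this demonstration.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class AccessContext:
    user: str
    groups: Set[str]
    source_segment: str           # network segment the request arrives from
    device_managed: bool          # corporate-managed device?
    device_posture_ok: bool       # encryption, patch level, EDR present, ...
    device_reputation: str        # "trusted" | "unknown" | "flagged"
    country: str                  # geo-location of the user
    network_type: str             # "corp_lan" | "vpn" | "public"
    mfa_satisfied: bool
    authenticated_at: Optional[datetime] = None
    stepped_up: bool = False      # strong step-up factor already presented?


@dataclass
class Resource:
    name: str
    sensitive: bool = False


# Constructed policy values (placeholders, not recommendations).
POLICY = {
    "portal_visible_from": {"pam-ops-net", "priv-admin-net"},   # micro-segmentation
    "portal_groups": {"pam-privileged-users", "pam-operations"},
    "allowed_countries": {"BE", "NL", "DE"},
    "session_lifetime": timedelta(minutes=30),
    "revalidate_after": timedelta(minutes=10),   # stricter cadence off the corp LAN
}


def evaluate(ctx: AccessContext, resource: Resource, now: datetime) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is allow, deny, step_up or reauth."""
    # 1. Micro-segmentation: the portal is simply not reachable from elsewhere.
    if ctx.source_segment not in POLICY["portal_visible_from"]:
        return "deny", ["source segment may not reach the PAM portal"]
    if not (ctx.groups & POLICY["portal_groups"]):
        return "deny", ["user is neither a privileged user nor a PAM operator"]

    # 2. Contextual signals, all checked so the reasons list is complete.
    reasons = []
    if not ctx.device_managed or not ctx.device_posture_ok:
        reasons.append("device unmanaged or fails posture check")
    if ctx.device_reputation == "flagged":
        reasons.append("device reputation flagged")
    if ctx.country not in POLICY["allowed_countries"]:
        reasons.append(f"geo-location {ctx.country} outside allowed countries")
    if reasons:
        return "deny", reasons

    # 3. Multifactor authentication before any portal access.
    if not ctx.mfa_satisfied:
        return "step_up", ["MFA required before portal access"]

    # 4. Re-validation when the allotted session time is exceeded.
    if ctx.authenticated_at is None or now - ctx.authenticated_at > POLICY["session_lifetime"]:
        return "reauth", ["session expired"]
    if ctx.network_type == "public" and now - ctx.authenticated_at > POLICY["revalidate_after"]:
        return "reauth", ["periodic re-validation required on a public network"]

    # 5. Step-up for very sensitive resources inside the portal.
    if resource.sensitive and not ctx.stepped_up:
        return "step_up", [f"step-up authentication required for {resource.name}"]
    return "allow", []


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def example_context(**overrides) -> AccessContext:
    """A compliant baseline context (constructed), with optional overrides."""
    base = AccessContext(
        user="alice", groups={"pam-privileged-users"}, source_segment="priv-admin-net",
        device_managed=True, device_posture_ok=True, device_reputation="trusted",
        country="BE", network_type="corp_lan", mfa_satisfied=True,
        authenticated_at=NOW - timedelta(minutes=5))
    return replace(base, **overrides)


if __name__ == "__main__":
    for label, ctx, res in [
        ("baseline", example_context(), Resource("vault-browse")),
        ("wrong segment", example_context(source_segment="office-wifi"), Resource("vault-browse")),
        ("sensitive, no step-up", example_context(), Resource("root-checkout", sensitive=True)),
    ]:
        print(label, evaluate(ctx, res, NOW))
```

The ordering matters: network reachability and group membership are checked before any device or location signal, because a request that should never have reached the portal gets no further evaluation, and a context deny is reported with every failing signal so the administrator (or the SOC) sees the full picture rather than the first rejection.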

The PAM solution’s primary goal is to prevent administrators from using their privileged accounts for business purposes (reading email, browsing the internet). Its secondary goal is to reduce the time administrators are authenticated on systems, thus reducing the possible attack surface for malware tools.

The IBM Zero Trust governance model and existing frameworks, such as MITRE ATT&CK, can be combined to drive solutions that improve the security posture of your organization and reduce the attack surface exposed to ransomware.
