How Zero Trust Can Help Defend Against Ransomware Attacks

August 7, 2020
| |
4 min read

According to IBM X-Force Incident Response and Intelligence Services (IRIS) team’s Cloud Security Landscape Report 2020, ransomware is the most commonly deployed malware in infiltrated cloud environments. It accounts for three times as many cases as cryptomining and botnet malware, which are second and third place, respectively. Ransomware remains a serious threat, despite improved security capabilities coming out-of-the-box in cloud.

The article “How Zero Trust Will Change Your Security Design Approach” explains how to introduce Zero Trust at the enterprise security architecture level and how IBM’s Zero Trust governance model can be leveraged for this purpose. This piece describes how Zero Trust solutions can improve your organization’s defense against possible ransomware attacks.

Implementing Zero Trust

Applying Zero Trust as guiding principles puts a specific focus on an expected outcome during the design phase. It is by no means a way to define the relevance of security controls from controls frameworks. Applying Zero Trust principles allows focus on a specific subset of controls during design, such as controls and capabilities needed for dynamic authentication and authorization using all possible contextual information.

The IBM Zero Trust governance model ensures all criteria is identified, which is needed to achieve this goal. The IBM Zero Trust governance model and the IBM Zero Trust Acceleration services can help organizations define security initiatives and related capabilities.

IBM Zero Trust Governance model applied to Enterprise Security Architecture: This figure shows how the Zero Trust governance model provides input for the different aspects of the security architecture and how existing frameworks can be used as additional input to the design.

Mitigation of Risk

To understand which Zero Trust principles could help mitigate possible ransomware attacks, you need to know the attack vectors typical for these attacks. There are multiple sources available that elaborate on possible attack vectors used by ransomware attacks.

The IBM X-Force Threat Intelligence Index 2020 describes the three stages of a ransomware infection:

  1. MalSpam/phishing with PowerShell script.
  2. Emotet/TrickBot infection.
  3. PSExec/WMI lateral movement.

If you research phishing techniques in the MITRE ATT&CK Knowledge Base, the most relevant technique is T1566, and more specifically the sub-technique, T1566.001 Spearphishing Attachment. The latter references to a list of procedure examples, including the two commodity downloaders:

  • Emotet which has 26 documented known techniques.
  • TrickBot has 30 documented techniques.

A Zero Trust-based solution could help to address some of these attack techniques, such as the T1047 Windows Management Instrumentation (WMI) lateral movement technique. Looking further in the MITRE ATT&CK framework, two possible mitigations are listed against a WMI based attack: privileged and user account management. There is also a third option called micro-segmentation. This results in three possible mitigations to be designed and implemented.

  1.  Privileged account management (PAM), which prevents credential overlap across systems of administrator and privileged accounts.
  2. User account management only allows administrators to connect remotely using WMI. It restricts other users as those allowed to connect, or disallows all users to connect remotely to WMI.
  3. Micro-segmentation may not be in the list of mitigations in the MITRE ATT&CK knowledge base. But, it can be seen as a combination of the following mitigations: M1030 “Network Segmentation,” M1037 “Filter Network Traffic” and M1035 “Limit Access to Resource Over Network.”

Mitigation Capabilities

From a design point, one might combine these capabilities into one or more logical solution components, such as a PAM solution. PAM is composed of several components, such as a password vault, the SSH/RDP Proxy, an API layer and Admin portal. A list of required capabilities will allow an architecture team to identify common requirements and the needed capabilities and solution building blocks.

IBM Security. This is a high-level list of required capabilities.

Some architectural decisions will be made once relevant requirements are consolidated and alternatives for the implementation of capabilities are decided. For example, how would the on-premise workforce of your organization connect to the applications in the data center? Will a micro-segmentation-based implementation at the data center be sufficient? Or, will an overall software-defined-perimeter solution be better suited to achieve the same goals?

To answer these questions, incorporate Zero Trust principles where possible. And, deploying Zero Trust principles is a journey with different steps increasing the overall.

For example, one use case for the PAM component is logging onto an admin portal of the PAM solution.

First, apply micro-segmentation so the PAM portal is only visible to the privileged users and the operations team of the PAM solution. Then, enforce multifactor authentication before getting access to the portal. The authentication level should be defined by all relevant contextual information. This includes the device used by the administrator, security posture of the device, geo-location of the user, device reputation history and type of network connection. This is validated against the security policies. Based on the defined access criteria, the connection can possibly be refused.

Consider re-validating authentication at regular moments or when overrunning the original allotted time. If the privileged user interacts with very sensitive sources while within the PAM portal, a step-up authentication could be enforced too.

The PAM solution’s primary goal to avoid administrators using their privileged account for business purposes (reading email, browsing the internet). Its secondary goal is reducing the time administrators are authenticated on systems, thus reducing the possible attack surface for malware tools. .

The IBM Zero Trust governance model and existing frameworks, such as the MITRE ATT&CK, can be combined to drive solutions to improve the security posture of your organization and reduce the attack surface against ransomware.

Listen to the podcast episode, “Contextualizing Zero Trust”
Stefaan Van daele
Executive Security Architect, IBM Security

Stefaan has 30 years of experience in IT and joined IBM in 1997. Since 2001 he is a Security Architect and, in that role, he fulfilled several positions at l...
read more