It’s common knowledge that hackers are getting more cunning and sophisticated by the day. But what many outside the information security bubble have failed to notice is that the rise in remote working has also significantly reduced our defence mechanisms. This combination makes for a perfect storm, writes Neil du Plessis, Cloud Security Architect at BUI.
In a ransomware attack, hackers will typically break into your system and steal and/or encrypt data – the more sensitive and valuable the better. They will then issue a ransom demand (usually to be paid in cryptocurrency), explaining that if their demands aren’t met, they will either delete the data or make it public, whichever is more damaging. If you do pay, you’ll get your data back – or so these hardened criminals say.
The problems
Businesses operating in today’s cyber environment are faced with two main problems.
Problem 1: Increased attacks
The unfortunate reality is that human-operated ransomware has been highly successful and lucrative for attackers. The stakes are high on both sides and there is no end in sight. Between 2019 and 2020, ransomware attacks rose by 62 percent worldwide. Not only are there more attacks than ever before, but – as the value of Bitcoin surges – hackers are also demanding higher and higher ransoms. Steve Morgan, editor-in-chief of Cybercrime Magazine, does not mince his words: “Without question, we’re seeing an explosion of ransomware attacks,” he says.
Problem 2: Reduced defences
Information security professionals – the people whose job it is to guard against these attacks – have always relied on a multi-layered approach to security. But when the pandemic sent most of the global workforce home, we suddenly lost one of these layers: all of the firewalls, network intrusion prevention systems, and careful network segmentation we’d set up before the pandemic became redundant overnight. All these people working for big, important companies via often unsecured home networks were easy pickings for cyber criminals.
The solution(s)
Given the scale and complexity of the threat, it goes without saying that the solution is multifaceted. All of the solutions detailed below do one of two things: they make it harder for people to break into your system (like burglar bars, and high fences) or they give you more chance of catching the perpetrators if someone does manage to break in (like alarms and security cameras).
Solution 1: Zero trust
In the past, we assumed that everything that happened within a company network was safe and fenced off behind a perimeter. That started to change quite a while back, but with billions of employees working from home, it’s now been completely thrown out the window. Zero Trust is built around the principle that you cannot trust any device, individual, network, or even the application being used to connect to often sensitive corporate information. Parents of teenagers will be familiar with this concept.
Zero Trust is based on three principles:
- A username and password combination simply cannot be trusted anymore. Adding multi-factor authentication (MFA) is certainly a step in the right direction, but this alone isn’t enough. All available metadata must be explicitly verified and evaluated as part of the access control decision: user identity and location, device health, service or workload context, data classification, and anomalies must all be considered in the access control process.
- The principle of least privilege (i.e. enforcing the lowest clearance level that allows the user to perform their role) has long been a security best practice. We now have several ways of implementing this, depending on your precise circumstances: Just-in-Time (JIT), Just-Enough-Administration (JEA), and risk-based adaptive policies all have their place.
- The assume breach mindset assumes that all of your other security measures have failed, and that hackers have indeed breached the system. In modern security, this mindset extends to implementing additional security controls aimed specifically at increasing attacker friction, disrupting their traditional kill chains and generally increasing attacker costs. This gives defenders more chance to recognise and respond to signs of attack.
Like a bouncer outside a nightclub, your Security and Compliance Policy Engine implements the rules determined by your information security department. Where the bouncer might be told to check for fake IDs and concealed alcohol, weapons or drugs, the Engine will check for any deviations from what are considered normal habits for the user in question.
The Engine, which is powered by Microsoft Azure Active Directory Conditional Access, works with a range of Microsoft products (Microsoft 365 Defender, Microsoft Endpoint Manager, Microsoft Cloud App Security, etc.) to do much of the heavy lifting detailed above.
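The three principles above, and the policy engine that enforces them, can be made concrete as a single access decision. The following is an added example written for this article; it is not BUI’s code and it does not reproduce the Azure Active Directory Conditional Access policy model. The signal names, the baseline store of each user’s usual sign-in countries and the decision values (allow, require_mfa, block) are assumptions made for the example.

```python
"""
Zero Trust policy engine, simplified (added example; not BUI's or Microsoft's code).

Models the three principles as one access decision:
  verify explicitly  - every signal is evaluated, not just the password;
  least privilege    - admin roles need a stronger posture and get a short,
                       time-boxed session instead of a standing grant;
  assume breach      - deviations from the user's normal habits are treated
                       as risk, and a high-risk verdict blocks even a valid MFA.
Signal names, the baseline store and the decision values are assumptions for
this example; the real Conditional Access policy model is not reproduced here.
"""
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SignIn:
    user: str
    mfa_satisfied: bool
    device_compliant: bool   # managed, encrypted, endpoint protection healthy
    country: str             # from the connecting IP's geolocation
    requested_role: str      # "user" or "admin"
    identity_risk: str       # "low" | "medium" | "high", from an identity-protection feed


@dataclass
class Decision:
    action: str                               # "allow" | "require_mfa" | "block"
    reasons: List[str] = field(default_factory=list)
    session_ttl: Optional[timedelta] = None   # short for JIT-style admin access


# Constructed baseline of "normal habits": countries each user usually signs in from.
BASELINE_COUNTRIES: Dict[str, Set[str]] = {
    "alice": {"ZA"},
    "bob": {"ZA", "GB"},
}


def evaluate(s: SignIn, baseline: Dict[str, Set[str]] = BASELINE_COUNTRIES) -> Decision:
    # Assume breach: a high-risk verdict from the identity feed is a hard stop,
    # even when password and MFA were both correct (the session may be hijacked).
    if s.identity_risk == "high":
        return Decision("block", ["identity risk high"])

    # Verify explicitly: collect every anomaly instead of stopping at the first check.
    reasons: List[str] = []
    if s.country not in baseline.get(s.user, set()):
        reasons.append(f"unfamiliar country {s.country}")
    if s.identity_risk == "medium":
        reasons.append("identity risk medium")
    if not s.device_compliant:
        reasons.append("device not compliant")

    # Least privilege: privileged roles demand a compliant device and MFA outright,
    # are refused under any other anomaly, and receive only a short JIT-style session.
    if s.requested_role == "admin":
        if not s.device_compliant:
            return Decision("block", reasons + ["admin access needs a compliant device"])
        if not s.mfa_satisfied:
            return Decision("require_mfa", reasons + ["admin access needs MFA"])
        if reasons:
            return Decision("block", reasons + ["admin access refused under elevated risk"])
        return Decision("allow", ["admin session time-boxed"], session_ttl=timedelta(hours=1))

    # Ordinary users: a clean posture gets a normal session; any anomaly means an
    # MFA step-up first and a shortened session afterwards.
    if not reasons:
        return Decision("allow", [], session_ttl=timedelta(hours=8))
    if not s.mfa_satisfied:
        return Decision("require_mfa", reasons)
    return Decision("allow", reasons, session_ttl=timedelta(hours=1))


if __name__ == "__main__":
    samples = [  # constructed sign-in events
        SignIn("alice", True, True, "ZA", "user", "low"),
        SignIn("alice", False, True, "RU", "user", "low"),
        SignIn("bob", True, False, "GB", "admin", "low"),
        SignIn("bob", True, True, "GB", "admin", "low"),
        SignIn("bob", True, True, "GB", "admin", "high"),
    ]
    for sample in samples:
        d = evaluate(sample)
        print(f"{sample.user:6} {sample.requested_role:5} -> {d.action:12} {d.reasons} ttl={d.session_ttl}")
```

The point of the structure is that the password is never the deciding signal: location, device health and the risk feed all feed the same decision, and the privileged path is deliberately stricter and shorter-lived than the ordinary one.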
Solution 2: Protect against human-operated ransomware
In addition to shoring up your own defences, you also need to understand attackers’ weaknesses. Hackers rely on two things: being able to get hold of your data and forcing you to pay to get it back. When it comes to the first of these, they generally rely on easily exploiting administrative privileges through a process called lateral movement, which has nothing to do with Dale Steyn. Moving on to the second weakness, hackers won’t make any money if you can find a way to get your data back without paying the ransom, such as restoring it from backups. We find that locking down these weaknesses using the three-step blueprint below is highly effective in preventing attacks:
- Prepare and secure a recovery plan that will enable you to get your data back without paying the ransom.
- Limit the scope of damage of an attack by protecting privileged roles (i.e. don’t give the boss IT Administrator privileges).
- Make it harder for attackers to gain access into the environment by incrementally removing risks, especially on entry points.
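The three steps of the blueprint translate naturally into a posture audit that a defender can run against an asset inventory. The following is an added example written for this article, not BUI’s tooling; the inventory schema, the field names, the thresholds (a one-day RPO, a 90-day restore-test window) and the break-glass allowlist are assumptions made for the example, and the inventory itself is constructed.

```python
"""
Posture audit for the three-step blueprint (added example; not BUI's code).

Runs over a constructed inventory and reports gaps against the three steps:
  1. a recovery plan that works without paying: recent, isolated, restore-tested backups;
  2. privileged roles limited in scope: no standing admin rights, MFA on every admin;
  3. entry points with avoidable risk removed: no exposed admin protocols and no
     legacy authentication that sidesteps MFA.
Schema, thresholds and allowlist are assumptions for this example.
"""
from datetime import date, timedelta

TODAY = date(2021, 6, 1)                  # constructed reference date
MAX_BACKUP_AGE = timedelta(days=1)        # assumed RPO for critical systems
MAX_RESTORE_TEST_AGE = timedelta(days=90) # assumed restore-test cadence
BREAK_GLASS = {"emergency-admin"}         # assumed allowlist of standing admin accounts
RISKY_EXPOSED_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 5985: "WinRM"}


def audit_recovery(backups):
    """Step 1: can we restore without the attacker's cooperation?"""
    findings = []
    for b in backups:
        name = b["system"]
        if TODAY - b["last_backup"] > MAX_BACKUP_AGE:
            findings.append(f"{name}: last backup {b['last_backup']} is older than the RPO")
        # Online backups reachable with domain credentials are encrypted or deleted
        # alongside production data, so at least one copy must be isolated.
        if not b["isolated_copy"]:
            findings.append(f"{name}: no offline/immutable backup copy")
        if b["last_restore_test"] is None or TODAY - b["last_restore_test"] > MAX_RESTORE_TEST_AGE:
            findings.append(f"{name}: restore not tested in the last {MAX_RESTORE_TEST_AGE.days} days")
    return findings


def audit_privileged_roles(assignments):
    """Step 2: limit what a single stolen credential can reach."""
    findings = []
    for a in assignments:
        who = a["account"]
        if a["permanent"] and who not in BREAK_GLASS:
            findings.append(f"{who}: standing {a['role']} assignment; convert to JIT eligibility")
        if not a["mfa_enforced"]:
            findings.append(f"{who}: privileged role {a['role']} without enforced MFA")
        if a["also_daily_user_account"]:
            findings.append(f"{who}: admin role on a daily-use account; use a separate admin identity")
    return findings


def audit_entry_points(services):
    """Step 3: remove risk where attackers first get in."""
    findings = []
    for s in services:
        label = f"{s['name']} ({s['host']}:{s['port']})"
        if s["internet_exposed"] and s["port"] in RISKY_EXPOSED_PORTS:
            proto = RISKY_EXPOSED_PORTS[s["port"]]
            findings.append(f"{label}: {proto} exposed to the internet; move behind VPN or bastion")
        if s["internet_exposed"] and s["legacy_auth_enabled"]:
            findings.append(f"{label}: legacy authentication enabled, which bypasses MFA")
    return findings


def run_audit(inventory):
    return (audit_recovery(inventory["backups"])
            + audit_privileged_roles(inventory["privileged_assignments"])
            + audit_entry_points(inventory["services"]))


# Constructed inventory; hosts use the 203.0.113.0/24 documentation range.
INVENTORY = {
    "backups": [
        {"system": "file-server", "last_backup": date(2021, 5, 31), "isolated_copy": True,
         "last_restore_test": date(2021, 4, 15)},
        {"system": "erp-db", "last_backup": date(2021, 5, 25), "isolated_copy": False,
         "last_restore_test": None},
    ],
    "privileged_assignments": [
        {"account": "emergency-admin", "role": "Global Administrator", "permanent": True,
         "mfa_enforced": True, "also_daily_user_account": False},
        {"account": "ceo", "role": "Global Administrator", "permanent": True,
         "mfa_enforced": False, "also_daily_user_account": True},
        {"account": "ops-jit", "role": "Server Administrator", "permanent": False,
         "mfa_enforced": True, "also_daily_user_account": False},
    ],
    "services": [
        {"name": "jump-host", "host": "203.0.113.10", "port": 3389, "internet_exposed": True,
         "legacy_auth_enabled": False},
        {"name": "mail", "host": "203.0.113.20", "port": 443, "internet_exposed": True,
         "legacy_auth_enabled": True},
        {"name": "intranet", "host": "10.0.0.5", "port": 445, "internet_exposed": False,
         "legacy_auth_enabled": False},
    ],
}

if __name__ == "__main__":
    for finding in run_audit(INVENTORY):
        print("FINDING:", finding)
```

On the constructed inventory the audit flags the ERP database (stale, online-only, never restore-tested), the boss’s standing Global Administrator role on a daily-use account without MFA, the internet-facing RDP host and the mail service that still accepts legacy authentication, while the break-glass account and the JIT-eligible operator pass.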
The importance of professional advice
Hackers are getting craftier by the day, so it’s a very good idea to get someone who works with this kind of thing on a daily basis to assess your defences. Most in-house IT departments won’t have someone who fits the bill, as it’s a very specialised field.
It’s also important to remember that no matter how much you spend, it will still always be possible to break into a cybersecurity system. The real trick lies in balancing how much it costs you to implement the solution with how much it will cost hackers to break into your network.
At BUI, customers often ask, for example, whether they should implement MFA or Endpoint Detection and Response. In an ideal world, both systems will be part of a comprehensive cybersecurity plan. But we are aware that cyber-attacks are just one of the risks that businesses need to guard against, and that all decisions have to be made as part of a cost/benefit analysis.
At BUI we pride ourselves on using our vast experience to look at a customer’s resources and situation and advise on a course of action that will give them the most bang for their buck, and then on using our stellar relationship with Microsoft to implement and manage it in the most cost-effective manner possible.