Ransomware Spread: The Blind Spot in Security


New identity protection approach prevents critical security gaps caused by ransomware. However, almost no company is able to proactively prevent the automated spread of the ransomware payload if it has bypassed the defenses at delivery and execution. A comment from Martin Kulendik, Regional Sales Director DACH at Silverfort.

Cyber blackmail by ransomware remains one of the greatest security threats facing businesses. The common practice in cybersecurity today is to protect against the delivery and execution phases of these attacks. However, almost no company is able to proactively prevent the automated spread of the ransomware payload if it has bypassed the defenses at delivery and execution. Since it makes a big difference in a ransomware incident whether a single endpoint is infected or corporate data is encrypted en masse, the inability to prevent this spread is a critical vulnerability. In the following, protective measures are explained for each phase of a ransomware attack - from delivery to execution and automated distribution.

Measures to protect against ransomware delivery

In the delivery phase, attackers place the ransomware payload on the victim's computer. The most common methods used by cybercriminals include phishing emails, compromised RDP (Remote Desktop Protocol) access and watering hole attacks in which cybercriminals infect websites that are frequently visited by employees.

Protection is provided by email security gateways that scan emails to detect and remove risky content before user interaction, endpoint protection platforms that prevent the download of potential malware, and multi-factor authentication (MFA) for RDP connections, which prevents attackers from connecting with compromised credentials.

Measures to protect against ransomware execution

In the execution phase, the ransomware payload that has been successfully delivered to the workstation or server is executed with the intention of encrypting the data files on the computer.

Companies protect themselves against this by using Endpoint Protection Platforms (EPP) on their workstations and servers. The EPP aims to stop any process identified as ransomware from running, thereby preventing malicious encryption altogether.

Protection against the automated spread of ransomware

During the proliferation phase, the ransomware payload is copied to many other computers in the corporate environment via malicious authentication with compromised credentials. One of the most vulnerable areas of attack is shared folders. In a corporate environment, every user has access to at least some folders. This paves the way for ransomware to spread.

As explained earlier, this is the phase in which the greatest damage is done. However, this phase is a blind spot in corporate security defense today. There is no security solution today that can prevent the automatic spread of ransomware in real time. In practice, this means that a variant of ransomware that manages to bypass the security measures for delivery and execution - and a certain percentage of these variants always do - can spread within the corporate environment and encrypt every computer it reaches. And even if EPPs protect better and better against new malware strains, threat actors are also developing better and better circumvention methods and less conspicuous payloads, so that such circumvention is a very likely scenario.

Protection challenge

To better understand the root cause of this vulnerability, let's take a look at how automatic ransomware proliferation works.

There is a patient zero endpoint where the ransomware payload originally ran. To spread to other computers in the environment, the malware uses compromised credentials and performs basic authentication by providing the other computer with a valid (but compromised) username and credentials. While this activity is 100 percent malicious in its context, it is essentially the same as any legitimate authentication in the environment. There is no way for the identity provider - in this case Active Directory - to detect this malicious context. It will therefore approve the connection.

This is where the blind spot lies in protecting against ransomware: on the one hand, no security product can block real-time authentications, and on the other hand, the only product that could make this possible - the identity provider - is unable to differentiate between legitimate and malicious authentications.

Unified Identity Protection prevents the automated spread of ransomware

Unified Identity Protection is an agentless technology that integrates natively with the identity providers in the corporate environment to perform continuous monitoring, risk analysis and enforcement of access policies for every single attempt to access any on-premises or cloud resource. In this way, the Unified Identity Protection solution extends risk-based authentication and multi-factor authentication to resources and access interfaces that previously could not be protected - including the Active Directory command-line remote access interfaces on which the automatic spread of ransomware is based.

Proactively prevent attacks

This can proactively prevent attacks that misuse compromised credentials to access company resources, including the automated spread of ransomware. This is because the malware uses authentication with compromised credentials to spread in the target environment, with a particular preference for shared folders.

In order to implement real-time protection against the automated spread of ransomware, Unified Identity Protection takes the following measures:

1. Continuous monitoring

Unified Identity Protection continuously analyzes the authentication and access attempts of user accounts and creates a highly precise behavior profile of the normal activities of users and machines.

2. Risk analysis

In the case of the automated spread of ransomware, there are several simultaneous attempts to log in from a single computer and user account. The Unified Identity Protection platform's risk engine detects this abnormal behavior immediately and increases the risk assessment of both the user account and the computer.

3. Enforcement of Access Policies

Unified Identity Protection enables users to create access policies that use the real-time risk assessment to trigger a protective measure: for example, step-up authentication with MFA or even a complete block of access. The policy against the automated spread of ransomware requires MFA whenever the risk rating of a user account is either “High” or “Critical” and applies to all access interfaces - PowerShell, CMD and CIFS, the dedicated protocol for shared access to network folders.

With this policy enabled, any attempt by the ransomware to spread to another computer will not be allowed to connect unless MFA verification has taken place with the actual user whose credentials have been compromised. This means that the spread is prevented and the attack is limited to the originally infected “patient zero” endpoint.
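As an added illustration (example code written here, not Silverfort's own implementation, which the article does not show), the three steps above as a minimal risk engine in Python: authentication events per user and source host are profiled, a fan-out score is derived from how many distinct target hosts one account reaches within a short window, and a policy requires MFA on “High” or “Critical” risk for the CIFS, PowerShell and CMD interfaces. The event lines, the 30-second window and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article): timestamp, user,
# source host, target host, access interface, as an identity provider sees them.
EVENTS = """\
2024-03-01T09:00:01 alice WS-12 FS-01 CIFS
2024-03-01T09:03:17 alice WS-12 FS-01 CIFS
2024-03-01T10:15:02 bob WS-07 FS-01 CIFS
2024-03-01T10:15:03 bob WS-07 FS-02 CIFS
2024-03-01T10:15:03 bob WS-07 WS-21 PowerShell
2024-03-01T10:15:04 bob WS-07 WS-22 CMD
2024-03-01T10:15:04 bob WS-07 WS-23 CIFS
2024-03-01T10:15:05 bob WS-07 WS-24 CIFS
2024-03-01T10:15:05 bob WS-07 WS-25 CIFS
"""

WINDOW = timedelta(seconds=30)             # assumed burst window
PROTECTED = {"CIFS", "PowerShell", "CMD"}  # interfaces the policy covers

def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, src, dst, iface = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst, iface))
    return events

def risk_scores(events, high=3, critical=5):
    """Step 1+2: per (user, source host), count distinct targets reached
    within WINDOW; a burst of fan-out from one actor raises the rating."""
    by_actor = defaultdict(list)
    for ts, user, src, dst, _ in events:
        by_actor[(user, src)].append((ts, dst))
    scores = {}
    for actor, hits in by_actor.items():
        hits.sort()
        peak = 0
        for i, (ts, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - ts <= WINDOW}
            peak = max(peak, len(targets))
        scores[actor] = "Critical" if peak >= critical else "High" if peak >= high else "Low"
    return scores

def policy_decision(risk, iface):
    """Step 3: require MFA on High/Critical risk for every covered interface."""
    if iface in PROTECTED and risk in ("High", "Critical"):
        return "require_mfa"
    return "allow"
```

Running `risk_scores(parse(EVENTS))` rates alice “Low” (one file server, twice) and bob “Critical” (seven hosts in four seconds), so bob's next CIFS connection gets `require_mfa` while alice's stays `allow`.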

This special identity protection approach can prevent the most fatal component of ransomware attacks - the automated spread. With a unified identity protection solution, companies can finally cover this critical blind spot in defense and thus significantly increase their resistance to attempted attacks with ransomware.

More at Silverfort.com

About Silverfort

Silverfort is the provider of the first Unified Identity Protection Platform, which consolidates IAM security controls in corporate networks and cloud environments in order to ward off identity-based attacks. Through the use of innovative agentless and proxyless technology, Silverfort integrates seamlessly into all IAM solutions, standardizes their risk analysis and security controls and extends their coverage to assets that previously could not be protected, such as self-developed and legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access and more.
