Ransomware attacks are becoming increasingly prevalent, with a growth of more than 50% in the last year alone. Traditional approaches to cybersecurity, such as castle-and-moat, may fall short of what is required to control ransomware. In order to reduce their risks more effectively, organizations should take a zero-trust approach.
Zscaler, a cloud security company, has a unique perspective on ransomware attacks due to its cloud platform, which spans end-to-end connections between users, applications and devices. In this article, we will evaluate the benefits of moving to zero trust and learn how Zscaler can help combat ransomware attacks.
The limitations of traditional cybersecurity approaches
In the lifecycle of ransomware, gaining an initial foothold is the starting point for a successful attack. This can happen through various methods, including malware, phishing or by compromising assets that are exposed to the internet. If the compromise method is malware, traditional detection methods will struggle. At least 80% of all traffic is encrypted, and Zscaler has seen 24 billion attacks come through HTTPS, a 20% increase over the previous year and 314% more than the year before that. Traditional approaches will struggle to detect this, because SSL/TLS inspection is a compute-intensive operation. Therefore, a selective, priority-based approach to SSL decryption is usually employed, in which only some traffic is inspected, and this leaves the door open for the initial malware to pass through.
Zero-trust security: The future of ransomware prevention
A zero-trust approach dictates that everything should be scanned, especially encrypted traffic. Advanced threat protection, inline cloud sandboxing and many other AI-powered inspection technologies increase the likelihood of preventing the initial foothold. A zero-trust approach reduces the published attack surface considerably.
Zero trust aims to minimize the attack surface, which is the sum of all points in a system where an attacker could attempt to enter or extract data. This is where a complete security service edge (SSE) can help by providing secure connectivity to applications from anywhere without requiring exposure to the internet. With an inside-out connection to the SSE, your applications do not need to publish any IP addresses or allow inbound connections through firewalls, drastically reducing the attack surface. By minimizing the attack surface, you can significantly lower the risk of ransomware attacks and other cybersecurity threats.
Say goodbye to lateral movement: How zero trust disrupts ransomware’s progress
If ransomware manages to gain an initial foothold, its next goal is to spread. Traditional castle-and-moat security creates all sorts of problems here. The very nature of MPLS circuits and VPNs is to provide access to networks. A single compromised machine can easily spread to other systems through the networks it has access to, meaning that you have now moved from one compromised system to many, giving the ransomware access to the data it must encrypt for an attack to be successful.
A zero-trust approach, on the other hand, never has a one-to-many mapping. If a user wants to use an application, he or she is granted access only to that application, and each connection is kept separate. Because the system is effectively abstracted from the network, ransomware cannot see anything and has nowhere to spread. This level of user-to-application segmentation provides one of the most effective defenses against lateral threat movement.
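The difference between network-level access and per-application access is easiest to see as a blast-radius calculation. The following is an added example, not Zscaler's code or a description of its product internals: it models a flat corporate subnet with a few constructed, hypothetical applications, then compares what a compromised session can reach under a VPN-style broker (grants are CIDR ranges) versus a ZTNA-style broker (grants name individual applications). All user names, hosts and grants are constructed.

```python
"""Blast-radius comparison: network access vs. per-application access.

Added example (not Zscaler's code). All hosts, users and policies are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    host: str
    port: int


# Constructed inventory: every server sits on one flat 10.10.0.0/24 subnet,
# which is typical of a castle-and-moat network reachable over VPN or MPLS.
APPS = [
    App("payroll", "10.10.0.5", 443),
    App("fileshare", "10.10.0.7", 445),
    App("hr-portal", "10.10.0.9", 443),
    App("backup", "10.10.0.12", 22),
]


class NetworkAccessBroker:
    """VPN/MPLS model: a grant is a network range. Once connected, every host
    inside that range is reachable, whether or not the user needs it."""

    def __init__(self, grants):
        # grants: {user: [cidr, ...]}
        self.grants = {
            user: [ipaddress.ip_network(c) for c in cidrs]
            for user, cidrs in grants.items()
        }

    def can_connect(self, user, host, port):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.grants.get(user, []))

    def reachable_apps(self, user):
        return {a.name for a in APPS if self.can_connect(user, a.host, a.port)}


class ZtnaBroker:
    """Zero-trust model: a grant names one application. The broker only ever
    stitches together a connection to that application, so other hosts on the
    same subnet are neither reachable nor visible."""

    def __init__(self, grants):
        # grants: {user: {app_name, ...}}
        self.grants = {user: set(apps) for user, apps in grants.items()}
        self._by_endpoint = {(a.host, a.port): a for a in APPS}

    def can_connect(self, user, host, port):
        app = self._by_endpoint.get((host, port))
        return app is not None and app.name in self.grants.get(user, set())

    def reachable_apps(self, user):
        return {a.name for a in APPS if self.can_connect(user, a.host, a.port)}


def blast_radius(broker, compromised_user):
    """Applications an attacker could reach from a hijacked session of this user,
    i.e. the set of systems a worm-style spread could move to next."""
    return broker.reachable_apps(compromised_user)


def compare(user):
    """Return (network_model_count, ztna_count) for the same business need:
    the user only ever needs the HR portal."""
    vpn = NetworkAccessBroker({user: ["10.10.0.0/24"]})
    ztna = ZtnaBroker({user: {"hr-portal"}})
    return len(blast_radius(vpn, user)), len(blast_radius(ztna, user))


if __name__ == "__main__":
    net_count, ztna_count = compare("alice")
    print(f"network model: {net_count} apps reachable; ztna: {ztna_count} app reachable")
```

Under the network model the single grant for alice exposes all four servers, including the SMB file share and the backup host, to whatever runs in her session; under the per-application model the same grant exposes exactly one endpoint and a connection attempt to any other host or port is refused by the broker before it reaches the network.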
In the following phases, ransomware will encrypt data, may even try to exfiltrate it (if it is a double-extortion attack), or may try to download additional code. As discussed, ransomware is extremely constrained in a zero-trust environment, but even if it gets this far, the inline DLP scanning and content inspection tools mentioned earlier will detect these actions as they happen.
Each of the ransomware objectives is addressed by the Zscaler zero-trust platform by aligning response strategies to attack techniques. Because this is a cloud-based platform, it can not only scale out to provide full inspection of all encrypted traffic, but also reduce the burden of requiring appliance-based point products for each individual part of the kill chain.
The zero-trust model in action for a school district
One of the largest school districts in the United States asked Zscaler for help with ransomware attacks; it had been paying the ransoms to regain access to its data and systems. It had problems at every point in the kill chain because it was using an outdated castle-and-moat security approach. Zscaler helped the district implement an end-to-end zero-trust platform like the one illustrated above. Once implemented, the school district saw immediate improvements in several areas, including a 35% overall drop in malware-infected systems and an 85% reduction in malware attacks. Beyond the reduction in threats, it also achieved a 75% reduction in the effort spent responding to and investigating attacks.
A list of concrete steps to take to prevent ransomware attacks
It is critical to incorporate ransomware protection controls into a comprehensive zero-trust architecture that disrupts attacks and minimizes damage at every stage. The following best practices and advanced capabilities can help you significantly reduce the risk of a ransomware attack:
- Prevent compromise with consistent security policies: Full SSL inspection at scale, browser isolation, inline sandboxing and policy-driven access controls will help prevent access to malicious websites.
- Eliminate lateral movement by removing applications from the internet and implementing a zero-trust network access (ZTNA) architecture: By connecting users directly to apps (not the network), you can limit the blast radius of an attack.
- Shut down compromised users and insider threats: By combining inline application inspection and integrated deception capabilities, you can detect, trick and stop would-be attackers.
- Stop data loss: By keeping software and training up to date, as well as deploying inline data loss prevention and inspection tools, you can prevent theft of data in motion and at rest by threat actors. To learn more, check out the ThreatLabZ 2022 Data Loss Report.
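The inline DLP scanning referred to above, and in the earlier discussion of double-extortion exfiltration, works by inspecting outbound content before it leaves. The following is an added example, not Zscaler's DLP engine or any vendor's rule set: a minimal inspector that looks for payment card numbers (validated with the Luhn checksum so that arbitrary digit runs are not flagged), US SSN-shaped strings and a document classification marker, then decides whether an upload to a given destination should be allowed. The sample request bodies, destinations and allow-list are all constructed.

```python
"""Minimal inline DLP inspector for outbound uploads.

Added example (not Zscaler's code). Patterns are illustrative; sample bodies
and destinations are constructed.
"""
import re

# A card number: first digit, then 12-15 more digits, each optionally preceded
# by a space or dash (covers "4111 1111 1111 1111" and "4111-1111-1111-1111").
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CLASSIFICATION_MARKER = "INTERNAL-CONFIDENTIAL"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_upload(body: str, destination: str, allowed_destinations) -> dict:
    """Return findings and an allow/block verdict for one outbound request.

    Sensitive content is only blocked when it is headed somewhere outside the
    sanctioned destinations, so normal business uploads are not disrupted.
    """
    findings = {}
    cards = find_card_numbers(body)
    if cards:
        findings["card_numbers"] = len(cards)
    ssns = SSN_RE.findall(body)
    if ssns:
        findings["ssn"] = len(ssns)
    if CLASSIFICATION_MARKER in body:
        findings["classification_marker"] = True

    sensitive = bool(findings)
    sanctioned = destination in allowed_destinations
    action = "block" if (sensitive and not sanctioned) else "allow"
    return {"destination": destination, "findings": findings, "action": action}


# Constructed sample traffic: an exfiltration attempt to an unknown file host,
# the same data going to the sanctioned HR system, and benign chatter.
ALLOWED = {"hr.example.internal"}
SAMPLE_REQUESTS = [
    ("paste.example-unknown.net",
     "INTERNAL-CONFIDENTIAL payroll export\nJ. Doe 123-45-6789 card 4111 1111 1111 1111"),
    ("hr.example.internal",
     "J. Doe 123-45-6789 card 4111-1111-1111-1111"),
    ("paste.example-unknown.net",
     "call me on 555-123-4567; order ref 4111111111111112"),   # fails Luhn
]


def run_samples():
    return [inspect_upload(body, dest, ALLOWED) for dest, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The third sample shows why the checksum matters: the 16-digit order reference fails Luhn and the phone number is too short, so the request is allowed rather than generating a false positive, while the first sample is blocked on three independent findings.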
About the author
CISO and VP Security Research at Zscaler
As Chief Information Security Officer & VP Security Research at Zscaler, Deepen Desai is responsible for running the global security research operations as well as working with the product group to ensure that the Zscaler platform and services are secure. Deepen has been actively involved in the field of cybersecurity for the past 15 years. Prior to joining Zscaler, he held a security leadership role at Dell SonicWALL.