Understanding how ransomware works makes it clear why sound policies and containment are the best defense.

Security leaders tasked with thwarting ransomware attacks must leverage containment techniques to prevent breaches from causing widespread chaos.
Containment strategies reduce the blast radius of a cyberthreat by limiting or preventing the lateral movements of an intruder who succeeds in breaking into your network, a topic covered in a recent post.
It’s a strategy that, when properly implemented, can all but eliminate the possibility of a catastrophic ransomware attack, says John Kindervag, chief evangelist at Illumio and the creator of Zero Trust.
How ransomware works
Understanding what happens during a ransomware attack, and how containment works, makes it clear why Kindervag can make such a claim.
Containment protects valuable network resources by permitting only connections that are explicitly allowed by a predefined policy; all others are denied. When implemented based on insights derived from artificial intelligence (AI)–based security graphs, it enables highly granular policy control throughout the network, as detailed in this previous post.
A ransomware attack requires multiple connections, Kindervag says.
First, an intruder who succeeds in infiltrating the network must drop the ransomware software on a target resource. That’s not necessarily the ultimate target but, rather, just a starting point.
Next, the software establishes an outbound connection to a command-and-control server, or C2 server. What follows is likely several back-and-forth communications with the C2 server, which sends instructions to the ransomware on lateral movements, to download additional software, or maybe to do nothing for a while to avoid detection.
Eventually, when the intruders find what looks like a sufficiently important target, the C2 server will send encryption keys along with instructions to encrypt the target data. After that, the intruders inform the target company about the attack and attempt to extract a ransom.
“So, there’s six, eight, or 10 connections that happen that you were completely unaware of,” Kindervag says. “It’s like a criminal gang is going in and out of your house while you’re sitting and watching TV, paying no attention.”
Proper policy prevents ransomware
In a properly configured Zero Trust environment, that entire scenario would be all but impossible, because there would be no policy allowing the initial connection between the ransomware and the C2 server, he says.
“It doesn’t matter how sophisticated the ransomware software is, because it still needs a policy statement to be successful,” Kindervag says. “People are saying, ‘Oh, they’re making more sophisticated attack software.’ Well, yeah, but they’re taking advantage of bad or no policy.”
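The two sections above make one point: the ransomware's outbound C2 connection and its later lateral moves are ordinary network connections, and under a default-deny policy they fail not because anyone recognized them as malicious but because no rule permits them. The following is an added example, not Illumio's code or anything from the post; it evaluates a small allow-list policy over a set of constructed connection attempts. The subnet (10.0.1.0/24), the three allow rules, and the attempt list are hypothetical, and 203.0.113.45 is a documentation-range address standing in for an external C2 destination.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One explicit allow rule: traffic from src to dst on a port and protocol."""
    src: str            # source CIDR
    dst: str            # destination CIDR
    dst_port: int
    proto: str = "tcp"
    label: str = ""     # human-readable purpose of the rule


@dataclass(frozen=True)
class Connection:
    """One observed connection attempt (constructed sample data)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """True if the connection falls inside the rule's source, destination, port and protocol."""
    return (
        ip_address(conn.src_ip) in ip_network(rule.src)
        and ip_address(conn.dst_ip) in ip_network(rule.dst)
        and conn.dst_port == rule.dst_port
        and conn.proto == rule.proto
    )


def evaluate(policy: list, conn: Connection) -> str:
    """Default deny: a connection is allowed only if some rule explicitly permits it."""
    for rule in policy:
        if rule_matches(rule, conn):
            return "allow"
    return "deny"


# Hypothetical allow-list for a workstation subnet (10.0.1.0/24).
# Nothing here grants outbound access to the internet or to other workstations.
POLICY = [
    Rule("10.0.1.0/24", "10.0.2.10/32", 445, "tcp", "workstations -> file server (SMB)"),
    Rule("10.0.1.0/24", "10.0.2.53/32", 53, "udp", "workstations -> internal DNS"),
    Rule("10.0.1.0/24", "10.0.2.20/32", 443, "tcp", "workstations -> web proxy"),
]

# Constructed connection attempts from one workstation, named after the stages
# described in the post. No real traffic was captured for this example.
ATTEMPTS = {
    "file_share": Connection("10.0.1.15", "10.0.2.10", 445),
    "dns": Connection("10.0.1.15", "10.0.2.53", 53, "udp"),
    "proxy": Connection("10.0.1.15", "10.0.2.20", 443),
    # outbound call to an external address (203.0.113.45 is a documentation-range stand-in)
    "c2_callback": Connection("10.0.1.15", "203.0.113.45", 443),
    # workstation-to-workstation connections: lateral movement the policy never allowed
    "lateral_smb": Connection("10.0.1.15", "10.0.1.22", 445),
    "lateral_rdp": Connection("10.0.1.15", "10.0.1.22", 3389),
}


def evaluate_all(policy: list, attempts: dict) -> dict:
    """Map each named attempt to its allow/deny decision."""
    return {name: evaluate(policy, conn) for name, conn in attempts.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all(POLICY, ATTEMPTS).items():
        print(f"{name:12s} {decision}")
```

The three legitimate connections match a rule and pass; the external callback and both lateral attempts reach the end of the rule list and are denied. The evaluator never inspects payloads or signatures, which is the practical meaning of "it still needs a policy statement to be successful": a more sophisticated payload changes nothing about the decision, while an overly broad rule (for example, allowing the whole subnet to reach any destination on 443) would.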
Key takeaway
The Illumio Platform uses AI-driven security graphs to paint a picture of the connections within a network. It enables users to create strong policies to protect all their resources, including preventing the sort of outbound connections that ransomware relies on.
Learn how Illumio can help you win the fight against ransomware and other forms of data breaches.