Ransomware: Why least privilege is key for prevention

Ransomware is universally recognised as one of the top risks that organisations are facing today, with attackers exploiting fears and uncertainty around COVID-19 to boost their rate of success. David Higgins, EMEA Technical Director at CyberArk, tells us which tools and solutions organisations should consider investing in to protect themselves and highlights the best practice approach for protecting against ransomware attacks.

David Higgins, EMEA Technical Director at CyberArk

Where does ransomware sit within the modern threat landscape?

Within cyber, it’s got to be up there as one of the top risks that organisations are tracking. You only have to look at the importance that the US government, for example, has recently put on ransomware through its mission statements to see how prominently it is being recognised, not just within the west but further afield globally.

What are the different types of ransomware and how do they impact organisations?

There are four categories of ransomware and all focus on impacting the ‘CIA’ triangle – confidentiality, integrity, or availability of data.

The first type is scareware, where victims get a pop-up on their screen stating there are vulnerabilities on their machine and they need to click on a link to pay for the software to fix the vulnerabilities. It scares people into paying for something they really don’t need.

But it’s the other three categories that are causing problems these days.

First is crypto, which is where the ransomware will go out and encrypt data and then hold the organisation to ransom in order to retrieve the encryption key.

Another variant, very similar in terms of its impact, is a locker variant ransomware which will lock out a system. Rather than encrypting data, it locks out a device and won’t allow access until the attacker is paid.

The fourth version – which is something we’re starting to see more and more recently and is twinned with either crypto or locker – is extortion. This is when data is stolen, exfiltrated and then held to ransom. Attackers will say ‘if you don’t pay us, we’re going to release this data on the Darknet’, as an example, and so you end up paying for the right to go and delete your own data from the attacker servers.

Can you give us some insight into how the frequency of ransomware attacks has changed and why?

There are many different attributes as to why this has happened. One of them is to do with political relationships between countries – we have to be aware that some variants out there have been linked back to nation states. But I wouldn’t say that’s the predominant driver.

Key issues are those such as the impact of the pandemic and people working more remotely, in less secure environments. There’s a lot more fear, uncertainty and doubt that attackers are exploiting around things like COVID-19 and getting users to click on links and open attachments.

Most ransomware is delivered through some form of social engineering or a phishing attack, but it has become so easy for attackers to execute and get a return from that attack. There is also the increased rise of cryptocurrencies which make it easier for them to receive payment, but still remain anonymous and more difficult to track.

Why are existing tools and strategies not working against these types of threats?

Perhaps what we focus on too much is stopping the ransomware from getting in and detecting it once it’s there because that becomes an evolving process. It is a continual movement of the goalposts.

We try and detect based on signatures, so attackers then change the code and manipulate those signatures. We try and chuck it on behavioural patterns, so if a process methodically goes through and encrypts files alphabetically, we can see that process is something we want to block, and so again the attackers will then evolve their code to do encryption on a more sporadic basis.

A lot of the focus has been on that initial intrusion point and stopping and detecting it from executing, whereas perhaps we should be taking a step back and looking at the commonality in all these different variations that we’ve discussed.

This is something more targeted that we can focus on because a lot of ransomware discussions are isolated to the endpoint but while a ransomware attack will hit one endpoint to start with, its objective is to spread. So, there’s this kind of propagation that happens within ransomware that often isn’t necessarily focused.
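The evasion described in the answer above (encrypting files alphabetically, then "sporadically" once a behavioural rule catches the orderly version) is why detection logic is usually written to be order-agnostic. The following Python is an added example, not code from the interview or from CyberArk: it scores each process by how many extension-changing, high-entropy writes it makes inside a short sliding time window, so the order in which files are touched makes no difference. The event format, process names, file contents and thresholds are all constructed for the example.

```python
"""Order-agnostic ransomware behaviour heuristic (added example, constructed data).

Rather than matching a file-touch order (alphabetical, sequential), each process
is scored on how many writes inside a sliding time window look like encryption:
the file extension is replaced and the new content is near-random.
"""
import math
import random
from collections import defaultdict, deque

# Constructed stand-ins for file content: the first has every byte value equally
# often (entropy 8.0 bits/byte, like ciphertext); the second is ordinary text.
CIPHERTEXT_LIKE = bytes(range(256)) * 4
PLAINTEXT_LIKE = b"Quarterly revenue summary for the board, draft three. " * 20


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted/compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(old_ext: str, new_ext: str, content: bytes) -> bool:
    """A write is suspicious when the extension was swapped and the data is near-random."""
    return old_ext != new_ext and shannon_entropy(content) > 7.0


def flag_processes(events, window_seconds=5.0, threshold=10):
    """Return the set of process names with >= `threshold` suspicious writes
    inside any `window_seconds` span. Events are dicts with keys
    t (seconds), proc, path, old_ext, new_ext, content; input order is irrelevant."""
    recent = defaultdict(deque)   # proc -> timestamps of recent suspicious writes
    flagged = set()
    for ev in sorted(events, key=lambda e: e["t"]):
        if not looks_encrypted(ev["old_ext"], ev["new_ext"], ev["content"]):
            continue
        window = recent[ev["proc"]]
        window.append(ev["t"])
        while window[0] < ev["t"] - window_seconds:   # drop writes outside the window
            window.popleft()
        if len(window) >= threshold:
            flagged.add(ev["proc"])
    return flagged


def build_sample_events():
    """Constructed telemetry: two encrypting processes (one alphabetical, one
    shuffled) and one ordinary editor saving documents."""
    events = []
    docs = [f"{chr(ord('a') + i)}.docx" for i in range(12)]
    # alpha.exe walks files in alphabetical order, four per second
    for i, name in enumerate(docs):
        events.append({"t": i * 0.25, "proc": "alpha.exe", "path": name,
                       "old_ext": ".docx", "new_ext": ".locked", "content": CIPHERTEXT_LIKE})
    # sporadic.exe touches the same set in a shuffled order, a little slower
    shuffled = docs[:]
    random.Random(7).shuffle(shuffled)
    for i, name in enumerate(shuffled):
        events.append({"t": 100 + i * 0.4, "proc": "sporadic.exe", "path": name,
                       "old_ext": ".docx", "new_ext": ".locked", "content": CIPHERTEXT_LIKE})
    # winword.exe saves a few documents normally: same extension, text content
    for i, name in enumerate(docs[:3]):
        events.append({"t": 200 + i * 0.2, "proc": "winword.exe", "path": name,
                       "old_ext": ".docx", "new_ext": ".docx", "content": PLAINTEXT_LIKE})
    return events


if __name__ == "__main__":
    print("flagged:", sorted(flag_processes(build_sample_events())))
```

Both encrypting processes are flagged and the editor is not, because the rule keys on what a write looks like and how fast writes arrive rather than on which file comes next. In a real deployment the entropy and extension checks would be fed from EDR or file-system telemetry, and the threshold tuned against backup and compression tools that legitimately produce high-entropy output.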

Which tools and solutions should organisations consider investing in to protect themselves and what’s the best practice approach for protecting against ransomware attacks?

There are the basic elements and basic hygiene which organisations should certainly be considering. For example, keeping machines patched and up to date, making sure you’ve got some form of next-gen antivirus and EDR solution is going to help filter out some of those initial intrusions.

But taking a step back, we’ve got to be cognisant that it’s becoming very profitable to execute these types of attacks and we’re seeing reports of affiliation to nation states because of the impact and the damage that’s caused. It all comes back to the fact that ransomware wants to spread. It might get onto one workstation, but it wants to spread far and wide and if it’s extortion, it’s going to want to pivot off your workstations and go after your data.

Taking a different look at this, it’s going to be things such as making sure that everyone’s running without administrative rights on their workstation, ensuring that everyone’s using strong authentication and moving away from the usage of passwords in your environment. Because propagation or lateral movement, which is something you want to stop, is going to be a lot easier if there are a lot of weak credentials being used in environments.

Using strong authentication like multi-factor authentication is going to be important, as well as managing the privileged and administrative accounts in your environment because they’re commonly targeted to allow that spread to take place.

Forcing and adopting the principle of least privilege is something that’s talked about in every kind of government best practice, but striving towards least privilege is going to make the attacker’s life a lot more difficult.

It has a double reward for organisations because that best practice would be the same if we were talking about trying to prevent a data breach or stop a nation state performing espionage in their environment, or lateral movement.

It just so happens in this case we’re talking about ransomware because the end objective is some form of ransom to be held against the organisation.
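The workstation control the answer above keeps returning to, nobody running with local administrative rights, is something an administrator can verify directly rather than assume. The following PowerShell is an added example and not CyberArk's tooling: it compares the local Administrators group against an allowlist and reports anything else, previewing removal with -WhatIf. The allowlist contents, including the group name CORP\Workstation Admins, are hypothetical placeholders.

```powershell
# Added example (not CyberArk tooling): audit a workstation's local Administrators
# group against an allowlist so unnecessary admin rights can be found and removed.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+)
# and an elevated session.

# Hypothetical allowlist: the built-in account (ideally disabled) and one tiered
# workstation-admin group. Replace with the principals your environment approves.
$Approved = @(
    "$($env:COMPUTERNAME)\Administrator",
    'CORP\Workstation Admins'
)

$Members    = Get-LocalGroupMember -Group 'Administrators'
$Unexpected = $Members | Where-Object { $Approved -notcontains $_.Name }

if ($Unexpected) {
    Write-Warning "Unexpected members of Administrators on $($env:COMPUTERNAME):"
    $Unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

    # Preview the remediation; drop -WhatIf once the allowlist has been confirmed.
    foreach ($m in $Unexpected) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf
    }
} else {
    Write-Output "No unexpected local administrators on $($env:COMPUTERNAME)."
}
```

Run it through whatever endpoint management channel already reaches every workstation and collect the warnings centrally; a user account or an unexpected domain group appearing in the output is exactly the standing privilege that lets a compromised workstation become the first hop of lateral movement.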

How does CyberArk set itself apart from others as a ransomware prevention partner?

We look at the end-to-end process, including all the aspects that take place in a ransomware attack such as a data breach or service disruption.

We’re very cognisant of what’s happening around identities in that attack cycle and attack path. We’re really focusing on reducing and removing admin rights across the entirety and, when it comes to ransomware, being aware that this is not just an endpoint piece.

Yes, we have technology and services and help organisations ensure no one’s running with local admin rights – which is really important because we’re all sitting at home on Wi-Fi networks which no one’s ever changed the router password for so we’re in an environment that’s less secure than when we’re in the office.

Helping organisations lock down permissions is important but knowing that for ransomware to take place and really impact an organisation it’s going to want to spread and move out.

It’s also stepping away from the endpoint and looking at how lateral movement and propagation happens in the wider organisation, so things such as privileged access management, forcing least privilege, delivering strong adaptive multi-factor authentication. These are things that we have with our capability suite, as they tackle that endpoint problem but also that wider problem of lateral movement within the organisation.
