As ransomware attackers weaponise our trust, a new approach is needed

Almost every week another ransomware attack hits the headlines, and each week seems more concerning than the last.

The latest high-profile attack against Kaseya – an IT developer for enterprises and managed service providers – brings home how sophisticated ransomware attacks are becoming. Malicious payloads aren’t just being delivered in poorly-written spam mails, attackers are now taking a ‘hub-and-spoke’ approach to inflict the most amount of damage, against the widest number of victims, with the least amount of effort possible.

By weaponising the trust enterprises place on the service providers within their ecosystem, attackers continually thwart perimeter, endpoint, and application-layer security defences, gaining access to the data of hundreds – if not thousands – of businesses in one fell swoop.

With any inbound communication potentially posing a threat to Australian enterprises, a ‘zero-trust’ approach ensures critical data is always protected and can be rapidly recovered following an attack.

It is clear the ‘trust but verify’ approach to data protection is no longer adequate and businesses must rethink their protection and ransomware recovery plans.

Zero-trust data management

The traditional approach to cybersecurity has been to adopt a fortress mentality, focusing on preventative measures and perimeter defences.

This assumes 100 per cent of attacks can be stopped ‘at the border’ while also assuming anything ‘inside the border’ can be trusted. Enterprises have been investing in such measures for decades, yet still attackers are able to thwart them and bring businesses to their knees. This demands a rethink.

VIEW ALL

While perimeter security still has its place, organisations need to consider how they can make their data resilient when an attacker breaches those defences – this is the core of a zero-trust approach to security.

Developed by the National Institute of Standards (NIST), zero-trust is defined as “an evolving set of cyber security paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources”.

Consider the physical security of a bank branch as an example. Its doors might include heavy locks, complemented with CCTV, alarms, and security guards. But once past these defences, are cash and gold left strewn in a storage room? No. They’re locked up in heavy safes that can’t be breached without an access code or key. This is the heart of a zero-trust model. It assumes everyone is a bad actor and you can only grant access to approved, safe members.

The ‘crown jewels’ of every business today is its data, and that data must be protected in a similar way.

Back up and running

For any victim of ransomware, recovery – without being forced to pay multimillion-dollar ransoms – comes down to the quality of its backups.

Ransomware attacks are evolving all the time but there’s one recent development that is particularly concerning.

Attackers have begun targeting backup data to make recovery even harder. Backup data ruins the entire ransomware business model because it allows a business to restart operations from a ‘save point’ prior to the infection. Hackers are well aware of this, so by also encrypting backup data, the victim is more likely to have to pay the ransom.

The Australian Cyber Security Centre recommends organisations back up their critical data at least daily to ensure operations can restart quickly following a ransomware attack. The more frequently data is backed up, the more rapidly you can recover without having to pay attackers the ransom – which recent research suggests is $1.25 million on average.

This ability to rapidly recover operations from backup data is the best ransomware counter-measure businesses have at their disposal.

Consider the experience of another Australian ransomware victim – Queensland-based Langs Building Supplies.

The business was hit with ransomware one morning, with the malware quickly encrypting hundreds of thousands of files. Despite the extent of the attack, Langs was able to completely restart its operations from its immutable backups within just an hour.

Rather than face days, weeks, or even months offline struggling to recover its systems – along with the need for expensive cyber security consultants and forensic specialists to support remediation – Langs’ business was back operating at 100 per cent capacity before lunchtime on the same day.

With a zero-trust approach to data management, every user, every application, and every device is treated as untrustworthy. By only providing the minimum level of access needed to perform an approved task, and assuming an attacker has already infiltrated the network, trust can no longer be weaponised.

Dale Heath is the head of solutions engineering at Rubrik A/NZ.