Is Stopping a Ransomware Attack More Important than Preventing One?

The sophistication and frequency of ransomware attacks are growing. According to Akamai CTO Robert Blumofe, ransomware has become “a repeatable, scalable, money-making business model that has completely changed the cyberattack landscape.” Conti, for example, the cybercrime giant that operates much like the businesses it targets – with an HR department and employee of the month – not only aims to make money but to carry out politically motivated attacks. (Learn more in our Ransomware Threat Report H1 2022.)

And although ransomware is still mostly targeted at large organizations, small to medium-sized organizations are increasingly falling victim. Lincoln College in Illinois announced in May that it will close its doors after 157 years, citing a ransomware attack as a contributing cause.

How to avert a ransomware disaster

It makes sound security sense for organizations to put strong measures in place to stop ransomware from gaining access to their IT environments (often referred to as north-south movement). But our increasingly complex traffic flows coupled with distributed workforces have left many security organizations playing catch-up and making tough decisions on tradeoffs. In this post-breach world, focusing on implementing microsegmentation to ensure the organization can stop a ransomware attack – rather than trying to prevent one – can be the best way to ensure there are no disasters.

Microsegmentation accomplishes two things organizations desperately need. The first is visibility. Enforcing a zero trust policy – which is the ultimate goal – begins with understanding the assets that are being protected and how they are (and should be) communicating with each other. Microsegmentation helps accomplish this using artificial intelligence (AI) and machine learning (ML), which classify traffic flows and label data. Security teams then write rules with the confidence that those rules will do what’s needed: prevent malicious actions without disrupting the business.

Second, microsegmentation enables granular policies that restrict lateral movement to precisely prohibit malicious behavior without false positives. This is the coup de grace for ransomware. If it cannot travel laterally within your IT environment, it cannot reach your valuable data and encrypt it.

The other plus in starting your defense strategy with microsegmentation is the role AI can play in helping organize, protect, and make sense of the vast amounts of data used to make the business run. So, no matter your industry, using AI to map all data and information flows gives you a better chance of staying ahead of ever more sophisticated cyberattacks.

As we learned from the leaked Conti documents, threat actors don’t begin to encrypt machines until they’ve achieved network dominance, and network dominance is achieved by spreading laterally (east-west) throughout the environment. Their initial foothold in a network usually isn’t a particularly valuable machine, but rather that of an end user who was duped by a phishing email. Encrypting that machine is of little value to the threat actor, who must move laterally to more valuable machines, such as critical workloads or machines with personally identifiable information.

To keep this movement from occurring, agent-based microsegmentation logically divides the enterprise into segments that each have their own well-defined security controls. It also allows for policy within the segments, down to the machine, process, and service. Those controls ensure each process communicates only with the other processes necessary to carry out the function.

But it’s not only about blocking lateral movement; it’s also about detecting the presence of a threat. There are five facets to building a strong ransomware defense strategy, and microsegmentation addresses all of them.

To ensure your organization does not fall victim to ransomware, you need to:

  1. Prepare your IT environment – Identify every application and asset running in it. Microsegmentation gives you this level of granular visibility, which helps you to quickly map critical assets, data, and backups – and also better identify vulnerabilities and risks. This complete picture of your network environment means you can respond quickly and activate rules to thwart a breach.
  2. Prevent movement – Create rules to block common ransomware propagation techniques. Software-defined segmentation creates zero-trust micro-perimeters around critical applications, backups, file servers, and databases. Segmentation policies can also restrict traffic between users, applications, and devices to block any attempt at malicious lateral movement.
  3. Detect attempted access – Get alerts to any blocked access attempts to segmented applications and backups. This can work in concert with reputation-based detection that alerts you to the presence of known malicious domains and processes. Rapid discovery of attempted attacks minimizes dwell time and increases your odds of catching attackers.
  4. Remediate an attack – Use automatic threat containment and quarantine measures through microsegmentation. When an attack is detected, isolation rules allow the rapid disconnection of affected areas of the network, while segmentation policies block access to critical applications and system backups.
  5. Recover and restore operations – Restore connectivity gradually through visualization capabilities that allow different areas of the network to be validated as all clear.
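
The prevent, detect and remediate steps above, as an added sketch that is not Akamai's product or code: a default-deny, label-based policy evaluated over constructed flow records, with alerts on blocked access to protected segments and quarantine of the offending source. The asset names, segment labels, rules and quarantine threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str      # source asset
    process: str  # process that opened the connection
    dst: str      # destination asset
    port: int

# Constructed inventory (assumption): asset -> segment label.
LABELS = {"laptop-17": "users", "web-01": "web", "db-01": "database",
          "backup-01": "backups", "fs-01": "fileserver"}
# Allowed (src segment, process, dst segment, port); anything else is denied.
ALLOW = {("users", "chrome.exe", "web", 443),
         ("users", "explorer.exe", "fileserver", 445),
         ("web", "nginx", "database", 5432),
         ("database", "pg_dump", "backups", 22)}
PROTECTED = {"database", "backups", "fileserver"}  # segments that raise alerts

def evaluate(flows, quarantined=frozenset()):
    """Return (verdicts, alerts); alerts are denied flows aimed at PROTECTED."""
    verdicts, alerts = [], []
    for f in flows:
        rule = (LABELS.get(f.src), f.process, LABELS.get(f.dst), f.port)
        if f.src in quarantined or f.dst in quarantined:
            verdict = "deny:quarantine"
        elif rule in ALLOW:
            verdict = "allow"
        else:
            verdict = "deny:default"
        verdicts.append(verdict)
        if verdict != "allow" and rule[2] in PROTECTED:
            alerts.append(f)
    return verdicts, alerts

def contain(alerts, threshold=2):
    """Quarantine every source with at least `threshold` blocked attempts."""
    counts = {}
    for f in alerts:
        counts[f.src] = counts.get(f.src, 0) + 1
    return frozenset(s for s, n in counts.items() if n >= threshold)

# Constructed flow records, not real telemetry.
SAMPLE = [Flow("laptop-17", "chrome.exe", "web-01", 443),
          Flow("laptop-17", "explorer.exe", "fs-01", 445),
          Flow("laptop-17", "unknown.exe", "db-01", 445),
          Flow("laptop-17", "unknown.exe", "backup-01", 445),
          Flow("web-01", "nginx", "db-01", 5432)]

if __name__ == "__main__":
    verdicts, alerts = evaluate(SAMPLE)
    isolated = contain(alerts)
    print(verdicts, sorted(isolated), evaluate(SAMPLE, isolated)[0])
```

Because the rules key on the process as well as the segment and port, the same laptop reaches the file server through its expected process but is denied when an unlisted process tries the database and backups.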

To get details on how microsegmentation can help you prepare for, detect, remediate, and recover from a ransomware attack, get direct access (no forms) to our in-depth white paper: Stop the Impact of Ransomware

Dan Petrillo is a Director of Product Marketing at Akamai (Former AVP of Product Marketing at Guardicore). He began his career as Product Manager for an Industrial IoT company in charge of ensuring the security of smart lighting and building automation systems. Petrillo went on to lead Product Marketing for Cybereason then Morphisec before joining Guardicore. He received his Bachelor of Science degree in Electrical Engineering from Northeastern University.

Jim Black is a Senior Product Marketing Manager in Akamai’s Enterprise Security Group. He has spent his entire career in technology, with roles in manufacturing, customer support, business development, product management, PR, and marketing.

Copyright © 2022 IDG Communications, Inc.
