Unlike many holiday seasons, attackers continued an onslaught on US organizations between Christmas and the new year.
While many of the attacks continue to catch headlines as ransomware, a deeper look suggests that it may finally be time for all organizations to move beyond perimeter defense.
The Ransomware Invasion
Ransomware attacks starred as the holiday bogeyman. Various attacks shut down a U.S. Coast Guard facility for 30 hours, forced the shutdown of the University of Maastricht in the Netherlands, and even indefinitely closed a 300-employee telemarketing agency in Sherwood, AR.
And those were just some of the notable ransomware attacks to start the year. Facility shutdowns and company closures highlight the existential risk that malware attacks pose.
Yet, it can get worse.
In our Malware year in review blog, we noted that the Maze ransomware team threatened to release victims’ data in order to add additional pressure to pay the ransom. Since that blog was published, data from the city of Pensacola, Fl., and Southwire Company, LLC, have been publicly released.
The FBI has since released an alert that the Maze ransomware team is actively targeting US companies.

Traditionally, most security postures have been to seal off the perimeter of the organization. However, that fundamental strategy is being questioned as attackers continue to expose vulnerabilities in perimeter defense.
Phishing and Vulnerabilities
It is well known that phishing remains a key entry point for attackers. A phishing email is used either to harvest legitimate credentials, which are then reused against the organization's remote-access services, or to trick users into running malware on their local machines.
While many companies use educational programs to decrease the number of users who click on phishing emails, people simply make mistakes. In a large organization, it is likely that someone will slip up at some point.
Of course, phishing isn't the only attack vector. Even as companies invest in stronger, more sophisticated firewalls, remote access services such as Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP) are, by design, reachable through those firewalls, so a flaw in the remote access service or a stolen credential exposes the interior network.
Threatpost elaborated on research showing how an attacker who controls the local network, for example by running a malicious coffee shop Wi-Fi access point, can determine that a client has an active VPN tunnel, identify the tunnel's virtual IP address, and inject data into a Transmission Control Protocol (TCP) session carried inside the VPN. The attack was verified against OpenVPN, WireGuard and IKEv2/IPsec clients on macOS, iOS, Android, and most Linux distributions.
Even though that vulnerability isn’t found on Windows systems, IT managers shouldn’t relax. After all, the notorious SamSam attackers who took down the city of Atlanta are also known for attacking Microsoft’s IIS, FTP vulnerabilities and publicly exposed RDP instances.
Even Fortinet and Pulse Secure SSL VPN appliances have been found to be vulnerable, and cybercriminals have used those flaws to deliver malware. The vulnerabilities (CVE-2018-13379 in FortiOS and CVE-2019-11510 in Pulse Connect Secure) let an unauthenticated attacker read files, including cached credentials, from the appliance. Is this rather old news? Yes. The vulnerabilities were disclosed early last year and patches were released in April 2019.
While that should be the end of the story, unfortunately it's not. The threat intelligence company Bad Packets estimates that nearly 4,000 Pulse Secure VPN servers, including about 1,300 in the U.S., remain unpatched and vulnerable.
This is a valuable reminder of both the need to patch, and the sad reality that many IT departments do not find the time to patch quickly.
Endpoint Protection
Is your organization relying on endpoint malware detection?
Sophos revealed that the Snatch ransomware operators enter an environment through exposed RDP ports, brute-force the administrator password on an Azure-hosted server, and move laterally to Windows domain controllers. The Snatch payload then installs itself as a Windows service named SuperBackupMan, adds a registry key that permits that service to start in Safe Mode, and forces the endpoint to reboot into Safe Mode.
Since most endpoint protection software does not load in Safe Mode, the endpoint is left defenseless while Snatch encrypts it. A Safe Mode reboot is generally obvious to any user, but how many bleary-eyed coffee-zombies (i.e., your typical users) will enter their passwords and not initially notice why their computers look funny?
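The technique above leaves two artifacts on the host that are cheap to check for: a boot configuration that forces Safe Mode, and a service registered under the SafeBoot keys that Windows consults to decide which services may start in Safe Mode. The following PowerShell check is an added example written for this post; it is not code from Sophos or from the Snatch write-up. The service name SuperBackupMan is taken from the report above; the rule that treats a Safe Mode service whose binary lives outside the Windows directory as suspicious is an assumed heuristic, so review its findings rather than acting on them automatically. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): hunt for Safe Mode persistence
# of the kind the Snatch report describes. Returns a list of findings; an
# empty list means nothing suspicious was seen.
function Test-SafeModePersistence {
    [CmdletBinding()]
    param()
    $findings = @()

    # 1. Is the current boot entry configured to start in Safe Mode?
    #    (bcdedit prints a line such as "safeboot   Minimal" when it is.)
    $bcd = bcdedit /enum '{current}' 2>$null
    $safeboot = $bcd -match '^\s*safeboot\s+'
    if ($safeboot) {
        $findings += "Boot loader forces Safe Mode: $($safeboot -join '; ')"
    }

    # 2. Is the service named in the Snatch report present at all?
    if (Get-Service -Name 'SuperBackupMan' -ErrorAction SilentlyContinue) {
        $findings += "Service 'SuperBackupMan' exists (name used by Snatch)"
    }

    # 3. Which services are allowed to start in Safe Mode, and where do their
    #    binaries live? Safe Mode only starts services listed under these keys,
    #    which is why ransomware registers itself here.
    $windowsDir = [regex]::Escape($env:SystemRoot)
    $trustedPath = "(?i)^(\\\?\?\\)?`"?(system32\\|\\SystemRoot\\|%SystemRoot%|$windowsDir)"
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($entry in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $name = $entry.PSChildName
            $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" `
                                    -ErrorAction SilentlyContinue
            # Entries that are driver groups or device-class GUIDs have no
            # Services key; only real services are of interest here.
            if ($null -eq $svc -or -not $svc.ImagePath) { continue }
            $image = [string]$svc.ImagePath
            if ($image -notmatch $trustedPath) {
                # Assumed heuristic: a Safe Mode service whose binary is outside
                # the Windows directory deserves a closer look.
                $findings += "SafeBoot\$mode allows '$name' with ImagePath outside Windows dir: $image"
            }
        }
    }
    return $findings
}

# Usage: print findings, or a clean bill of health.
$result = Test-SafeModePersistence
if ($result.Count -eq 0) { 'No Safe Mode persistence indicators found.' } else { $result }
```

The check is read-only. If it reports a forced Safe Mode boot on a machine that nobody deliberately configured that way, treat it as an incident in progress rather than a misconfiguration, because the reboot is the step that disables the endpoint protection.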
Using the Zero Trust Framework
With so many holes into an organization and the possibility to bypass endpoint security, what is an organization supposed to do? Network World suggests that one answer is to move to the Zero Trust framework.
Zero Trust has become quite a popular buzzword that frequently shows up in vendor marketing materials. To add further confusion, there are no hard standards or rigorous definitions for the concept.
However, there is actual substance behind the hype.
Zero Trust takes as its starting point the assumption that the perimeter has already been breached. While different companies implement Zero Trust in different fashions, most implementations seek to keep an intrusion from escalating through three controls: strict access control, identity management, and monitoring of user behavior.
Users no longer receive broad access to the internal network, and they no longer reach it through broadly exposed remote-access services (VPN, RDP, etc.). Instead, a gateway, or broker, first authenticates both the device and the user.
Once authenticated, the user and device are granted access only to the specific applications and network segments to which they have been assigned; everything else is denied by default.
Gartner estimates that 60% of enterprises will switch from VPN access to Zero Trust networks by 2023. But, according to a recent survey, only 13% of enterprises have even started to implement any Zero Trust initiatives.
Until recently, the obstacle was the technology.
While Google implemented Zero Trust in 2014, most companies lacked Google's resources to build the same thing themselves. Fortunately, many vendors (such as Palo Alto Networks, Akamai, Okta, Symantec, Microsoft, and Cisco) have now begun to release Zero Trust-focused products and services.
In the Gartner article, several early adopters are interviewed about how they currently implement Zero Trust into their enterprise environments. While each has taken a different approach, they all recommend starting small and focusing on key vulnerabilities, such as non-employee access (vendors, third parties, etc.), or newly launched cloud infrastructure.
Additionally, the examples illustrate how Zero Trust has become focused either on networks or identities.
Network-focused Zero Trust starts with the assets to be protected and works its way out to the users. The implementation uses network segmentation, application-aware firewalls, and strictly assigns applications and users based upon need.
Identity-focused Zero Trust starts with verifying the users and their devices. This method relies on identity management applications and privileged access managers, and issues certificates to trusted devices before allowing users to connect to the network.
Choosing the Right Zero Trust Solution
The optimal implementation absolutely depends upon your organization’s needs.
Do you have many remote users? Then focusing on identity management might be the best option for you.
Do you have key assets to protect (drug research, credit card data, etc.)? Then a network-focused approach might be best to protect those assets.
Each vendor and service offers its own benefits and trade-offs.
Working with an experienced partner like Ideal Integrations can help your organization navigate the nuances and determine what aspects of Zero Trust can be easily adopted and integrated into your IT security framework.
Contact us today to get started! Just complete the form below, or call 412-349-6680.