I recently had the pleasure of moderating a virtual panel with AlgoSec co-founder and CTO, Avishai Wool and Guardicore CTO, Ariel Zeitlin, in which the two industry leaders discussed how organizations can fight ransomware using micro-segmentation.
According to recent survey figures, more than 60% of organizations claim not to have experienced a cyber-attack, but another 40% said they have experienced a significant number of breaches in the past two years alone. During the session I asked both panelists about these two extremes, and whether or not they thought the COVID-19 pandemic had been a contributing factor.
Avishai began by talking about AlgoSec’s experience of its own customers being targeted more in recent years. He made the point that cybercriminals are opportunists, and once they have discovered a vulnerability or found a tactic that works, they’re likely to keep repeating it. There are frameworks out there which allow bad actors to mount quite sophisticated attacks without much technical knowledge, making cybercrime easier and more lucrative than it has ever been. The number of potential targets is also growing as COVID-19 has pushed businesses further online.
Ariel then highlighted the speed at which businesses had been forced to move to remote working in 2020, and that there wasn’t time to put proper security strategies in place. He said that employees were the number one access point for bad actors, and the move to agile working just made them even more vulnerable.
Ariel went on to talk about the move towards reconnaissance and how bad actors would typically choose their targets based on the amount of business-critical or sensitive information they were likely to have. However, he did warn that smaller enterprises shouldn’t become complacent in thinking they are “too small” to be targeted. Ransomware is far too easy to monetize in 2020, so everybody is a target. Ariel also discussed the trend of lateral attacks and exfiltrating small amounts of data at a time, creating a lever to continuously ask for ransom payments.
Avishai picked up on Ariel’s comments and highlighted the emphasis on the lateral movement of attackers. Traditionally, a ransomware attack may have been confined to one computer or one very small network. Today, however, the first infection could be an employee working at home who opens the wrong email. That infection could then spread laterally throughout the entire organization making it much harder to defend against, quarantine or eradicate. I asked Avishai what steps could be taken to prevent the lateral spread of something like a ransomware attack, and he talked about the importance of backups, access controls and quality staff training.
When asked about the first steps an organization should take if they’ve experienced a ransomware attack, Ariel explained how the number one priority should be to contain and stop the spread of the virus, saving whatever can be saved. Start using back-ups, disallow access to servers, and block SMB ports all over the network to contain the attack. Then it becomes an investigation – finding out what happened with whatever tools are available, ideally with a rapid response team. Avishai then talked about the advantages of segmenting an overall network into pieces to help with diagnostics and containment.
While traditional firewalls can offer some high-level segmentation, it’s not really feasible to deploy multiple firewalls to create smaller segments. Thankfully, that’s not much of a concern nowadays, since all leading public cloud vendors already include network filtering which gives businesses incredible levels of control over their network. However, Avishai went on, the real problem organizations face when it comes to micro-segmentation isn’t a lack of technological capability, it is a lack of policy and strategy.
In Avishai’s experience, this is a huge knowledge gap for many businesses. Ariel reinforced this, adding that policies aren’t static and change over time, often hundreds of times per week in larger organizations.
While vendors can provide the ability to create micro-segments, it’s down to organizations themselves to write the policy rules around what kind of traffic to allow through each segment. To hear more thoughts on micro-segmentation from Avishai and Ariel, including how to write effective micro-segmentation filtering policies both inside and outside of the data center, you can watch the recorded discussion here.
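The two threads above, a steady-state allow-list policy per segment and the emergency containment steps Ariel described (block SMB network-wide, cut off access to servers, keep backups reachable), can be made concrete with a small policy evaluator. The following is an added illustration written for this post, not code from AlgoSec, Guardicore or either speaker; the segment labels, address ranges, ports and sample flows are all constructed, and the rule format is a simplified stand-in for whatever a real cloud filtering or micro-segmentation product uses.

```python
"""Allow-list micro-segmentation policy evaluator with a containment mode (illustrative)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample segments: label -> address ranges (hypothetical addresses).
SEGMENTS: Dict[str, list] = {
    "workstations": [ip_network("10.10.0.0/16")],
    "web":          [ip_network("10.20.1.0/24")],
    "app":          [ip_network("10.20.2.0/24")],
    "db":           [ip_network("10.20.3.0/24")],
    "backup":       [ip_network("10.30.0.0/24")],
}

# TCP ports used by SMB; denying them across every segment is the
# network-wide block described in the containment steps above.
SMB_PORTS = (139, 445)

@dataclass(frozen=True)
class Rule:
    src: str                 # segment label, or "*" for any segment
    dst: str
    proto: str               # "tcp" or "udp"
    ports: Tuple[int, ...]   # destination ports; () means any port
    action: str              # "allow" or "deny"

@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)   # first match wins
    default: str = "deny"    # allow-list model: unmatched traffic is dropped

def segment_of(ip: str) -> str:
    """Map an address to its segment label, or 'unknown' if it is unassigned."""
    addr = ip_address(ip)
    for label, nets in SEGMENTS.items():
        if any(addr in net for net in nets):
            return label
    return "unknown"

def _matches(rule: Rule, src_seg: str, dst_seg: str, proto: str, port: int) -> bool:
    return (rule.src in ("*", src_seg)
            and rule.dst in ("*", dst_seg)
            and rule.proto == proto
            and (not rule.ports or port in rule.ports))

def evaluate(policy: Policy, src_ip: str, dst_ip: str,
             proto: str, port: int) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule) for one flow; rule is None if the default applied."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    for rule in policy.rules:
        if _matches(rule, src_seg, dst_seg, proto, port):
            return rule.action, rule
    return policy.default, None

def containment_policy(base: Policy) -> Policy:
    """Prepend emergency deny rules: SMB blocked everywhere and workstations
    cut off from every segment, while the rest of the policy (for example the
    backup host's access to the database for restores) stays intact."""
    emergency = [
        Rule("*", "*", "tcp", SMB_PORTS, "deny"),
        Rule("workstations", "*", "tcp", (), "deny"),
        Rule("workstations", "*", "udp", (), "deny"),
    ]
    return Policy(rules=emergency + list(base.rules), default=base.default)

# Steady-state policy: only the flows the application tiers actually need.
STEADY_STATE = Policy(rules=[
    Rule("workstations", "web", "tcp", (443,), "allow"),
    Rule("web", "app", "tcp", (8443,), "allow"),
    Rule("app", "db", "tcp", (5432,), "allow"),
    Rule("backup", "db", "tcp", (5432,), "allow"),
])

# Constructed sample flows: (src, dst, proto, destination port).
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.9", "tcp", 445),    # workstation -> workstation SMB
    ("10.10.1.5", "10.20.1.3", "tcp", 443),    # workstation -> web front end
    ("10.10.1.5", "10.20.3.7", "tcp", 5432),   # workstation -> database directly
    ("10.20.2.4", "10.20.3.7", "tcp", 5432),   # app tier -> database
    ("10.30.0.5", "10.20.3.7", "tcp", 5432),   # backup host -> database
]

def audit(policy: Policy, flows=SAMPLE_FLOWS) -> List[str]:
    """Evaluate each flow and return the 'allow'/'deny' decisions in order."""
    return [evaluate(policy, *flow)[0] for flow in flows]

if __name__ == "__main__":
    for name, pol in (("steady state", STEADY_STATE),
                      ("containment", containment_policy(STEADY_STATE))):
        print(f"--- {name} ---")
        for flow, decision in zip(SAMPLE_FLOWS, audit(pol)):
            print(f"{segment_of(flow[0]):>12} -> {segment_of(flow[1]):<12} "
                  f"{flow[2]}/{flow[3]:<5} {decision}")
```

The point of the default-deny model is visible in the first sample flow: workstation-to-workstation SMB is dropped under the steady-state policy without any rule mentioning it, which is what limits the lateral spread Avishai and Ariel described. Switching to the containment policy only prepends deny rules, so the existing allow rules that incident responders still need (here, the backup host reaching the database) keep working while workstation access is cut.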