Identity’s Role in Addressing Ransomware Attacks

Ransomware attacks are on the rise, and cyber criminals are using a variety of methods to carry out these potentially damaging assaults. Among these are entry through endpoints and administrative accounts – both human and machine. Ransomware attacks grew exponentially in the last few years in North America and around the world. According to a Google Transparency Report, more than 2,145,013 phishing sites were registered as of January 2021, a 27% jump from the previous twelve-month period. Malware sites also rose from 21,803 to 28,803 over the same period, an increase of 32%.

A cyberattack typically results from a gap or vulnerability in an organization’s IT infrastructure, which attackers exploit to gain access to systems, devices or data on the network. A ransomware attack is a type of cyberattack in which an attacker drops malicious code on a computer or network that encrypts data and then demands a ransom from the victim organization or individual. Some attackers also threaten to expose stolen data if the ransom is not paid.

Malware (ransomware) reaches the target system through phishing, compromised code, email attachments, malicious links and similar means. Once downloaded, it scans local and network systems for files to encrypt. Compromised credentials can be the easiest way in: the attacker simply logs in and drops the malicious payload. In the case of Colonial Pipeline, an unused VPN account was used to gain entry to the network.

Organizations need to be prepared for these incidents and assume they will be targeted next. One of the most effective ways they can defend themselves and mitigate the risk is by taking an identity-defined security approach.

Strategies for Mitigating the Risk
Here are some steps organizations can take to mitigate risk from ransomware attacks:

Multi-factor Authentication (MFA): Identity and access management solutions such as MFA with single sign-on are now a must-have rather than a nice-to-have. With all the users trying to gain access to corporate networks—employees, business partners, customers, consultants, and others—having strong authentication is paramount to securing systems and data.

In addition, it often makes sense to deploy some kind of biometrics tool or push notification to users’ phones, to make it more difficult for bad actors to gain access. Trusted digital identities are vital for digital business, enabling companies to provide secure and convenient access to critical resources for business users and devices.

Privileged Access Management (PAM): Organizations should deploy privileged access management (PAM) solutions with a full audit trail of privileged user activity, session recording, frequent password changes and similar controls. Privileged access gives designated users rights above and beyond those of standard users, so privileged accounts must be protected against misuse.

Principle of Least Privilege: Organizations should also apply the principle of least privilege, a key component of zero trust security. The principle of least privilege is based on the assumption that every person, every device, every application, etc., is a potential threat to the organization, and therefore should only be granted the access permissions they need to complete a particular job function. The principle, if applied correctly, can help organizations protect privileged credentials, data, and systems by limiting access from within the network. It reduces the risk of an intruder gaining access to privileged accounts, possibly decreasing the risk of a serious data breach.

Automation: Wherever possible, organizations should automate security processes such as identity management and access policies. When changes, updates and the like are handled manually, things are more likely to fall through the cracks, opening the organization to security gaps that bad actors can take advantage of. The Colonial Pipeline attack is the classic example: had the VPN account used to gain access been automatically de-provisioned after its intended use, it would have been disabled or deleted and could not have been exploited.

Endpoint Privilege Management: Define policies for administrative access to endpoints – who can execute what, and which actions can be executed on endpoints. An endpoint privilege management platform capable of managing the risk associated with privileged accounts can reduce exposure by removing local administrative rights and controlling user and application permissions according to defined policies.
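The Automation step above argues that an account which is automatically de-provisioned after its intended use cannot later be abused, and the PAM step asks for an audit trail of account activity. The following Python script is an added example written for this article, not code from the original post or from Atos or CyberArk. It shows both sides of that argument on a constructed identity inventory and a constructed VPN authentication log: a de-provisioning pass that disables accounts past their intended-use date or idle beyond a threshold (never-used accounts are measured from creation, so a forgotten account cannot idle forever), and a detection pass that flags successful logins on accounts that were unknown, disabled, or dormant at the time of the login. The 90-day threshold, the `vpn-auth` log line format and all account names are assumptions for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Account:
    """One entry of an identity inventory (constructed data below)."""
    name: str
    created: datetime
    last_login: Optional[datetime] = None   # None means never logged in
    valid_until: Optional[datetime] = None  # end of intended use, if one was set
    enabled: bool = True


MAX_IDLE = timedelta(days=90)  # assumed idle threshold; tune to local policy


def last_activity(acct: Account) -> datetime:
    # A never-used account is measured from creation so it cannot idle forever.
    return acct.last_login or acct.created


def accounts_to_deprovision(accounts: List[Account], now: datetime,
                            max_idle: timedelta = MAX_IDLE) -> List[str]:
    """Names of enabled accounts past their intended-use date or idle too long."""
    stale = []
    for a in accounts:
        if not a.enabled:
            continue
        expired = a.valid_until is not None and now > a.valid_until
        idle = now - last_activity(a) > max_idle
        if expired or idle:
            stale.append(a.name)
    return stale


def deprovision(accounts: List[Account], now: datetime,
                max_idle: timedelta = MAX_IDLE) -> List[str]:
    """Disable stale accounts in place (disable rather than delete, so the audit
    trail and ownership records survive) and return the names disabled."""
    names = accounts_to_deprovision(accounts, now, max_idle)
    for a in accounts:
        if a.name in names:
            a.enabled = False
    return sorted(names)


# Assumed log format (constructed for this example, not a real product's format):
#   <ISO-8601 timestamp> vpn-auth user=<name> result=<SUCCESS|FAIL> src=<ip>
LOG_RE = re.compile(r"^(\S+) vpn-auth user=(\S+) result=(\S+) src=(\S+)$")


def dormant_login_alerts(log_lines: List[str], accounts: List[Account],
                         max_idle: timedelta = MAX_IDLE) -> List[str]:
    """Flag successful logins that should not have happened: on an account the
    inventory does not know, on a disabled account, or on an account that had
    been idle longer than max_idle when the login occurred. The inventory is
    treated as a snapshot taken before the log window."""
    by_name = {a.name: a for a in accounts}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, never trusted
        ts = datetime.fromisoformat(m.group(1))
        user, result, src = m.group(2), m.group(3), m.group(4)
        if result != "SUCCESS":
            continue
        acct = by_name.get(user)
        if acct is None:
            alerts.append(f"{ts.isoformat()} unknown account {user} from {src}")
        elif not acct.enabled:
            alerts.append(f"{ts.isoformat()} disabled account {user} from {src}")
        elif ts - last_activity(acct) > max_idle:
            idle_days = (ts - last_activity(acct)).days
            alerts.append(f"{ts.isoformat()} dormant account {user} "
                          f"(idle {idle_days} days) from {src}")
    return alerts


# Constructed sample inventory and VPN log (addresses are from documentation ranges).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
ACCOUNTS = [
    Account("alice", created=NOW - timedelta(days=400), last_login=NOW - timedelta(days=2)),
    Account("contractor-vpn", created=NOW - timedelta(days=500), last_login=NOW - timedelta(days=200)),
    Account("svc-backup", created=NOW - timedelta(days=120)),   # never used
    Account("temp-audit", created=NOW - timedelta(days=60),
            last_login=NOW - timedelta(days=10), valid_until=NOW - timedelta(days=1)),
    Account("bob", created=NOW - timedelta(days=5)),            # new, not used yet
    Account("old-disabled", created=NOW - timedelta(days=900),
            last_login=NOW - timedelta(days=300), enabled=False),
]
LOG_LINES = [
    "2024-01-30T08:00:00+00:00 vpn-auth user=alice result=SUCCESS src=198.51.100.7",
    "2024-01-30T08:05:00+00:00 vpn-auth user=contractor-vpn result=SUCCESS src=203.0.113.9",
    "2024-01-30T08:06:00+00:00 vpn-auth user=contractor-vpn result=FAIL src=203.0.113.9",
    "2024-01-30T08:07:00+00:00 vpn-auth user=ghost result=SUCCESS src=203.0.113.10",
    "not a vpn-auth line at all",
]

if __name__ == "__main__":
    for alert in dormant_login_alerts(LOG_LINES, ACCOUNTS):
        print("ALERT", alert)
    print("disabled:", deprovision(ACCOUNTS, NOW))
```

Run against the sample data, the detection pass raises two alerts (the successful login on the 200-day-dormant `contractor-vpn` account and the login by an account absent from the inventory), and the de-provisioning pass disables `contractor-vpn`, the never-used `svc-backup`, and the expired `temp-audit` while leaving the active and newly created accounts alone. Disabling rather than deleting keeps the account's history available to the audit trail that the PAM step calls for.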

The Impact of People and Process
In addition to deploying technology solutions, companies must not forget about the people and process issues that can influence their risk factor with regard to ransomware attacks.

One of the most important things organizations need to do is train their employees to be aware of potential signs of ransomware attacks, how to avoid taking actions that can trigger such attacks, and why it is important to report suspicious emails and other content to the security team.

This cannot be overemphasized: good training is essential to defending against ransomware and other cyber threats. And educational programs should not be limited to workers. Every executive from the CEO on down should be required to take part in training programs.

In fact, senior-level executives are often common targets of cyber threats because they hold many access privileges, so training for them is all the more important.

Security tools that integrate with email applications can be helpful in reporting suspicious activity because they make the process easier. But users need to know how to use them.

Organizations can also draw on security standards (NIST, ISO 27001, GDPR etc.) to implement security best practices, further strengthening their security posture and reducing overall risk exposure.

Prevention vs Mitigation
When defending against ransomware and other attacks, organizations need to keep in mind the difference between prevention and mitigation. Companies can prevent these attacks from happening in the first place through efforts such as user training and testing. Mitigation is what they do to keep attacks from escalating into bigger problems.

It’s not just a matter of semantics. Mitigation is essential to defending against ransomware. But organizations should not underestimate the value of preventative measures such as educating users about tactics such as phishing, social engineering, and others.

Operating as a modern digital business means being exposed to a lot of cyber security risk. Bad actors are out there, waiting for opportunities to cause damage or make money. Digital businesses don’t exist within a closed perimeter, but are in constant connection with cloud services, supply chains, and remote workers.

Putting up a firewall is no longer sufficient: times have changed, and so has the sophistication of attacks. Cyber security teams need to think like bad actors and anticipate their moves. Then they will be more likely to stop them before they can carry out their mission.

For a growing number of organizations, a zero trust architecture is the way to go with cyber security. Executives and teams need to be thinking in terms of zero trust for every facet of security from here on. This is not just a good practice in terms of defending against ransomware, but to address every cyber security threat out there.

Zero trust can be the foundation of an identity-based security model that helps organizations protect their most valued information assets as they continue to evolve into digital businesses.

Ransomware attacks are not going away, and organizations need to prepare strong defenses to defend themselves. The best way to do this is to focus on identities. Through a combination of tools, people, and processes, organizations can put themselves in a better position to mitigate the risk.

For additional information on the role of identity in preventing ransomware attacks, watch the webinar presented by Atos and CyberArk, The Evolution of Ransomware: What Does it Mean for You?

About the Author: Anil Bamzai is the Identity and Access Management Practice Lead for Atos in North America. He is focused on Cyber Security and Identity and Access Management and engages in consulting, advisory and strategy services for clients in North America and other geographies. He helps clients enable business outcomes by designing and delivering IAM and Cyber Security Solutions. Prior to joining Atos, Anil worked at CA Technologies for over a decade in Identity and Access Management space and has overall industry experience of more than 20 years. Anil holds a B.S. in Electronics and Telecommunications Engineering.
