CryptoniteNXT in the Media

Disincentivizing Ransomware Attacks

Ransomware, malicious software designed to prevent access to resources until a ransom is paid, has grown in prominence over the past few years and shows no signs of slowing down. Well-known ransomware examples such as CryptoLocker, WannaCry, and SamSam were all highly successful from an attacker’s point of view. These successes have further incentivized the perpetrators to press on with more attacks. Security vendors tirelessly fight to protect their customers from these types of fast-spreading and highly destructive attacks. When one or two computers in a network are stricken with ransomware, spreading to the rest of the network should not be easy. Based on current best practices, this is a losing battle. A single initial infection often takes over an entire business, hospital, or government office. This larger spread of ransomware disrupts operations, destroys or leaks data, and grinds the organization to a halt. The root of the problem is that enterprise network architectures and protocols were designed more than 30 years ago and are wholly incompatible with the security needs of the modern enterprise. In addition, network vendors favor ease of use and connectivity over security. The best location for stopping ransomware attacks has moved from the network perimeter to each endpoint (i.e. each computer or IP device) in order to safeguard lateral traffic inside the network.

Innovative and forward-thinking capabilities exist today to eliminate and/or mitigate these fundamental faults in our networks. A Zero Trust architecture is an emerging cyber security paradigm that brings together a variety of capabilities, including end-to-end identity, least-privilege access restrictions, network obfuscation, and monitoring. From a network standpoint, using micro-segmentation (policy-driven isolation of endpoints) to restrict access and moving target cyber defense (dynamically manipulating network addresses) to prevent discovery are two enabling technologies of Zero Trust. CryptoniteNXT is a cyber security product which combines these two capabilities with end-to-end identity context and monitoring to drive a Zero Trust ecosystem. A properly implemented Zero Trust network requires dramatically increased levels of effort from an attacker, while the potential risk of breach is greatly reduced.

Let’s discuss the problem in more detail, focusing on how micro-segmentation and moving target defense disincentivize ransomware attacks. Generally, a VLAN equals a subnet equals a broadcast domain. VLANs are created to group similar devices in order to contain broadcast traffic and ease the manageability of legacy layer 3 filtering rules. The vast majority of the time these filtering rules are ingress only, due to manageability concerns. While limited intra-VLAN filtering capabilities exist, they are rarely used because they are not scalable and are unwieldy to configure and maintain. Isolation capabilities also exist, such as private VLANs and protected ports/client isolation. Both prevent intra-VLAN traffic at a port level. However, these technologies are binary: two endpoints have either full access to each other or no access to each other. One could try to combine these techniques. However, just thinking about managing an environment like this sends shivers down my spine. The way switches learn which port an endpoint is attached to is based on unauthenticated broadcast/multicast protocols. Once learned, the switch provides no filtering. Do you see how this is incompatible with the current threat landscape? If an adversary gets code to run on your computer, whether via email- or web-borne exploitation, they now have free rein to poke, prod, and impersonate within that VLAN.

Segmenting your network is a best practice set forth by organizations like the Defense Information Systems Agency (DISA) and security vendors. This means separating endpoints at layers 1-3 by department, function, location, etc. For example, DISA requires that printers are placed in a printer VLAN and web servers in a web server VLAN. This is better than no segmentation at all, but it is simply not good enough. If there is more than one device utilizing a shared medium such as Ethernet in the same VLAN, how can one really trust anything that comes into or goes out of that VLAN? The security of an entire VLAN is equal to the least security of any device within that VLAN. I understand that segmentation in a traditional network architecture is non-trivial. Configuring segmentation takes planning and an understanding of one’s network and what resides in it. In addition, every segment requires a new layer 3 access list and DHCP scope. CryptoniteNXT solves these problems because each endpoint is automatically isolated. Attackers know that correctly configuring segmentation in a traditional network architecture is hard. In fact, they rely on it being hard for potential victims to get this right. Once the attacker has a foothold in the network, they will likely, especially in the case of ransomware, attempt to spread and infect rapidly.

When the attacker or malware finishes attacking its local VLAN and next starts gathering intelligence upstream, outside the VLAN, it will meet few obstacles to enumerating the network architecture. This is because the addressing scheme has not changed much since it was conceived more than 30 years ago. Internet Protocol (IP) describes the layer 3 addresses of endpoints. Similar to the best practice of grouping similar devices in the same VLAN, these devices also share a common IP subnet belonging to the larger organization. The static nature of traditional enterprise networks makes it trivial to map an entire network quickly. These protocols and technologies made perfect sense for their time, but now they are the weak links used to gain access to networks.

The most secure path forward is to first isolate every endpoint from every other endpoint. Next, make an access decision based on an endpoint’s or user’s role or group membership. The current practice of making access decisions based on IP would be unmanageable at this scale, and besides, IPs are vulnerable to spoofing. Finally, obfuscate the network topology to prevent reconnaissance. As an example, Cisco took a huge step forward with the introduction of TrustSec. TrustSec isolates endpoints and makes access decisions based on the source and destination security group. Each packet carries contextual meaning to inform policy decisions. TrustSec is limited in that it requires specific hardware throughout the network, can only handle one source group to one destination group for a given source and destination endpoint, and provides no protection against malware or malicious actors systematically mapping the larger network.

CryptoniteNXT works with any switch or wireless controller hardware and applies multiple source and destination groups for a given source and destination endpoint, allowing for finer-grained, layered access control, while never revealing to any endpoint the true layer 3 network topology. Essentially, it creates on-demand point-to-point connections over an Ethernet network. By isolating each endpoint, leveraging role-based access controls, and obscuring the true topology of the network, an organization can radically change the calculus in the ransomware purveyor’s equation, so that the level of effort required to gain only a few exploited boxes is no longer profitable.
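The access model argued in the last three paragraphs (isolate every endpoint by default, then grant reachability only between security groups bound to an authenticated identity, with an endpoint allowed to carry several groups) can be illustrated with a small policy evaluator. This is an added example written for this page, not CryptoniteNXT or TrustSec code; the hosts, group names, services and rules are constructed.

```python
from dataclasses import dataclass, field

# Constructed model: every endpoint is isolated unless an explicit rule between
# a source group and a destination group permits the requested service. Groups
# are attached to the endpoint's identity rather than to its IP address, so a
# spoofed source address does not change the decision.

@dataclass(frozen=True)
class Endpoint:
    name: str
    groups: frozenset  # an endpoint may belong to several groups (layered policy)

@dataclass
class GroupPolicy:
    # (source group, destination group) -> services explicitly permitted
    rules: dict = field(default_factory=dict)

    def allow(self, src_group: str, dst_group: str, service: str) -> None:
        self.rules.setdefault((src_group, dst_group), set()).add(service)

    def decide(self, src: Endpoint, dst: Endpoint, service: str) -> bool:
        """Default deny. Every (source group, destination group) pair the two
        endpoints form is checked, so a host in several groups inherits each
        layer of policy; with no matching rule the endpoints stay isolated."""
        for sg in src.groups:
            for dg in dst.groups:
                if service in self.rules.get((sg, dg), ()):
                    return True
        return False

def build_sample_policy() -> GroupPolicy:
    """Constructed policy: all users may print, only finance reaches the
    finance file server, and nothing ever permits workstation-to-workstation."""
    policy = GroupPolicy()
    policy.allow("all-users", "printers", "ipp")
    policy.allow("finance", "finance-servers", "smb")
    return policy

SAMPLE = {  # constructed endpoints; ws1 carries two groups at once
    "ws1": Endpoint("ws1", frozenset({"all-users", "finance"})),
    "ws2": Endpoint("ws2", frozenset({"all-users"})),
    "prn": Endpoint("prn", frozenset({"printers"})),
    "fs1": Endpoint("fs1", frozenset({"finance-servers"})),
}

def check(src: str, dst: str, service: str) -> bool:
    return build_sample_policy().decide(SAMPLE[src], SAMPLE[dst], service)

if __name__ == "__main__":
    for q in (("ws1", "prn", "ipp"), ("ws1", "fs1", "smb"),
              ("ws2", "fs1", "smb"), ("ws1", "ws2", "smb")):
        print(q, "ALLOW" if check(*q) else "DENY")
```

The lateral workstation-to-workstation request is denied even though both hosts would sit in the same VLAN in a traditional design, which is the isolation the article describes.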

###

Hans Ismirnioglou, CISSP served 8 years in the US Navy, and worked at Cisco prior to joining Cryptonite, hans@cryptonitenxt.com
