When Battling Ransomware, the Most Successful Cyber Hunters Use a Cheat Code

John Skinner

The past year has been challenging for teams that hunt and detect threats. Forensic analysis of many breaches reveals that such attacks proceeded unfettered and undetected for months, if not years. Many in the IT community sounded the death knell for threat hunting and detection, to which I say, “Not so fast!” We need to ensure hunters and detectors use the cyber-equivalent of a video game “cheat code.” The most well-proven yet underutilized cheat code against attackers is readily available. In fact, this cheat code was included in recent ransomware alerts and advisories issued by the United States’ FBI, CISA and Department of Homeland Security (DHS).

The Preventive Measure Hackers Hate

In addition to these recommendations by white hat authorities, the black hat community has also acknowledged the effectiveness of this cheat code. The online Russian newspaper website Lenta[.]ru recently published an anonymous interview with a threat actor who claims to work with REvil, which is a dominant player on the ransomware scene, and other sophisticated ransomware collectives. The interview subject admitted that one specific, preventive defense works against ransomware. This proven yet underutilized “cheat code” is network segmentation, according to the principle of zero trust.

Zero trust segmentation is an effective, preventive measure against threats. The pre-attack use of zero trust segmentation, and, more specifically, modern host-based segmentation, simultaneously delivers three advantages to threat hunters:

1) Before the next attacker shows up, it quickly discovers, visualizes and removes all unnecessary east-west, node-to-node network pathways. What remains is a significantly reduced attack surface, i.e., a smaller hunting ground. This resizing of the hunting ground permanently shifts the advantage from the attacker to the hunter.

2) It also allows segmentation and division of the remaining least-privileged network into containment areas, similar to the compartmentalization built into Navy ships. This pre-attack segmentation of the east-west network imposes restraints on every would-be attacker. Most of the attacker’s node-to-node communication and lateral-propagation pathways will be fitted with a roadblock. Before any attack can proceed, the attacker is “cornered” by network segmentation barriers.

3) It supports instrumenting the east-west network with lateral movement tripwires and other telemetry that doesn’t exist in endpoint detection and response (EDR) and similar detection tools. We pre-integrate zero trust segmentation tripwires and telemetry with security information and event management (SIEM), analytics and real-time response systems.

How Does Zero Trust Segmentation Stymie Ransomware Attackers?

Prior to deploying its catastrophic encryption, and as described in the MITRE ATT&CK kill chain, ransomware tries to conduct reconnaissance. It will attempt to move laterally across the east-west network, while deleting the footprints it creates inside each endpoint. This establishes a signal-persistence problem for EDR systems. Ransomware may also attempt to communicate with a command-and-control server, to exchange intelligence on files to be targeted for encryption and to obtain the most current encryption key.

Its lateral movement and communication attempts will immediately generate real-time policy violation events and other previously unavailable real-time signals. These indicators of compromise, which occur much earlier and more persistently than the signals on which EDR systems rely, spell the difference between immediate, decisive action (e.g., blocking specific lateral movement ports or quarantining high-value nodes), and a failure to detect and respond quickly.

In the battle against ransomware and other threats, the most successful cyberthreat hunters and detectors impose a preemptive set of restraints to thwart future attackers, before attacks begin. They simultaneously deploy trip wires that function as the earliest and most persistent warning system for hunters, detectors and responders. They reduce attack dwell time and help “corner” each attacker, accelerating detection and response.

That’s why pre-attack zero trust segmentation is the successful modern cyber-hunter’s cheat code.

In part 3 of this series, I’ll describe how a secondary zero trust segmentation control set can be predefined, pretested and placed into standby mode, and then triggered as an “emergency ransomware containment switch” in incidence response runbooks.

John Skinner is vice president of business development at Illumio, the pioneer of zero trust segmentation. Previously, he was VP of global business development and APAC sales at Shape Security, served as the VP of business development at HyTrust and led several technology integration teams at Intel. He holds an MBA from Rutgers, a certificate in AI from DeepLearning, and a bachelor’s degree in electrical/computer engineering from Cornell, where he is a guest lecturer on technology monetization. You may follow him on LinkedIn or @illumio on Twitter.