Is Stopping a Ransomware Attack More Important Than Preventing One?


Ransomware’s sophistication and the frequency of its attacks continue to grow. According to Akamai CTO Robert Blumofe, ransomware has become “a repeatable, scalable, money-making business model that has completely changed the cyberattack landscape.” Conti, for example, the cybercrime giant that operates much like the businesses it targets – with an HR department and an employee of the month – not only aims to make money but also carries out politically motivated attacks. (Learn more in our Ransomware Threat Report H1 2022.)

Another alarming development: though ransomware still mostly targets large organisations, small-to-medium-sized organisations are increasingly falling victim. Lincoln College in Illinois announced in May that it will close its doors after 157 years, citing a ransomware attack as a contributing cause.

How to avert a ransomware disaster

It makes sound security sense for organisations to put strong measures in place to try to stop ransomware from gaining access to their IT environments (traffic entering or leaving the environment is often referred to as north-south movement). But our increasingly complex traffic flows, coupled with distributed workforces, have left many security organisations playing catch-up and making tough decisions on trade-offs. In this post-breach world, focusing on implementing micro-segmentation to ensure the organisation can stop a ransomware attack – rather than trying only to prevent one – can be the best way to ensure there are no disasters.

Why? Micro-segmentation accomplishes two things organisations desperately need now. First is visibility. Enforcing a zero-trust policy—which is the ultimate goal—begins with understanding the assets that are being protected and how they are (and should be) communicating with each other. Micro-segmentation helps accomplish this: using artificial intelligence (AI) and machine learning (ML), it classifies traffic flows and labels data, which accelerates the path to policy creation. Security teams then write rules with the confidence that those rules will do what’s needed: prevent malicious actions without disrupting the business.

Second, micro-segmentation enables granular policies that restrict lateral movement to precisely prohibit malicious behaviour without false positives. This is the coup de grace for ransomware. If it cannot travel laterally within your IT environment, it cannot reach your valuable data and encrypt it. The other plus in starting your defence strategy with micro-segmentation is that the role of AI is helping all of us organise, protect, and make sense of the vast amounts of data we use to make our businesses run. So, no matter your industry, using AI to map all data and information flows gives you a better chance of staying ahead of ever more sophisticated cyberattacks.

Why is micro-segmentation the best way to stop ransomware?

As we learned from leaked Conti documents, threat actors don't begin to encrypt machines until they've achieved network dominance, and network dominance is achieved by spreading laterally (east-west) throughout the environment. Their initial access into a network usually isn't a particularly valuable machine, but rather an end user who was duped by a phishing email. Encrypting that machine is of little to no value to the threat actor; they must move laterally to more valuable machines, like Active Directory (AD) servers, critical workloads, or machines holding intellectual property (IP) or personally identifiable information (PII).

To keep this movement from occurring, agent-based micro-segmentation logically divides the enterprise into segments that each have their own well-defined security controls. It also allows for policy within the segments, down to the machine, process, and service. Those controls ensure each process communicates only with the other processes that are necessary to carry out its function.

But it’s not only about blocking lateral movement, it’s about detecting the presence of a threat as well. There are five facets to building a strong ransomware defence strategy, and micro-segmentation addresses all five.

To ensure your organisation does not fall victim to ransomware, you need to:

  1. Prepare your IT environment by identifying every application and asset running in it. Micro-segmentation gives you this level of granular visibility, which helps you to quickly map critical assets, data, and backups, and also to better identify vulnerabilities and risks. With this complete picture of your network environment, you can respond quickly, activating rules that will thwart a breach.
  2. Prevent movement by creating rules to block common ransomware propagation techniques. Software-defined segmentation creates zero-trust micro-perimeters around critical applications, backups, file servers, and databases. Segmentation policies can also restrict traffic between users, applications, and devices to block any attempt at malicious lateral movement.
  3. Detect attempted access by being alerted to any blocked access attempts to segmented applications and backups. This can work in concert with reputation-based detection that alerts you to the presence of known malicious domains and processes. Rapid discovery of attempted attacks minimises dwell time and increases your odds of catching attackers.
  4. Remediate an attack with micro-segmentation’s automatic threat containment and quarantine measures. When an attack is detected, isolation rules allow the rapid disconnection of affected areas of the network, while segmentation policies block access to critical applications and system backups.
  5. Recover and restore operations using visualisation capabilities that restore connectivity gradually as different areas of the network are validated as being all clear.
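As an added illustration (not Akamai's or Guardicore's code), the toy policy engine below models the prepare, prevent, detect and remediate steps above: assets are labelled by segment, a flow is allowed only when an explicit label-based rule permits it (default deny), a blocked attempt against a critical segment such as backups raises an alert, and a quarantine rule isolates an asset entirely. The asset names, segment labels and ports are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str          # label assigned during the visibility/classification phase


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    port: int


@dataclass
class SegmentationPolicy:
    rules: frozenset                 # allow-list of Rule objects; anything else is denied
    critical: frozenset              # segments whose blocked attempts must be alerted on
    quarantined: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def evaluate(self, src: Asset, dst: Asset, port: int) -> bool:
        """Default-deny check of one flow. Records an alert when a critical
        segment is probed or when a quarantined asset tries to communicate."""
        if src.name in self.quarantined or dst.name in self.quarantined:
            self.alerts.append(f"QUARANTINE {src.name}->{dst.name}:{port}")
            return False
        if Rule(src.segment, dst.segment, port) in self.rules:
            return True
        if dst.segment in self.critical:
            self.alerts.append(f"BLOCKED {src.name}->{dst.name}:{port}")
        return False

    def quarantine(self, asset: Asset) -> None:
        """Isolation rule: cut the asset off from every segment."""
        self.quarantined.add(asset.name)


def demo():
    ws, web = Asset("ws-17", "users"), Asset("web-1", "app")      # constructed assets
    db, bkp = Asset("db-1", "data"), Asset("backup-1", "backup")
    policy = SegmentationPolicy(
        rules=frozenset({Rule("users", "app", 443), Rule("app", "data", 5432),
                         Rule("data", "backup", 22)}),
        critical=frozenset({"data", "backup"}))
    results = [policy.evaluate(ws, web, 443),    # normal business traffic: allowed
               policy.evaluate(ws, bkp, 445),    # SMB from a workstation to backups: blocked, alerted
               policy.evaluate(db, bkp, 22)]     # scheduled backup job: allowed
    policy.quarantine(ws)                        # remediation after the alert
    results.append(policy.evaluate(ws, web, 443))   # previously allowed flow is now denied
    return results, policy.alerts
```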

To get details on how micro-segmentation can help you prepare for, detect, remediate, and recover from a ransomware attack, get direct access (no forms) to our in-depth white paper: Stop the Impact of Ransomware.


Dan Petrillo is a Director of Product Marketing at Akamai (Former AVP of Product Marketing at Guardicore). He began his career as Product Manager for an Industrial IoT company in charge of ensuring the security of smart lighting and building automation systems. Petrillo went on to lead Product Marketing for Cybereason then Morphisec before joining Guardicore. He received his Bachelor of Science degree in Electrical Engineering from Northeastern University.

Jim Black is a Senior Product Marketing Manager in Akamai's Enterprise Security Group. He has spent his entire career in technology, with roles in manufacturing, customer support, business development, product management, PR, and marketing.

Copyright © 2022 IDG Communications, Inc.