Webinar Recording

Breaking the Ransomware Attack Chain

At some point, any business connected to the internet is likely to become a victim of ransomware, because these attacks are relatively easy and inexpensive to carry out but can yield large payouts for cybercriminals. The best way of tackling this threat is to know how to break the attack chain. Join security experts from KuppingerCole Analysts and BeyondTrust to find out why digital transformation has massively increased the attack surface, what you need to know about ransomware, why it appears to be winning, and how to create effective defenses against it.

John Tolbert, Lead Analyst at KuppingerCole, is joined by Brian Chappell, Chief Security Strategist at BeyondTrust, to discuss which security practices can realistically be implemented to defend against ransomware, which has become one of the most common cyber threats facing most organizations, particularly those in the energy, shipping, wholesale, retail, healthcare and financial industry sectors. These security industry veterans will also discuss the role that Privileged Access Management (PAM) can play in mitigating the risks of ransomware and other cyber threats by reducing the opportunities for attackers to access and navigate targeted IT environments.

Good morning, good afternoon. Welcome everyone to today's webinar. Today's topic is Breaking the Ransomware Attack Chain. I'm John Tolbert, Lead Analyst here at KuppingerCole, and today I'm joined by Brian Chappell, Chief Security Strategist from BeyondTrust. Hi Brian.
Hi John.
Man. There we go.
So a little bit about logistics. We're in control of the audio. You don't need to mute or unmute yourself. We will take questions and answers at the end of the session. You'll find a questions blank in the GoToWebinar control panel. Feel free to enter questions at any time. We'll do a couple of polls near the end of my presentation, and then we'll look at the results during the Q&A session. And we are recording the webinar, and both the recording and slides should be available in the next couple of days. So again, I'm John Tolbert from KuppingerCole. I'm gonna give some background on ransomware, how the business model is working, and then talk about cybersecurity tools that can help prevent ransomware from happening. And then I'll hand it over to Brian and, as I said, we'll do the Q&A at the end. Continuing on to ransomware background and trends, you know, I won't go too deeply into the history of ransomware.
I'm sure everyone has heard plenty about that. But just a kind of a quick overview, you know, way back in the beginning. And ransomware is not a new thing, unfortunately. You know, they started off as screen lockers, annoying, a bit injurious to productivity, but it wasn't until, you know, a few months, years later that encryption kind of became the standard thing that they would do in an attempt to hold, you know, hold victims' files ransom. And, you know, that started with local machines; individuals would commonly get it. Then it became more of a business and enterprise problem and they moved on to, you know, not only encrypting content on local machines and on servers, but also in the cloud. And many organizations do have backups. Many have online backups or use the cloud for backup. So in order to stop victims from being able to simply restore from backup, they started trying to encrypt those online backups. Then we moved on and, you know, we saw destructive wipers, you know, not just about trying to collect a ransom, but actually destroying data, destroying hardware in some cases, and using that as an attack vector. More recently we see data exfiltration, almost like an APT, advanced persistent threat, style: take the information, threaten to release confidential data, you know, and then detonate the ransomware. So this is what we've seen, you know, approximately over the last 10 years or so in the changing tactics that the ransomware perpetrators are using.
So what are the factors that have enabled the growth of ransomware? Well, cryptocurrency availability obviously would probably be number one on most people's list: acceptance of cryptocurrency. It's become something that everybody's aware of and knows how to get. And then, you know, increasing value throughout the 2010s and even up until the 2020s. Of course, the willingness of victims to pay ransoms has certainly contributed to that. Shouldn't be controversial at this point, but the use of cybersecurity insurance in some cases to pay ransoms has contributed to this as well. But we've also seen specialization in the labor market around ransomware and the development of the ransomware-as-a-service business model.
So how does ransomware as a service work? You know, broadly speaking, we can say there are like three main specialties in ransomware as a service. There are the service providers themselves, so they're cybercriminal outfits that, you know, develop and update the ransomware. They provide tech support, believe it or not. You know, they occasionally provide decryption keys, not always, collect the money from the victims and then pay the affiliates. They're also responsible for recruiting and vetting the affiliates or operators. Then we have access brokers. Access brokers are the malicious actors that go out and discover and compromise accounts. These are accounts generally within victim organizations. They may be, you know, RDP accounts, VPN accounts, something that allows the perpetrator to get inside the network and the assets of the victim. They then sell access to the operators or affiliates, who are the ones that go out and look for the target companies that they wanna exploit and actually conduct the attack. And then after the ransom is paid to the service provider, they get paid.
So just to illustrate that this is one of the top concerns and has been for several years, here's a recent survey from Allianz about, you know, what are the biggest concerns in cybersecurity? You see in this report, 57% of executives and IT staff think ransomware is, you know, the number one issue to be on the lookout for, tied with data breaches. So it certainly has the attention of the right people within IT. So how does ransomware get propagated? You know, I think this is really interesting. Take a look at this graphic here from Coveware, where, you know, if you look at over the last four years, we see kind of an interesting inversely proportional relationship between RDP compromise and email phishing. So RDP, again, Remote Desktop Protocol. You know, this is commonly used for remote access directly to machines. And of course this really skyrocketed in use during the pandemic as more and more people were working from home.
RDP became, you know, a highly prevalent attack vector, and as it did, email phishing dropped off just a little bit. But then we see some variations in the curve as well as we approach, you know, the current time. Both are still very prominent vectors, as well as the exploitation of software vulnerabilities. Container files are a new vector. You know, Office macros were often used to download malicious payloads. A bad guy could use an Office macro to deliver, you know, some executable code in the form of like a document or a spreadsheet. Microsoft disabled macros by default back in October 2021, which led to a huge drop in their use by malicious actors. So instead they started using container files, things like ISO, RAR files, ZIP, LNK, image files, and they may not have the Mark of the Web and they may not be properly scanned. So I think this is why we see, again, kind of an inversely proportional relationship between their use of container files versus Office macros.
So let's look at the political, legal and financial landscape and how that has affected and how it may affect future ransomware scenarios. On the financial side, just as we watched crypto go up in value, we've seen, you know, some interesting tumbles and attempts to rise back up in various cryptocurrency formats throughout 2022. You know, on the cybersecurity insurance side, excuse me, we're seeing increased technical requirements for obtaining cybersecurity insurance coverage. And this is a good thing. This means companies, in order to qualify to get cybersecurity insurance or to get reasonable premiums, have to deploy certain security technologies to help reduce the risk of being compromised. Those cybersecurity insurance premiums have gone up on average somewhere between 20 and 50%, and up to a thousand percent for some high-risk customers. And we've also seen some denied claims for cybersecurity insurance in cases where the insurance provider senses that maybe the claimant did not take all necessary security steps to prevent that breach from happening. We also see a decrease in that willingness to pay ransoms. You know, three years ago there was a huge percentage of companies that would pay ransom. Now that's dropped significantly to less than 50%. And you know, there's two reasons for that. Companies are becoming better prepared to withstand ransomware attacks, and also the ransomware perpetrators don't always provide decryption keys that work. So why pay a ransom if the key isn't going to work?
So reporting and transparency, you know, there have been some regulations that I think have had a good effect on ransomware events as well. Of course, EU GDPR requires disclosure of data breaches involving the personal information of EU residents. So there have been some cases where personal information's exposed that winds up needing to be reported. The EU NIS2 requires organizations within member states to report to their CSIRTs within 24 hours of becoming aware of an incident. And now the US requires critical infrastructure providers to notify CISA within 72 hours of a cyber attack and 24 hours of a ransom payment.
Prosecutions. You know, historically ransomware operators have been able to get away with, you know, conducting their crimes, but there have been some limited successes on the prosecution side. We see the US Department of the Treasury's OFAC office having sanctions against a couple of cryptocurrency mixers. US DOJ was able to recover, you know, approximately half of the Colonial Pipeline payment, the Colonial Pipeline incident, you know, reaching global news last year with a major, excuse me, economic impact within the US because of a ransomware event. And in that event, only the IT systems were affected, not the operational technology systems that actually drive the pipeline. And there have been a few high-profile arrests of ransomware operators, and sanctions have been imposed against some ransomware service providers as well.
So what does this bode for the future of ransomware? Ransomware attack attempts hit an all-time high in 2021 and everything suggests that that would continue. But we see some evidence that these legal, political and economic factors have so far potentially decreased some of the attacks that would've been seen in 2022. However, most experts feel that this is kind of a temporary blip and the frequency and severity of ransomware attacks is likely to increase in the coming months. So let's talk about refocusing on prevention and stopping ransomware before it actually happens. You know, prevention-focused antivirus endpoint security solutions have been around for at least 30 years. And then about 10 years ago we saw the advent of endpoint detection and response technologies. These are sort of predicated on the notion that not all your security measures will work and you need to have a way to detect breaches when they happen and then be able to remediate them.
So EDR is designed to, you know, do detection after attacks and mitigate the effects of attacks. In the last five years or so, we've seen endpoint protection tools acquiring or merging with endpoint detection and response tools, and we call these suites EPDR, Endpoint Protection, Detection and Response suites. But really both protection and prevention and detection are needed to be able to stop ransomware attacks. Today I wanted to take a look at the MITRE ATT&CK framework and just kind of look at, you know, the high-level tactics and techniques, you know, called out here on the top rows, and I've color-coordinated them: which ones I think sort of pertain to prevention, or the tactics where prevention works, and the tactics where detection is the main way of figuring out what's going on there. So we have everything from recon, which can kind of be a mix of both, resource development, initial access, execution. Those are places where prevention technologies can work. The rest, you know, by and large it's about detection.
So you know, not to dive too deep into the various tools here, but we've got active intelligence, good identity and access management, including multifactor authentication, email security, zero trust architecture. Then you know, we see that EPDR, anti-malware in particular, is useful across many of the different stages here within MITRE ATT&CK. Also NDR, network detection and response; XDR, which is a union of endpoint and network detection and response plus some other tools; privileged access management and endpoint privilege management to stop the escalation of privileges, because that's a major step in the successful execution of malware of all types; identity threat detection and response. Then we see other tools like DLP, data loss prevention; CASB, cloud access security brokers; and disaster recovery.
So looking a little bit more closely here at, you know, the different risk mitigation technical measures: EPDR, you know, we've been talking about that, that's important, including the application controls, being able to stop applications from requesting privileges or getting installed in the first place; URL filtering; OS and application patching; vulnerability management. So many of the attacks that have happened are dependent on exploitation of known vulnerabilities, and both operating system and application vendors have patches that would close those gaps if companies were able to put those in place. But we see many organizations that are running older operating systems because of dependencies for applications that have been coded specifically to them. And if you think back to like NotPetya and some of the other ransomware events from like five or so years ago, those specifically were leveraging exploits that could be patched because they were in ancient operating systems that were end of life even at that point.
Zero trust architecture, multifactor authentication, authorization, network segmentation for containment, removing unused accounts, these are things that definitely can help prevent ransomware, as well as data security: DLP, data leakage prevention, and any other tool in the data security realm. PAM, Privileged Access Management, and Endpoint Privilege Management. You know, this is one that's actually, like EPDR, specifically called out in some cybersecurity insurance policies. Having something to stop privilege escalation by the attacker can certainly prevent further exploitation. Offline backups: as we were discussing, there are many cases where perpetrators have not only encrypted local machines and cloud resources, but online backups as well. So it's imperative to have offline backups and test your backups to make sure that the restore procedures actually work. And again, as email phishing is still a prominent vector, email and web security gateways continue to be important components of security architectures. So let's take a quick poll. Does your organization run old operating systems, those which are beyond end of life? Yes, no or not sure. And we'll give you a few seconds here to answer the question. Okay, thank you. Second question, has your organization deployed endpoint privilege management? And again, a yes, no or not sure.
Okay, looks like votes are still coming in. Okay, thank you all for participating in that, and we will take a look at those during the Q&A period. And a reminder, if you have any questions, please feel free to enter them into the questions blank in the GoToWebinar control panel. And with that I would like to turn it over to Brian.
Thanks very much, John. What I want through this presentation is to build a little bit on some of the stuff that John has said. I'm gonna agree with most of it, as you might expect. And at the end of this, I want this to be you when you encounter a ransomware scenario: I want you to be on the winning side, that you have stopped ransomware in its tracks and that you don't find yourself in this room. We've all been in this room at some point in our lives, trying to work out why the defense has crumbled, what went wrong, and most importantly, have we actually stopped them? Are they gone? Have they left back doors in our environment? It's not a great place to be in. It's a difficult place to be when you start thinking about rebuilding, because it's absolutely the last thing on your mind.
You just really don't want to enjoy the current feeling that's happening in your environment. And as John highlighted, you know, while we have seen some dips in ransomware as we came into 2022, generally it's felt that we are gonna see a resurgence of that. You know, there have been other preoccupations for some of the teams who may have been involved in ransomware, with things like the invasion of Ukraine. So you know, some teams have changed their allegiances within that, but they will return to ransomware, and I don't think there can be any doubt when we think about that. And why is this? And John kind of gave some of the reasons as to why, you know, ransomware continues to be a challenge in our environment. And I relate back to a story that came to me when I was at a CISO conference in Dubai around 2014, 2015.
And I was looking out of my hotel window in the morning, and I'd been there for two or three days, and I looked out and the desert looks the same every time you kind of glance out at it. But the truth of the matter is that it's in constant movement, especially when you think of these little ripples at the front of the screen here. You can find some videos on YouTube of these things moving almost in real time. And it made me think this is very much like the attack surface that we are trying to defend, both against and, you know, for our environment. So every day we come into our offices and we sit down at our desks, and what we are being attacked with is changing, and the ways in which we can defend against those are changing as well. It's a continually moving scenario.
And what we do is we try and build solutions in this landscape. We try and build cybersecurity edifices, you know, big constructions that are beautiful and shiny and have flashing lights on them and all kinds of goodness that might exist within there. But what we're doing is we're building on top of the sand, and as we just said, the sand will move and that will topple, and that's your point of breach. We haven't really set ourselves up for success in many of the ways we approach this, because we're trying to solve a problem, we're trying to solve that quickly and we're trying to solve it comprehensively. So it's quite natural to look towards solutions that promise to solve all of those problems in one go for us. Whereas the truth is there are some fundamentals of cybersecurity which apply irrespective of the threat, because the fundamental attack chain remains the same.
When we actually dig down and look at it, I think of these as piles that we can sink down into this sand and anchor our cybersecurity solution within the attack surface, so that as the sand moves our solution just sits there, unmoved by it. And some of those foundations John touched on, but, you know, vulnerability management, good asset management, configuration management, patch management, keeping up to date with the latest releases of things, identity and access, privileged access, and on into the EDRs and the XDRs of this world. There's a whole raft of these things which are pretty basic, pretty fundamental things. But when we get those right and we get those piles sunk down into the sand, we end up with a much more stable solution moving forwards. And there are some other benefits within there, which we'll come back to a little later.
So one of the reasons that ransomware is as prolific as it is, as John highlighted, you know, going back to things like WannaCry and NotPetya, being able to get in through the Eternal set of vulnerabilities that existed in Windows. They were patched months before the attacks took place, but people hadn't got to them because this attack surface is changing so quickly and we're firefighting so much, we're always slightly behind the ball, so to speak. We're not quite up at the cutting edge where our attackers are. So the attack surface is one. Obviously the change in working practices over the past couple of years has been something that we've all had to cope with, both as people who might have moved into remote work as well as the teams who are now having to defend what are often hastily installed solutions to allow users to access systems from home.
Now I'm not blaming the users in any way here. It's an incredibly difficult scenario, because those machines that were often designed and built to be within the corporate network, following that moat and castle or fortress mentality as I like to call it, that, you know, inside your network was a safer place, are now out in networks that are not just uncontrolled. Often we have no visibility into what those networks look like at all, or all we end up with is an IP address coming in through a VPN or an RDP port. There was a significant increase in the number of RDP implementations between Q1 of 2021 and Q4 of 2021, as well as, you might have expected, a commensurate increase in the number of attacks. And we saw that in John's chart, although because of earlier high volumes of RDP, it kind of gets lost a little bit in the chart if you kind of shrink that down.
Those changes are quite dramatic when you look at them in terms of what's going on. But that's something that's gonna be with us for a while. So we've gotta learn to live with it, we've gotta find defense strategies for it. And the last one, the elephant in the room we might call it, is the money. As John indicated, the number of people paying is going down but the average payout is increasing, and between 2019 and 2021, that went from around $115,000 per breach to over $500,000 per breach by 2021. In fact it was about two years for that transition to happen, and it will increase, and that's just the average payout. So you know, you look at Colonial Pipeline at 4.4 million, that contributes a lot to that. But it means that people are paying, and I don't know about your businesses and your organizations, but I rarely see a company walking away from a good income stream, and we have to think of the cyber criminals, and particularly the ransomware criminals, as businesses.
They are businesses we're almost competing against. They're trying to take our data, we're trying to stop them, but it almost feels like a competition. You know, we actually have to treat them with the same respect that we treat competitors in our markets. But money will continue to drive it while people keep paying, and often there really isn't a choice, or the amount being asked for is so close to the cost of just recovering all the systems yourselves, it's sometimes worth the payment just to give it a go if there is a key. Now John mentioned in his presentation the kind of four key areas of ransomware, you know, the scareware, where it started with just popping up saying something has happened, but something really hasn't happened in any dramatic way, easily circumvented; the lockers, which actually got into the underlying system and actually stopped them from operating or booting.
So until you gave them some money. The Hollywood poster child, as I would call it, of ransomware: I don't think there's a Hollywood movie that would refer to ransomware which wouldn't have all the machines popping up with screens, with files encrypting and wonderful graphics that go along with it, if only there was some kind of entertainment while it was happening. But encryptors I think are what most people think of. And then doxware, which is where we are now, which is what I think is the more insidious side of ransomware, where they're not just encrypting your files, they're stealing them beforehand and using those as additional leverage to extort money out of you. And let's be clear, this is extortion, there's no other word for it. While it's being done through cyber means, it is the basic crime of extortion. And the big problem with doxware is that it has the repeat business aspect to it, particularly if you pay. If you pay to stop your documents being released and you get your key, and the hacker said they'll delete your files, which of course they're not going to do because you've just paid the money.
So why not come back in six months and ask for more money for not releasing those files once again? And who knows, they may have left other back doors. I think we're getting to the point with these kinds of technologies where even the threat of them is enough of a reputation hit for organizations that it's often just not worth taking the risk there. So you know, we've gotta do something within our environments to stop them getting to this point of being able to extort us. And there are some tools out there which purport to give us defenses, and they watch file writes to the system and they'll do all kinds of exciting, you know, high-tech stuff. But the truth of the matter is I think the solutions are actually much closer to home. So let's think about the ransomware attack chain. And this is very similar to any malware attack chain, or in fact any cyber attack chain.
There are some fundamentals, and again John mentioned this in his presentation. Using MITRE ATT&CK framework terminology, you've got the initial access into the system. The key points are still phishing payloads as well as RDP and VPN access. RDP, its biggest problem is password hygiene and the complexity that's being used, because often we've got users logging in using their credentials, which are often easily breached, especially when they've used them on other systems. And while I have no particular evidence for it, I do think we will see an uptick in the number of people reusing their work credentials for other systems, because they're away from the office and now everything they access through the laptop feels like a work system. But that's yet for me to be proved wrong, and I seriously hope I am. VPN, I mean there's no good reason really for VPNs to still be being used outside of office-to-office links, which are probably more like MPLS links, you know, more tightly controlled than a VPN dial-up, or dial-up showing my age there.
But there's this initial entry point. Invariably we now have a piece of software on your system, whether it's a script, whether it's a macro, whether it's an actual piece of application code, it's gonna want to execute, and I guarantee it's gonna be looking for some level of privilege. If your user has no privilege at this stage, then there's probably gonna be very little that the executable can do unless your system has vulnerabilities. And here you begin to see those other things coming into the environment, and it's really got three objectives. It wants to spread, because one machine hit by ransomware is an inconvenience, I would say; it isn't actually a serious impact to your organization unless you're a one-person shop, and even then you probably fall back to paper very easily. They're gonna want to steal documents for that doxware, for that extra leverage over you in the environment.
And the last one is encrypt, which is the classic. And the thing to bear in mind is that while encryption may have been one of the early things that came along, the other two don't cause that to stop. They're still gonna encrypt your files, whether they're gonna give you the key or not. When we look at the spreading piece, and just looking back at that, vulnerability and privileged credentials are the two key mechanisms for moving laterally across an environment, to actually spread and extract information. And similarly, privilege and vulnerability also feature heavily in the stealing of data, because often the sensitive data they're looking for is not the day-to-day data that would normally exist on an individual's workstation. They want to be on the machine that holds the sensitive data that only a limited number of people have access to. That's the juicy stuff. So again, privilege plays a part in that.
And the last thing they do then is lock the system down, extra inconvenience for you, so that it's not like you can boot the machines and start decrypting files or trying to decrypt files; you're often left needing to decrypt partition tables before you even get there. So if we think about this in terms of ways in which, you know, solutions can help: privileged access management, as a particular thought process, can help a lot when it comes to that initial access into the environment. Secure remote access tools that provide mechanisms to get into your infrastructure without a VPN, without an RDP, without any kind of direct network connection between the outside machine and the inside machine, so you're in full control. Good vulnerability management there is gonna help. That doesn't work well unless you have good asset management. Patching is a low-resolution way of resolving a lot of vulnerabilities, keeping up to date.
But the latest version falls into the same kind of space as that. The execution of the application, you know, application whitelisting and blacklisting can help you in this space. Only allowing applications to launch with privilege that are specifically targeted for privilege, only allowing applications to execute from specific places on the file system, can help with this. When we are in control of things like privilege, et cetera, we can begin to affect that lateral movement. If you've got no access to privileged credentials and there are no vulnerabilities in your environment, lateral movement becomes immensely harder. It really requires compromising an account that, you know, hopefully people don't have direct access to. Same thing applies for stealing. If they've got no privilege, it's really hard to get to that juicy data at the center. And if you've got no privilege, again, you try and overwrite the boot sector on a Windows machine.
If you don't have privilege in the environment, it's similar for Unix and Linux machines: you've got to have privilege to get to these fundamental core controls within the environment. So if we think about having implemented a scenario where, you know, we have made all of our users in our environment standard users, so they have no standing privileges, where we have control over privileged credentials in the environment, which means that even if they're compromised out of something like the cache in Windows, they're no longer valid within the environment. That then begins to unhinge this attack chain. So if you can't get to the Windows subsystem and do something to override the boot sector, I can't lock down the system anymore. I could maybe have still encrypted your files, maybe I'm still spreading, maybe I'm still stealing. But we've talked about the fact that if we've got good vulnerability management, patch management, configuration management and things like privileged access management within our environment, the access to credentials or vulnerabilities to gain me access to privilege is limited.
And if you've done good vulnerability management, almost extinguished, then that whole piece disappears off the front. We're now to the point, okay, they got onto the system and they dropped an executable on there, okay, it might have done something, but hey, we've got secure remote access in our environment. By removing the ability for applications that maybe are not signed by people we recognize, phishing payloads fall off and there's now no execution. And obviously if we do have secure remote access in place, we're literally left with phishing payloads as a potential entry point. And we've already kind of established through this that, having that payload there, we've kind of taken the teeth out of the payload. It might run, and this is the truth for much malware in this situation, it might run. But, you know, regular Microsoft reports indicate things like 80% of Windows malware is useless if you don't have any access to any kind of privilege on the system.
So it really, really reduces your attack surface with some relatively simple and easy to implement strategies, and we'll bounce through a few of those quickly. Vulnerability management, this is kind of how I always think about systems when I'm thinking in terms of vulnerability management, they really are cracks in the cases. You know, these are ways that people can get in that they shouldn't get in and get access to privilege. And what a lot of organizations will do when confronted with this kind of scene is they will get a technology solution. They will paper over the cracks. They haven't solved the problem, but they've put something in the way that they believe will stop the crack from allowing access. And for a while it will, but the cracks are gonna continue to grow. Anyone who's ever wallpapered over a cracked wall will know this. Sometime later the wallpaper will split and there'll be an even bigger crack behind it.
So how do you get better at this? How do you get to solve the right vulnerabilities most easily? And it's about focusing, focusing on the vulnerabilities that have known exploits, because this is where ransomware as a service or hacking as a service generally lives. It's using known exploits, because these people are not gonna take the time to identify zero days themselves in most scenarios. You have to be a very specific target for someone to do that. For the rest it's a drive-by: you were low-hanging fruit because you hadn't patched the known vulnerabilities in your system with known exploits, and they got your environment. So focus on that first. After that you can sort the list in whatever way you like, but go for the vulnerabilities in your system with known exploits first. For lateral movement within your environment: lateral movement requires some kind of privilege, and the only way to get access to privilege across a network is generally starting with a password.
And I might have people in the background, you know, thinking, oh, I'll pass the hash and things like that. It's just a hashed password. Certificates are just a big long digital password. SSH keys are a binary password. It doesn't really matter which way you cut, slice and dice those things, or what you do with the password to encrypt another piece of text or the current time, it's a password, and I've stood by that one for a good while now. But if we've got good control over our passwords, we're changing them every time they're being used. Cached password hashes are no longer valid when moving across the network, 'cause the receiving machine is gonna validate the hash against the directory or whatever system it has in place. Or if it's a local account, it would've been changed locally. So privileged access management here, or privileged password management specifically, really brings lateral movement to a screeching halt.
And we are now, you know, we've contained the attacker to the system that they arrived at. Vulnerabilities covered, 'cause it's a piece of software coming in. It's not gonna look for a zero day, it's only gonna do the stuff it has exploits for. Passwords: don't give it the access either. And when we think about why users get privilege in the first place, they didn't wake up this morning and go, hey, I want to be a, you know, I wanna be an admin. There are some strange people out there like me who may well have done that, but most of them clicked on something or they typed a command and the system told them they didn't have sufficient privilege. And for the longest time Microsoft told you to call your help desk because you weren't an admin. I think now it just tells you you just need to talk to your help desk.
But the general response to it was to give them privilege so that they could run this application. Endpoint privilege management solves that problem by being able to give the privilege to the application, not the user. So we never change them from being a standard user, but they can still run all the tools they need to run with the privilege they need to run at, and have tight control over how that privilege is subsequently, you know, passed on to other applications, so you can really lock down your systems. And that was just three things: vulnerability management, privileged password management and endpoint privilege management. And if we think back to that attack chain, that covers off most of those points where I put a shield on the environment. So we really can break the attack chain very quickly and very simply. BeyondTrust, as a privileged access management vendor, we have the broadest portfolio in the market space.
So we can help across the broadest set of the PAM kind of pillars. So privileged password management, we have that for end users through things like Password Safe; DevOps Secrets Safe, very much on that automated side, but with secrets, as the teams and DevOps like to call them. Secure remote access, privileged remote access, gets not only your own people but third-party vendors into your environment without revealing passwords, without a direct network connection. It's a software air gap between the two sides of the system, and often without them even needing a credential within your environment. So simplifying your credential landscape as well, that cannot be underestimated as a valuable thing. Now we don't need to create a dozen accounts because we've got a dozen people at an external vendor who need to come into our environment. We can give them access to a shared account 'cause we can record everything they're doing all the way through.
We can even chaperone them if they want. Better access for remote support within your environment: don't have help desk people with access to privileged accounts, give them the tools to do their job without direct privileged access. Endpoint privilege management, as I said, Windows, Mac, Unix and Linux, so there isn't a lot left there. The Unix and Linux tool can also provide privileged access management into network devices. So anything you SSH into, you can have full control over every byte in and every byte out of those environments, which just gives you the ability to allow people to do their jobs effectively and easily. Even using the standard tools, you still have full control over what's going on. AD Bridge brings Active Directory to all your Unix, Linux, and Mac systems in the same way you have it for Windows, if that's a good way to put it.
It's like a Windows networking client for those operating systems. So there isn't a local account; you're logging in directly using those accounts. Think of all those Unix and Linux accounts you might have in NIS plus other LDAPs. Those all go away. You have one account for each user and it covers all the systems you have. That simplifies your environment. And as we look towards the cloud, cloud security management is another interesting space to look at. And entitlements management there is the key area. As we stand today, we can cover a lot of the virtual systems using the other tools, but then the systems that control the virtual systems now need controlling, and everyone has a different way of putting things. So having tools that can bring some sense to that and give you good suggestions on when there are outliers is vitally important. I'll say thank you there and I will rejoin John for the Q&A.
Thanks Brian. So yeah, before we go into looking at the poll results and then the Q&A, I just wanted to say, you know, a few of the things that you mentioned kind of reminded me, we often talk a lot about the ransom aspect of ransomware and we tend to think that that cost is, you know, the main driver, the thing that we need to worry about. But, you know, I recently ran into a friend who worked at a company that just experienced a ransomware attack, and, you know, we really need to think about the lost productivity, you know, because you can spend, in this case, two months with an idle workforce.
Yep.
You know, and that is in many cases a greater cost than the ransom. So, you know, taking these preventative steps that we're talking about is gonna save a lot of money in the unlikely event or, you know, in the unfortunate event of having a ransomware attack.
Absolutely. I mean, I don't like to pick on any particular company, because I think, as we always say, breach is if not when, so it's always gonna happen. But, you know, looking at me as an organization that has a huge logistical aspect to their operation, you know, they had the ransomware attack which swept through their environment and literally rendered their IT useless. They had to move back to paper. And as you say, there's gonna be a transition period as you get back to moving to paper systems and get everything up and running. Then that's great, now we're working and we repair all our IT systems. Now how many months on top of that is it gonna take us to move back from paper to IT as we try to run through both of those scenarios? And, you know, as you say, that's the real cost of ransomware, and one that's definitely worth focusing on.
You know, one other thing I forgot to mention is I saw a story a couple of months ago about the prevalence of ransomware in the healthcare industry in the US, and even though, you know, we have mentioned that there are some signs of a small decrease, temporary decrease, in the number of ransomware events, the healthcare industry is particularly hard hit, with almost double the number of attacks this year. So I mean, and I think we can all figure out why, because, you know, you can't have healthcare data unavailable to healthcare providers. So I think again, as an industry, you know, we redouble our efforts to focus on prevention.
Absolutely.
So let's take a look at those poll results please. Does your organization run old operating systems that are beyond end of life? Yes, 43%; no, 57%. So a little better than half and half on that. Interesting.
It's a little better result than I would've imagined. And maybe that shows a shift in the way that people are responding to those systems and actually finally biting that bullet, and maybe even having something rewritten from an old operating system to be able to, you know, eliminate that from their environment.
Yes. Okay. Let's look at the next one please. Has your organization deployed endpoint privilege management? Yes, 46%; no, 38%; and not sure, 15%. So that's interesting too. Nearly 50% said they've deployed endpoint privilege management.
Yeah, I think, like so many solutions, there can be a maturity path to be on when you've deployed any kind of solution. And it would be interesting from the attendees if they've got any kind of points to say about where they feel they are in the maturity of that deployment. 'Cause from our environment we see organizations who will deploy it in the kind of quick and dirty way and it remains in the quick and dirty way, and there are others who move towards that more granularly assigned privilege, making sure that applications are only given the least privilege at every point, and there'll be people somewhere on that journey. So the maturity piece is another important piece, but even doing that first, even coarse, approach is still many, many times better than not doing it at all.
Definitely. Okay. So yeah, feel free to enter some questions here if you haven't already and we'll start taking a couple. So let's see: what about when trusted applications get compromised? How do you tackle this problem?
Yeah, that's a challenging one, 'cause I think in just about every operating system that I've encountered, there's this kind of hierarchical nature to security that, you know, you log in, your security token gets generated, it stays with you until you log out, and every application that gets launched gets launched with a copy of your security token. So if you have privilege and you launch an application, that application has a vulnerability and someone's able to launch something off the back of that, it has your full privilege. And, you know, there's obviously a concern that if we elevate an application and it's vulnerable, the subsequent application will also gain that capability. But there's a lot of clever technology inside these things now that actually will return that application to being a standard user again when it spawns off. So the malware jumps in going, hey, I found a privileged process, thinks it's hit pay dirt, and suddenly finds itself running as the standard user again.
So, you know, being able to control those in very careful ways. But also, and this is equally important, allowing that to happen when it's legitimate activity so that we don't break the application is also very important. And so there are ways that you describe what are rules as to how applications get elevated and how child processes get elevated as well. And if you are in the least privilege space, one of my favorite poster children (I've got two favorite poster children for this) is Windows apps that everyone will recognize, like the clock: changing the system time says hey, you need to be an administrator, where you actually only need the administrative privilege, which is called change system time. If somebody spawns off of that and still had change system time, they can fiddle with the clock, which would be annoying, but they're not about to expose all of your company documents to the world.
And even the Defragmenter in Windows, which says you need to be an admin, actually doesn't do anything admin at all. It calls an open system call that says defrag the drive. It's just trying to make sure you're the right kind of person to run it in the first place. So, you know, when you begin to get into those things, and most Windows apps will tell you what privileges they need, it's in the stub, you can then be very granular in that. And so that concern reduces even more in that space. So it's about being clever about what you're doing, and again, I would always say start with the broad brush and then evolve, but make sure that that evolution is part of your plan from the beginning. Because you don't wanna just make do at this point, 'cause you've made a really big step. You own all of the technology, use it.
Next question, and this is a really great question. How do you protect OT from the more exposed IT components? You know, yeah, that is a, you wanna give that one? Yeah, we mentioned Colonial Pipeline, and there are other examples too where the threat to OT really originates on the IT side. So, you know, it's a great question and it's a complex answer, I think probably more than what we have time for here. Happy to talk about additional solutions that might be required there. But I think, you know, first of all, separation as much as possible. You know, kind of thinking back to the list of mitigations that we had: being able to contain detonations of ransomware to the environment in which it first happens, you know, using EPDR, using endpoint privilege management, privileged access management, being able to separate, you know, at the identity level, IT and OT domains, making sure that the trusts between IT and OT, if you have to have them at all, are as least privileged as possible, I guess you could say. There are lots of different concerns, and OT itself is just a huge subject.
There are many kinds of OT, you know, there's critical infrastructure, there's, you know, manufacturing and industrial controls. There's IIoT, you know, lots and lots of different protocols can be involved. Having an understanding of the protocols by the security solutions, like let's say network detection and response, is useful; distributed deception platforms, lots of different kinds of security tools, I think, need to come into play to adequately protect OT environments. And again, it's kind of very dependent on the nature of the OT environment itself. Brian?
Yeah, I mean, I heartily agree. I think you mentioned segmentation, and I think zero trust as an approach and architecture is very prevalent. You know, it uses that very heavily in the way that it operates, and, you know, certainly something we use in BeyondTrust quite extensively as just a control mechanism. You know, making sure that similarly important systems are within segments that we can protect appropriately. And it's one of the things with OT, I think a lot of OT just got hooked onto the IT infrastructure and then they looked to see how they might secure it. And I think that kind of speaks to the mindset change we need to make in cybersecurity, which is getting away from the "how do we implement this and make it secure" to the "how do we securely implement this" when we're looking at these kinds of problems in the first place.
But, you know, we all have the OT systems, we all have the machine in the corner that runs an old operating system we can't upgrade for some reason. On those points, I kind of always think, well, as much as I hate the fortress mentality, we just have to go for a much smaller fortress that goes around those systems and control the access through that in that same kind of segmentation way that you're saying. You know, take away the direct access, still enable people to do their jobs, because they'll always yell and say this needs to turn off 'cause I can't do my job. If we can make them productive, we can actually make systems work, and hopefully they'll be happier and they'll listen when we say don't click on the phishing email.
It's time for one more, which looks more like a comment. I think not many organizations go public and state they paid the ransom. Yeah, I mean, you can certainly understand why, but I think some of these regulations that I was mentioning that require disclosure, I think, can be helpful. I mean, there are cases over the last few years where companies that were hit with ransomware, who decided not to pay it but who, you know, tackled the problem head on, then provided a lot of information about how they did that. You know, I think the transparency is something that, you know, we should applaud; the fact that, you know, a few companies have done this, shown us what it's like, how they recovered, and shared that information with the broader IT security community.
Yeah, I heartily agree. I mean, I think the stigma around being breached for the vast majority of companies is vastly unwarranted. You know, teams out there are doing their best, they're doing everything they possibly could, and they still get breached, but they get lambasted in a way that makes people not want to come forward and share this information. But as a community, the more we can share, the more we can actually get the knowledge out there, just the better defended we're all going to be.
Definitely. Well, we're at the top of the hour. Thanks everyone for attending, and thanks Brian for your insights, and yes, the recording and the slides should be ready in a couple of days.
Fantastic. Thanks, John.