Share Via
ZTI and how it prevents ransomware spreading
It is virtually impossible to predict ransomware attacks. Malicious actors use security holes in corporate IT networks to find vulnerable devices, gain unauthorized access to them, and then use this access to spread malware and ransomware to other devices on the network. These attacks can originate from a variety of sources, including phishing emails, which are phony emails that hackers use to access a person’s computer. Attackers have even been known to enter workplaces while posing as visitors or employees in order to connect to the networks and gain access.
What gaps typically exist in the network?
Many corporate IT networks have the following two gaps:
Authentication: Almost all corporate networks have flaws that make it almost impossible to make sure that every user and device is authenticated and authorized before connecting to the network.
Wireless access: While secure methods like 802.1x-TLS can be leveraged for user authentication, many small to medium sized organizations use PSK (pre-shared key) methods for user authentication due to the cost and complexity of deploying and managing radius servers. Many wireless Internet of Things (IoT) devices aren’t capable of using 802.1x-TLS based authentication — driving organizations to permit IoT devices to connect using a separate SSID with PSK. Unfortunately, PSKs are easy to share with others, and are vulnerable to attacks.
Wired access: While 802.1x is an option, it is too difficult to deploy and manage. Because of this, typically, there is no authentication method used when users are connected via an ethernet port. Even today, one can walk into many buildings disguised as an employee or a partner and connect to the network by plugging into any existing ethernet jack without authentication. Similarly, wired IoT devices are allowed to connect to the network without any authentication.
East-west or peer-to-peer communication: Almost all organizations use layer 2 as the access layer. When a device is connected to the network, it is placed in a group (VLAN) based on the port it is connected to or via a user/device profile. In a typical setup, one VLAN is for employees, one is for guests, and another is for IoT devices. Once a device is in a VLAN, it is allowed to discover other devices in the same VLAN and communicate freely with them. In many instances, one can discover and connect to any device in other VLANs as well.
Why do these gaps still exist?
Since its inception, network security has always been characterized by trade-offs. Traditionally, stronger security has been linked to higher complexity, cost, workload for the network and security teams, and the potential for decreased performance and availability. Monitoring, managing, and making changes as users and devices come and go are nearly impossible with currently available solutions.
Many solutions lack the necessary capabilities to securely add users and IoT devices to wired and wireless networks. If secure on-boarding was turned on for wired networks, users might be annoyed by the chance of network problems.
Though almost all customers agree that it would be better to divide devices into smaller groups or VLANs, this is not possible as it would require significant VLAN setup and Layer 2 techniques to ensure everything works right. There have been many attempts to reduce the size of Layer 2 (VLAN) domains, such as routing at the access layer, PVLAN, overlays, or out-of-band solutions. These cause more pain than they are worth in terms of the complexity of deployment and management.
Because of these challenges in preventing attacks, they look to invest in “detection” solutions. These solutions don’t detect malware propagating immediately within an organization. Usually, they detect the malware/ransomware before it becomes a major issue. This model is risky and full of trade-offs as well.
How are these gaps leveraged to propagate ransomware?
Many organizations underestimate how attackers can leverage their corporate IT networks to spread malware to other devices. Some rely on their physical access security controls to prevent these issues. However, employee laptops are compromised regularly through phishing and related tactics. Not only are there often compromised devices inside buildings, but social engineering and threats from insiders are also becoming more common.
Once a hacker gets into a network, they try to take over as many devices and accounts as possible. Local communication between devices is often used to move from one device to another, get more permissions, and stay connected to the network. Simple network mapping can be used to find possible targets, which can then be attacked using file sharing, SSH vulnerabilities, telnet, and other common tools. Attackers can stay hidden and use a single host that has been hacked to spread malware across an entire business.
The unfortunate irony is that while the majority of business traffic travels north to south from clouds, data centers, and the Internet, malicious traffic is increasingly moving east to west within networks.
What is Zero Trust Isolation? How can it help
Zero trust isolation is a fundamental part of the overall zero trust archetype. It completely isolates users and devices from other network users and devices, whether or not those other network users and devices are on the same segment, also known as a VLAN. It prevents any communication between these devices unless the policy expressly and explicitly permits that particular device, application, and type of communication. Each application flow between devices is examined to determine whether it complies with policy requirements. The “zero trust isolation” of the network is useful in this situation. Without a thorough policy check, the network forbids two devices from communicating with one another.
Zero trust isolation stops the lateral movement of malware or ransomware in an organization. It helps current prevention and detection tools find compromises earlier in the kill chain, preventing the possibility that they will ever lead to a breach. It does this without the problems, compromises, and costs that organizations face now.
Today’s enterprise campus environments are riddled with malicious attacks. A key principle in deterring the proliferation of malware within an organization is the adoption of the principles of zero trust isolation.
