Page 53 - FCW, November/December 2021

Tech Spotlight: Ransomware
Access Management Can Help Protect Endpoints
Modular protections, like privileged access management, can help defend against cybercriminals’ “Exploit Wednesdays.”
There are many reasons why security teams have a hard time protecting endpoints from ransomware, but modular defenses, such as privileged access management, can help in the fight.
Lavi Lazarovitz, head of security research at CyberArk, says ransomware often gets deployed via one-day exploits: bugs for which a patch already exists. There is typically a lag between the time a patch is disclosed and the time federal agencies actually apply it.
“While Microsoft has Patch Tuesday, attackers now have what the security community calls Exploit Wednesday,” Lazarovitz says. “It can be several days or even weeks and months before an agency makes a patch.”
Ransomware presents unique challenges for security. It is sneaky, relying on its target’s inattention, and many organizations don’t want security to slow down the workplace, so they let employees use shadow IT, applications the security team has never vetted and that make the organization vulnerable. It’s also becoming easier for criminals to use: ransomware has become a commodity attackers can buy as a service, and it doesn’t take any special programming or security expertise.
Lazarovitz points out that ransomware is a simple application: the malware opens a file, overwrites it, and saves it to disk. Because that is an ordinary file operation and doesn’t require a high level of privileges, it can go under the radar and not get detected by security teams. “Through process injection, malware can inject itself into a benign application like a Word document and encrypt the files through it,” Lazarovitz explains.
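The file-rewrite pattern Lazarovitz describes can be caught from the file contents alone, whatever privilege the writing process holds. The Python below is an added example, not code from the article or from CyberArk: it compares a file's bytes before and after a write and flags the write when the result looks like ciphertext. The magic-byte table, the thresholds and the sample file contents are assumptions constructed for the demo.

```python
"""Tripwire for the "open a file, overwrite it, save it" pattern.

Added example for illustration; not code from the FCW article or CyberArk.
A write is flagged when the new content has byte entropy close to 8 bits
per byte and either (a) the entropy jumped sharply, which no ordinary edit
of a text or structured document produces, or (b) the format's magic bytes
are gone. Test (b) matters for already-compressed formats such as .docx
(a zip archive): their entropy barely changes when they are encrypted, so
an entropy-only check misses them. All sample buffers are constructed
here; no real files are touched.
"""
import math
import os
import random
from collections import Counter

# Leading bytes expected for a few common formats (assumed, fixed list).
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
}

HIGH_ENTROPY = 7.0  # bits/byte; text sits around 4-5, zip or ciphertext near 8
ENTROPY_JUMP = 2.0  # a rise this large is not an edit, it is a replacement


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def magic_matches(name: str, data: bytes) -> bool:
    """True if data starts with the magic bytes expected for name's extension.
    Extensions not in MAGIC are not checked and count as matching."""
    sig = MAGIC.get(os.path.splitext(name)[1].lower())
    return sig is None or data.startswith(sig)


def looks_encrypted(name: str, before: bytes, after: bytes) -> bool:
    """Decide whether a write replaced a file with ciphertext-like content."""
    e_after = shannon_entropy(after)
    if e_after < HIGH_ENTROPY:
        return False                        # not ciphertext-like at all
    if e_after - shannon_entropy(before) >= ENTROPY_JUMP:
        return True                         # text/structured file became noise
    return not magic_matches(name, after)   # compressed file lost its header


def flagged_writes(events):
    """events: iterable of (filename, bytes_before, bytes_after).
    Returns the filenames whose write looks like in-place encryption."""
    return [name for name, before, after in events
            if looks_encrypted(name, before, after)]


# --- constructed sample events (seeded, so the run is deterministic) ------
_rng = random.Random(2021)


def _noise(n: int) -> bytes:
    """Pseudo-random bytes standing in for ciphertext or zip payload."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PDF_BEFORE = b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" * 60
PDF_AFTER = _noise(4096)                      # encrypted in place, header gone
DOCX_BEFORE = b"PK\x03\x04" + _noise(4096)    # zip container: already high entropy
DOCX_AFTER = _noise(4100)                     # encrypted: entropy unchanged, magic lost
DOCX_RESAVED = b"PK\x03\x04" + _noise(4096)   # legitimate re-save by the office suite
TXT_BEFORE = b"quarterly numbers, draft\n" * 50
TXT_AFTER = TXT_BEFORE + b"final figures attached\n"   # ordinary append

SAMPLE_EVENTS = [
    ("report.pdf", PDF_BEFORE, PDF_AFTER),
    ("budget.docx", DOCX_BEFORE, DOCX_AFTER),
    ("budget-v2.docx", DOCX_BEFORE, DOCX_RESAVED),
    ("notes.txt", TXT_BEFORE, TXT_AFTER),
]

if __name__ == "__main__":
    for name in flagged_writes(SAMPLE_EVENTS):
        print(f"ALERT: {name} rewritten with ciphertext-like content")
```

On the sample events only report.pdf and budget.docx are flagged; the re-saved .docx keeps its zip header and the appended text file never reaches the entropy bar. A check like this belongs in a file-system filter or EDR sensor as a tripwire, not as the defense: ransomware that encrypts only part of each file, or that preserves headers, keeps the entropy low enough to slip past it, which is why the privilege and execution controls discussed next still carry the weight.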
Finally, while most organizations have antivirus and endpoint detection and response (EDR) software, the vast majority have no controls over privileged access and, because of that, are prone to wider infection.
“Many threat actors use privileges to shut down and bypass security controls and gain access to sensitive data,” Lazarovitz says. “If a user with administrative privileges clicks on a malicious link, which eventually executes ransomware on the host, the ransomware gains permissions, opening the door to the whole network.”
Lazarovitz recommends at least three steps organizations can take to combat ransomware and build a multi-layer defense on top of antivirus and the other security controls that key on known threats:
• Limit privileges. Give employees only the privileges they need to do their jobs. If privileges are limited, there is less chance that malware can inject itself into other processes and spread laterally.
• Control execution on the host. Graylisting the applications that can execute on workstations and servers, that is, letting unknown applications run only in a restricted mode rather than either blocking or fully trusting them, reduces the attack surface of the host and provides another layer of defense against unknown ransomware.
• Control remote access by enforcing two-factor authentication. Especially in a hybrid work environment, organizations need to deploy 2FA for all remote access requests. This limits the attack surface and reduces an attacker’s ability to get onto the network over an RDP or VPN session with stolen or guessed credentials.
According to Lazarovitz, these three steps let security teams create a “modular” defense.
“Instead of depending on traditional anti-virus that’s based on known attacks, security teams need to limit privileges, not let users change configurations, and control access,” Lazarovitz says. “In doing so the malware can’t bypass security controls and exploit applications.”