George Wilkes, January 5, 2022
How to Protect Against Ransomware and Other Top Cyberthreats With Zero Trust Network Access
Threat actors are creatively relentless and too many organizations are unprepared for a swath of cyberattacks, like ransomware. Zero Trust Network Access (ZTNA) combats escalating threats with fast, secure, simple user connections from anywhere to wherever your workloads reside.
Malicious actors continue to target vulnerable organizations and critical infrastructure with ransomware, including notable hits to healthcare and the supply chain. By one estimate, ransomware payouts reached $590 million in the first half of 2021, already eclipsing the $416 million paid over the full year of 2020. Ransomware doubled in frequency year over year, accelerating costly disruptions and data theft.
Of course, ransomware is just one of many cyberthreats that attackers use to target your network and steal your data. Today’s top cyberthreats seek out IT and security weaknesses like flat networks and perimeter-based security solutions, and they lie in wait for inevitable human error such as design flaws, system misconfigurations and employees clicking the wrong thing.
ZTNA and ransomware
Zero Trust Network Access (ZTNA) is built on Zero Trust security principles that help mitigate ransomware and other cyberthreats. It is the tool for now and the future. According to Gartner, “By 2024, at least 40% of all remote access usage will be served predominantly by Zero Trust Network Access (ZTNA), up from less than 5% at the end of 2020.” And as organizations rely more and more on a hybrid workforce, these numbers will only increase.
Let’s look at how ZTNA defends against ransomware and other top cyberthreats such as distributed denial-of-service (DDoS), man-in-the-middle (MITM) attacks and insider threats.
What is ransomware?
Most ransomware attacks start by gaining access via phishing campaigns to obtain employee credentials that can be used to establish an initial foothold within an organization's system. Flat network topologies are then ripe for a threat actor's malevolent executable to move laterally, escalating privileges until reaching their target and encrypting sensitive data. The malware may also utilize system and network vulnerabilities to move from one computer to another across networks.
Unfortunately, ransomware has become a strong, albeit morally corrupt, business model with low start-up costs and high rewards. And today's thieves don't need to be computer-savvy ... ransomware marketplaces on the internet welcome anyone who wants to be a cybercriminal or malware authors who want a piece of ransom funds. According to the U.S. Treasury Department, an average of roughly $100 million was made in ransomware payments each month in the first half of 2021.
How ZTNA defends against ransomware
Legacy remote access tools, like virtual private networks (VPNs), are prime targets for threat actors. Their open ports are easily discoverable, weak authentication is readily bypassed and they often provide wide-open network access. ZTNA is far superior at protecting sensitive data and limiting an attack surface when a ransomware attack occurs.
Some of the benefits of ZTNA against ransomware include:
- Default deny: no access, not even a connection, is established until user identity and risk context have been verified
- Device ringfencing: helps reduce the impact of ransomware in several ways. Through ringfencing, you can control a device’s outbound connections, limiting an infected device’s ability to receive data from command and control servers (CnC). It also prevents a compromised device from reaching out to other devices on the network
- Cloaked infrastructure: no open ports listening for inbound internet connections thwarts reconnaissance
- Microperimeters: segments the network to isolate the “blast radius” and spread of ransomware for ease of containment
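The four benefits above can be read as one default-deny flow policy: an unverified device gets no connection, a verified device may only reach the destinations its segment is ringfenced to, and segments are isolated unless a link between them is explicitly allowed. The following is an added illustration, not Appgate code: the device, segment and host names and the three sample flows (an approved app, an unknown external host standing in for a command and control server, and a peer workstation on port 445 standing in for lateral movement) are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    segment: str             # microperimeter this device lives in
    identity_verified: bool  # user identity and risk context verified by the controller


@dataclass
class FlowPolicy:
    """Default-deny flow policy: a flow is allowed only by an explicit egress or segment-link rule."""
    # segment -> set of (host, port) that devices in that segment may reach (the ringfence)
    egress: dict
    # (src_segment, dst_segment) pairs allowed to talk; empty means segments are isolated
    peer_links: set = field(default_factory=set)

    def decide(self, dev, dst_host, dst_port, dst_segment=None):
        """Return (allowed, reason). When no rule matches, the answer is deny, never allow."""
        if not dev.identity_verified:
            return False, "identity not verified: no connection established"
        if (dst_host, dst_port) in self.egress.get(dev.segment, set()):
            return True, "ringfence egress rule"
        if dst_segment is not None and (dev.segment, dst_segment) in self.peer_links:
            return True, "segment link rule"
        return False, "no matching rule: default deny"


def audit(policy, dev, flows):
    """Evaluate flows and return one log record each; the denials are what a SOC would alert on."""
    records = []
    for dst_host, dst_port, dst_segment in flows:
        allowed, reason = policy.decide(dev, dst_host, dst_port, dst_segment)
        records.append({
            "device": dev.device_id,
            "dst": f"{dst_host}:{dst_port}",
            "allowed": allowed,
            "reason": reason,
        })
    return records


# Constructed sample policy: one segment of HR workstations ringfenced to two destinations.
POLICY = FlowPolicy(egress={"hr-workstations": {("hr-app.internal", 443), ("dns.internal", 53)}})
WORKSTATION = Device("ws-017", "hr-workstations", identity_verified=True)

# Constructed flows: the approved app, an unknown external host (stand-in for a C2 beacon),
# and a peer workstation on the SMB port (stand-in for lateral movement).
FLOWS = [
    ("hr-app.internal", 443, "hr-apps"),
    ("198.51.100.7", 443, None),
    ("ws-018.internal", 445, "hr-workstations"),
]

if __name__ == "__main__":
    for rec in audit(POLICY, WORKSTATION, FLOWS):
        print(rec)
```

Only the first flow is allowed. The peer workstation is in the same segment as the source, but because no `peer_links` entry names that pair the flow is still denied, which is the point of the microperimeter: membership in a segment grants nothing by itself.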
With ransomware handled, what about distributed denial-of-service (DDoS) attacks?
Ransomware is the current top player in the cyberattack scene, but distributed denial of service (DDoS) also causes major disruptions. One report says that there were 5.4 million DDoS attacks in the first half of 2021, an 11% rise year-over-year.
The way a DDoS attack works is that threat actors flood a network with so much traffic, typically using botnets, that the infrastructure collapses. This sort of assault takes advantage of the network's specific capacity restrictions, such as the infrastructure that allows a business to run its website. The DDoS assault will send numerous requests to the targeted site with the goal of overwhelming it and preventing it from responding to legitimate traffic.
How ZTNA defends against DDoS attacks
Just like in the case of ransomware, ZTNA is a far better protector than an archaic instrument like a VPN, which listens for inbound pings from the internet.
- Eliminates attack surfaces: cloaking a network’s assets keeps DDoS scans from finding anything
- Uses single packet authorization (SPA): proven cryptographic techniques make internet-facing servers invisible to unauthorized users
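To show why single packet authorization leaves nothing for a scan to find, here is an added, simplified model of the SPA exchange; it is not Appgate's implementation and the key, client name and timing window are constructed for the example. The service port stays closed and the gate sends no reply of any kind; only a datagram that carries a valid HMAC under a provisioned per-client key, a fresh timestamp and an unused nonce opens the port briefly for that source. Everything else, including a replay of a previously valid packet, is dropped silently.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo key; a real deployment provisions a distinct key per client.
CLIENT_KEY = b"demo-client-key-not-for-production"
ALLOWED_SKEW = 30   # seconds a packet's timestamp may differ from the gate's clock
OPEN_FOR = 10       # seconds the port stays open for the authorized source


def build_spa_packet(key, client_id, dst_port, now, nonce=None):
    """Client side: one datagram = JSON payload + '.' + hex HMAC-SHA256 over the payload."""
    body = {
        "client": client_id,
        "port": dst_port,
        "ts": int(now),
        "nonce": (nonce or os.urandom(8)).hex(),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + mac


class SpaGate:
    """Gate side: verify a datagram; the reason is for the gate's own log, never sent back."""

    def __init__(self, keys, now=time.time):
        self.keys = keys      # client_id -> key
        self.seen = set()     # (client, nonce) replay cache
        self.opened = []      # (client, src_ip, port, expires_at)
        self.now = now

    def verify(self, datagram, src_ip):
        try:
            payload, mac_hex = datagram.rsplit(b".", 1)
            body = json.loads(payload)
        except ValueError:
            return False, "malformed"
        if not isinstance(body, dict):
            return False, "malformed"
        key = self.keys.get(body.get("client"))
        if key is None:
            return False, "unknown client"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac_hex):
            return False, "bad hmac"
        ts, nonce = body.get("ts"), body.get("nonce")
        if not isinstance(ts, int) or not isinstance(nonce, str):
            return False, "malformed"
        now = self.now()
        if abs(now - ts) > ALLOWED_SKEW:
            return False, "stale"
        tag = (body["client"], nonce)
        if tag in self.seen:
            return False, "replay"
        self.seen.add(tag)
        self.opened.append((body["client"], src_ip, body.get("port"), now + OPEN_FOR))
        return True, "opened"


if __name__ == "__main__":
    gate = SpaGate({"alice": CLIENT_KEY})
    pkt = build_spa_packet(CLIENT_KEY, "alice", 22, time.time())
    print(gate.verify(pkt, "203.0.113.5"))   # first use: opened
    print(gate.verify(pkt, "203.0.113.5"))   # same packet again: replay
    print(gate.verify(b"garbage", "203.0.113.9"))  # a probe: malformed, and nothing is sent back
```

The HMAC is checked before the timestamp and nonce so that an unauthenticated sender learns nothing about the gate's clock or replay state; the replay cache only needs to remember nonces inside the `ALLOWED_SKEW` window, which is what keeps it small in a real gate.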
What are insider threats?
Human error is a factor that no cybersecurity tool can fully overcome. Negligence is one threat from inside your organization, but it’s not the only one. If a user becomes compromised, or worse, willfully malicious, it’s hard to get a handle on activity that may harm a network.
Not all insider threats necessarily come from employees. Third parties and contractors that are granted access can be vectors for attack, and in some cases, they are the intended target for threat actors seeking to infiltrate larger enterprise prey. The damage from an insider threat might take the form of malicious, complacent, or unintentional acts that jeopardize an organization's integrity, confidentiality, and availability.
According to a study conducted by the Ponemon Institute, 44% of businesses have suffered a data breach caused by a third party within the last 12 months. Nearly three quarters of those victims had granted too much privileged access to third parties.
How ZTNA defends against insider threats
Instead of granting all-or-nothing user access, ZTNA offers the ability to restrict access to specific users for certain segments of a network and for a defined amount of time to prevent lateral movement of a threat, so your most sensitive data is well-protected.
Other benefits of using ZTNA to defend against insider threats include:
- Granular least privilege access: limits a user’s access to only resources that are absolutely necessary
- Device posture checking: assesses whether a legitimate user’s device has been compromised
- Dynamic policies: allows users’ permissions to change automatically based on contextual changes or “risky behavior”
- Activity monitoring: access logs enable quick threat identification, mitigation and remediation
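The insider-threat controls listed above (least privilege, posture checking, time-bounded access, dynamic re-evaluation and logging) fit together in one entitlement check that runs both at connection time and again whenever the user's context changes. The following is an added example, not Appgate's policy engine; the user, resource names, risk scores and time window are constructed, and the risk score is assumed to be supplied by whatever contextual analysis the controller performs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Entitlement:
    user: str
    resource: str          # one specific resource, e.g. "hr-db:5432", never "the network"
    not_before: datetime   # start of the access window
    not_after: datetime    # end of the access window: grants expire instead of lingering
    max_risk: int          # highest risk score (0-100) at which this grant still applies


@dataclass
class Session:
    user: str
    device_posture_ok: bool   # outcome of the posture check on the user's device
    risk_score: int           # contextual risk as computed by the controller (assumed input)


class EntitlementEngine:
    def __init__(self, grants):
        self.grants = grants
        self.log = []   # every decision, allow or deny, is recorded for monitoring

    def evaluate(self, session, resource, now):
        """Least privilege with default deny: allow only if an active grant covers this exact resource."""
        allowed, reason = self._check(session, resource, now)
        self.log.append({
            "ts": now.isoformat(),
            "user": session.user,
            "resource": resource,
            "risk": session.risk_score,
            "decision": "allow" if allowed else "deny",
            "reason": reason,
        })
        return allowed, reason

    def _check(self, session, resource, now):
        if not session.device_posture_ok:
            return False, "device posture failed"
        reason = "no entitlement (default deny)"
        for g in self.grants:
            if g.user != session.user or g.resource != resource:
                continue
            if now < g.not_before:
                reason = "grant not yet active"
            elif now > g.not_after:
                reason = "grant expired"
            elif session.risk_score > g.max_risk:
                reason = f"risk {session.risk_score} exceeds grant limit {g.max_risk}"
            else:
                return True, "entitlement active"
        return False, reason

    def denials_for(self, user):
        """Monitoring hook: how many denies a user has accumulated, a simple signal worth alerting on."""
        return sum(1 for r in self.log if r["user"] == user and r["decision"] == "deny")


if __name__ == "__main__":
    now = datetime(2022, 1, 5, 12, 0, tzinfo=timezone.utc)
    # Constructed grant: a contractor may reach one database for a four-hour window at low risk.
    grant = Entitlement("bob", "hr-db:5432", now - timedelta(hours=1), now + timedelta(hours=4), max_risk=40)
    engine = EntitlementEngine([grant])
    print(engine.evaluate(Session("bob", True, 10), "hr-db:5432", now))        # allowed
    print(engine.evaluate(Session("bob", True, 75), "hr-db:5432", now))        # risk rose: denied
    print(engine.evaluate(Session("bob", True, 10), "finance-share:445", now)) # never granted: denied
    print(engine.denials_for("bob"))
```

Calling `evaluate` again for a session that is already connected is the dynamic policy: the same grant that allowed the first connection denies the next check once the risk score crosses the grant's limit, the window closes, or the device fails posture, and each of those outcomes lands in the log with its reason.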
What are man-in-the-middle (MITM) attacks?
A man-in-the-middle (MITM) attack is one in which a threat actor intercepts communications and eavesdrops on the victim. There are many MITM techniques, but all involve the threat actor positioning themselves between the victim and the targeted asset. The attack succeeds when the threat actor can impersonate each endpoint of the communication to the other. MITM attacks can include, but are not limited to:
- IP spoofing
- HTTPS spoofing
- DNS spoofing
- SSL hijacking
- Email hijacking
- Browser cookies theft
- Wi-Fi eavesdropping
One example: in October, cybersecurity researchers in the UK found a flaw in Apple Pay that made users vulnerable to making payments unknowingly.
How ZTNA defends against MITM attacks
MITM attacks are usually made on open Wi-Fi networks that don’t offer protection. Having an encrypted connection through ZTNA makes it far more difficult for the attacker to gain access or read either side of the communication between endpoints.
These ZTNA features are particularly helpful in stopping an MITM attack:
- Dynamic rules: analyzes changing context around a user before granting access
- Mutual transport layer security (mTLS): client and server each cryptographically authenticate the other before any data flows
- Single packet authorization (SPA): obscures the connection points on the network so the attacker can’t position themselves
Appgate SDP: a ZTNA solution to mitigate ransomware and other top cyberthreats
If your organization seeks an alternative to insecure traditional security tools to defend against evolving cyberthreats, Appgate can help. Our team will support your journey with guidance on how to deploy our industry-leading, full-featured Zero Trust Network Access security platform.
Appgate SDP was named a Leader in The Forrester New Wave™: Zero Trust Network Access, Q3 2021, receiving a differentiated rating, the highest possible, in six criteria: deployment flexibility, non-web and legacy app support, ecosystem integration, client support, connector capabilities and product vision.