Weeks after critical systems were taken offline in a serious cyber-attack, multiple services at Hackney Local Council in London remain unavailable, and according to latest reports, the situation may not resolve for months. Key services, such as those dealing with local coronavirus response, are available but others, including some online payment services, remain down and there is no estimate for when they’ll be back online — and this, at a time when Coronavirus restrictions are limiting in-office service provision.
While the details of the attack have not been released, speculation has centered on ransomware, similar to the attacks on the Redcar and Cleveland Borough Council earlier in the year, which cost the council more than £10m. These types of attacks on state and local government agencies are occurring 50% more frequently in 2020 than previously, in the United States as well as the UK and other countries. In the state of North Carolina alone, at least 16 local government agencies and public school systems have been impacted by these types of attacks in 2020. Beyond service disruptions, ransomware-based attacks may result in citizens’ personal data being leaked. If – or rather, when –that happens, larger issues like identity theft and fraud can quickly enter the picture.
In the United States, an alert was recently issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation, and Department of Health and Human Services, indicating that the situation could soon get even worse. While this ransomware alert was focused on the healthcare sector, headlines offer a continual reminder that cyber-criminals know no bounds and all sectors, including education and government, are being aggressively targeted by sophisticated strains of malware.
Ryuk, for example, is an especially pernicious type of ransomware. Identifying its infection vectors is difficult, since the ransomware typically deletes all evidence of its access method. Delivery methods have varied: In some cases it was introduced by web and phishing-based malware such as Emotet or Trickbot, while in others it was introduced directly through vulnerabilities in an organization’s network, firewalls, or VPNs. Unfortunately, Ryuk is highly effective at bypassing anti-virus products; it persists on targeted machines; and it behaves stealthily — for instance, running as a “legitimate process” by injecting itself into Windows processes.
When an attack occurs, IT teams working for the organization affected obviously focus their immediate attention on getting their networks up and running and determining how the attack was successful. A visit to a malicious website, a click on a phishing URL, or a download of a weaponized attachment may be discovered as the source of the attack. Or it may have been an unpatched VPN that was exploited to introduce malware to the network, which then moved laterally throughout the infrastructure to infect and impact multiple systems.
With so many security solutions in place, how can this happen? Well, the reality is that many – even most – legacy security systems and approaches designed to protect organizations against these types of threats are simply not up to the task.
A new approach, based on the Zero Trust security approach (“never trust – always verify”), is needed. Zero Trust is a broad security construct with recommendations on controls across a number of areas in your IT infrastructure. Given the nature of ransomware threats, however, I’d recommend that these are two good places to start your Zero Trust security program:
Improve Defenses at the Points Where Ransomware is Likely to Enter – via the Web and Email
As mentioned above, ransomware primarily penetrates networks by way of an endpoint that’s compromised via an interaction with the outside world – typically an infected website, a download from the web, or an email link or attachment. Despite training and knowing better, sooner or later a staff member or student will click on a link that they shouldn’t click. And that one click can unlock malware that’s sufficient to bring a council’s network to its (figurative) knees. Given the stakes, the sophistication of the malware, and the rapid pace at which new variants are released, signature-based scanning techniques used in secure web gateways simply can’t reliably spot ransomware in web, email, and document content, since malware evolves faster than these solutions can be updated.
That’s why organizations need to move to a zero trust-based approach, which does not implicitly trust any website to be free of malware that might penetrate endpoints and networks. Remote Browser Isolation (RBI) effectively “air-gaps” devices from web-based threats like ransomware by executing web content in virtual browsers located in remote, isolated cloud-based containers. If a user browses to a malicious site or clicks a link in a phishing email, they are completely safe since no web content executes on their device. Users experience safe, fully interactive, seamless browsing, via rendering information that is streamed from the isolated browser to the browser on the user device.
For additional phishing protection, websites launched from links in emails can be rendered in read-only mode, preventing users from entering credentials on lookalike phishing sites. Attached files can be sanitized before transmission to endpoints, ensuring that malware within downloads cannot compromise user devices. Remote Browsing Isolation stops 100% of web-based malware targeting your endpoints – even Ryuk ransomware.
Limit Ransomware Spread by Segmenting Access and Cloaking Network Apps and Data
Consider this common scenario: A council member who has been working remotely comes to the office for to accomplish a task that must be done on site. They bring their personal device, or perhaps a council-provided laptop that they’ve been using on their home network – and which they occasionally use for personal browsing as well as for work. Some stealthy malware – maybe ransomware – has made it onto the device and now, since the staff member has connected to the in-office network, the malware is entering the council network as well. It’s poised to move laterally to more valuable targets – the council’s apps, databases, servers and other resources.
What if, when the user connected to the network, the ransomware could not “see” anything there? It could not encrypt data or disrupt systems, since it would not be aware that the apps, databases, and other resources were even there. This capability, application isolation, vastly reduces the damage that ransomware can cause by making apps and data invisible to any unauthenticated program or device trying to discover and access network-connected resources.
By microsegmenting access to resources using this technique, the impacts of ransomware – whether introduced within the office from a compromised device, or remotely through a crack in the network’s armor (such as a VPN vulnerability) — can be dramatically reduced. This capability, known as Zero Trust Network Access (ZTNA), can be quickly added to existing networks to secure both remote (e.g. VPN-based) and internal (e.g. LAN-based) application access.
IT and Security teams do the hard work, day in and day out, that enables our state and local government organizations to fulfill their critical role for our communities. I strongly recommend Zero Trust Security approaches, like the innovative remote browser and application isolation techniques discussed here, as essential tools that can make sure that local and state government organizations stay online and remain effective in delivering the services that our communities need.