Security leaders tasked with thwarting ransomware attacks should use containment strategies to stop breaches from causing widespread damage.
Containment reduces the blast radius of a cyberthreat by limiting or stopping the lateral movement of an intruder who succeeds in breaking into your network, a topic covered in a recent post.
It is an approach that, when properly implemented, can all but eliminate the possibility of a catastrophic ransomware attack, says John Kindervag, chief evangelist at Illumio and the creator of Zero Trust.
How ransomware works
Understanding what happens during a ransomware attack and how containment works makes it clear why he can make such a claim.
Containment protects valuable network resources by permitting only connections that are explicitly allowed by a predefined policy; all others are denied. When implemented based on insights derived from artificial intelligence (AI)-based security graphs, it enables highly granular policy control throughout the network, as detailed in this earlier post.
A ransomware attack requires multiple connections, Kindervag says.
First, an intruder who succeeds in infiltrating the network must drop the ransomware software on a target resource. That is not necessarily the ultimate target but, rather, just a starting point.
Next, the software establishes an outbound connection to a command-and-control server, or C2 server. What follows is likely a series of back-and-forth communications with the C2 server, which sends instructions to the ransomware on lateral movement, to download additional software, or perhaps to do nothing for a while to avoid detection.
Eventually, when the intruders find what looks like a sufficiently important target, the C2 server sends encryption keys along with instructions to encrypt the target data. After that, the intruders inform the target company about the attack and attempt to extract a ransom.
“So, there’s six, eight, or 10 connections that happen that you were completely unaware of,” Kindervag says. “It’s like a criminal gang going in and out of your house while you’re sitting and watching TV, paying no attention.”
Proper policy prevents ransomware
In a properly configured Zero Trust environment, that entire scenario would be all but impossible, because there would be no policy allowing the initial connection between the ransomware and the C2 server, he says.
“It doesn’t matter how sophisticated the ransomware software is, because it still needs a policy statement to be successful,” Kindervag says. “People are saying, ‘Oh, they’re making more sophisticated attack software.’ Well, yeah, but they’re taking advantage of bad or no policy.”
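The two sections above describe containment as an allow-list: a connection is permitted only if an explicit policy statement matches it, and everything else, including the ransomware's outbound C2 callback and its lateral hops, is denied. The following is an added illustration written for this page, not Illumio's own code or policy model. It assumes a hypothetical rule shape (source label, destination label, port, protocol), assumes each workload already carries a label from inventory, and evaluates a constructed set of flows in which a compromised web server attempts the callback and a lateral SMB connection. It also shows the detection side of the point Kindervag makes: connections that were previously invisible become deny events a defender can count.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    """One explicit allow: traffic from workloads labelled src_label to
    workloads labelled dst_label on dst_port/proto. Any flow not matched
    by some Rule is denied (default deny). Hypothetical rule shape."""
    src_label: str
    dst_label: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    """A connection attempt as a flow collector would report it. The labels
    are assumed to be attached to each workload by an inventory process."""
    src: str
    src_label: str
    dst: str
    dst_label: str
    dst_port: int
    proto: str = "tcp"


# Hypothetical allow-list for a three-tier application. There is deliberately
# no rule letting any tier reach an arbitrary external host: egress is pinned
# to one labelled update mirror, so a C2 callback has no policy statement to
# ride on, and no rule lets the web tier talk SMB to a file server.
ALLOW_RULES = frozenset({
    Rule("web", "app", 8080),
    Rule("app", "db", 5432),
    Rule("web", "update-mirror", 443),
    Rule("app", "update-mirror", 443),
})


def is_allowed(flow: Flow, rules: Iterable[Rule] = ALLOW_RULES) -> bool:
    """Default deny: a flow is allowed only if a rule matches it exactly."""
    return any(
        r.src_label == flow.src_label
        and r.dst_label == flow.dst_label
        and r.dst_port == flow.dst_port
        and r.proto == flow.proto
        for r in rules
    )


def evaluate(flows: Iterable[Flow], rules: Iterable[Rule] = ALLOW_RULES) -> list[tuple[Flow, str]]:
    """Return (flow, verdict) pairs; the verdict is 'allow' or 'deny'."""
    return [(f, "allow" if is_allowed(f, rules) else "deny") for f in flows]


def suspicious_sources(results: list[tuple[Flow, str]], threshold: int = 2) -> dict[str, int]:
    """Sources with at least `threshold` denied flows. A host that repeatedly
    attempts connections no policy allows is the containment-era version of
    the 'connections you were unaware of' and deserves an analyst's attention."""
    counts = Counter(f.src for f, verdict in results if verdict == "deny")
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample flows. 198.51.100.7 is a documentation address
# (TEST-NET-2), standing in for an unknown external host.
SAMPLE_FLOWS = [
    Flow("web1", "web", "app1", "app", 8080),                        # normal tier traffic
    Flow("app1", "app", "db1", "db", 5432),                          # normal tier traffic
    Flow("web1", "web", "198.51.100.7", "unknown-external", 443),    # C2-style callback
    Flow("web1", "web", "files1", "fileserver", 445),                # lateral SMB attempt
    Flow("web1", "web", "mirror1", "update-mirror", 443),            # permitted egress
    Flow("app1", "app", "198.51.100.7", "unknown-external", 443),    # second callback attempt
]


if __name__ == "__main__":
    results = evaluate(SAMPLE_FLOWS)
    for flow, verdict in results:
        print(f"{verdict:5} {flow.src}({flow.src_label}) -> "
              f"{flow.dst}({flow.dst_label}):{flow.dst_port}/{flow.proto}")
    print("sources at or above deny threshold:", suspicious_sources(results))
```

The design choice worth noting is that the egress rule names a specific labelled destination rather than "anything on 443": a rule that allowed the web tier to reach any external host on 443 would let a C2 callback over HTTPS match it, which is exactly the "bad or no policy" Kindervag describes. The deny counter is a minimal stand-in for feeding those events to a SIEM.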
Key takeaway
The Illumio Platform uses AI-driven security graphs to paint a picture of the connections within a network. It enables users to create strong policies to protect all their resources, including stopping the kind of outbound connections that ransomware relies on.
Learn how Illumio can help you win the fight against ransomware and other types of data breaches.