Zero Trust Speeds Ransomware Response, Illumio-Bishop Fox Test Finds
From mass production of cheap malware to ransomware as a service (RaaS), cyber criminals have industrialized cybercrime, and a new HP Wolf Security report warns that cybercriminals are adapting advanced persistent threat (APT) tactics too. That means hackers will increasingly mimic nation-state threat groups by establishing a long-term presence inside networks to mine highly sensitive data.
Additionally, attacks are poised to become even more damaging as companies expand their digital footprint and the attack surface grows. This is one reason organizations across industries and geographies are turning to zero-trust architectures to fortify their security posture.
Zero trust implies that every access and connection made to a point of the network is reevaluated and re-authenticated to ensure the user and connection are authorized, with no more access than the user’s role requires.
But how effective is zero trust? That’s an especially important question given the recent emphasis on the technology – including from the White House.
To answer that question, Illumio, a zero trust segmentation (ZTS) vendor, engaged Bishop Fox, a leader in offensive security, to measure how effective zero trust is in detecting and containing ransomware attacks. The company put its zero trust solutions to the test by simulating attacks based on real threat actors’ tactics, techniques, and procedures. The results were announced today at the Black Hat USA 2022 cybersecurity conference.
See the Best Zero Trust Security Solutions
Zero Trust Security Testing
Bishop Fox’s report found that Illumio’s zero trust segmentation technology “significantly improves an organization’s ability to detect, contain, and proactively limit the available attack surface.” ZTS can also be applied to effectively isolate compromised hosts during an active attack, the report said.
Bishop Fox ran four ransomware scenario attacks, a control test with no Illumio ZTS deployed; detection and response; pre-configured static protection; and full application ring-fencing with ZTS. They found that the stricter ZTS is, the faster security teams can detect and stop an ongoing attack.
The attack simulations where no ZTS was deployed breached and compromised the system in 2.5 hours. On the other hand, in the simulation with full app ring-fencing policies enforced, the attack was detected and stopped in just 10 minutes.
“ZTS can be used in a proactive fashion to ring-fence entire environments and applications, drastically reducing the pathways available for exploit through lateral movement,” Bishop Fox said.
The other two simulation scenarios also showed that the zero trust protections were superior. Attacks simulated with preconfigured static protection were stopped in 24 minutes, and those with detection and response were blocked in 38 minutes.
“If an organization chooses to invest in zero-trust strategies, including zero trust segmentation, it will find that, compared to an environment that simply implements a detection and response approach, the organization is four times faster to contain a bad actor and minimize the impact of a breach,” said Raghu Nandakumara, head of industry solutions at Illumio.
The report also found that ZTS can play a critical role in covering endpoint detection and response (EDR) blind spots. EDR gains visibility on what’s happening on an organization’s endpoints by capturing activity data. However, organizations are learning the hard way that cyber criminals commonly use EDR blind spots.
Bishop Fox’s report assures that in terms of data collection, they found Illumio’s telemetry to be especially useful to cover some EDR blind spots, where the preconfigured EDR alerts did not properly detect attacker activities.
“In a particular scenario where the red team performed more evasive maneuvers, Bishop Fox properly identified a suspicious traffic pattern using Illumio’s telemetry combined with EDR alerts,” Bishop Fox said.
Also read: Why You Need to Tune EDR to Secure Your Environment
Ransomware: Breach and Attack Simulations
To assess Illumio ZTS, Bishop Fox’s assessment team chose an infrastructure-as-code solution. The environment was based on the Splunk Attack Range open-source project but modified to include more hosts and to deploy a more complete Active Directory configuration.
The test environment was made of the following resources:
- Five Windows Server 2019 instances representing hosts in a corporate network
- Five Windows Server 2019 instances representing hosts in a staging network
- Five Windows Server 2019 instances representing hosts in a production network
- One Windows Server 2019 acting as a domain controller
- One Ubuntu 18.04 server running a Splunk server
All Windows instances ran a Splunk Universal Forwarder agent and a System Monitor (Sysmon) service configured with the default Splunk Attack range configuration. These instances were also deployed with the default configuration of Nextron Systems’ Aurora EDR agent, including the default set of Sigma rules.
All Windows hosts had the following remote administrative services enabled:
- Windows Remote Management (WinRM)
- Remote Desktop Protocol (RDP)
The Illumio VEN agent was installed during instance provisioning on top of that configuration.
The Bishop Fox team based their attack techniques on real-world attacks, creating playbooks from active known ransomware threats groups such as Conti. The attack aimed to identify available assets, execute lateral movement, and escalate privileges within the system to finally deploy the ransomware across the domain-joined systems.
Full Application Ring-fencing Attack Simulation
The fourth scenario — full ring attack simulation — showed the most effective results in time to identify and stop a ransomware attack, accomplishing these milestones in just 10 minutes.
In the scenario used, the microsegmentation policy consisted of the following rules:
- Database workloads in one environment could not connect to other environments.
- API workloads in one environment could not connect to other environments.
- The Jump host workload from the Corporate environment could access every host in the Staging environment using RDP.
- The Jump host workload from the Staging environment could access every host in the Production environment using RDP.
- Every workload could communicate with the domain controller.
- Every workload could access public SMB shares in all environments.
- Every workload could communicate to the internet on the following ports:
- RDP access was authorized from the internet to API workloads in the Corporate network as an entry point for the attacker.
The red team, simulating the attack, started by connecting to corp-win-serv-0 using the CORPADMIN account. The team then uploaded a Sliver agent to C:\ProgramData\Amazon and executed it. Once Microsoft Defender detected the initial payload, the team modified Defender to allow the binary and re-executed the payload.
“After waiting several minutes for a C2 callback and fallback connection methods to execute, the red team still had no established session with the Silver agent, indicating additional segmentation had been enforced,” the report explained.
The red team followed methodology without a C2 agent and began local host enumeration using a Windows command prompt to enumerate running processes, as shown below.
The team continued the discovery process and identified the password policies in place, along with local user accounts on the machine, before losing the RDP session due to blue team countermeasures. The entire simulation ended 10 minutes after it started.
The Importance of Real Threat Simulations
The Bishop Fox assessment of Illumio revealed in detail how running simulation attacks can enlighten the industry on the capabilities of zero trust segmentation.
However, the assessment did have some limitations:
- The number of and style of attacks evaluated was limited.
- Technical settings and rules of attacks, environment, and microsegmentation policies.
- The environment representing hosts was a Windows-only environment.
- Only two Bishop Fox consultants engaged in the simulations: One acting as the attacker (red team) and the other acting as the security team defending the system (blue team).
Despite these limitations, the assessment is a big step in the right direction. Putting zero-trust security to the test with real attack simulations is often considered the ultimate cybersecurity defense.
These simulations can help organizations stay one step ahead of cyber criminals. Running simulated attacks can level-up security as malware evolves and the attack surface expands with the never-ending digital transformation.
Read next: Zero Trust: Hype vs. Reality