{"id":24835,"date":"2022-08-10T21:13:06","date_gmt":"2022-08-10T21:13:06","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=24835"},"modified":"2022-08-10T21:13:08","modified_gmt":"2022-08-10T21:13:08","slug":"zero-trust-ransomware-test","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/networks\/zero-trust-ransomware-test\/","title":{"rendered":"Zero Trust Speeds Ransomware Response, Illumio-Bishop Fox Test Finds"},"content":{"rendered":"\n

From mass production of cheap malware<\/a> to ransomware as a service (RaaS)<\/a>, cyber criminals have industrialized cybercrime, and a new HP Wolf Security report<\/a> warns that cybercriminals are adapting advanced persistent threat (APT)<\/a> tactics too. That means hackers will increasingly mimic nation-state threat groups by establishing a long-term presence inside networks to mine highly sensitive data.<\/p>\n\n\n\n

Additionally, attacks are poised to become even more damaging as companies expand their digital footprint and the attack surface grows. This is one reason organizations across industries and geographies are turning to zero-trust architectures<\/a> to fortify their security posture.<\/p>\n\n\n\n

Zero trust implies that every access and connection made to a point of the network is reevaluated and re-authenticated to ensure the user and connection are authorized, with no more access than the user’s role requires.<\/p>\n\n\n\n

But how effective is zero trust? That’s an especially important question given the recent emphasis on the technology – including from the White House<\/a>.<\/p>\n\n\n\n

To answer that question, Illumio<\/a>, a zero trust segmentation<\/a> (ZTS) vendor, engaged Bishop Fox, a leader in offensive security, to measure how effective zero trust is in detecting and containing ransomware attacks. The company put its zero trust solutions to the test by simulating attacks based on real threat actors\u2019 tactics, techniques, and procedures. The results were announced today at the Black Hat USA 2022 cybersecurity conference.<\/p>\n\n\n\n

See the Best Zero Trust Security Solutions<\/a><\/p>\n\n\n\n

Zero Trust Security Testing<\/h2>\n\n\n\n

Bishop Fox\u2019s report found that Illumio’s zero trust segmentation technology \u201csignificantly improves an organization\u2019s ability to detect, contain, and proactively limit the available attack surface.\u201d ZTS can also be applied to effectively isolate compromised hosts during an active attack, the report said.<\/p>\n\n\n\n

Bishop Fox ran four ransomware scenario attacks, a control test with no Illumio ZTS deployed; detection and response; pre-configured static protection; and full application ring-fencing with ZTS. They found that the stricter ZTS is, the faster security teams can detect and stop an ongoing attack.<\/p>\n\n\n\n

The attack simulations where no ZTS was deployed breached and compromised the system in 2.5 hours. On the other hand, in the simulation with full app ring-fencing policies enforced, the attack was detected and stopped in just 10 minutes.<\/p>\n\n\n\n

\u201cZTS can be used in a proactive fashion to ring-fence entire environments and applications, drastically reducing the pathways available for exploit through lateral movement,\u201d Bishop Fox said.<\/p>\n\n\n\n

The other two simulation scenarios also showed that the zero trust protections were superior. Attacks simulated with preconfigured static protection were stopped in 24 minutes, and those with detection and response were blocked in 38 minutes.<\/p>\n\n\n\n

\u201cIf an organization chooses to invest in zero-trust strategies, including zero trust segmentation, it will find that, compared to an environment that simply implements a detection and response approach, the organization is four times faster to contain a bad actor and minimize the impact of a breach,\u201d said Raghu Nandakumara, head of industry solutions at Illumio.<\/p>\n\n\n\n

The report also found that ZTS can play a critical role in covering endpoint detection and response (EDR)<\/a> blind spots. EDR gains visibility on what\u2019s happening on an organization\u2019s endpoints by capturing activity data. However, organizations are learning the hard way that cyber criminals commonly use EDR blind spots.<\/p>\n\n\n\n

Bishop Fox\u2019s report assures that in terms of data collection, they found Illumio\u2019s telemetry to be especially useful to cover some EDR blind spots, where the preconfigured EDR alerts did not properly detect attacker activities.<\/p>\n\n\n\n

\u201cIn a particular scenario where the red team performed more evasive maneuvers, Bishop Fox properly identified a suspicious traffic pattern using Illumio\u2019s telemetry combined with EDR alerts,\u201d Bishop Fox said.<\/p>\n\n\n\n

Also read: Why You Need to Tune EDR to Secure Your Environment<\/a><\/p>\n\n\n\n

Ransomware: Breach and Attack Simulations<\/h2>\n\n\n\n

To assess Illumio ZTS, Bishop Fox\u2019s assessment team chose an infrastructure-as-code solution. The environment was based on the Splunk Attack Range<\/a> open-source project but modified to include more hosts and to deploy a more complete Active Directory<\/a> configuration.<\/p>\n\n\n\n

The test environment was made of the following resources:<\/p>\n\n\n\n