How PAM Defends Against Ransomware’s 1-2 Punch

December 14, 2021

Ransomware attacks abound, with one expected every 11 seconds (Cybersecurity Ventures). As security practitioners, a problem for us and the businesses we protect is that the barrier to entry is painfully low in terms of both access and cost. Just like Netflix, Salesforce.com, and Slack, ransomware is available as SaaS. On the Dark Web, you can subscribe for as little as $20 for a basic attack (CSO Online). You don’t have to be a genius or a member of an advanced nation-state hacking team to take advantage of this.

At the annual Irish Reporting and Information Security Service (IRISS-CERT) meeting recently, conference moderator Gordon Smith said,

“Everyone remembers the attack on the [Irish] Health Service Executive this year. That’s probably not the most technically advanced attack you’ve come across, but nobody can deny the devastating consequences it has.”

Historically, most of these attacks focused on the ransomware element alone. Now we see a data breach as a routine accompaniment. Yes, not satisfied with bringing your business to a screeching halt extorting bitcoins in exchange for decryption keys, they’re also selling your data to the highest bidder for extra income or threatening to leak it if you fail to pay the ransom.

That’s the 1-2 punch.

However, a growing trend is yet more aggressive tactics that include denial of service attacks (DOS) that shut down your websites plus an outreach to your customers spreading word of the hack.

If you think this might represent the most significant potential security threat to your business, you’re not alone.

Should You Pay the Ransom?

We can’t advise you on that, but let’s discuss the potential impact on your business.

These attacks can impact you in many ways with lost revenue while your business is down, the ransom itself, and the cost of remediation that demands new security software to help mitigate further risk.

The ransomware first punch alone can be costly, but not everyone will pay a whopping $67m in related costs like United Health Services did in 2020. According to Unit 42 Security Consulting, ransom demands averaged $5.3m in 1H2021, and remediation costs averaged $761,000 in 2020. Also, getting the decryption keys doesn’t mean business, as usual, day 1. It can take weeks or months to restore business operations, continuing that top-line impact.

What about a data breach second punch? Anticipate additional impact in the form of liability for lost personal or customer data, legal issues from compliance violations, lost reputation, customer churn, and a drop in share price if traded.

Cyber Risk Insurance

Insurance helps, though, right? Yes, however, it may only cover the ransomware first punch (typically the costs of the ransom demand, hiring experts to negotiate with hackers, and computer forensics experts for root cause analysis) but not the data breach. Not only that, but insurers are adjusting their products to better protect themselves from mounting claims. Expect your policy premiums to rise, underwriting to become more intensive, and carriers to sub-limit cyber extortion and ransomware costs to a fixed amount.

How Can PAM Help?

So, what can we do to mitigate these risks? I’m going to focus on security technology, of course, but’s let’s not ignore employee security awareness training. This still delivers huge benefits because email phishing attacks are the most common way cyber criminals gain an initial foothold in your network to execute their ransomware attacks.

On to the technology. Ransomware isn’t magic; it depends on admin-level permissions to execute its payloads and propagate around the network. Similarly, for a data breach – the attacker needs admin-level permissions to download and execute tools, perform surveillance, move laterally from system to system, and exfiltrate the data.

The common denominator in all of this is privileged accounts. Without these, ransomware and the cyber attacker can do squat. The security discipline that focuses on governing and protecting access to, and use of, such accounts is privileged access management (PAM). PAM is your best bet to protect yourself from these attacks with its supporting cast of characters that include password and secrets vaulting, least privilege, access control workflows, audit trail and session recording, and multi-factor authentication (MFA).

And the insurers agree. They’re pushing for MFA and PAM as prerequisites for insurance.

Cloud-ready and with the principle of least privilege at its core, ThycoticCentrify PAM delivers all these necessary moving parts. It aligns with modern best practices such as Zero Trust and zero standing privileges.

It’s laser-focused on protecting your privileged accounts (via Secret Server) and controlling access to the workstations, servers, virtual systems, and containers that host your business apps and data (via Cloud Suite, Server Suite, and Privilege Manager). With ThycoticCentrify PAM, you can block access to the permissions ransomware needs to execute, propagate, and cripple your business. Prevent that initial foothold and even if an insider is involved, contain activity with least privilege and MFA, prohibiting elevation and lateral movement.

Our latest December updates bring yet more innovations and value to help you combat these, and other, identity-related threats:

  • Fine-grained privilege elevation for Windows and Linux sessions. Your admins still need elevated rights to do their job, but you must strictly constrain those rights to only what is necessary for the task. Grant limited rights, just-in-time, for a limited time. Manage login, elevation, and MFA policies from a centralized SaaS platform and enforce those policies across all your cloud-hosted workloads.
  • Linux identity management. Big Linux estates can get messy, especially with inconsistent namespaces that lead to situations where files, folders, and network shares become inaccessible for administrators. This new capability solves that problem for you.
  • SCOM module for auditing allows customers to monitor the health of their host-level auditing and session recording with Microsoft System Center Operations Manager. Disable auditing and recording can be a sign of a breach in progress.
  • Tagging for recorded sessions enables custom tags for recordings and queries to speed incident investigations and audit/compliance efforts.
  • gMSA account types enable support for Microsoft group managed service accounts used for logging in to Linux and Unix systems. These are popular as they allow clients to authenticate to any instance of a service in (for example) a server farm with a single identity instead of knowing which service/identity to use. Windows takes care of password management, password sync, and offline hosts.
  • Mobile password offline rescue allows users to log in to a managed system even if their connection to the vault is down. The ThycoticCentrify client on the target machine can prompt the user for a one-time rescue password obtained from the iOS or Android mobile application.

Please check out release notes here and here for more information about these new releases. Also, please check out our website to discover more about ThycoticCentrify PAM (Secret Server, Privilege Manager, Server Suite, and Cloud Suite). For more ransomware-related info, please read this post by Joe Carson: Ransomware Mitigation: Where do we go from here?

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.