Identity Governance Blog

Combatting Ransomware. Part 2: Identity Governance as the Foundation

By Andrew Silberman, Product Marketing Director at Omada

March 17, 2022

In part 1 of our blog series on ransomware, we started with a Sun Tzu quote about knowing one’s enemies, dove into a brief history of ransomware, and described a couple of key things to keep in mind when combatting attackers. Strategies for doing so include four main components: having a cybersecurity response plan that’s been tried and tested, regularly installing security patches, backing up files and data, and prioritizing the security of digital identities. This is a battle that requires constant vigilance: FireEye estimates that 76% of ransomware attacks used to encrypt systems happen after hours, meaning on a weekend, or before 8am or after 6pm on weekdays. It’s clear that doing the minimum and praying for the best is no longer a suitable approach for today’s enterprises, and that setting up a strong foundation to combat the threat of ransomware is a top priority.

Here in part 2, we’ll talk about some specific ways in which identity governance can aid in this fight against ransomware attacks. But first, back to The Art of War: “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” It goes without saying that while strong cybersecurity technology is needed, it has to be married with people and processes that know how to get the most out of it.

With that in mind, it’s important to reiterate that one of the most cited metrics in ransomware attacks is the number of devices that have been infected. The reason is that the more devices the attackers can infect, the more expensive, time-consuming, and stressful remediation becomes. A modern identity governance solution can help organizations ward off attackers, but if attackers do still get in with their malware, the damage can be limited and dealt with swiftly. With 90% of organizations agreeing that IGA is an important aspect in combatting ransomware, here are a few controls that help illustrate why.

  1. Manage Dormant Accounts. A key control to help prevent ransomware attacks is identifying accounts and access that are unowned or orphaned. IGA can help identify orphaned accounts, or ones that are over-permissioned, and either flag them to administrators or automatically remediate the risk by assigning an owner to evaluate them. Attackers often target these accounts as soft spots and use them as launch pads to gain trust internally and move laterally and vertically until they reach their desired effect. By constantly searching for these types of accounts yourself and thinking like an attacker, you can stay one step ahead.
  2. Enforce Proper Access Rights. Modern Identity Governance & Administration (IGA) solutions are built around a central tenet of making sure that people only have access to the data, applications, and other resources that they need to perform their jobs. IGA solutions should also be able to institute controls that help avoid social engineering and phishing attacks, which attackers commonly use as a spearhead. Using self-service workflows like password management not only reduces help desk calls, but also helps implement policies for how people can reset passwords in a way that’s hard to intercept. These basic principles of IGA in enforcing proper access rights also help prevent lateral movement in a way that can really stunt ransomware attackers.
  3. Continually Recertify. Similar to enforcing proper access rights, recertification campaigns and surveys are core functions of a modern IGA solution. This can be critical in the fight against ransomware and in minimizing damage. Recertifications help continually ensure that access is warranted and that operations are proceeding as they should. In the context of ransomware, certifications can help identify things like improper access and arm security teams with the insights they need to take definitive action in disconnecting affected systems from the network if/when they are infected with malware.
  4. Evaluate and Audit Processes. While having these three controls in place can help minimize risks, ransomware is a persistent threat that needs to be constantly evaluated. As such, security and IAM teams need to make sure that these processes, and any automation, are working as intended. Maintaining a full audit trail, including who made decisions around granting access rights, and seeing who has access to what and why, is a constant process, but with a modern IGA approach it can be done, and it can dramatically cut down on the time it takes to identify an attack and take action.
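
As an added illustration of controls 1 and 2 (this is not Omada's code or any product's API), the sketch below checks an account export against an HR roster and a per-role entitlement baseline and lists the accounts an owner should review. The CSV columns, employee IDs, role baseline and the 90-day dormancy threshold are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: an account export and an HR roster (not from a real system).
ACCOUNTS_CSV = """account,owner,role,last_login,entitlements
jdoe,E100,finance,2022-03-10,erp_read;erp_post
svc_backup,,service,2021-06-01,file_admin;domain_admin
mlee,E205,engineering,2021-11-02,git_write
tkhan,E300,finance,2022-03-15,erp_read;domain_admin
"""
ACTIVE_EMPLOYEES = {"E100", "E300"}   # E205 no longer appears in the roster
ROLE_BASELINE = {                     # assumed least-privilege baseline per role
    "finance": {"erp_read", "erp_post"},
    "engineering": {"git_write", "git_read"},
    "service": {"file_admin"},
}
DORMANT_AFTER_DAYS = 90               # assumed policy threshold


def review_accounts(accounts_csv, active_employees, baseline, today):
    """Return {account: [findings]} for accounts that need an owner's review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        issues = []
        owner = row["owner"].strip()
        if not owner:
            issues.append("orphaned: no owner assigned")
        elif owner not in active_employees:
            issues.append(f"orphaned: owner {owner} not in HR roster")
        idle = (today - date.fromisoformat(row["last_login"])).days
        if idle > DORMANT_AFTER_DAYS:
            issues.append(f"dormant: {idle} days since last login")
        granted = set(filter(None, row["entitlements"].split(";")))
        # An unknown role has an empty baseline, so every entitlement is flagged.
        excess = granted - baseline.get(row["role"], set())
        if excess:
            issues.append("over-permissioned: " + ", ".join(sorted(excess)))
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    report = review_accounts(ACCOUNTS_CSV, ACTIVE_EMPLOYEES, ROLE_BASELINE,
                             date(2022, 3, 17))
    for account, issues in report.items():
        print(account, "->", "; ".join(issues))
```

The same findings can feed a recertification campaign: each flagged account becomes a review item for its owner, or for an administrator when no owner exists.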

With these four IGA principles, enterprises can set up a foundation that puts them in a better position to deal with ransomware attacks. While there is always work to be done, and threats around every corner, attackers are often lazy and will frequently seek a new target if they face real resistance during a breach attempt. That is why having a foundation is so important in staving off attackers, and in setting up the enterprise to continually build up its security practices. For more information on implementing IGA in 12 weeks or less, be sure to check out the Omada Accelerator Package, which helps organizations deploy a full-featured, IGA as a Service solution with tangible outcomes and a roadmap for success.
