Ransomware loves network blind spots: see how to get 100% visibility
Ransomware isn’t showing signs of disappearing anytime soon. Ransomware attacks on the French Ministry of Justice and German fuel suppliers Mabanaft GmbH and Oiltanking GmbH Group were just some of the cases which occurred in just the first few months of this year.
The sophisticated incidents were intended to have a destructive impact on real people, especially when they hit critical infrastructure, leading to the rise of the phrase “killerware.”
The continued threat of ransomware on organizations
A joint Cybersecurity Advisory (CSA) recently released by cybersecurity authorities in Australia, the UK, and the US found continuing threat of ransomware on organizations of all sizes throughout 2021.
In the UK, victims included businesses, charities, the legal profession, and public services in the education, local government, and health sectors, according to the report. There was a shift away from “big game” victims to mid-sized ones to avoid heightened scrutiny in the US.
The report was based on observations by the Australian Cyber Security Centre (ACSC), the National Cyber Security Centre UK (NCSC-UK), and the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) of the US. The report’s contents noted an increasing targeting of cloud infrastructure, not only to gain direct access but also to enable lateral movements inside connected networks.
There is also awareness that attack surfaces have expanded, due to users using their own devices remotely and deploying a greater number of cloud-based services.
Suggested actions to mitigate lateral infiltration
The cybersecurity authorities listed ways to mitigate lateral movement post-infiltration, a problem potentially affecting anything connected to a network, from mobile devices to other IT, OT, and IoT appliances and applications. Some of their suggested actions include:
- Applying network segmentation to cordon traffic flows and limit access to subnets
- Implementing end-to-end encryption to prevent unwanted eavesdropping using mutual Transport Layer Security (mTLS)
- Deploying a network monitoring tool to identify, detect and investigate unusual and suspicious activities
- Collecting operational data from cloud environments, such as network, identity, and application telemetry, and making these visible to the security team.
Visibility of the network is crucial. Blind spots are precisely where ransomware can begin its damaging mission. Where there are visibility gaps, by definition, not all network traffic is being monitored. Additionally, there is no possibility of inspecting encrypted payloads, and any insights drawn from traffic data will present false results.
As such, there is a rising realization that all-around visibility into all network traffic, internal and external, is becoming more pertinent. The new approach is known as deep observability.
Deep observability covers the entire distributed network spanning on-prem and the cloud’s hybrid and multi-cloud structures, plus outward-facing interfaces – and even encompasses microservices. Monitoring everything in increasingly complex application architecture is challenging but not impossible.
How is deep observability different from a traditional monitoring approach? It goes beyond MELT – metrics, events, logs, and traces – and applies advanced real-time intelligence to close the visibility gaps.
US Department of Defense and Gigamon solutions
The US Department of Defense (DoD), for example, deployed Gigamon solutions as part of its upgrade to a zero-trust architecture. Gigamon helps give 100% visibility by harnessing:
- Network intelligence that sits above the network layer, so all traffic reaches the security tools for more reliable analysis. This facility also covers cloud, container, and virtual machine traffic.
- SSL/TLS decryption centrally decrypts all network traffic and shares it with security tools to expose hidden threats and malware before re-encrypting it.
- Application-based intelligence helps detect network risks using application-specific metadata. It discovers and categorizes Level 7 traffic, decreasing required analysis time, and allows application prioritization and isolation.
“The Gigamon platform enables us to feed all the different tool sets we have acquired and offers us X-ray capability, not only in the physical world but also in the virtual world,” said David Jones, chief architect for zero trust cloud at the DoD.
Aside from improved cybersecurity through proactive threat hunting and detection, complete visibility translates to lowered OPEX (operating expense) and creates a fast ROI.
Gigamon Visibility and Analytics Fabric cost-effective for The University of Glasgow
Chris Edwards, information security coordinator at the University of Glasgow, Scotland, runs a network that supports 30,000 users and oversees infrastructure that’s seeing continuous traffic growth. He said:
“The Gigamon technology has solved our scale issues. Now we can detect compromised PCs before damage is done in a way we couldn’t do earlier — helping identify users with a virus and taking remedial action. It enables us to split the traffic load across multiple monitor ports, minimizing packet loss, so we can operate a cluster of multiple IDS boxes, comprised of cheap commodity hardware, each of which ‘watches over’ a portion of our campus.”
Deep observability is more than a buzz phrase. Total visibility of every node and Layer of an organization’s network infrastructure is essential to bolster cyber resiliency and help prevent any attack’s success. After all, what you can’t see, you can’t protect.
Click here to learn more about Gigamon’s platform that gives better network visibility and analytics from container to core to cloud, keeping your organization fast, secure, and innovative.