CASB: How Cloud Security Solutions Help Stop Ransomware in its Tracks

Ransomware has grown in terms of volume and sophistication. The FBI found that the cost of ransomware attacks rose by more than 200 percent to roughly $29.1 million between 2019 and 2020, according to the FBI 2020 Internet Crime Report. Meanwhile, Proofpoint’s 2021 Human Factor report revealed that ransomware attackers have changed their methods – targeting larger organizations with more to lose and more incentive to pay, in other words, “big game hunting.”

The COVID-19 pandemic has highlighted the importance of collaboration and ease of doing business. Nowadays, many organizations are primarily using cloud applications and doing their work from outside the corporate offices. But it’s not just employees that are making use of cloud apps. In a study of 2020 data with over 20 million cloud users, Proofpoint research confirmed that attackers have followed us to the cloud:

• 52 percent of all organizations had at least one cloud account (or user) compromised in their organization
• 32 percent of those compromised organizations had post-access activity such as file manipulation, email forwarding and OAuth app activity

Later on, you will see how these two stats showcase the prevalence of the cloud in the initial access stage (think: cloud account compromise) and consolidation stage (think: lateral movement between cloud apps and accounts).

Preventing, detecting and remediating cloud ransomware attacks requires a comprehensive strategy. Our partners at Proofpoint provide a comprehensive solution to complement your strategy, including Threat Protection, Security Awareness and Cloud Security. Many organizations have found that a modern, integrated and people-centric CASB can play a critical role in curtailing cloud ransomware attacks, especially when combined with isolation technology.

CASB (pronounced cas-bee), which is an acronym for cloud access security broker, is an intermediary between users and cloud platforms that protect data in the cloud while addressing authorization and visibility concerns of corporations leveraging cloud services. The CASB term was coined originally by Gartner in 2010. As Gartner explains it, CASBs address security gaps associated with third-party cloud services and platforms that are not under your control but that process and store your data.

Modern CASBs are cloud-native and can be deployed in multiple modes. The fastest time to value is achieved through the agentless cloud API route. For more real-time traffic inspection, you can choose an agentless approach to a reverse proxy or adaptive access control that works best for IT-approved applications and unmanaged devices. The alternative is the forward proxy approach that runs a small endpoint client to inspect and control traffic on managed devices and any IT-approved and tolerated cloud app.

When dealing with ransomware attackers, you are dealing with unmanaged devices that have compromised your user’s accounts. The appropriate CASB architecture will rely on a reverse proxy or an adaptive access control approach.

What may surprise some is that email and the internet remain the primary attack vectors for ransomware. Furthermore, most ransomware attacks are multistage, with the actual encryption of the data being one of the last stages of the ransomware attack.

Proofpoint Cloud Security research teams provide customers detailed information on threats and campaigns that target cloud and web applications and accounts. According to Proofpoint’s research, ransomware attacks can be broken down into four unique, but integrated, attack vectors:

In the initial access phase, an attacker looks for a way into the organization. Although this can initiate from a software vulnerability or a remote desktop protocol access, the majority of the breaches come from social engineering through email and on the internet.

In the cloud context, we’re seeing attackers sending phishing lures to steal users’ domain, or single sign-on, account credentials. In early 2021, Proofpoint saw a vaccine scam in which malicious actors targeted dozens of different industries in the United States and Canada. The threat actors asked users to urgently confirm their email credentials to receive a COVID-19 vaccine. This was used to steal their email account credentials as the initial access to take over their account.

After successfully harvesting these credentials, threat actors will want to establish a few compromised cloud accounts. They will then use the newly compromised account to phish a few more of the compromised user’s colleagues, as employees are more likely to trust emails from their peers than from strangers.  

How Proofpoint protects you in the initial access stage:

• Email protection can protect from malicious files and other suspicious messages being delivered in email
• Proofpoint CASB can detect suspicious logins in IT-approved applications
• Their proven detection combines people-centric context of Very Attacked PeopleTM (read: those most exposed to attacks), threat intelligence across email, web and cloud layers and machine-learning-based user behaviour analytics (read: changes in login patterns)
• CASB can block or route highly suspicious logins to access apps in isolated, off-the-network environments – all in real-time
• In the background, Proofpoint can remediate suspicious logins in cloud applications federated by Microsoft Active Directory, Okta and Google. They cover 7000+ of the most popular enterprise cloud applications

By using CASB, you can stop threat actors from taking advantage of those harvested credentials and continuing past the initial access stage.

In the consolidation phase, the attacker attempts to gain access to sensitive information on endpoints. Continuing the example of users harvesting cloud account credentials, threat actors usually attempt to discover recent contacts, sensitive data and cloud apps they can access based on the stolen credentials. After that, they’ll want to spread the ransomware laterally to infect more devices and make their ransom more valuable. For example, attackers may upload malware files into the cloud storage apps to share more widely. By sharing the ransomware through the organization’s own chat, email and cloud storage apps, threat actors are more likely to phish and infect other users.

The second part of this phase – preparation – usually involves destroying backups and stealing sensitive data and intellectual property. Lately, ransomware actors have taken to these double-extortion tactics, with the threat of releasing information if the ransom isn’t paid.

How Proofpoint protects you in the consolidation and preparation stages:

• CASB provides the breadth of visibility to surface the lateral spread or risk to your data because of a compromised account; Proofpoint correlates suspicious logins with the associated post-access activity, such as lateral movement and establishing persistent access, within one people-centric view on the platform
• CASB monitors your cloud apps for malicious file uploads and oversharing of sensitive files or data
• CASB can automatically take remediation and other mitigation steps to contain the lateral movement of attackers
• CASB can isolate risky traffic in IT-approved apps in real time to intelligently contain downloads, uploads and sharing of potentially infected files
• CASB can prevent data exfiltration of sensitive files or intellectual property from IT-approved apps in real-time

Using CASB, we can limit an attacker’s ability to move laterally and steal data for their double-extortion tactics. Leading CASBs can integrate with endpoint security solutions to extend ransomware protection across email, cloud and endpoints.

Once all the systems are identified, infected and information is collected, the threat actor then sends the ransomware payload. This normally takes place through the same channel that is being used for data exfiltration. The previously infected devices and servers have the ransomware payload downloaded, which then encrypts the drives, making them unusable. Because the threat actor normally attempts to render the backups unusable in the consolidation and preparation phase, most infected organizations are not able to rely on their backups to restore service. Once the data is encrypted, the threat actor moves onto the final phase.

Proofpoint focuses on stopping the attacker at each of the previous stages so that you can at least stop the sensitive data exfiltration, if not remediate potentially risky files and file sharing or even protect from account takeovers at the initial stage.

In this final phase, the attacker who previously stole and encrypted the data demands ransom to have the systems decrypted. Remember that the threat actor holds the decryption key that is needed to restore the systems. If the victim organization does not want to pay to have the files decrypted, the threat actor has three main areas that can be used to force payments.

The first is threatening to leak the data online, which would most likely cause irreputable damage to the business and their employees and customers due to the personal, corporate and potentially customer-sensitive information that has been stolen. The second method is to threaten to sell the exfiltrated data to the highest bidder, normally through the dark web. The outcome of selling the data means that more than one threat actor has access to the data. The third area is to threaten to send emails to the organizations’s customers and partners threatening to leak their data. This would put immense pressure on the organization to pay the ransom due to reputational damage, and potential loss of future revenue, customer loss, or loss of future sales.

Finally, the impact of having their environment down for an extended period of time can be catastrophic to an organization’s ability to maintain their business. In some cases, organizations that were attacked by ransomware could not recover from this operational downtime in an timeline that ensures the continuation of the business. That is why it is essential to invest in cloud security solutions that can mitigate a ransomware attack before it reaches this final stage.

Proofpoint’s CASB solution protects corporate app users from threats, data loss and compliance risk through five pillars:

• People-centric visibility, which combines threat awareness, user behavioural context and content monitoring to simplify detection and accelerate response for security and IT teams. That includes visibility into VAPs through integrations with Proofpoint Threat Protection.
• Proven advanced threat protection, which defends your users and cloud apps against account takeover, malicious files, malicious data exfiltration and oversharing of sensitive information. Proofpoint integrates intelligence from email, cloud apps, URLs and the web within the Proofpoint Nexus Threat Graph.
• Risk-aware data security, which integrates data loss prevention (DLP) across cloud, email, endpoints and web channels through Proofpoint Information Protection. This enables risk-aware access to sensitive data and protects sensitive content from leakage and exfiltration by users.
• Cloud app governance, which discovers cloud apps, audits them for security and compliance risks and helps you contain shadow IT, including third-party OAuth apps that access Microsoft 365 and Google Workspace data.
• Fast time to value, which starts with agentless CASB API integration with your cloud apps and other Proofpoint products for immediate visibility before you set up any rules. Supplement that with Proofpoint’s CASB in forward proxy and reverse proxy modes for more real-time threat protection and DLP.

CDW sees CASB as a great solution to close the gap between cloud security strategy and adoption. The CDW solutions team can help you select and evaluate the right CASB solution based on your specific needs and budget. If professional services are chosen, our team will also help design and implement the chosen solution.

CDW has the capability to assess and review IT general controls that require implementation with various degrees of involvement, freeing personnel to work on key business deliverables while alleviating the burden of dealing with stressful audits, complex legislative and regulatory requirements. We back up our security expertise with an array of industry and partner certifications.