How Zero Trust Can Help Defend Against Ransomware Attacks

Ransomware is the most commonly deployed malware in compromised cloud environments: statistically, it accounts for three times as many cases as crypto-mining and botnet malware, which rank second and third, respectively. It remains a serious threat despite the enhanced security capabilities that cloud platforms now offer out of the box. In this article we look at how zero trust can serve as a defense mechanism against ransomware attacks. In an era of constant cyberattacks, a career in cybersecurity is worth considering: becoming a certified cybersecurity professional or cybersecurity expert can be the long-awaited turning point in your career.


Table of Contents

  • What is zero trust architecture?
  • Implementing Zero Trust
  • Mitigation of Risk
  • Mitigation Capabilities
  • Conclusion


Let’s take a look at what zero trust is and how it can help defend against ransomware attacks.


What is Zero Trust architecture?

There is no single answer to that question, for two reasons. First, zero trust is not an architectural model but a set of guiding principles that should be applied to existing and new designs. That said, these principles give rise to several architectural patterns, or use cases, that can serve as a starting point for implementation. Second, applying zero trust principles results in very different technical solutions and approaches for different use cases. For example, applying the same principles to an employee remote-access use case leads to a very different design than applying them to micro-service connectivity in a service mesh running on containers.


Implementing Zero Trust

Applying zero trust as a set of guiding principles places particular emphasis on the expected results during the design phase. It is not a way of defining how control frameworks map to security controls. Rather, the principles let us focus on a specific subset of controls during design, such as the controls and capabilities required for dynamic authentication and authorization that make use of all available contextual data. The IBM Zero Trust governance model ensures that every criterion needed to achieve this goal is identified; together with the IBM Zero Trust Acceleration services, it can help organizations define security initiatives and the related capabilities.


Mitigation of Risk

To understand which Zero Trust principles might help mitigate a ransomware attack, you need to know the common attack vectors. Multiple sources describe the attack vectors that ransomware operators use.

The IBM X-Force Threat Intelligence Index 2020 describes a ransomware infection in three stages, which run in sequence:

  • MalSpam/phishing with a PowerShell script.
  • Emotet/TrickBot infection.
  • PsExec/WMI lateral movement.


Cybersecurity experts suggest that in the MITRE ATT&CK knowledge base the most fitting technique is T1566 Phishing, and in particular its sub-technique T1566.001 Spearphishing Attachment. The latter references a list of procedure examples, including the two commodity downloaders:

  • Emotet, which has 26 documented techniques.
  • TrickBot, which has 30 documented techniques.


A Zero Trust-based solution could address some of these attack techniques, such as T1047 Windows Management Instrumentation (WMI), which is used for lateral movement. The MITRE ATT&CK framework lists two mitigations against WMI-based attacks: privileged account management and user account management. Adding micro-segmentation as a third option gives three mitigations to design and implement. Privileged account management (PAM) prevents credential overlap across the systems used by administrator and privileged accounts. User account management restricts who may connect to WMI remotely: by default only administrators are allowed to do so, so either restrict the set of other users permitted to connect, or disallow remote WMI connections for all users.

Micro-segmentation is not itself a mitigation in the MITRE ATT&CK knowledge base. However, it can be seen as a combination of the following mitigations: M1030 “Network Segmentation,” M1037 “Filter Network Traffic,” and M1035 “Limit Access to Resource Over Network.”
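As an added example that is not part of the original article (nor tooling from IBM or MITRE), the following Python sketches a policy decision point that applies the three mitigations above as one default-deny check on every remote WMI connection attempt: the network filter (micro-segmentation) runs first, then the user account check, then the tier check that prevents credential overlap. The segment addresses, account names, tier assignments and sample requests are constructed assumptions; the port handling reflects WMI’s use of DCOM (TCP 135 plus the dynamic RPC range).

```python
"""Policy decision point for remote WMI access (added example, not from the
page, IBM or MITRE). It encodes the three mitigations discussed above:
privileged account management (M1026: no credential overlap across tiers),
user account management (M1018: only designated admins may use WMI remotely)
and micro-segmentation (M1030/M1037/M1035: WMI reachable only from the PAM
proxy segment). All segments, accounts and requests below are constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed network segments. Workstations, servers and the PAM solution's
# SSH/RDP proxy each sit in their own segment.
SEGMENTS = {
    "pam-proxy":    ipaddress.ip_network("10.10.0.0/24"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "workstations": ipaddress.ip_network("10.30.0.0/16"),
}

# Micro-segmentation: the only (source, destination) segment pair allowed to
# carry WMI traffic. Everything else, notably workstation -> server, is denied.
ALLOWED_WMI_FLOWS = {("pam-proxy", "servers")}

# User account management: only these accounts may connect to WMI remotely.
REMOTE_WMI_ADMINS = {"svc-pam-admin", "ops-alice-t0"}

# Privileged account management: each admin account is bound to one tier, so a
# workstation-tier credential cannot be replayed against the server tier.
ACCOUNT_TIER = {
    "svc-pam-admin":   "servers",
    "ops-alice-t0":    "servers",
    "helpdesk-bob-t2": "workstations",
}


def is_wmi_port(port: int) -> bool:
    """WMI rides on DCOM: the RPC endpoint mapper (TCP 135) plus the dynamic
    RPC port range that current Windows versions use by default."""
    return port == 135 or 49152 <= port <= 65535


def segment_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_wmi_request(user: str, src_ip: str, dst_ip: str, dst_port: int) -> Decision:
    """Default-deny evaluation of one remote WMI connection attempt. The
    network check runs first so an unreachable path fails before any
    credential is even considered."""
    if not is_wmi_port(dst_port):
        return Decision(False, "not a WMI/DCOM port; outside this policy")
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if (src_seg, dst_seg) not in ALLOWED_WMI_FLOWS:
        return Decision(False, f"network filter: {src_seg} -> {dst_seg} is not an allowed WMI flow")
    if user not in REMOTE_WMI_ADMINS:
        return Decision(False, f"user account management: {user} may not use WMI remotely")
    if ACCOUNT_TIER.get(user) != dst_seg:
        return Decision(False, f"privileged account management: {user} is not a {dst_seg}-tier account")
    return Decision(True, f"{user} from {src_seg} to {dst_seg} via the PAM proxy")


# Constructed requests: the lateral-movement pattern from the infection chain
# (compromised workstation towards a server) beside the sanctioned path.
SAMPLE_REQUESTS = [
    ("helpdesk-bob-t2", "10.30.4.17", "10.20.1.5", 135),    # workstation -> server: network filter denies
    ("ops-alice-t0",    "10.30.4.17", "10.20.1.5", 135),    # stolen admin credential, still wrong segment
    ("helpdesk-bob-t2", "10.10.0.5",  "10.20.1.5", 135),    # via the proxy, but not a remote-WMI admin
    ("ops-alice-t0",    "10.10.0.5",  "10.20.1.5", 49500),  # sanctioned path: allowed
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        d = evaluate_wmi_request(*req)
        print("ALLOW" if d.allowed else "DENY ", req, "-", d.reason)
```

Only the last sample request is allowed; the first two show why the network filter matters even when an administrator credential has been stolen, since the PsExec/WMI stage of the infection chain originates from a compromised workstation, not from the PAM proxy.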


Mitigation Capabilities

From a design point of view, one might combine these capabilities into one or more logical solution components, such as a PAM solution. A PAM solution consists of several components, such as a password vault, an SSH/RDP proxy, an API layer, and an admin portal. Listing the required capabilities allows an architecture team to identify the standard requirements and the needed capabilities and solution building blocks. Some architectural decisions can only be made once the requirements are consolidated and the alternatives for implementing each capability have been weighed. For instance, how will your organization’s on-premises workforce connect to the applications in the data center? Will a micro-segmentation-based implementation in the data center be adequate? Or would an overall software-defined-perimeter solution be better suited to accomplish the same goals?

To answer these questions, apply Zero Trust principles wherever possible, bearing in mind that adopting them is a journey of several steps, each one improving the overall security posture. Take, for instance, one use case for the PAM component: logging on to the admin portal of the PAM solution.

First, employ micro-segmentation so that the PAM portal is reachable only by privileged users and by the operations team of the PAM solution. Then require multifactor authentication before access to the portal is granted. The required level of authentication should be determined from all relevant contextual information: the administrator’s device, the security posture of that device, the user’s geo-location, the device’s reputation history, and the type of network connection. This context is verified against the security policies, and the connection is refused if the access criteria are not met. Consider re-validating the authentication at regular intervals, or when a session exceeds its initially allotted time. When the privileged user interacts with sensitive resources within the PAM portal, step-up authentication can be enforced as well.

The PAM solution’s principal goal is to prevent administrators from using their privileged accounts for everyday business tasks (reading email, browsing the internet). Its secondary goal is to reduce the time administrators remain authenticated on systems, thereby shrinking the attack surface available to malware.
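The following Python, an added example rather than code from the article or from any PAM product, turns the portal policy described in the two paragraphs above into a single decision function: the contextual signals (managed device, device posture, geo-location, device reputation, network type) determine the assurance level the policy demands, the session records the highest factor already proven, a routine interval or an exhausted session allotment discards that proof, and sensitive actions inside the portal demand step-up. The thresholds, attribute names, country list and sample sessions are constructed assumptions.

```python
"""Contextual authentication for the PAM admin portal (added example, not code
from the page or from any PAM product). The required assurance level is
derived from device, posture, geo-location, device reputation and network
type; a session is re-validated at a routine interval or once it outruns its
allotted time; sensitive actions trigger step-up. Thresholds, attribute names
and sample sessions are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

DENY, MFA, STEP_UP = "deny", "mfa", "step-up"
LEVEL_RANK = {MFA: 1, STEP_UP: 2}          # a higher proven level satisfies a lower demand

REVALIDATION_INTERVAL_S = 15 * 60          # routine re-validation (constructed)
MAX_SESSION_S = 4 * 60 * 60                # initially allotted session time (constructed)
ALLOWED_COUNTRIES = {"DE", "NL", "US"}     # constructed geo-fence


@dataclass
class Context:
    managed_device: bool
    posture_ok: bool                 # e.g. disk encrypted, EDR running, patched
    country: str
    device_reputation: str           # "good" | "unknown" | "bad"
    network: str                     # "corporate" | "vpn" | "public"
    sensitive_action: bool = False   # e.g. checking out a domain-admin password


@dataclass
class Session:
    proven_level: Optional[str]      # highest factor completed so far, None if none
    started_at: float
    last_validated_at: float


def required_level(ctx: Context) -> str:
    """Map the contextual signals to the assurance level the policy demands."""
    if ctx.device_reputation == "bad" or ctx.country not in ALLOWED_COUNTRIES:
        return DENY
    if not ctx.managed_device or not ctx.posture_ok:
        return DENY   # an unmanaged or non-compliant device never reaches the portal
    if ctx.sensitive_action or ctx.network == "public" or ctx.device_reputation == "unknown":
        return STEP_UP
    return MFA        # baseline: MFA is always required before the portal


def decide(ctx: Context, session: Session, now: float) -> str:
    """Return 'allow', 'deny', or the factor the user must present now."""
    need = required_level(ctx)
    if need == DENY:
        return "deny"
    # Discard the proven level when the routine interval has elapsed or the
    # session has outrun its allotted time: the user must authenticate again,
    # which also keeps the time spent authenticated short.
    expired = (now - session.last_validated_at >= REVALIDATION_INTERVAL_S
               or now - session.started_at >= MAX_SESSION_S)
    proven = None if expired else session.proven_level
    if proven is None or LEVEL_RANK[proven] < LEVEL_RANK[need]:
        return need
    return "allow"


def complete_factor(session: Session, level: str, now: float) -> Session:
    """Record a successfully presented factor and reset the re-validation clock;
    a session that outran its allotment starts afresh."""
    if now - session.started_at >= MAX_SESSION_S:
        session.started_at = now
    session.proven_level = level
    session.last_validated_at = now
    return session


if __name__ == "__main__":
    now = 1_000_000.0
    ctx = Context(managed_device=True, posture_ok=True, country="DE",
                  device_reputation="good", network="corporate")
    s = Session(proven_level=None, started_at=now, last_validated_at=now)
    print(decide(ctx, s, now))                 # mfa: nothing proven yet
    complete_factor(s, MFA, now)
    print(decide(ctx, s, now + 60))            # allow
    ctx.sensitive_action = True
    print(decide(ctx, s, now + 60))            # step-up for a sensitive action
    print(decide(ctx, s, now + 20 * 60))       # interval elapsed: proof discarded
```

The ordering in `required_level` is deliberate: deny conditions are checked before anything that could raise the level, so a bad-reputation device is never offered a step-up prompt that would reveal which factors the portal accepts.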



The IBM Zero Trust governance model and existing frameworks such as MITRE ATT&CK can be combined to drive solutions that improve your organization’s security posture and reduce the attack surface exposed to ransomware. Want to know how this works in practice? Enroll in a cybersecurity training certification today!