ZTNA minimizes retailers' holiday ransomware threats

Holiday shopping season is here, which means retail organizations find themselves in the crosshairs of ransomware groups. And, if the past year has been any indication, organizations of all brands can look forward to higher attack frequency and potency. 

Although US and Western governments have cracked down significantly on ransomware groups since the wave of disastrous ransomware attacks, including the ColonialPipeline attack earlier this year, the allure of monetization keeps new and evolving groups coming back into the fold.

Retailers, manufacturers, and organizations with seasonal revenue dependencies simply can’t afford network downtime over the holidays. When point-of-sale systems, branch location connectivity, or payment servers go down, companies lose money and customers to competitors who may be operating just fine.  

On top of potential lost revenue, ransomware groups target retailers they know can’t afford downtime. Ransomware groups meticulously scour companies’ public financial statements, competitor information, and insurance coverage to identify worthy victims and decide how much they will charge to extort retailers for regained access to critical systems or data. 

Recently, we’ve seen the rise of various groups targeting VPN vulnerabilities, unpatched internet-facing servers, and leveraging commonly used windows persistence mechanisms to hide on corporate networks. 

How ransomware groups exploit retail networks

Ransomware groups generally use many of the same tactics used by other criminal and state actors to access corporate networks. These include conducting brute force attacks on passwords, or gaining entry through unpatched internet-facing servers and services, or connecting via uninspected VPNs. 

However, the holiday season brings a seasonal twist to the tried and true tactics malicious actors use to gain illicit network access, including the use of squatting domains, or websites designed to look like legitimate shopping sites; fake gift purchase emails; or spoofed credit card fraud alerts that trick users to supplying credentials on phishing sites. 

In fact, spear phishing remains one of the most popular methods of credential theft, and clever attackers love to use the lure of a free holiday gift card to load malware onto user devices. 

Compromised credentials allow attackers to cloak their network movements behind trusted user behavior, moving laterally to other retail networks, servers, and applications. Where ransomware groups differ from other malicious actors, though, is what happens after they gain network access.   

Once inside, ransomware groups focus on encrypting sensitive files and holding them for ransom, requiring victims to pay exorbitant amounts of money to access business-critical data or tools required to conduct business. While any sort of illicit behavior on corporate networks is bad for business, a ransomware attack—especially during the holidays—can wreak substantial financial and reputational havoc for retailers. 

 5 steps to protect retail operations from ransomware attacks

Retailers aren’t destined to be ransomware victims. With the five following network management and security best practices, they can fortify their networks against opportunistic infiltration attempts during the holiday season. 

1. Restrict access for superuser or privileged accounts. These usernames and passwords are often the most sought after by attackers as they enable access to a business’s most important resources. 
2. Conduct a quick audit of the remote desktop systems used to access corporate resources. If the remote desktop system isn’t essential, consider disabling it.
3. Provide extra monitoring for mission-critical systems and high-risk users.
4. Enable multi-factor authentication (MFA). This is especially important for remote users as they experience higher instances of device and credential compromise.
5. Back up critical systems and air gap them from the network. If attackers can reach backups, they’ll target those for encryption as well. 

What is a retailer’s best defense for ransomware attacks? A Zero Trust mindset.

A retailer’s best defense for ransomware attacks is embracing an effective Zero Trust mindset. Based on Zero Trust best practices, a Zero Trust mindset includes deploying products and policies that enable you to verify all users, devices, and applications; applying context-based access; securing all content; and monitoring users continuously. 

Given that VPN, remote desktop, and internet-facing applications are among the most popular ways for ransomware groups to gain network access, securing these access points with zero trust network access (ZTNA) technologies is a good starting point for retailers to begin their zero trust journey. An effective ZTNA solution, also known by many as a software-defined perimeter (SDP), does the following:

• Cloaks all internet-facing servers, applications, and services behind a single cloud-delivered service. Attackers can’t attack what they can’t see, and this prevents brute-forcing of exposed servers.
• Pre-connect device inspection. Before authenticating a user's access to a resource, the solution evaluates the security posture of the connecting device for signs of compromise or attacker persistence. 
• Provides identity-based access control. An effective ZTNA solution integrates with all of your identity stores to implement role-specific, contextually adaptive policies regardless of where or how a user is connecting - managed or unmanaged device, at the office or from home. 
• Defaults to deny posture. Only grant access to applications and services that the user has been explicitly authorized to access. Even once a user is authenticated, access should be granted to only specific services based on need-to-know.
• Executes continuous post-connect monitoring. Even after a user has been granted access to a resource, ZTNA solutions inspect the user’s traffic for signs of data loss, malware, or attempted lateral movement and reconnaissance. 
• Includes credential theft prevention. Advanced ZTNA solutions can detect and prevent users from supplying credentials to malicious websites by scanning username and password submissions on webpages against active corporate credentials.  

There are plenty of things for retailers to think about during this holiday season, but figuring out how to reclaim data, files, or even the ability to run their business from a ransomware group doesn’t need to be one of them. The proper preparation and Zero Trust know-how may be the difference between having a holiday season that is more merry and bright versus scary and a fright. 

Check out how Prisma Access leads the pack for ZTNA in the 2021 Forrester New Wave™: Zero Trust Network Access report.