How Zero Trust Network Access can thwart ransomware

On July 2nd, 2021, Kaseya discovered it was the latest ransomware victim. Kaseya’s VSA software is used by managed service providers (MSPs) to remotely manage their customers’ IT environments. Ransomware attackers found a vulnerability in the VSA software and exploited it to gain access to the MSPs’ networks and, through them, the networks of the MSPs’ customers. The attackers are now demanding $70 million in ransom from approximately 60 MSPs and approximately 1,500 of their customers. The attack follows the ransomware attacks on Colonial Pipeline and JBS, each of which paid out millions of dollars in ransom.

The Kaseya attack is an example of the growing trend of attacks that target software development and delivery “pipelines”, often referred to as software supply chain attacks. These attacks are significant because they do not stop at one organization; they seek to reach every organization connected to that supply chain. In the case of Kaseya, as mentioned above, that was approximately 1,500 businesses.

The root cause of the Kaseya attack is surprisingly simple. The attack itself was sophisticated, but it could not have hit its target, the VSA servers, if those servers had not been exposed to the Internet. Note: that root cause analysis comes from Kaseya itself and from the expert firms it hired to analyze the attack.

Before going into some of the preventative measures that can contain ransomware, let’s step back and quickly review how ransomware works. Ransomware attacks follow four broadly similar steps (a longer-form version of how ransomware works is posted here). In short, ransomware operates as follows:

  1. Land – Get a thin loader version of the ransomware onto a computer, such as the Kaseya VSA servers at the roughly 60 infected MSPs.
  2. Expand – The loader contacts a server under the attacker’s control to download the rest of its capabilities, so it can continue its seek-and-destroy mission.
  3. Multiply – The ransomware spreads across the business WAN. In the case of the Kaseya breach, it could spread to the roughly 1,500 businesses managed by Kaseya MSPs.
  4. Destroy – In ransomware terms, destroying a business means encrypting the data the business depends on (rendering it useless to the systems that need it) and, increasingly, taking copies of that data. If the business pays the ransom, the data is decrypted so business operations can resume, and in theory the stolen copy has not been shared or tampered with.


How could NetFoundry’s zero trust network access (ZTNA) architecture have been used to prevent the Kaseya ransomware attack?

Using a ZTNA architecture, the MSPs would have prevented the attack from ever reaching the Kaseya VSA servers. Normally, the land and destroy steps are very difficult to prevent, and zero trust architectures focus on minimizing the risk and impact of the expand and multiply steps.

In the Kaseya case, ZTNA’s ability to ‘take the VSA servers off the Internet’ would have blocked the ransomware at the land step. This doesn’t mean every business needed ZTNA. Either Kaseya (as the ISV or SaaS provider) or the MSPs could have embedded ZTNA in the Kaseya solution to protect the downstream businesses. Because ransomware has many doors into a WAN, the attackers might have found a different way in, but the VSA servers would no longer have been a reachable target in a zero trust architecture.

NetFoundry’s zero trust solution is available to ISVs (or SaaS providers) like Kaseya, to the MSPs who use Kaseya, and to the businesses who rely on those MSPs. This means that if any of the three parties had been using NetFoundry, the attack could have been prevented. That matters because usually only the business itself can implement ZTNA, and zero trust implementations can be long projects, whereas businesses, ISVs, SaaS providers and MSPs need ransomware protection now. NetFoundry supports multiple deployment options that can improve protection against ransomware immediately.

Option One: Kaseya Implements NetFoundry ZTNA

ISVs and SaaS providers like Kaseya can embed NetFoundry zero trust in their software via the NetFoundry SDKs, so that zero trust network access becomes a native part of the Kaseya application. Kaseya takes control: it can tell its MSPs and downstream customers that Kaseya servers no longer need to be opened to the Internet and are no longer sitting-duck targets for ransomware or other attacks. This protection applies even if the MSPs and their business customers haven’t finished their own zero trust architecture evolutions.

Option Two: Kaseya MSPs Implement NetFoundry ZTNA

Kaseya’s MSPs can integrate zero trust by using the NetFoundry SDKs to add zero trust to their own agent software, or by deploying NetFoundry in containers or VMs alongside the Kaseya software if the MSP has no software of its own on the customer premises. Either way, the MSP can tell its business customers that it has used zero trust to shield the Kaseya servers from ransomware and similar attacks. This protection applies even if the MSP and its business customers haven’t finished their own zero trust architecture evolutions.

Option Three: Businesses Implement NetFoundry ZTNA

Businesses can require their ISVs, SaaS providers and MSPs to embed zero trust. Or, the businesses can deploy NetFoundry zero trust in containers or VMs alongside the vendor software. In this scenario, NetFoundry provides zero trust as a SaaS service, and the business has the flexibility to apply NetFoundry ZTNA to specific user groups, solutions or clouds. Because NetFoundry zero trust is provided as turnkey SaaS and can be applied to specific use cases without disrupting the WAN, the business can be up and running with ZTNA in hours or days instead of the months required by traditional solutions.

In all zero trust deployment scenarios, NetFoundry’s ZTNA platform provides:

+ Secure identity

+ Authenticate before connect architecture

+ Least privileged access

+ Microsegmentation

+ Posture check and endpoint security

+ Dark networking – taking apps, servers and data off the Internet

+ Simplified and secured architecture: close all inbound firewall ports (the protected server only dials out to the fabric, so nothing on it listens for connections from the Internet)

+ Optimized delivery over a Global Zero Trust SDN (the NetFoundry Fabric)

More details on how these zero trust functions can block or mitigate ransomware are here.
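The three bullets that do the work in the Kaseya scenario are “authenticate before connect”, “dark networking” and “close all inbound ports”: the protected server opens no listening socket at all, it dials out to the overlay, and the overlay verifies a client’s identity before a single byte is relayed to the application. The following is a loopback-only toy model added here to make that inversion concrete; it is not NetFoundry’s code or protocol. The identity strings, the `SERVICE`/`CLIENT` framing and the broker are all assumptions of the example (a real ZTNA product uses enrolled certificates and mutual TLS, not static names), and the “fabric” is a single thread on 127.0.0.1.

```python
"""Toy model of ZTNA dark networking + authenticate-before-connect (constructed
example for this article, not NetFoundry code). A loopback broker stands in for
the fabric; the protected service only dials OUT and never calls listen(); the
broker checks each client's identity before relaying any byte to the service."""
import socket
import threading

AUTHORIZED_CLIENTS = {"client-laptop-7f3a"}   # assumed enrolled endpoint identity
SERVICE_IDENTITY = "vsa-server-01"            # assumed identity of the dark service
TIMEOUT = 5                                   # so a bug cannot hang the demo

def recv_line(sock):
    # Read one newline-terminated message (minimal framing for the toy protocol).
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode().rstrip("\n")

class Fabric:
    """Loopback broker standing in for the overlay; it is the ONLY listener."""
    def __init__(self):
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
        self.listener.listen(8)
        self.port = self.listener.getsockname()[1]
        self.service_sock = None
        self.service_ready = threading.Event()
        self.lock = threading.Lock()
        self.rejected = []                         # identities refused before connect
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self.listener.accept()
            conn.settimeout(TIMEOUT)
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        hello = recv_line(conn).split(" ", 2)  # "SERVICE <id>" or "CLIENT <id> <request>"
        if hello[0] == "SERVICE" and hello[1:] == [SERVICE_IDENTITY]:
            self.service_sock = conn               # kept open: the service dialled us
            self.service_ready.set()
            return
        if hello[0] == "CLIENT" and len(hello) == 3:
            identity, request = hello[1], hello[2]
            if identity not in AUTHORIZED_CLIENTS:
                self.rejected.append(identity)
                conn.sendall(b"DENIED\n")          # the service never sees this peer
            elif not self.service_ready.wait(timeout=2):
                conn.sendall(b"SERVICE UNAVAILABLE\n")
            else:
                with self.lock:                    # relay one request at a time
                    self.service_sock.sendall(request.encode() + b"\n")
                    reply = recv_line(self.service_sock)
                conn.sendall(reply.encode() + b"\n")
        conn.close()

class DarkService:
    """The protected app: one outbound connected socket, no listener at all."""
    def __init__(self, fabric_port):
        self.sock = socket.create_connection(("127.0.0.1", fabric_port))
        self.sock.sendall(f"SERVICE {SERVICE_IDENTITY}\n".encode())
        self.requests_seen = []
        threading.Thread(target=self._run, daemon=True).start()

    def _run(self):
        while True:
            req = recv_line(self.sock)
            if not req:
                break
            self.requests_seen.append(req)
            self.sock.sendall(f"OK handled {req}\n".encode())

    def is_listening(self):
        # True only if the socket is in LISTEN state, which it never is here.
        return bool(self.sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN))

def client_request(fabric_port, identity, request):
    """A client dials the fabric; identity is checked before it can reach the app."""
    with socket.create_connection(("127.0.0.1", fabric_port), timeout=TIMEOUT) as s:
        s.sendall(f"CLIENT {identity} {request}\n".encode())
        return recv_line(s)

def demo():
    fabric = Fabric()
    service = DarkService(fabric.port)
    fabric.service_ready.wait(timeout=2)
    good = client_request(fabric.port, "client-laptop-7f3a", "GET /status")
    bad = client_request(fabric.port, "internet-scanner", "GET /status")
    return {"service_listening": service.is_listening(),
            "authorized_reply": good, "unauthorized_reply": bad,
            "requests_that_reached_service": list(service.requests_seen),
            "rejected_before_connect": list(fabric.rejected)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two properties are worth checking when running it. First, `is_listening()` stays false: the protected host has no socket in LISTEN state, so an Internet scan of that host finds nothing to exploit, which is what ‘taking the VSA servers off the Internet’ means in practice. Second, the unenrolled identity is refused by the broker and `requests_seen` on the service contains only the authorized request; the application never parses a byte from the unauthenticated peer. The toy has the limitations of a toy: identities are plain strings rather than enrolled certificates, the relay carries no encryption, and anyone who knows the service name could register as it, all of which a real overlay handles with mutual TLS and enrollment.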


Summary: ZTNA could have prevented the Kaseya ransomware attack

No solution is 100% impervious to security threats. However, ZTNA within a zero trust architecture could have prevented the Kaseya attack as it was actually carried out (attacking exposed Kaseya VSA servers). Had a zero trust architecture closed that door, the ransomware might have found others. ZTNA’s microsegmentation and least privileged access also isolate ransomware that does land, preventing it from spreading to the point at which it can take down a business.

Everyone needs ransomware defenses now. By enabling ISVs, SaaS providers and MSPs to integrate zero trust easily, NetFoundry provides a solution that can be deployed immediately against the ransomware wave now cascading across the globe.

Proactive ISVs, SaaS providers and MSPs will integrate zero trust to strengthen their security and ensure their solutions are not ransomware conduits. Businesses will increasingly require their vendors to embed zero trust as table stakes for being selected. Likewise, businesses are rapidly moving to zero trust, and NetFoundry accelerates this migration by enabling them to implement zero trust as a service, iteratively, without forklift upgrades and without any hardware deployments. ZTNA won’t prevent every attack. But the Kaseya ransomware attack vector would have been thwarted if Kaseya, the Kaseya MSPs or the downstream businesses had implemented a zero trust architecture.


Additional Resources

Web: How Zero Trust Can Stop the Spread of Ransomware

Web: How Embedded ZTNA can Enhance Cybersecurity

Twitter: @NetFoundry
