Defending against backdoor attacks with zero trust


Attackers are doubling down on backdoor attacks that deliver ransomware and malware, proving that businesses need zero trust to secure their endpoints and identities.

IBM’s Security X-Force Threat Intelligence Index 2023 warns that attackers are prioritizing these backdoor attacks as they attempt to extort downstream victims whose data has been compromised. Twenty-one percent of all intrusion attacks started with a backdoor breach attempt. Two-thirds of backdoor attempts included a ransomware element.

IBM’s X-Force Intelligence team also discovered that backdoor attacks surged in February and March of last year, measured by a significant spike in Emotet malware incidents. The spike was so significant that it accounted for 47% of all backdoor intrusion attempts identified worldwide in 2022. 

“While extortion has mostly been associated with ransomware, extortion campaigns have also included a variety of other methods to apply pressure on their targets,” said Chris Caridi, cyber threat analyst for IBM security threat intelligence. “And these include things like DDoS attacks, encrypting data, and more recently, some double and triple extortion threats combining several of the previously seen elements.”

Ransomware attackers are out-innovating businesses that rely on perimeter-based security. In two years, they’ve achieved a 94% reduction in the average time to deploy a ransomware attack. What took ransomware attackers two months to accomplish in 2019 took just under four days in 2021.

Backdoors give undetectable access to attackers, who often perform extensive reconnaissance before launching attacks on a company’s core IT infrastructure. Source: IBM’s Security X-Force Threat Intelligence Index 2023

The lucrative world of backdoor attacks

Backdoor access to an enterprise’s infrastructure is among the most marketable and high-priced assets for sale on the dark web.

CrowdStrike’s 2023 global threat report found that access brokers continue to create a thriving business remarketing stolen credentials and identities to ransomware attackers in bulk. CrowdStrike’s highly regarded intelligence team found that government, financial services, industrial and engineering organizations had the highest average asking price for access. Access to the academic sector had an average price of $3,827, while access to the government sector had an average price of $6,151.

The IBM team notes in the 2023 index that “initial access brokers typically attempt to auction their accesses, which X-Force has seen at $5,000 to $10,000, though final prices may be less. Others have reported accesses selling for $2,000 to $4,000, with one reaching $50,000.” 

Manufacturing extends its lead as the most attacked industry 

Nearly one in four incidents that IBM tracked in its threat intelligence index targeted manufacturing, an industry known for a very low tolerance for downtime. This increases their motivation to pay ransomware demands fast, and often at high multiples.

The sector has also earned a reputation as a soft target because many manufacturers underspend on security. Manufacturers’ systems are down for an average of five days after a cyberattack. Of these, 50% respond to the outage in three days, and only 15% respond in a day or less.

Manufacturing’s low tolerance for downtime is an attack magnet. Source: IBM’s Security X-Force Threat Intelligence Index 2023

How organizations can battle backdoor attacks with zero trust 

Backdoor attacks prey on the false sense of security that perimeter-based systems create and perpetuate. Edward Snowden’s book Permanent Record removed any doubt in the cybersecurity community that assumed trust is lethal: it showed how too much implicit trust can compromise even an intelligence network. CISOs tell VentureBeat that they keep a copy of this book in their offices and quote from it when their zero trust security budgets are questioned.

Here are the proven ways businesses can battle back against backdoor attacks, starting with treating every new endpoint and identity as a new security perimeter.

Audit access privileges, delete unnecessary or obsolete accounts and re-evaluate admin rights

Ivanti’s 2023 cybersecurity status report found that 45% of enterprises believe former employees and contractors still have active access to company systems and files due to inconsistent or nonexistent procedures for canceling access. De-provisioning isn’t often followed, and third-party apps still have access embedded within them.

“Large organizations often fail to account for the huge ecosystem of apps, platforms and third-party services that grant access well past an employee’s termination,” said Srinivas Mukkamala, chief product officer at Ivanti. “We call these zombie credentials, and a shockingly large number of security professionals — and even leadership-level executives — still have access to former employers’ systems and data.”
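As an added illustration (not code from the article, Ivanti or any vendor named here), the following Python script shows the kind of cross-check behind an access audit: it compares an HR roster against an identity-provider export and a list of third-party app grants, all constructed sample data, and flags the “zombie credentials” Mukkamala describes, along with orphaned service accounts and dormant admin rights. The finding kinds, the field names and the 90-day dormancy threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inputs (hypothetical; not data from the article or any vendor).
# HR roster: employment status and, for leavers, the termination date.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "terminated", "end_date": date(2023, 1, 15)},
    "carol": {"status": "terminated", "end_date": date(2022, 11, 30)},
    "dave": {"status": "active", "end_date": None},
}

# Identity-provider export: one row per account.
IDP_ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": False, "last_login": date(2023, 4, 20)},
    {"user": "bob", "enabled": True, "admin": True, "last_login": date(2023, 3, 2)},
    {"user": "carol", "enabled": False, "admin": False, "last_login": date(2022, 11, 29)},
    {"user": "dave", "enabled": True, "admin": True, "last_login": date(2022, 9, 1)},
    {"user": "svc-legacy", "enabled": True, "admin": False, "last_login": None},
]

# Third-party app authorizations (OAuth grants, API keys) owned by a user.
THIRD_PARTY_GRANTS = [
    {"user": "bob", "app": "crm-sync", "scopes": ["contacts.read", "contacts.write"]},
    {"user": "alice", "app": "ci-runner", "scopes": ["repo.read"]},
    {"user": "carol", "app": "ticketing", "scopes": ["tickets.read"]},
]

AUDIT_DATE = date(2023, 5, 1)  # constructed "today" for the sample run


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # see audit_access() for the finding kinds
    detail: str


def audit_access(roster, accounts, grants, today, dormant_days=90):
    """Cross-check identity data against HR and return a list of Findings.

    Finding kinds (assumed taxonomy for this example):
      zombie_account          enabled account of a terminated person
      post_termination_login  a terminated person's account was used after leaving
      stale_admin             active admin who has not signed in for dormant_days
      dormant_account         active non-admin who has not signed in for dormant_days
      unknown_owner           account with no HR record (orphaned service account)
      zombie_grant            third-party grant owned by a departed or unknown user
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        hr = roster.get(user)
        if hr is None:
            findings.append(Finding(user, "unknown_owner", "no HR record for this account"))
            continue
        if hr["status"] == "terminated":
            if acct["enabled"]:
                days = (today - hr["end_date"]).days
                findings.append(Finding(user, "zombie_account",
                                        f"still enabled {days} days after termination"))
            if acct["last_login"] and acct["last_login"] > hr["end_date"]:
                findings.append(Finding(user, "post_termination_login",
                                        f"signed in on {acct['last_login']}"))
            continue
        # Active employee: flag dormant accounts; dormant admins are a separate, higher-severity kind.
        last = acct["last_login"]
        if last is None or (today - last).days > dormant_days:
            kind = "stale_admin" if acct["admin"] else "dormant_account"
            findings.append(Finding(user, kind, f"last sign-in {last}"))

    # Embedded third-party access outlives the account it was granted through.
    departed = {u for u, h in roster.items() if h["status"] == "terminated"}
    for g in grants:
        if g["user"] in departed or g["user"] not in roster:
            findings.append(Finding(g["user"], "zombie_grant",
                                    f"{g['app']} still authorized for {g['scopes']}"))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_access(HR_ROSTER, IDP_ACCOUNTS, THIRD_PARTY_GRANTS, AUDIT_DATE):
        print(f"{f.kind:24} {f.user:12} {f.detail}")
```

In a real deployment the three inputs would come from the HR system, the identity provider’s user API and each SaaS platform’s authorization list; the point of the example is that de-provisioning has to be checked in all three places, not just the directory.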

Multifactor authentication can be a quick win

Forrester senior analyst Andrew Hewitt told VentureBeat that the best place to start when securing identities is “always around enforcing multifactor authentication. This can go a long way toward ensuring that enterprise data is safe. From there, it’s enrolling devices and maintaining a solid compliance standard with the unified endpoint management (UEM) tool.”

Forrester also advises enterprises that, to excel at MFA implementations, they should consider adding what-you-are (biometric), what-you-do (behavioral biometric) or what-you-have (token) factors to legacy what-you-know (password or PIN code) single-factor authentication implementations. It’s an area where CISOs are getting quick zero-trust wins today that are saving tomorrow’s budgets.

Monitor all network traffic, assuming any user, identity, endpoint or device could be compromised

As one of the core elements of any zero trust strategy, CISOs and their teams need to monitor, scan and analyze network traffic to identify any backdoor threats before they succeed. Nearly every security information and event management (SIEM) and cloud security posture management (CSPM) vendor includes monitoring as a standard feature.

There continues to be an increase in the scope and scale of innovation in the SIEM and CSPM markets. Leading SIEM providers include CrowdStrike Falcon, Fortinet, LogPoint, LogRhythm, ManageEngine, QRadar, Splunk and Trellix.

Limit lateral movement and shrink attack surfaces with microsegmentation

One of the foundational concepts of zero trust is microsegmentation. The NIST zero trust framework mentions microsegmentation at the same level of importance as identity-based governance, authentication, and network and endpoint security management.

Airgap, AlgoSec, ColorTokens, Illumio, Prisma Cloud and Zscaler cloud platform have proven effective in identifying and thwarting intrusions and breach attempts early using their unique approaches to microsegmenting identities and networks.

Airgap’s zero-trust isolation platform is built on microsegmentation that defines each identity’s endpoint as a separate entity and then enforces contextually relevant policies, preventing lateral movement. AirGap’s trust anywhere architecture includes an autonomous policy network that scales microsegmentation policies network-wide immediately.

AirGap’s architecture provides visibility of all network traffic, microsegmentation of every endpoint, secure asset access (MFA/SSO) for all apps and machines and immediate ransomware response with its ransomware kill switch technology, which detects and locks down suspected traffic on any endpoint. Source: Airgap.io website
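To make the microsegmentation idea concrete, here is an added example in Python, written for this page and not taken from Airgap, NIST or any other vendor named above. It models an identity-keyed, default-deny policy for a hypothetical three-tier application: every flow is denied unless an explicit rule allows that identity to reach that segment on that port, an administrative rule additionally requires a verified MFA factor, and a quarantine set plays the role of a kill switch that cuts off a suspect endpoint regardless of policy. The roles, segments, ports and flows are all constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_endpoint: str    # device or workload instance initiating the connection
    src_identity: str    # identity the policy is keyed on (user or workload role)
    dst_segment: str     # microsegment the destination belongs to
    dst_port: int
    mfa_verified: bool = False


@dataclass(frozen=True)
class Rule:
    src_identities: frozenset
    dst_segment: str
    ports: frozenset
    require_mfa: bool = False
    name: str = ""


# Constructed policy for a hypothetical three-tier app: web -> app -> db.
# Anything not listed here is denied, including traffic between peers in one tier.
POLICY = [
    Rule(frozenset({"role:web"}), "app-tier", frozenset({8443}), name="web-to-app"),
    Rule(frozenset({"role:app"}), "db-tier", frozenset({5432}), name="app-to-db"),
    Rule(frozenset({"role:dba"}), "db-tier", frozenset({22, 5432}),
         require_mfa=True, name="dba-admin"),
]


class Enforcer:
    """Default-deny policy evaluator with a per-endpoint quarantine (kill switch)."""

    def __init__(self, policy):
        self.policy = policy
        self.quarantined = set()

    def quarantine(self, endpoint):
        """Lock down one endpoint: all of its outbound flows are denied from now on."""
        self.quarantined.add(endpoint)

    def evaluate(self, flow):
        """Return (verdict, reason) for a single flow."""
        if flow.src_endpoint in self.quarantined:
            return ("deny", "endpoint quarantined")
        for rule in self.policy:
            if (flow.src_identity in rule.src_identities
                    and flow.dst_segment == rule.dst_segment
                    and flow.dst_port in rule.ports):
                if rule.require_mfa and not flow.mfa_verified:
                    return ("deny", f"{rule.name}: MFA required")
                return ("allow", rule.name)
        return ("deny", "default deny: no matching rule")


# Constructed flows; the comments give the expected verdict under POLICY.
SAMPLE_FLOWS = [
    Flow("web-01", "role:web", "app-tier", 8443),                  # allow: web-to-app
    Flow("web-01", "role:web", "db-tier", 5432),                   # deny: web may not reach db
    Flow("web-01", "role:web", "web-tier", 445),                   # deny: no peer-to-peer SMB
    Flow("app-07", "role:app", "db-tier", 5432),                   # allow: app-to-db
    Flow("laptop-3", "role:dba", "db-tier", 22),                   # deny: MFA not verified
    Flow("laptop-3", "role:dba", "db-tier", 22, mfa_verified=True),  # allow: dba-admin
]


def run(enforcer, flows):
    """Evaluate a batch of flows and return just the verdicts, in order."""
    return [enforcer.evaluate(f)[0] for f in flows]


if __name__ == "__main__":
    enf = Enforcer(POLICY)
    for f in SAMPLE_FLOWS:
        print(f.src_endpoint, f.src_identity, "->", f.dst_segment, f.dst_port, enf.evaluate(f))
    enf.quarantine("app-07")
    print("after quarantine:", enf.evaluate(SAMPLE_FLOWS[3]))
```

The second and third flows are the lateral-movement cases the section is about: a compromised web server cannot reach the database directly or its neighbouring web servers over SMB, because no rule grants that identity those paths. Quarantining app-07 turns its previously allowed database flow into a denial without any change to the policy itself.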

Monitor endpoints and make them self-healing and resilient

With the attacker’s tool of choice being Emotet malware, every endpoint needs to be resilient, self-healing and capable of monitoring traffic in real time. The goal must be to enforce least-privileged access by identity for any resource requested across each endpoint. 

The more resilient an endpoint is, the more likely it can repel an attack on identities. A self-healing endpoint will shut down and validate its core components, starting with its OS. After patch versioning, the endpoint will automatically reset to an optimized configuration. Absolute Software, Akamai, CrowdStrike Falcon, Ivanti Neurons, Malwarebytes, Microsoft Defender, SentinelOne, Tanium, Trend Micro and other vendors offer self-healing endpoints. 

Endpoint platforms are innovating rapidly in response to threats. The unique approach of Absolute’s resilience platform provides IT and security teams with real-time visibility and control and asset management data for any device, networked or not. The company has shown consistently high levels of innovation.  

Absolute also invented and launched the first self-healing zero-trust platform for asset management, device and application control, endpoint intelligence, incident reporting, resilience and compliance. The company’s undeletable digital tether has proven effective in monitoring and validating every PC-based endpoint’s real-time data requests and transactions. 

A data-driven approach to patch management can give IT a much-needed break

CIOs tell VentureBeat that their teams are stressed out enough without dealing with device inventories that need patching. As a result, patching gets pushed down the priority list as IT and security teams are too often fighting fires. 

“Endpoint management and self-healing capabilities allow IT teams to discover every device on their network, and then manage and secure each device using modern, best-practice techniques that ensure end users are productive and company resources are safe,” Srinivas Mukkamala, chief product officer at Ivanti, said in a recent interview with VentureBeat.

Getting patch management right at scale takes a data-driven approach. Leading vendors in this area are capitalizing on the strengths of AI and machine learning (ML) to solve the challenges of keeping thousands of devices current. Leading vendors include Broadcom, CrowdStrike, SentinelOne, McAfee, Sophos, Trend Micro, VMWare Carbon Black and Cybereason.

One of the most innovative approaches to patch management is found in Ivanti’s Neurons platform, which relies on AI-based bots to seek out, identify and update all patches across endpoints that need to be updated. Ivanti’s risk-based cloud patch management is noteworthy for how it integrates the company’s vulnerability risk rating (VRR) to help security operations center (SOC) analysts take risk-prioritized action. Ivanti has also worked out how to provide service-level agreement (SLA) tracking that gives visibility into devices nearing their SLA, enabling teams to take preemptive action.

Ivanti’s cloud-native patch management solution prioritizes vulnerabilities by risk exposure, patch reliability and device compliance. Source: Ivanti Risk-based Patch Management
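The following Python example is added for this page to show what “prioritize by risk exposure, patch reliability and device compliance, with SLA tracking” looks like as a computation. It is not Ivanti’s code and does not reproduce the VRR formula; the 0-to-10 risk rating, the 1-to-5 device criticality, the weighting in risk_score() and the three-day SLA warning window are all assumptions, and the hosts and patch identifiers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    host: str
    criticality: int       # 1 (lab box) .. 5 (crown-jewel system); assumed scale


@dataclass(frozen=True)
class MissingPatch:
    host: str
    patch_id: str
    risk_rating: float     # 0..10 vulnerability risk rating; assumed scale, not Ivanti's VRR
    exploited_in_wild: bool
    reliability: float     # 0..1 share of past deployments of this patch that succeeded
    released: date
    sla_days: int          # days after release by which policy requires installation


# Constructed inventory and missing-patch list (hypothetical hosts and patch ids).
DEVICES = {
    "db01": Device("db01", 5),
    "web03": Device("web03", 4),
    "ws42": Device("ws42", 2),
}

MISSING = [
    MissingPatch("db01", "PATCH-A", 9.8, True, 0.95, date(2023, 4, 20), 14),
    MissingPatch("ws42", "PATCH-B", 5.0, False, 0.90, date(2023, 4, 1), 30),
    MissingPatch("web03", "PATCH-C", 7.5, False, 0.60, date(2023, 3, 15), 30),
    MissingPatch("ws42", "PATCH-D", 3.1, False, 0.99, date(2023, 4, 28), 30),
]

REPORT_DATE = date(2023, 5, 1)  # constructed "today" for the sample run

STATUS_RANK = {"breached": 0, "at_risk": 1, "ok": 2}


def risk_score(mp, device):
    """Risk exposure weighted by asset criticality, active exploitation and patch reliability.

    Assumed weighting for this example: known in-the-wild exploitation doubles the score,
    and a flaky patch (low reliability) is discounted by up to half so that the queue
    does not fill with deployments likely to fail and need rework.
    """
    s = mp.risk_rating * device.criticality
    if mp.exploited_in_wild:
        s *= 2.0
    s *= 0.5 + 0.5 * mp.reliability
    return round(s, 2)


def sla_status(mp, today, warn_days=3):
    """Return (status, days_left) relative to the patch's SLA deadline."""
    remaining = mp.sla_days - (today - mp.released).days
    if remaining < 0:
        return "breached", remaining
    if remaining <= warn_days:
        return "at_risk", remaining
    return "ok", remaining


def prioritize(missing, devices, today, warn_days=3):
    """Build the work queue: SLA breaches first, then devices nearing SLA, then by risk score."""
    rows = []
    for mp in missing:
        status, remaining = sla_status(mp, today, warn_days)
        rows.append({
            "host": mp.host,
            "patch_id": mp.patch_id,
            "score": risk_score(mp, devices[mp.host]),
            "sla_status": status,
            "sla_days_left": remaining,
        })
    rows.sort(key=lambda r: (STATUS_RANK[r["sla_status"]], -r["score"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(MISSING, DEVICES, REPORT_DATE):
        print(f"{r['sla_status']:8} {r['sla_days_left']:4d}d  {r['score']:6.2f}  {r['host']:6} {r['patch_id']}")
```

Two things the output makes visible that a flat CVSS list would not: the already-breached patch on web03 goes to the top even though its raw score is far below the actively exploited one on db01, and the low-risk patch on ws42 sits at the bottom because its SLA has 27 days left. The “at_risk” rows are the devices nearing SLA that the section says teams should act on preemptively.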

Zero trust doesn’t need to be expensive to be effective 

Backdoor attacks thrive when an organization cuts its security budget and relies on perimeter-based security — or none at all, simply hoping a breach won’t happen.

Defining a zero trust framework that fits an organization’s business strategy and goals is table stakes. And the technologies and approaches involved do not need to be expensive to be effective.
