As an onslaught of ransomware attacks accelerates, cybercriminal organizations are demonstrating increasing levels of sophistication and guile. Most recently, the Federal Bureau of Investigation (FBI) revealed that some hackers are targeting organizations facing time-sensitive financial events to maximize leverage over their victims. These events include planned earnings report releases as well as mergers and acquisitions (M&A).
Seeing as how ransomware gangs are increasingly operating like businesses themselves (albeit in a distinctly criminal manner), it only makes sense that they would seek to improve their negotiating position by applying pressure to their counter-parties at the most inopportune times. Due to the massive potential sums that can be extorted, this threat will continue to metastasize.
There is a silver lining to such behavior, as it is becoming more predictable and thus—in some aspects—more easily defended against. The very events that increase criminal hackers’ leverage against their victims will at the same time make timing of their attacks forseeable.
The role of zero trust and its policy engines
Zero-trust access (ZTA) models are increasingly in vogue as a method to protect against a broad array of threats, including ransomware. Although zero-trust principles are broadly applicable, in light of the new threats facing organizations—specifically from financially motivated actors that engage in extortion—special attention is due for the policy engines at the heart of ZTA systems.
A policy engine is the “brain” of a ZTA-based architecture, which dictates the level of scrutiny applied to human and machine network agents as they attempt to authenticate themselves and gain access to resources. These engines make decisions about whether to approve or deny access—or demand additional authentication factors—based on different factors including implied geolocation, time of day, threat intelligence indicators, and sensitivity of data being accessed.
ZTA does not merely facilitate heightened scrutiny of network actors that behave suspiciously. It also allows for streamlined access by bona fide users to enhance productivity and reduce business interruptions resulting from security measures. Thus, properly implemented zero-trust systems achieve the best of both worlds: enhanced cybersecurity and more rapid generation and delivery of business value.
Adjusting zero trust baselines for context-aware security
To make this model even more powerful in the face of the evolving ransomware threat, I would suggest that ZTA systems incorporate additional factors—in concert with the aforementioned ones—to allow organizations to assume a context-aware security posture. This could take the form of increasing or decreasing the baseline level of scrutiny applied to network agents based on both publicly announced and privately contemplated events.
The days before the release of quarterly earnings, a critical shareholder vote, or a major contract award decision are all examples of higher-risk times. During these periods, organizations could calibrate their policy engines to be more “suspicious,” driving more stringent authorization requirements. Similarly, when an enterprise knows confidentially that it is at higher risk—such as during acquisition discussions with a potential buyer or after a key cybersecurity executive has given notice of intent to depart the company—it could also increase the level of scrutiny applied by the policy engine.
Conversely, during lower risk times, employees would experience reduced levels of resistance when attempting to access various resources. This would ameliorate some frustration that employees have with security-related controls, making them generally less likely to attempt to evade such measures.
Implementing such a model would require substantial investment, to be sure. A key to maintaining a continually adjusted context-aware security posture is automation, which would rely on integrations between human resources, financial reporting, contract management, and similar systems and the policy engine. Furthermore, developing and tuning the algorithms driving the policy engine’s decision-making will require substantial time and research.
Organizations implementing such context-driven policies will need to be sure they don’t tip their hand through enhancing or relaxing security measures. For example, if authorized users could clearly detect an increase in security measures at an unexpected time (e.g., not before a scheduled earnings announcement), they might be able to intuit that something else is afoot that they should not otherwise know about, such as a planned merger. Similarly, a patient unauthorized intruder might be able to monitor fluctuating security requirements and determine what an especially critical juncture for its target might be.
With that said, a well-designed and well-implemented context-aware security posture could incrementally reduce the likelihood of a company suffering a devastating cyberattack at the worst possible moment. It would also drive additional value by reducing unnecessarily restrictive security burdens during lower-risk periods.
Context-driven security policies could be applied outside the private sector as well, in government and government-adjacent fields. The stringency of federal, state and local department and agency security policies could increase prior to major events such as elections to defend against malicious cyber actors attempting to improperly influence or disrupt them. In addition to other security measures, political campaigns could automatically harden their networks in the run-up to the polls to avoid doxxing or espionage.
Just like their corporate counterparts, governments would need to be careful not to reveal non-public plans or activities, such as a clandestine military action or movement. The U.S. Army is closely focused on signature management efforts to help achieve victory on future battlefields, and these efforts should consider the impacts of automated changes in an organization’s cybersecurity posture.
Despite these caveats, the potential use cases for a context-aware security posture are numerous. Given the incredible damage being wrought by malign cyber actors of all stripes—from purely profit-seeking ransomware gangs to nation-state advanced persistent threat actors—novel solutions are in dire need. Allowing organizations to adjust their cybersecurity defenses based on an increased range of factors, a context-aware security posture would help to prevent some of the massive harm that is bound to continue otherwise.