We recently had the chance to catch up with Seamus Lennon, VP of operations at ThreatLocker, to talk us through what makes Zero Trust such a vital part of any organisation’s security toolbox, how ransomware gangs operate and target their victims, and the challenges of network security in a hybrid working environment.
Cyber Daily: We have a lot of business leaders that read Cyber Daily to try and understand the world of cyber security. So let’s get down to some of the basics – what is Zero Trust and why should businesses be implementing this kind of structure?
Seamus Lennon: So Zero Trust, or the definition of Zero Trust, is basically to only allow access where access is required. It's about least privilege. And when you take that concept into an endpoint security solution, think about it – if we only allow the applications that need to run, well, we're blocking and denying anything malicious from executing. But that's not the be-all and end-all of everything, because what happens is attackers will get into an environment, and what they will do is they'll use what we call living-off-the-land techniques. They'll utilise the applications that are installed on the machine to their benefit.
So with every single application a user runs in a Windows environment, that application has access to all of that user's data because it runs under that user's profile. What they'll do is they'll utilise the likes of PowerShell to do data exfiltration. They'll combine PowerShell with BitLocker to encrypt files, or even use WinZip. WinZip can encrypt files as well; it's a perfectly genuine application, but it can be used nefariously in the environment.
With ThreatLocker, what we do is, for the applications we run in the environment, we place what we call ring-fencing on those applications. In other words, we can say, “Okay, well, PowerShell, you can run, but you cannot access any of my data”. You can only access what you need to access with least privilege. You cannot even go and reach out to the Internet to execute payloads or malware or anything on the devices as well.
Again, it's about applying that least privilege across the board. And when we're talking about least privilege, we're also talking about user rights in the environment, local admins, as we call them. There may be companies out there that have legacy applications that require the user to be a local admin on the machine. Well, we can implement what we call elevation control, which allows the elevation of that individual application without actually elevating the user at any point in time. Which means we can do that in a controlled manner, allowing the users to continue to work as they've always worked, without bringing in those vulnerabilities of that higher privilege in the environment as well.
And on top of that, then we have what we call storage control. And look, ransomware is all about data, and if we can protect our data, we can stop ourselves from being a victim of a ransomware attack. So with storage control, we can control the ability or the access to the data in the environment. Now this could be as simple as blocking or denying USB devices. Most other solutions could do that as well. We can allow access to USB devices, but not only the access to the USB devices. We can say, “Okay, well, this person needs access to the USB device, but they only need to open up photos”. So we'll only allow access to JPEG files and that's it, nothing else.
Let’s talk about your data in the environment. We all do a local backup and then we push that off to the cloud. But what actually needs access to that local backup? Well, the answer to that is quite simple. It's not a user and it's not a device. The only thing that needs access to that backup location is the actual backup software itself. So think about it. If an attacker got into an environment with full Zero Trust in place, they can't really do much. They can't get anywhere.
Well, in true Zero Trust, they won't actually get in in the first place.
Cyber Daily: And it's pretty important, especially with current data, with how long threat actors might stay present in a network where they're moving laterally, in a true Zero Trust model.
I'm a journalist – there would be no reason for me to be putting my nose in financial documents or pay documents or HR or any of the other functions of a business. With the Zero Trust model, you would detect that anomaly – why is this person now trying to move across the network and do these weird things?
Seamus Lennon: Yeah. And that's true when you talk about the persistence of attackers.
I'm based here in Dublin. The HSE – which is our Health Service Executive – had the worst ransomware attack we've seen in the history of the state. Back in 2021, basically the whole HSE was taken down completely. All of the systems were gone. Nurses and doctors were relying on pen and paper with no access to any systems. Now, when they looked at that attack, the attackers were sitting there for eight weeks before they executed that attack on a Bank Holiday weekend. As with most ransomware attacks, the biggest ones are done over a bank holiday or any holiday period. And basically what they found was it was all PowerShell. They got in, they got access to PowerShell and they used PowerShell to basically deploy the ransomware across the whole estate and infect every single machine.
Now, obviously, if PowerShell itself had been locked down in that environment and could only access what it needed to access, the flags would have been shown and it would have been blocked and denied.
Cyber Daily: Given the rise of work-from-home, it seems that most businesses have some kind of element of remote or hybrid working – but that's also created a risk that I think a lot of businesses in Australia really overlook. And that's an endpoint security issue, because you've got people that are accessing your company's networks with their personal mobile phone, their personal laptop…
Do you think, from your experience, from what you've seen working with companies, that that's quite an overlooked vector?
Seamus Lennon: As a result of COVID, hybrid is here to stay. It's never going to go away, unless you work for Amazon, but the problem with hybrid working is about the connections that they're making.
So let's say there's an employee that works remotely from home, they're connected to the home broadband, they're using a VPN to tunnel into the corporate network to access all of their data and the functionalities as well. But that connection is also shared with everything else in the home network. Now long gone are the corporate-based firewalls that could protect us in that environment – they're gone.
So this is a home broadband connection that doesn't have a proper firewall. It's also shared in that network locally with all of the smart devices in that area. So you're talking about smart TVs, your lights, your cameras, your doorbells. Any single vulnerability in any of those devices will allow attackers into that network. And because they get into that network, they could get onto that user's device. Once they're onto that user’s device, they can use the VPN tunnel to gain access to the corporate environment.
And that's the thing – when it comes to the ransomware attack we talked about earlier, you know, attackers just moving on, it's the path of least resistance. And where is the path of least resistance? It's actually the endpoint. There's no point in going after the corporate network when they know that's backed up with a corporate firewall. Everything's in place to stop them from getting in. But the home network's not. So it's quite easy to just get into the home network and from there infiltrate into the actual network itself.
Cyber Daily: These are the unsecured entry points that people are going to go after. Gone are the days where you think there's going to be some major heist and you're going to go straight for the bank or straight for the insurer. We've seen many cases in Australia like this, it might be your contractor who has been given access rights, admin rights, across a range of things. And they log in from their personal laptop and it’s all history at that point.
Seamus Lennon: From there, it is all history. And that is the thing.
So let's say the endpoint is where attacks begin. That's where they all begin. If you look statistically, it's always at the endpoint or it's never. They never go for, you know, the Googles of the world, they never get attacked because they're backed by the infrastructure that will protect them.
A home network is not protected in the same way. A home network is connected to the Internet, and that's the biggest issue with remote working, is that remote workers are fully connected to the Internet and share in that Internet with all the adversaries that are out there as well.
Cyber Daily: For a lot of our business readers, that are trying to navigate the future of cyber security, do you perhaps have a tip or two that you could offer them to help them on that journey?
Seamus Lennon: Yeah, well, look, we are a Zero Trust endpoint security solution. I strongly believe that Zero Trust is going to be the future of endpoint security. The days of relying on detection to solve all of our problems are gone, unfortunately.
If you just look statistically at the number of ransomware attacks, the number of companies and businesses out there that had thought they were protected, but just aren't… By implementing that Zero Trust, and particularly within Australia – obviously you guys brought out the Essential Eight model, as well, for protecting and hardening devices. Now, of the Essential Eight, those maturity levels, ThreatLocker can help with all of those, and help implement them. Now, we didn't build ThreatLocker to align with the Essential Eight – it just so happened that we actually align together really well. And the synergy is really good.
So we can help companies that are out there looking to implement the Essential Eight framework into their environment as well and help harden that.
Tune in to hear more!
You can find out more about ThreatLocker and its cyber security offering in Cyber Daily’s Cyber Uncut podcast, here: