Qualifying for a cyber insurance policy is just one more checkbox that security teams are required to tick. We’ve heard this statement over and over. For most organizations, this is the main reason to purchase cyber insurance.
While this mindset is not without grounds, it turns out that implementing the identity protection controls insurers now require significantly increases resilience to ransomware attacks, to the point of blocking lateral movement attempts altogether.
In this blog post, we’ll recap how Optix, a market leader in the optics IT software industry, implemented Silverfort’s service account protection for the sole purpose of meeting its insurer’s requirements, and how Silverfort’s protection then enabled it to block and fully mitigate a lateral movement attack.
The need to comply with cyber insurance requirements surged by 50% in 2022 due to the increase in ransomware attacks. The insurance industry has responded by revising its cyber insurance policies to state much more specific requirements for security controls, to ensure that organizations protect their resources and are cyber-resilient to incoming attacks.
Insurance companies have recently focused their attention on the non-human service accounts that are used for machine-to-machine communication to run various processes related to software maintenance, scanning, and management.
Because of their low visibility, and because they are generally excluded from password rotation and MFA protection, these accounts are frequently targeted. Several policies require companies to maintain regular inventories of these accounts and demonstrate an ability to monitor their activities, as well as gain insight into their privilege levels, sources, and destinations.
The logic behind this requirement is that adversaries prefer to use these accounts for lateral movement and ransomware spread, so closely monitoring their access attempts reveals the anomalous use that indicates a compromise.
Although many organizations find these requirements hard to implement, because configuring policies to monitor all service account behavior is time-consuming and consumes a tremendous amount of IT resources, their impact on resilience to ransomware attacks is significant.
Silverfort’s Unified Identity Protection platform addresses all the service account requirements that insurers set for the renewal or purchase of a ransomware cyber insurance policy.
Silverfort’s visibility into every authentication request enables it to automatically discover every service account in the environment since those accounts display highly predictable behavior. This allows organizations to easily conduct inventories of these privileged non-human accounts and create policies to block access or send alerts in case of any abnormal access attempt, preventing threat actors from using them in ransomware attacks.
Partnering with Silverfort enables organizations to meet the service account requirements needed to qualify for a cyber insurance policy. Moreover, as we’ll now demonstrate, it goes beyond that and empowers these organizations’ security teams to prevent any ransomware-related lateral movement attempt.
Optix’s sole reason for deploying Silverfort was to comply with its insurer’s requirements so it could renew its cyber insurance policy. In May 2023, shortly after starting to work with Silverfort, Optix was targeted by a ransomware attack via its service accounts: a malicious actor was trying to move laterally across the network using the compromised credentials of an Optix service account.
The Attack Flow:
- Delivery: The attacker targeted an Optix employee and sent them a malicious link on LinkedIn.
- Initial access: The employee clicked the malicious link, enabling the attacker to gain access to their machine.
- Credential compromise: From this initial foothold on the machine, the attacker managed to compromise the credentials of two service accounts.
- Lateral movement: With these accounts, the attacker began to move laterally across Optix’s network.
The Protection Flow:
- In Silverfort’s console, the security team could see the two service accounts accessing machines they had never accessed before.
- The security team immediately reset the passwords of the accounts, blocking the lateral movement.
- Following that, the team used Silverfort to trace the accounts’ authentication trail back to the patient zero machine, complete remediation, and remove the remaining malicious presence.
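The detection logic behind what the security team saw in the console, and the behavior-based service account discovery described earlier, as an added illustration that is not Silverfort’s code or Optix’s data: learn each account’s source/destination pairs from a baseline window, tag accounts with many authentications but few distinct pairs as service-like, and alert when such an account authenticates to a pair never seen before. The AuthEvent structure, hostnames, account names and thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int            # epoch seconds (constructed)
    account: str
    source: str        # host the authentication came from
    destination: str   # host the account authenticated to


def build_baseline(events):
    """Map each account to the (source, destination) pairs seen in the learning window."""
    pairs = defaultdict(set)
    for e in events:
        pairs[e.account].add((e.source, e.destination))
    return pairs


def looks_like_service_account(events, account, min_events=20, max_pairs=4):
    """Predictability heuristic: many authentications, few distinct source/destination pairs."""
    acct = [e for e in events if e.account == account]
    pairs = {(e.source, e.destination) for e in acct}
    return len(acct) >= min_events and len(pairs) <= max_pairs


def detect_anomalies(baseline_events, new_events):
    """Return (account, source, destination) for service-account logons outside the baseline."""
    baseline = build_baseline(baseline_events)
    svc = {a for a in baseline if looks_like_service_account(baseline_events, a)}
    return [(e.account, e.source, e.destination) for e in new_events
            if e.account in svc and (e.source, e.destination) not in baseline[e.account]]


# Constructed sample events (hostnames and account names are made up, not Optix data).
BASELINE_EVENTS = (
    [AuthEvent(i * 3600, "svc_backup", "backup01", "fileserver01") for i in range(24)]
    + [AuthEvent(i * 3600, "svc_scanner", "scan01", f"ws{i % 3 + 1:02d}") for i in range(24)]
    + [AuthEvent(i * 3600, "jdoe", "laptop-jdoe", d)
       for i, d in enumerate(["mail01", "fileserver01", "intranet01", "vpn01", "wiki01"])]
)
NEW_EVENTS = [
    AuthEvent(90000, "svc_backup", "backup01", "fileserver01"),   # routine, no alert
    AuthEvent(90060, "svc_backup", "ws07", "dc01"),               # never seen before: alert
    AuthEvent(90120, "svc_scanner", "scan01", "ws02"),            # routine, no alert
    AuthEvent(90180, "svc_scanner", "scan01", "hr-share01"),      # never seen before: alert
    AuthEvent(90240, "jdoe", "laptop-jdoe", "git01"),             # human user, out of scope here
]

if __name__ == "__main__":
    for alert in detect_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print("ALERT: service account %s authenticated from %s to %s" % alert)
```

The alerting pair is the cue to reset the account’s password and trace its authentication trail back to the first host it reached, as in the protection flow above.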
This example illustrates the importance of having a full identity protection solution in place, not just to comply with new cyber insurance requirements but to prevent attacks by threat actors using compromised credentials.
To learn more about this attempted attack and how Silverfort helps organizations comply with cyber insurance requirements, download the customer success case study.