
How zero trust can fortify the Middle East against ransomware attacks

Ransomware remains a top threat globally and the Middle East is no different

Despite best efforts from the government and security teams, ransomware attacks continue to plague the Middle East. Traditional prevention and detection strategies are no longer working, and organisations must shift their focus to breach containment to stop attackers from moving through the network and reduce the impact of attacks.

The Middle East region has a tense cyberspace landscape. The fault lies in a combination of a thriving economy and high rates of digitisation attracting the attention of malicious actors around the globe. Despite commendable efforts by the authorities, the average cost of a data breach in the Middle East is now over $8 million, according to IBM, almost double the global average and the second-highest cost globally behind the US.

Ransomware remains a top threat globally and the Middle East is no different – the activity of ransomware groups increased by 77 percent in the first quarter of 2023 compared to the same period in 2022, with the most targeted countries in the GCC being the UAE (33 percent), Saudi Arabia (29 percent), and Kuwait (21 percent).

With cyber threats showing no signs of slowing down, organisations need to focus their efforts on building a security strategy that can maintain operations in the event of an attack. The UAE and KSA already have high cyber maturity, but with attacks more pervasive than ever and AI increasing success rates for attackers, strengthening resilience is critical.

How does a ransomware attack proceed?

To build resilience against ransomware, we first need to understand how such attacks work. Most attacks start with a successful phishing attack, the exploitation of an exposed vulnerability, or the use of a misconfiguration, leaked credentials, or a malicious insider to gain access to an organisation.

Then, once in, attackers behave as inconspicuously as possible during the compromise, moving undetected through the network and obtaining comprehensive access rights – also called privileges. Only once they have reached their target – likely high-value applications or sensitive data – is the ransomware deployed, and the encryption of important data and systems begins.

The limits of EDR or XDR and network monitoring or observability

Now, one could argue that there are security products such as Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) and network monitoring or observability solutions to detect, report and – in the case of EDR/XDR – react to such suspicious behaviour. But the problem is these solutions were not designed to contain ransomware.

EDR and XDR, focusing on “detect” and “respond” functions, identify and counteract threats across endpoints, email, servers, cloud workloads, and network traffic. Despite their effectiveness, they don’t ensure 100 percent protection. A successful attack can cripple an organisation. Network monitoring lacks proactive prevention, only detecting attacks, and is insufficient against advanced persistent threats. In the face of fast, sophisticated attacks, discovery and response may occur too late. Enhanced security strategies are crucial to preemptively thwart attacks and fortify overall resilience against evolving cyber threats.

Ashraf Daqqa, Regional Director – META, Illumio

Building resilience with Zero Trust

Ransomware’s success depends on maximising the reach and impact of an attack as quickly as possible, so the only way to strengthen defences is to begin by accepting that at some point you will be compromised. This means adopting an “assume breach” mindset and building a breach containment strategy based on the principles of Zero Trust.

Fortunately, the Middle East is already a leader in Zero Trust adoption – research shows that security teams are prioritising Zero Trust over data privacy and regulatory compliance. But the focus until now has largely been on securing access through Zero Trust Network Access (ZTNA) rather than segmenting networks and containing breaches through modern technologies like Zero Trust Segmentation (ZTS).

ZTS extends protection outside of the perimeter, enabling rapid containment of ransomware attacks. It also supports “defence in depth” by ensuring that any attacks that bypass detection and response do not become cyber catastrophes.

ZTS actively defends networks from infiltrated attackers, blocking all traffic by default and permitting only pre-approved traffic. This innovative approach assumes everything is untrusted, allowing only known-good elements. In case of a breach, ZTS contains the impact to a limited area, safeguarding customers and broader operations. When integrated with EDR, this combination enhances cyber resilience. Bishop Fox’s simulation demonstrated the synergistic value of EDR and ZTS, addressing blind spots in EDR and successfully identifying suspicious patterns during sophisticated attacks. This proactive strategy proves effective, ensuring a robust defence against evolving cyber threats.
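The default-deny model described above can be illustrated with a small policy simulator. This is an added example, not code from the article or from any vendor product: it uses constructed workload labels (role, env) and a constructed allow-list, then computes the blast radius an attacker on a compromised web server could reach under a flat network versus a segmented one.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Iterable, Set

@dataclass(frozen=True)
class Workload:
    name: str
    role: str  # policy label, e.g. "web", "app", "db" (constructed)
    env: str   # policy label, e.g. "prod", "dev" (constructed)

@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    port: int

# Constructed allow-list: the only pre-approved flows. Everything else is denied.
ALLOW_RULES = frozenset({Rule("web", "app", 8443), Rule("app", "db", 5432)})

Policy = Callable[[Workload, Workload, int], bool]

def flat_network(src: Workload, dst: Workload, port: int) -> bool:
    """No segmentation: any workload can reach any other on any port."""
    return src is not dst

def segmented(src: Workload, dst: Workload, port: int) -> bool:
    """Zero Trust Segmentation: deny by default, allow only an explicit rule match."""
    if src is dst or src.env != dst.env:
        return False
    return Rule(src.role, dst.role, port) in ALLOW_RULES

def blast_radius(start: Workload, workloads: Iterable[Workload],
                 ports: Iterable[int], policy: Policy) -> Set[str]:
    """Every workload an attacker on `start` could reach, directly or transitively."""
    seen, queue = {start.name}, deque([start])
    while queue:
        cur = queue.popleft()
        for w in workloads:
            if w.name not in seen and any(policy(cur, w, p) for p in ports):
                seen.add(w.name)
                queue.append(w)
    seen.discard(start.name)
    return seen

# Constructed sample estate and the ports an intruder would typically probe.
WEB, APP, DB = Workload("web1", "web", "prod"), Workload("app1", "app", "prod"), Workload("db1", "db", "prod")
DB_DEV = Workload("db-dev", "db", "dev")
WORKLOADS = [WEB, APP, DB, DB_DEV]
PORTS = [22, 445, 3389, 5432, 8443]

if __name__ == "__main__":
    print("flat:     ", sorted(blast_radius(WEB, WORKLOADS, PORTS, flat_network)))
    print("segmented:", sorted(blast_radius(WEB, WORKLOADS, PORTS, segmented)))
```

Under the segmented policy the compromised web server can still follow the approved web-to-app-to-db path, which is why the allow-list itself must be kept minimal; it can no longer reach the dev environment or use SMB or RDP anywhere.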

Strengthening cyber resilience in the Middle East

It is clear that perimeter protection alone is no longer enough to stop ransomware, and with the threat not going away anytime soon, organisations urgently need to take steps to build resilience and reduce risk through breach containment.

Unfortunately, ransomware will always be a threat because it’s the quickest and easiest way for cyber attackers to make money. But attacks will only be successful if organisations continue to allow attackers to roam free throughout their networks. The only way to stop ransomware is to prevent attackers from moving laterally by isolating and containing the attack at the initial point of entry.

Zero Trust is an established security strategy for achieving cyber resilience, and Zero Trust Segmentation (a key pillar of Zero Trust) is a proven way to stop ransomware from spreading. By implementing proactive controls like ZTS, alongside reactive technologies like EDR, organisations can be confident that critical data and systems remain safe and business operations can continue, even if a breach occurs.