Protecting your business' legacy systems from ransomware attacks

Despite the significant shift and adoption of new technologies over the past few years, many businesses still rely on legacy infrastructure. Legacy servers are often still in operation because they are far too critical, complex, and expensive to replace. Famous examples include Oracle databases running on Solaris servers, applications using Linux RHEL4, or other industry-specific legacy technology. 

Although critical to the business, these legacy systems can increase a company's risk -- gaining access to just one unpatched legacy device can be relatively simple for cybercriminals. Once inside, said criminals will move laterally to gain a deeper foothold inside the network and deploy more significant attacks.

Why Do Cybercriminals Target Legacy Systems? 

Cybercriminals target legacy infrastructure because they are usually easier to access and often contain critical data. An AIX database, for instance, is not typically replaced by new infrastructure because it is vital for production, and no advanced security, such as EDR, can be installed on it. In many cases, due to poorly supported operating systems, there is a slow patch release that leaves businesses open to ransomware attacks. Another common mistake is that companies do not segment their legacy infrastructure from the rest. Having the legacy system separate can prevent attackers from gaining access to all data in the event of a breach.

It is essential to understand the routes that a hacker could take from the easy target of a legacy server across clouds and data centers to a critical asset. Currently, there is a lack of emphasis in many organizations on protecting legacy infrastructure from ransomware attacks due to a poor selection of tools to prevent the attacks. Unfortunately, most modern tools overlook legacy infrastructures and focus on securing the newest systems.

The Role of Lateral Movement in an Attack

It is vital to limit an attacker’s ability to move around undetected in the network as devastating attacks like ransomware cannot exist without lateral movement. Cybercriminals first penetrate the "perimeter" and then work their way deeper into the network -- also known as lateral movement -- to access desirable data, deploy malware, and more. As attackers learn about the environment, they often make parallel efforts to steal credentials, identify software vulnerabilities, or exploit misconfigurations that may allow them to move successfully to their next target node. The volume of east-west traffic within the infrastructure now outsizes north-south perimeter traffic by a wide margin thanks to changing data center management approaches and the broad adoption of public cloud infrastructure. This growing sea of east-west traffic is notoriously difficult for IT teams to observe and assess, making it an adequate cover for attackers attempting lateral movement. Overall, reduce lateral movement, reduce the attack surface.

Many organizations make the mistake of forgetting about legacy systems when they think about their entire IT ecosystem. However, since legacy systems are the most vulnerable, it is vital to ensure they are included. The most straightforward and most effective approach to protect legacy infrastructure is zero trust and segmentation. These techniques will reduce the attack surface and lessen the impact.

What Can I Do to Protect My Business? 

There are five areas enterprise security leaders should focus on to fortify legacy infrastructure from cyberattacks:

1. Visibility is the first important step: Security teams should gain complete visibility into the entire network to identify legacy servers, interdependencies, and communications and control the risks.
2. Reduce the attack surface: Since it is hard to protect and patch legacy machines, organizations must reduce the attack surface. This can be done through foundational processes such as using strong authentication policies and segmenting the network.
3. Implement Zero Trust: Only allow connections to the infrastructure that are necessary. Implementing zero trust requires all users to prove their identity and the security of their devices to access the resources.
4. Turn off unneeded services. These provide unnecessary opportunities for vulnerabilities.
5. Monitor for patches regularly. When monitoring regularly, organizations are more likely to catch an attack early on and stop it before it spreads.

Photo credit: wsf-s / Shutterstock

Ariel Zeitlin co-founded Guardicore after spending eleven years as a cybersecurity engineer and researcher at the Israeli Defense Forces (IDF), where he worked closely with co-founder Pavel Gurvich. In his last position at the IDF, Ariel led a team of 30 engineers and researchers to successfully achieve some of the most challenging and cutting-edge technological projects of the Israeli Intelligence Corps. Prior to that, Ariel worked as a software engineer at Intel Corporation. Ariel holds a Bachelor of Arts (BA) degree in Computer Science from the Technion, Israel Institute of Technology.