Webinar: 'What are the Ransomware Intrusion Routes Exploiting Structural Weaknesses in Large Enterprises?'

■ Large enterprises face complex branch, ID, and privilege management, making Zero Trust hard to achieve
Ransomware damage continues at a high level, and reports from domestic companies show no signs of stopping throughout the year. Most infections occur through VPN devices or remote desktops, where attackers exploit vulnerabilities at these network boundaries, steal ID and authentication credentials, and spread horizontally inside the organization.
Large enterprises, in particular, have a large number of branches and group companies, which increases the number of VPN devices and authentication bases, often complicating ID and privilege management. It is not rare for large companies to fail to accurately grasp the versions of their VPN devices or to immediately identify vulnerable devices when a vulnerability is discovered. In environments where security policies and operational levels differ by branch, achieving Zero Trust is difficult, and attackers perceive this as a 'structural weakness.'

■ Failure to detect and block lateral movement leads to organization-wide damage
In ransomware attacks, 'lateral movement'—moving horizontally within the network after initial entry—determines the scale of damage more than the initial intrusion itself. After gaining a foothold via VPN or remote desktop, attackers repeatedly steal privileged IDs and escalate privileges to reach critical servers and databases. Unless this lateral movement is detected and blocked, an intrusion into one branch can lead to system shutdowns and information leaks across the entire organization.
However, while many companies have introduced point solutions like EDR, they lack mechanisms to comprehensively monitor internal movement after intrusion. In environments where ID management, network monitoring, and endpoint protection are siloed, threat information detected in one area is not immediately reflected in other defense layers, risking lateral spread. To stop lateral movement, a 'mechanism to contain damage' that links the ID, network, and detection layers is essential.

■ Concrete measures to contain damage and prepare for the SCS assessment system
In this webinar, we will introduce a three-layer defense approach to contain ransomware damage: 'ID management/authentication enhancement,' 'network segmentation,' and 'post-intrusion detection/response (XDR).'
For the first layer, authentication enhancement, we use Cisco's cloud-based authentication platform, 'Cisco Duo.' Cisco Duo provides Multi-Factor Authentication (MFA), device health assessment, and adaptive access policies to prevent ID theft and unauthorized access at the entrance. For the second layer, network segmentation, we logically divide the network to contain the attacker's range of movement within specific segments even if an intrusion occurs. For the third layer, post-intrusion detection and response, we use 'Cisco XDR.' Cisco XDR is an integrated platform that detects threats across network, endpoint, email, cloud, and identity domains to automatically block lateral movement.
Also, in the SCS (Security Countermeasures for Supply Chain Strengthening) assessment system, which the Ministry of Economy, Trade and Industry plans to start operating, measures to prevent damage expansion are important evaluation items, and the measures introduced in this seminar will also lead to preparations for this. We encourage those considering building a mechanism to contain damage to participate.