Applying MEF Zero Trust Frameworks to Nullify Ransomware


There are many locations and hundreds of ways in which cybersecurity breaches are likely to have occurred, despite best intentions and defenses. It’s not surprising that breaches occur. The Zero Trust principle states that you should assume that a breach has occurred and that the enemy has penetrated your system. The question is: “Now What?” Yes, it matters how breaches occur, but it matters more that they are detected before they enable ransomware attacks, which cause business disruption and organizational chaos: disabled systems, data exfiltration or data corruption. Until now little focus has been given to this important issue.

Why This Matters Now 

This problem is getting much worse with nation states basing economies on extracting ransoms. A new FBI report [6], published at the end of April 2025, revealed that 256,000 attacks on U.S. businesses alone cost ransomware victims $16.6bn—and that’s just the tip of the iceberg. 

This Changes Everything 

This is where circumstances have come together enabling service providers to play a new and pivotal role to protect their customers from ransomware. What this blog describes is a potential game-changing opportunity in the cyberwar being conducted by nation state adversaries. 

Here’s What’s Happening 

Almost every ransomware attack is developed using an off-the-shelf platform known as Ransomware as a Service. These sophisticated attacks consist of many connected pieces. There’s all manner of AI-based phishing, identity theft and social engineering methods that allow threat actors to get inside the system. They then begin the process of hiding malware inside legitimate software, discovering vulnerabilities, and locating the systems that house intellectual property, customer and system data, critical software, etc. This is all well documented, but even thousands of defensive solutions struggle to stop it from happening. 

To achieve their goals, attackers use techniques called Elevation of Privilege, Lateral Movement and Beaconing to find sensitive data, including organizational finances, to see whether the victim has the money to pay. This—termed an Advanced Persistent Threat (APT) attack—is ransomware’s killer app. 
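As an added example from the defender’s side (this is not code from the original post or from MEF), the following Python flags two of the patterns named above in constructed flow records: beaconing, seen as near-constant intervals between one host and one external endpoint, and lateral movement, seen as one host fanning out to many internal hosts on administrative ports within a short window. The addresses, the flow-record layout, the port list and the thresholds are all assumptions chosen for the illustration.

```python
"""Detection of beaconing and lateral-movement fan-out in flow records.
Added illustration with constructed data; ports, addresses and thresholds
are assumptions, not taken from any MEF specification."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

FlowRecord = Tuple[datetime, str, str, int, int]  # (start, src, dst, dst_port, bytes_out)


def _t(minutes: float) -> datetime:
    """Timestamp helper for the constructed data set (base time is arbitrary)."""
    return datetime(2025, 5, 1, 9, 0) + timedelta(minutes=minutes)


def build_sample_flows() -> List[FlowRecord]:
    """Constructed flows: one beaconing host, one browsing host, one fan-out burst."""
    flows: List[FlowRecord] = []
    # Beacon: 10.0.1.23 contacts one external endpoint every ~10 minutes
    # with small timing jitter and nearly identical payload sizes.
    for i in range(12):
        ts = _t(10 * i) + timedelta(seconds=(i % 3) * 5)
        flows.append((ts, "10.0.1.23", "203.0.113.7", 443, 512 + (i % 2) * 16))
    # Ordinary browsing from 10.0.1.50: irregular timing and sizes.
    for m, size in [(1, 4200), (3, 91000), (4, 700), (17, 22000), (45, 1500), (46, 38000), (80, 900)]:
        flows.append((_t(m), "10.0.1.50", "198.51.100.9", 443, size))
    # Lateral movement: 10.0.1.23 reaches nine internal hosts on SMB/RDP ports in under three minutes.
    for i in range(9):
        port = 445 if i % 2 else 3389
        flows.append((_t(30) + timedelta(seconds=20 * i), "10.0.1.23", f"10.0.2.{10 + i}", port, 300))
    return flows


def find_beacons(flows: List[FlowRecord], min_count: int = 8,
                 max_cv: float = 0.15) -> Dict[Tuple[str, str, int], int]:
    """Return {(src, dst, port): mean interval in seconds} for connection series
    whose inter-arrival times are nearly constant (coefficient of variation at
    or below max_cv). Human-driven traffic has a much higher CV."""
    series: Dict[Tuple[str, str, int], List[datetime]] = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        series[(src, dst, port)].append(ts)
    hits: Dict[Tuple[str, str, int], int] = {}
    for key, times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = round(avg)
    return hits


ADMIN_PORTS = {22, 135, 445, 3389, 5985}  # assumed "administrative" service ports


def find_fanout(flows: List[FlowRecord], window: timedelta = timedelta(minutes=5),
                min_targets: int = 5) -> Dict[str, int]:
    """Return {src: max distinct internal targets} for sources that reach at
    least min_targets different internal hosts on admin ports inside one window."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if port in ADMIN_PORTS and dst.startswith("10."):  # "internal" assumed to be 10/8
            per_src[src].append((ts, dst))
    hits: Dict[str, int] = {}
    for src, items in per_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            targets = {dst for ts, dst in items[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def summarize(flows: List[FlowRecord]) -> List[str]:
    """Human-readable findings, the kind of event an NDR tool would forward."""
    out = []
    for (src, dst, port), gap in find_beacons(flows).items():
        out.append(f"beacon: {src} -> {dst}:{port} every ~{gap}s")
    for src, n in find_fanout(flows).items():
        out.append(f"fan-out: {src} reached {n} internal hosts on admin ports")
    return out


if __name__ == "__main__":
    for line in summarize(build_sample_flows()):
        print(line)
```

Both detectors work on metadata a service provider already sees in transit (source, destination, port, timing), which is the point made later in the post: the traffic has to cross the provider’s network, so the provider is positioned to notice these patterns before the ransomware stage.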

Here’s What’s New 

Here’s the opportunity for service providers. Given today’s ecosystem of distributed connections and attack surfaces, almost every important attack must traverse the service provider’s network. This is good news. 

Why Implement Solutions Based on MEF’s Zero Trust Work? 

This is where the deployment of the Zero Trust Framework defined in MEF 118.1 [2], the security functions described in MEF 138 [3], and the service implementation described in MEF 117 [1] can come together to detect and disable ransomware by verifying that transactions traversing the network are legitimate. 

NDR: Network Detection and Response

The kind of service deployments that apply here include: 

  1. The SASE Service Framework and Attributes in MEF 117.
  2. Network as a Service implementations that include managed services, Platform as a Service etc.  
  3. Services that deploy MEF SD-WAN and IP services. 

Zero Trust De-mystified 

For many who are unfamiliar with Zero Trust or are put off by the marketing hype, here’s how the MEF specifications guide the implementation to ensure that transactions will only be allowed if they continue to conform to the policies in place. 

  1. Identity & access management, authenticating the users, software and devices that conduct transactions—as both the subject and the target actors of a transaction.
  2. Managed access control that specifies what is allowed and not allowed for that actor (level of privilege, location, task type, time, duration, etc.). 
  3. Policy management: authorizing, or blocking and reporting, requested transactions based on points 1 and 2 above, and implementing threat detection security functions, data inspection, etc. 
  4. Policy enforcement distributes the decision making to where the transactions take place in the ecosystem. 
  5. Continual monitoring and verification to ensure compliance to policies as they change and notification of all events. 
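The five steps above, as an added illustration in Python (this is not MEF’s code; the MEF specifications define frameworks and service attributes, not an implementation): a hypothetical policy decision point that authenticates both actors of a transaction, checks the subject’s access policy (privilege, location, time window, duration), reports every decision as an event, and re-verifies an open session on each use so that a policy change or a lost authentication revokes it immediately. The actor records, policy fields, session model and scenario values are all constructed for the example.

```python
"""Hypothetical zero-trust policy decision and enforcement point.
Added illustration; not MEF reference code. Actor records, policies and
the transaction fields are constructed to mirror the five steps above."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Actor:
    """Step 1: an authenticated identity (user, software or device)."""
    identity: str
    kind: str                 # "user", "software" or "device"
    authenticated: bool       # False once the credential check fails or expires
    privilege: int            # 0 = none, 1 = standard, 2 = admin
    location: str             # network zone the actor is reached through


@dataclass(frozen=True)
class Transaction:
    """A subject actor acting on a target actor."""
    subject: Actor
    target: Actor
    task: str                 # "read", "write", "admin", ...
    start: datetime
    duration: timedelta       # requested length when opened, elapsed when re-checked


@dataclass
class AccessPolicy:
    """Step 2: what is and is not allowed for one actor."""
    min_privilege: Dict[str, int]   # task -> minimum privilege level
    allowed_locations: Set[str]
    hours: Tuple[int, int]          # inclusive (first_hour, last_hour), 24h clock
    max_duration: timedelta


@dataclass
class Event:
    actor: str
    task: str
    decision: str             # "allow" or "block"
    reason: str


def decide(tx: Transaction, policies: Dict[str, AccessPolicy], log: List[Event]) -> bool:
    """Step 3: authorize or block, and report every outcome. Default is deny."""
    def report(decision: str, reason: str) -> bool:
        log.append(Event(tx.subject.identity, tx.task, decision, reason))
        return decision == "allow"

    for actor in (tx.subject, tx.target):
        if not actor.authenticated:
            return report("block", f"{actor.identity} is not authenticated")
    policy = policies.get(tx.subject.identity)
    if policy is None:
        return report("block", "no policy for actor")
    needed = policy.min_privilege.get(tx.task)
    if needed is None or tx.subject.privilege < needed:
        return report("block", f"task {tx.task!r} exceeds privilege")
    if tx.subject.location not in policy.allowed_locations:
        return report("block", f"location {tx.subject.location!r} not allowed")
    first, last = policy.hours
    if not first <= tx.start.hour <= last:
        return report("block", f"hour {tx.start.hour} outside {policy.hours}")
    if tx.duration > policy.max_duration:
        return report("block", "duration exceeds maximum")
    return report("allow", "all checks passed")


class EnforcementPoint:
    """Steps 4 and 5: enforce where the transaction happens and re-verify it on
    every use, so a changed policy or lost authentication revokes the session
    immediately instead of at the next login."""
    def __init__(self, policies: Dict[str, AccessPolicy], log: List[Event]):
        self.policies = policies
        self.log = log
        self.sessions: Dict[str, Transaction] = {}

    def open_session(self, sid: str, tx: Transaction) -> bool:
        if decide(tx, self.policies, self.log):
            self.sessions[sid] = tx
            return True
        return False

    def use_session(self, sid: str, now: datetime) -> bool:
        tx = self.sessions.get(sid)
        if tx is None:
            return False
        # Re-evaluate against the current time, elapsed duration and current policy.
        current = Transaction(tx.subject, tx.target, tx.task, now, now - tx.start)
        if decide(current, self.policies, self.log):
            return True
        del self.sessions[sid]        # revoke on the first failed re-check
        return False


def demo() -> Tuple[bool, bool, bool, bool, List[str]]:
    """Constructed scenario: a read session is granted, an admin request is
    blocked, the session survives a re-check, then a policy change revokes it."""
    log: List[Event] = []
    alice = Actor("alice", "user", True, 1, "corp-lan")
    fileserver = Actor("fs-01", "device", True, 2, "corp-lan")
    policies = {"alice": AccessPolicy({"read": 1, "write": 1, "admin": 2},
                                      {"corp-lan", "vpn"}, (8, 18), timedelta(hours=2))}
    pep = EnforcementPoint(policies, log)
    t0 = datetime(2025, 5, 1, 9, 0)
    opened = pep.open_session("s1", Transaction(alice, fileserver, "read", t0, timedelta(minutes=30)))
    admin_blocked = not pep.open_session("s2", Transaction(alice, fileserver, "admin", t0, timedelta(minutes=5)))
    still_valid = pep.use_session("s1", t0 + timedelta(minutes=20))
    policies["alice"].allowed_locations = {"vpn"}          # policy changes mid-session
    revoked = not pep.use_session("s1", t0 + timedelta(minutes=40))
    return opened, admin_blocked, still_valid, revoked, [e.decision for e in log]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `use_session` does not trust the earlier “allow”: every use is a fresh decision against the policy as it stands now, which is what step 5 (continual monitoring and verification) adds over a one-time login check.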

Tools such as network detection and response software can also augment these by targeting some specific security functions. Care is required to verify their exact functions. The diagram below shows how these Zero Trust pieces fit together.  

Final Word 

It is hoped that this blog has introduced the possibility for providers to bring new and valuable services that significantly reduce their customers’ and clients’ risks. This blog is based on the article, Assume Breach—Now What?, published in the Spring 2025 edition of ISE magazine, and on a much extended version published at cybyr.com/assumebreach.

References  

  1. MEF 117 SASE Service Attributes and Service Framework (2022) Editor Neil Danilowicz (MEF) 
  2. MEF 118.1 Zero Trust Framework (2024) Editor Ralph Santitoro (Ciena) 
  3. MEF 138 Security Functions for IP Services (2024) Editor Bill Bjorkman (MEF, recently retired) 
  4. NSTAC The President’s National Security Telecommunications Advisory Committee Zero Trust 5 Step Implementation Plan (2022) 
  5. Cybyr.com’s CyberPedia page covers all cybersecurity terms (2025) 
  6. FBI Internet Crime 2024 Report published April 2025 

Mark Fishburn

President | Marketword, Inc
LinkedIn

Mark Fishburn is President of Marketword, Inc, a provider of strategic network, cybersecurity, software and marketing services.

His career spans five decades of software, sales and marketing in networking and cybersecurity. Highlights include installing the first commercial Ethernet system in Europe, shipping the world’s first 1G and 10G Ethernet products, serving as chair of the MEF board, forming his marketing and cybersecurity companies in 2006 and, recently, being the Network and Security Expert for ISE magazine.

His passion for cybersecurity is encapsulated in the purpose of his company Cybyr.com: Every Organization Protected.