If you are not protected against the recent (and unsophisticated) ransomware attacks, you are missing the basics! To all non-technical executives who are increasingly concerned about cyberattacks, it is very important to note the difference between these recent bush-league ransomware attacks and the increasingly sophisticated nation-state attacks such as the Solarwinds attack by APT-29 (a.k.a. Cozy Bear).
Let’s start with the basics…
First, you have to assume breach! Preventing the breach from happening in the first place is essential, but unfortunately, it is not sufficient. For the purposes of this article, we will focus on what you need to do if/when all your perimeter protection fails.
Second, focus on the network! Software agents can be very effective in helping spot known threat signatures and behavioral anomalies on the devices in which they are installed, but what about the exponential growth of unmanaged devices on your network? You cannot load software agents on devices such as video cameras, HVAC systems, smart TVs and the myriad other IoT devices, so network protection is essential to securing them.
Now, let’s focus on the threat. It is either known (meaning it has been seen and catalogued before) or it’s not (also known as a zero-day attack). Ransomware attacks are overwhelmingly conducted by criminals who are motivated by economic gain and have very little resources, patience and well…talent. Because of this, they often leverage known malware code, common tooling and Tactics, Techniques, and Procedures (commonly referred to as TTPs).
If the threat has been seen before, any reputable Network Threat Detection and Response (NDR) solution should spot the malware’s signature within seconds of it hitting the network. If it has not been seen before (zero-day attack), sophisticated AI/ML approaches can help detect resulting anomalies and remediation can quickly be applied to prevent the attackers’ ability to encrypt your data and hold it hostage. According to CrowdStrike’s 1:10:60 challenge, once malware lands on your network, you have 1 minute to detect, 10 minutes to determine its intent and 60 minutes to remediate. In other words, time is of the essence.
The article below was posted on May 7th, 2021 in response to the Colonial Pipeline attack and it is just as germane for the latest (and likely future) ransomware attacks. It details 5 different ways ThreatWarrior can quickly detect zero-day anomalies most typically associated with common ransomware attacks to help you achieve the 1:10:60 challenge.
Bottom Line: You cannot protect that which you cannot see! If you have critical infrastructure and sensitive data, you can no longer afford NOT to have network threat detection and response capabilities!
— Forword by Jonathan Bumba
Ransomware is growing at an alarming rate — up 150% in 2020 and spiking even higher in 2021, with more than half of infected businesses paying the ransom. The list of high-profile ransomware attacks grows almost daily, affecting government agencies, critical infrastructure, health organizations, schools, and more.
In the wake of these continued cybersecurity catastrophes, President Biden recently issued an Executive Order aimed and improving the nation’s cybersecurity. Additionally, given the rise in volume, velocity and maliciousness of criminal ransomware, the U.S. Department of Justice is elevating the investigation of ransomware attacks to a similar priority as terrorism.
Cybersecurity professionals have been warning about an explosion in the number of high-profile ransomware attacks for years, with the public and private sectors at-large not heading their warnings.
It’s time for that to change.
Stop Ransomware Attacks with ThreatWarrior
While not necessarily as sophisticated as some attacks organizations face today, ransomware poses a serious and growing threat. This form of malware encrypts a victim’s files and the group responsible demands a ransom payment before restoring the victim’s access to its data. Some also threaten to release a victim’s private data if they are not paid off, a situation the Washington D.C. police department is currently enduring.
Ransomware attacks in general are easy for ThreatWarrior to detect, as there are many opportunities for anomaly detection across the Tactics, Techniques, and Procedures (TTPs) involved in the crime. And because these attacks are carried out by criminals, not nation-state actors, they use well known, off-the-shelf Command and Control (C2) tools to coordinate their probes, and they rely primarily on tried-and-true known vulnerabilities instead of zero-day attacks.
After ransomware gangs find a way past perimeter security, they have to move laterally until they gain a foothold where they can escalate privileges. Then, they have to fan out over the network to find valuable data. With data in hand, they have to exfiltrate the pristine, readable copy for blackmail. Finally, they pull the trigger to encrypt the data for ransom. At each step, there are ways for ThreatWarrior’s multiple engines to detect the incursion.
- Threat actors using ransomware must enter the perimeter somewhere, and many organizations still rely on signature-based detection and perimeter defense. This leaves them completely vulnerable once an attack is already inside. ThreatWarrior delivers complete visibility across your entire digital estate. Once bad actors are inside, ThreatWarrior would see unusual external communication from C2 agents on impacted devices, as well as have opportunities to perform deep packet inspection and match that traffic against signatures of C2 systems known to the threat intel community. Put simply, ThreatWarrior would quickly identify any suspicious activity that looked like ransomware, whether known or unknown.
- Privilege escalation provides even more opportunities for ThreatWarrior to detect anomalous traffic and match packets against known vulnerabilities.
- Once ransomware gangs control the ground, the reconnaissance stage involves many unusual connections between devices on the network as well as IP scans, offering even more opportunities for anomaly detection.
- Data exfiltration involves large volumes of data being sent to external IPs from devices which do not usually do that, creating yet more opportunities for anomaly detection.
- Finally, when encryption is triggered, there is a flurry of activity as the command is sent to all the compromised devices. ThreatWarrior would find and alert to this anomalous activity from a ransomware attack.
All of these opportunities are missed if no one’s looking. That’s why the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, along with the Multi-State Information Sharing & Analysis Center, urge all organizations to follow best practices to prevent ransomware:
- “Detect command and control activity and other potentially malicious network activity that occurs prior to ransomware deployment.”
- “Baseline and analyze network activity over a period of months to determine behavioral patterns so that normal, legitimate activity can be more easily distinguished from anomalous network activity.”
ThreatWarrior not only excels at both of these best practices — they are core capabilities of the platform.
It is only a matter of time before another attack like this happens. If the SolarWinds and Colonial Pipeline attacks or other major hacks haven’t woken you up yet, it’s time. Organizations must step up to the plate and put cybersecurity at the forefront, or risk suffering the same fate.
Contact ThreatWarrior to learn how we can help and, as always, stay vigilant.