Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver
Ransomware customized for enterprise attack campaigns has emerged in the wild. This is an obvious evolution of consumer-grade ransomware, fueled by the larger ransoms that businesses can pay combined with the sheer size of the enterprise attack surface (internet-facing endpoints and unpatched software). To the attacker, your business is an appealing target with a big fat wallet just begging to be knocked over.
Your Company Is an Attractive Target
Simple Google queries may already have identified unpatched internet-facing servers by the score across your domain, and your credulous users may already be opening spear-phishing emails crafted just for them and apparently authored by people they know.
The weaponized invoices go to your accounting department, the weaponized legal notices go to your legal department, the weaponized résumés go to your human resources department, and the weaponized trade-publication articles go to your public relations firm. That should cover it, for starters. Add the watering-hole drive-bys planted on industry websites your employees frequent, the social media attacks aimed at your key executives and their families, the infected USB sticks scattered around your facilities, and the compromises of your suppliers, customers, and business partners.
Enterprise compromise is not an "if" but a "when". The when is continuous, the who is legion.
Targeted Ransomware Is Here
Malware analysts are now reporting on enterprise-targeted ransomware, a natural development in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak describe it in an excerpt from an Intel Security Advanced Threat Research report, February 2016:
“Over the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system several tools were used to find, encrypt, and delete the original files as well as any backups.”
Careful reading of this quote immediately suggests actions to take. Initial penetration was by “vulnerability exploitation,” as is so often the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Since the attackers “spread their access to any connected systems,” robust network segmentation and access controls are equally required. Think of them as the watertight compartments on a warship that keep it afloat when the hull is breached. Of particular note, the attackers “delete the original files as well as any backups,” so a compromised system must have no delete access to its own backups: systems should only be able to append to their backups, never overwrite or remove them.
Your Backups Are Up to Date, Aren’t They?
Obviously, there must be current backups of any files that need to survive an enterprise intrusion. Paying the ransom is not a reliable alternative, since any files produced by malware are inherently suspect and must be treated as tainted. Corporate auditors or regulators cannot accept files excreted from some malware orifice as legally valid, the chain of custody having been completely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, malware may have been planted for later re-entry, or the malware’s own file handling may simply have had bugs or omissions. There is no way to place confidence in such data, and accepting it as valid could further compromise all downstream data that depends on or is derived from it. Treat ransomware-decrypted data as garbage. Either have a robust backup strategy, regularly tested and verified, or prepare to absorb your losses.
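The "tested and verified" part is the one most often skipped. The following is an added example, not the article's or Ziften's code: it records a SHA-256 manifest at backup time, then verifies a restore against that manifest and reports files that are missing or changed. The sample files and the deliberate tampering are constructed inline; the manifest is meant to live somewhere the backed-up host cannot write, for the same reason the host should only be able to append to its backups.

```python
"""Backup integrity check: build a SHA-256 manifest at backup time, then verify
the backup against it. Added example, not the article's or Ziften's code; the
sample files and the deliberate corruption below are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dest: Path) -> dict:
    """Copy src into dest and return a manifest of relative path -> SHA-256.
    A copy is written next to the data; the returned copy is the one to store
    out of reach of the backed-up host."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path, manifest: dict) -> list:
    """Return (relative path, problem) for every file that is missing from the
    backup or whose hash no longer matches the manifest taken at backup time."""
    problems = []
    for rel, expected in manifest.items():
        target = dest / rel
        if not target.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(target) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def demo() -> list:
    """Back up two constructed files, tamper with the backup, and return
    [problems before tampering, problems after tampering]."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "src", Path(tmp) / "backup"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "config").mkdir()
        (src / "config" / "app.ini").write_text("[db]\nhost=db1\n")
        manifest = create_backup(src, dest)
        clean = verify_backup(dest, manifest)
        # Simulate an attacker (or a bug) modifying one backed-up file in place
        # and deleting another, as the quoted campaign did to backups it reached.
        (dest / "ledger.csv").write_text("id,amount\n1,100\n2,999999\n")
        (dest / "config" / "app.ini").unlink()
        tampered = verify_backup(dest, manifest)
        return [clean, tampered]


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

Run the verification on a restore into scratch storage, not on the production copy, and compare against the off-host manifest rather than the `MANIFEST.json` sitting beside the data, which an attacker with write access to the backup store could regenerate.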
What Is Your Plan for a Breach?
Even with sound backups, the confidentiality of affected data must be presumed breached, since the malware read it. Even with detailed network logs, it would be imprudent to claim that no data was exfiltrated. In a targeted attack the attackers typically take inventory of the data, reviewing at least samples of it to assess its potential value; otherwise they would be leaving money on the table. The ransom demand may simply be the final monetization phase of an enterprise breach, after all other value has been mined from the intrusion, because the ransom demand exposes the compromise.
Have a Thorough Remediation Plan
Assume that capable adversaries have arranged multiple, cunningly concealed avenues of re-entry at staggered points in time (well after your crisis team has stood down and the expensive consultants have flown off to their next engagement). Any stray evidence left behind was carefully staged to mislead investigators and deflect blame. Costly re-imaging of systems must be exhaustive, touching every sector of the disk across its entire recording surface and recreating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.
Likewise, do not assume system firmware has not been compromised. If you can update the firmware, so can the attackers. It is not difficult for hacking groups to explore firmware attack options when their enterprise targets standardize on system hardware configurations, allowing a little lab effort to go a long way. The industrialization of cyber crime enables the development and sale of firmware implants on the dark web to a wider criminal market.
Help Is Available with Good EDR Tools
After all this negativity, there is an answer. Against targeted ransomware attacks, taking proactive steps is far less painful than reactive clean-up, and a good Endpoint Detection and Response (EDR) tool helps at both ends. EDR tools are good at identifying exposed vulnerabilities and the applications that are actually running. Some applications have such a notorious history of exposed vulnerabilities that they are best removed from the environment altogether (Adobe Flash, for instance). EDR tools are also good at recording all significant endpoint events, so that investigators can identify a “patient zero” and trace the pivot activity of targeted, enterprise-spreading ransomware. Attackers rely on endpoint opacity to hide their actions from security staff; EDR provides open visibility into noteworthy endpoint events that may indicate an attack in progress. EDR is not limited to the old antivirus convict-or-acquit model, which allows newly remixed attack code to evade AV detection.
Good EDR tools are always vigilant, always reporting, always recording, available when you need them: now or retroactively. You would not turn a blind eye to enterprise network activity, so do not turn a blind eye to enterprise endpoint activity.
Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO
Verizon Enterprise has released the 2016 Data Breach Investigations Report, analyzing 64,199 security incidents that resulted in 2,260 security breaches. Verizon defines an incident as a compromise of the integrity, confidentiality, or availability of an information asset, and a breach as a confirmed disclosure of data to an unauthorized party. Because preventing breaches is far less painful than enduring them, Verizon recommends several areas of controls for security-conscious enterprises. If you do not care to read the full 80-page report, Ziften offers this analysis of the Verizon DBIR with a focus on Verizon’s EDR-enabled recommended controls:
Vulnerabilities: Recommended Controls
A solid EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including exposure timelines that show how well vulnerability management is performing. The exposure timelines matter because Verizon stresses a systematic approach that emphasizes consistency and coverage over haphazard, expedient patching.
Phishing: Recommended Controls
Although Verizon recommends user training to reduce phishing susceptibility, its data still shows nearly a third of phishing messages being opened, and users clicking the link or attachment more than one time in ten. Bad odds if you have at least ten users! Given the inevitable click compromise, Verizon recommends putting effort into detecting unusual network activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR system will not only record endpoint network activity but also filter it against network threat feeds that identify malicious network destinations. Ziften goes beyond this with our patent-pending ZFlow technology, which enriches network flow data with endpoint context and attribution, so that SOC staff have the decision context they need to resolve network alerts quickly.
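What "filter it against threat feeds, with endpoint context" looks like in practice, as an added example that is not Ziften's or ZFlow's code: endpoint connection records (host, user, process, destination) are matched against a feed of malicious destinations, and a process that touched a feed destination is then flagged when it reaches an internal admin port, which is the pivot pattern the DBIR warns about. The feed, the records and the internal address ranges are all constructed for the example.

```python
"""Match endpoint network connection records against a threat feed, keeping the
process attribution an endpoint sensor can supply. Added example, not Ziften's
code; the feed, the records and the internal ranges are constructed."""
import ipaddress
from collections import namedtuple

# Constructed threat feed: malicious destinations (CIDRs) with a label.
THREAT_FEED = {
    "203.0.113.0/24": "known C2 range",
    "198.51.100.77/32": "exfil drop host",
}
FEED_NETS = [(ipaddress.ip_network(k), v) for k, v in THREAT_FEED.items()]

# RFC 1918 ranges: internal traffic is judged by the pivot check, not by the feed.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {135, 445, 3389}

Conn = namedtuple("Conn", "ts host user pid process dst_ip dst_port")

# Constructed endpoint connection records, in the shape a sensor would emit.
RECORDS = [
    Conn("2016-05-02T09:01:10", "ws-acct-07", "jdoe", 4120, "outlook.exe", "52.96.0.10", 443),
    Conn("2016-05-02T09:01:44", "ws-acct-07", "jdoe", 5588, "winword.exe", "203.0.113.15", 8443),
    Conn("2016-05-02T09:02:02", "ws-acct-07", "jdoe", 5588, "winword.exe", "10.0.5.20", 445),
    Conn("2016-05-02T09:03:30", "ws-acct-07", "jdoe", 6012, "powershell.exe", "198.51.100.77", 443),
]


def feed_match(ip: str):
    """Return the feed label for ip, or None if no feed entry covers it."""
    addr = ipaddress.ip_address(ip)
    for net, label in FEED_NETS:
        if addr in net:
            return label
    return None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in INTERNAL)


def enrich(records):
    """Return alert dicts. Each feed hit is attributed to host/user/process/pid;
    a process that already contacted a feed destination is then flagged as a
    likely pivot when it connects to an internal admin port."""
    alerts = []
    tainted = set()   # (host, pid) pairs that have talked to a feed destination
    for r in records:
        label = feed_match(r.dst_ip)
        if label:
            tainted.add((r.host, r.pid))
            alerts.append({"ts": r.ts, "kind": "threat-feed", "label": label,
                           "host": r.host, "user": r.user, "process": r.process,
                           "pid": r.pid, "dst": f"{r.dst_ip}:{r.dst_port}"})
        elif is_internal(r.dst_ip) and (r.host, r.pid) in tainted and r.dst_port in ADMIN_PORTS:
            alerts.append({"ts": r.ts, "kind": "pivot",
                           "label": "feed-tainted process reaching internal admin port",
                           "host": r.host, "user": r.user, "process": r.process,
                           "pid": r.pid, "dst": f"{r.dst_ip}:{r.dst_port}"})
    return alerts


if __name__ == "__main__":
    for a in enrich(RECORDS):
        print(a)
```

The process attribution is what turns a bare "internal host talked to 203.0.113.15" flow alert into something an analyst can act on: here it is `winword.exe` under `jdoe`, which is exactly the weaponized-document-then-SMB-pivot sequence described in the first article.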
Web App Attacks: Recommended Controls
Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A solid EDR solution monitors login activity and applies anomaly checking to detect unusual login patterns indicative of compromised credentials.
Point-of-Sale Intrusions: Recommended Controls
Verizon recommends (as FireEye/Mandiant has also strongly recommended) strong network segmentation of point-of-sale devices. Again, a solid EDR solution should be recording network activity in order to identify anomalous network contacts, and ZFlow in particular is valuable for supplying decision context for suspicious network activity. EDR solutions also address Verizon’s recommendation to monitor remote logins to point-of-sale devices. Verizon recommends multi-factor authentication alongside this, and a strong EDR capability augments it with login pattern anomaly monitoring (since even MFA can be defeated by man-in-the-middle attacks).
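The login anomaly checks mentioned for both web application servers and point-of-sale devices come down to comparing each successful login against what is normal for that account. The following is an added example, not Ziften's code, that runs three such checks over constructed login records: a source address never seen for the account, a login outside business hours, and one source address authenticating to several accounts. The business-hours window and the per-account source baseline are assumptions. Because the checks run on the login record after the fact, they still fire when a session was obtained through a relayed MFA prompt.

```python
"""Login-pattern anomaly checks for compromised credentials. Added example, not
Ziften's code; the log lines, the baseline and the business-hours window are
constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed login records: timestamp, result, account, source IP, target host.
LOG = """\
2016-05-02 08:55:12 OK   user=pos-admin src=10.20.1.15 host=pos-store-41
2016-05-02 09:10:03 OK   user=webadmin src=10.20.1.16 host=web-01
2016-05-02 02:14:41 OK   user=webadmin src=185.220.101.4 host=web-01
2016-05-02 02:15:10 OK   user=pos-admin src=185.220.101.4 host=pos-store-41
2016-05-02 02:15:33 FAIL user=svc-backup src=185.220.101.4 host=pos-store-41
"""

LINE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+host=(?P<host>\S+)"
)
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time, an assumption for this example

# Constructed baseline: source addresses each account has historically logged in from.
BASELINE = {"pos-admin": {"10.20.1.15"}, "webadmin": {"10.20.1.16", "10.20.1.17"}}


def parse(log: str):
    """Parse the constructed log format into dicts; unparseable lines are dropped."""
    return [m.groupdict() for m in (LINE.match(line) for line in log.splitlines()) if m]


def login_anomalies(events, baseline, business_hours=BUSINESS_HOURS, spray_threshold=3):
    """Return (user, src, reasons) for each successful login that looks like credential
    abuse. Failed attempts still count toward the per-source account count, since a
    source trying several accounts is suspicious whether or not every attempt succeeds."""
    accounts_per_src = defaultdict(set)
    for e in events:
        accounts_per_src[e["src"]].add(e["user"])
    findings = []
    for e in events:
        if e["result"] != "OK":
            continue
        reasons = []
        if e["src"] not in baseline.get(e["user"], set()):
            reasons.append("new source for account")
        hour = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S").hour
        if hour not in business_hours:
            reasons.append("off-hours")
        if len(accounts_per_src[e["src"]]) >= spray_threshold:
            reasons.append("source used against multiple accounts")
        if reasons:
            findings.append((e["user"], e["src"], reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in login_anomalies(parse(LOG), BASELINE):
        print(f"{user} from {src}: {', '.join(reasons)}")
```

In production the baseline is learned from the EDR history rather than hard-coded, and a finding with several reasons at once (as both off-hours logins here have) is the one to escalate first.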
Insider and Privilege Abuse: Recommended Controls
Verizon recommends that you “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR system naturally provides this capability. In Ziften’s case our software records user presence intervals and what the user is doing while present (such as foreground application usage). Anomaly monitoring can recognize unusual deviations in activity pattern, whether a temporal anomaly (something has changed in this user’s own normal activity pattern) or a spatial anomaly (this user’s behavior pattern differs substantially from peer behavior patterns).
Verizon also recommends tracking the use of USB storage devices, which strong EDR systems provide, since these devices can serve as a “sneakernet” exfiltration route.
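The temporal versus spatial distinction is easiest to see on one feature. As an added example, not Ziften's code, the block below scores each user's daily minutes of foreground use of archive and file-transfer tools two ways: against the user's own prior days (temporal) and against the typical level of the other users (spatial). The activity data and the z-score threshold are constructed; a real baseline would use far more days and a properly defined peer group.

```python
"""Temporal vs. spatial anomaly scoring on a per-user daily activity feature.
Added example, not Ziften's code; the data (minutes per day of foreground use
of archive/file-transfer tools) and the threshold are constructed."""
from statistics import mean, median, pstdev

# Constructed: ten working days per user; the last value in each list is "today".
ACTIVITY = {
    "alice": [5, 8, 6, 7, 5, 9, 6, 7, 8, 6],
    "bob":   [4, 6, 5, 7, 6, 5, 4, 6, 5, 95],            # today breaks bob's own pattern
    "carol": [60, 55, 62, 58, 61, 59, 63, 57, 60, 62],   # steady, but far above peers
}


def zscore(value, reference):
    """Standard score of value against the reference sample; a zero-spread
    reference makes any different value infinitely anomalous."""
    sd = pstdev(reference)
    if sd == 0:
        return 0.0 if value == mean(reference) else float("inf")
    return (value - mean(reference)) / sd


def temporal_anomalies(activity, threshold=3.0):
    """Users whose latest day deviates from their own earlier days."""
    flagged = {}
    for user, days in activity.items():
        today, history = days[-1], days[:-1]
        z = zscore(today, history)
        if abs(z) > threshold:
            flagged[user] = round(z, 1)
    return flagged


def spatial_anomalies(activity, threshold=3.0):
    """Users whose typical level (median over their days) deviates from the peer
    group. Each user is compared against the other users only, so a single
    outlier does not inflate the baseline it is judged against."""
    typical = {u: median(d) for u, d in activity.items()}
    flagged = {}
    for user, level in typical.items():
        peers = [v for u, v in typical.items() if u != user]
        z = zscore(level, peers)
        if abs(z) > threshold:
            flagged[user] = round(z, 1)
    return flagged


if __name__ == "__main__":
    print("temporal:", temporal_anomalies(ACTIVITY))   # bob: today vs. his own history
    print("spatial: ", spatial_anomalies(ACTIVITY))    # carol: her norm vs. peers
```

Note that the two checks flag different users: bob is normal relative to peers but not to himself, carol is normal relative to herself but not to peers. Carol may simply have a job that involves moving files, which is why spatial findings need a sensible peer grouping (same role, not the whole company) before they are escalated.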
Miscellaneous Errors: Recommended Controls
Verizon’s recommendations in this area focus on keeping a record of past mistakes to serve as a warning of errors to avoid in the future. Strong EDR systems do not forget; they keep an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, perhaps after some future incident has revealed an intrusion and response teams need to go back and find patient zero to unravel the incident and determine where mistakes may have been made.
Physical Theft and Loss: Recommended Controls
Verizon recommends (and many regulators require) full disk encryption, especially for mobile devices. A proper EDR system will verify that endpoint configurations comply with enterprise encryption policy and will alert on violations. Verizon reports that data assets are physically lost a hundred times more often than they are physically stolen, but the impact on the affected business is essentially the same.
Crimeware: Recommended Controls
Once again, Verizon stresses vulnerability management and consistent, thorough patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtered against process image records from our endpoint monitoring, which yields an accurately updated vulnerability assessment at any point in time.
Verizon also recommends recording malware analysis data from your own enterprise environment. EDR tools do track the arrival and execution of new binaries, and Ziften’s product can retrieve samples of any binary present on enterprise endpoints and submit them for in-depth static and dynamic analysis by our malware research partners.
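The exposure-tolerance idea from the first article, the exposure timelines from the vulnerabilities section above, and the NVD-against-process-images matching described here are one computation. The block below is an added example, not Ziften's code: it matches an inventory of observed process images against NVD-style vulnerability records, starts each exposure clock at the later of the advisory's publication and the image's first appearance on the host, and reports how far each exposure has run past the tolerance. The records, inventory, placeholder advisory IDs, the 14-day tolerance and the report date are constructed, and real NVD matching uses CPE identifiers rather than the simplified product names used here.

```python
"""Vulnerability exposure timeline: match observed process images against
NVD-style records and measure exposure against a tolerance in days. Added
example, not Ziften's code; all records, dates and thresholds are constructed
and the EXAMPLE-nnnn identifiers stand in for CVE IDs."""
from datetime import date

# Constructed NVD-like records: product, first fixed version, publication date.
NVD = [
    {"id": "EXAMPLE-0001", "product": "flash_player", "fixed_in": (21, 0, 0, 213), "published": date(2016, 4, 7)},
    {"id": "EXAMPLE-0002", "product": "java_se",      "fixed_in": (8, 0, 91, 0),    "published": date(2016, 4, 19)},
    {"id": "EXAMPLE-0003", "product": "reader",       "fixed_in": (15, 16, 20, 39), "published": date(2016, 5, 10)},
]

# Constructed process image inventory from endpoint monitoring:
# (host, product, version string, date the image was first seen on that host).
INVENTORY = [
    ("ws-acct-07",  "flash_player", "21.0.0.197", date(2016, 3, 1)),
    ("ws-acct-07",  "java_se",      "8.0.91.0",   date(2016, 4, 25)),
    ("ws-legal-02", "flash_player", "21.0.0.213", date(2016, 4, 20)),
    ("ws-legal-02", "reader",       "15.16.20.0", date(2016, 2, 12)),
]

TODAY = date(2016, 5, 16)   # fixed report date so the example is reproducible
TOLERANCE_DAYS = 14         # assumed enterprise exposure tolerance


def parse_version(v: str) -> tuple:
    """Dotted version string -> tuple of ints, so tuple comparison orders versions."""
    return tuple(int(p) for p in v.split("."))


def exposures(inventory, nvd, today=TODAY, tolerance_days=TOLERANCE_DAYS):
    """One row per (host, advisory) that is still exposed, worst first. The clock
    starts when the vulnerability became known AND the vulnerable image was present."""
    rows = []
    for host, product, version, first_seen in inventory:
        for rec in nvd:
            if rec["product"] == product and parse_version(version) < rec["fixed_in"]:
                start = max(rec["published"], first_seen)
                days = (today - start).days
                rows.append({"host": host, "id": rec["id"], "version": version,
                             "exposed_days": days,
                             "over_tolerance": max(0, days - tolerance_days)})
    return sorted(rows, key=lambda r: -r["exposed_days"])


def summary(rows):
    """Program-level numbers for the timeline: total exposures, how many breach
    the tolerance, and the longest-running exposure."""
    breached = [r for r in rows if r["over_tolerance"] > 0]
    return {"exposures": len(rows), "breaching_tolerance": len(breached),
            "worst_days": rows[0]["exposed_days"] if rows else 0}


def report():
    rows = exposures(INVENTORY, NVD)
    return rows, summary(rows)


if __name__ == "__main__":
    rows, totals = report()
    for r in rows:
        print(f"{r['host']:<12} {r['id']} {r['version']:<12} exposed {r['exposed_days']:>3}d "
              f"over tolerance {r['over_tolerance']:>3}d")
    print(totals)
```

Tracking `over_tolerance` per host over time, rather than a count of open findings, is what gives the consistency-and-coverage view the DBIR asks for: a host that has been past tolerance for a month is a different problem from ten hosts that were patched two days late.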
Cyber-Espionage: Recommended Controls
Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps whose compliance can be verified by EDR tools.
Verizon also recommends strong network defenses. We have already discussed how Ziften ZFlow can greatly improve conventional network flow monitoring with endpoint context and attribution, providing a blend of network and endpoint security that is truly end-to-end.
Finally, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on scene to assist with a breach. This is the prime function of EDR tools, because the endpoint is the most frequent entry vector in a major data breach.
Denial-of-Service Attacks: Recommended Controls
Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR systems can record port usage by application and apply anomaly checks to recognize unusual application port usage that may indicate compromise.
Enterprise services migrating to cloud providers also need protection from DoS attacks, which the cloud provider may supply. However, when it comes to network traffic monitoring in the cloud, where the enterprise may lack network visibility, solutions like Ziften ZFlow offer a way to collect enriched network flow data directly from cloud virtual servers. Do not let the cloud be your network blind spot, or attackers will exploit it to fly under your radar.
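Per-application port usage is a small, stable baseline that an endpoint sensor can learn and then check new connections against. The following is an added example, not Ziften's code: it learns which ports each process normally uses from a constructed quiet-period history, then flags a known process on a new port, an unknown process, and a process whose outbound volume to a single port looks like participation in a flood. The history, the new records and the flood threshold are constructed.

```python
"""Per-application port-usage baseline with anomaly checks. Added example, not
Ziften's code; the history, the new records and the flood threshold are constructed."""
from collections import defaultdict

# Constructed history from a quiet period: (process, direction, remote port, packets).
HISTORY = [
    ("chrome.exe", "out", 443, 900), ("chrome.exe", "out", 80, 50),
    ("outlook.exe", "out", 443, 200), ("outlook.exe", "out", 993, 40),
    ("svchost.exe", "out", 53, 30), ("svchost.exe", "out", 80, 10),
    ("svchost.exe", "out", 443, 60), ("svchost.exe", "out", 123, 2),
]

# Constructed new records in the same shape.
NEW = [
    ("chrome.exe", "out", 443, 120),
    ("svchost.exe", "out", 123, 4),
    ("svchost.exe", "out", 6667, 300),    # a port this process has never used
    ("update.exe", "out", 80, 3000),      # process never seen in the baseline
    ("update.exe", "out", 80, 4500),      # and it is sending a lot to one port
    ("outlook.exe", "in", 3389, 10),      # mail client accepting an RDP-port connection
]


def learn_baseline(records):
    """Map each process to the set of ports it used during the learning period."""
    baseline = defaultdict(set)
    for proc, _direction, port, _pkts in records:
        baseline[proc].add(port)
    return dict(baseline)


def port_anomalies(records, baseline, flood_packets=5000):
    """Return (process, port, reason) findings: a known process on a new port, an
    unknown process, or outbound volume to one port at flood level. Findings are
    de-duplicated so repeated records produce one line each."""
    findings = []
    seen = set()
    outbound = defaultdict(int)

    def add(finding):
        if finding not in seen:
            seen.add(finding)
            findings.append(finding)

    for proc, direction, port, pkts in records:
        if direction == "out":
            outbound[(proc, port)] += pkts
        if proc not in baseline:
            add((proc, port, "unknown process"))
        elif port not in baseline[proc]:
            add((proc, port, f"new {direction} port for process"))
    for (proc, port), pkts in outbound.items():
        if pkts >= flood_packets:
            add((proc, port, f"outbound flood: {pkts} packets"))
    return findings


if __name__ == "__main__":
    for finding in port_anomalies(NEW, learn_baseline(HISTORY)):
        print(finding)
```

The flood check is the one that maps directly to the DBIR's concern about enterprise assets being used in someone else's DoS attack; the new-port and unknown-process checks are the earlier warning that a host has been repurposed.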