Interrupting Ransomware

The threat landscape is ever expanding. In the past, threats were limited to minor attacks that would cause a small amount of damage to an organization. As time has progressed, far more advanced attacks have surfaced, such as complex phishing attacks and ransomware, resulting in extensive damage to organizations.

Today, cyberattacks have become more prevalent, and much more difficult to prevent, which has increased the number of major, targeted attacks on businesses—I’ve seen many smaller and less experienced cybercriminals gain access to incredibly advanced hacking technologies. Take a look, for example, at how easy it is to gain access to ransomware as a service (RaaS).

The fact is, ransomware is only one type of threat in the wild. Organizations need to look beyond the payload and pay closer attention to the exploit as well. If an organization’s security stack fails to block an exploit, then the payload, ransomware in this case, has a much higher likelihood of being successful.

The continuing rise of mobile usage also presents newer threats. Using our mobile devices for so many different tasks and having them constantly connected makes them perfect targets for cyberattacks. Once attackers gain access to your mobile device, they have access to an unprecedented amount of personal and professional information.

The Internet of Things has also contributed to the rise in cyberattacks, as more devices than ever are now connected to the internet.

So, how can organizations stop attacks sooner and prevent them?

A few years back, Lockheed Martin coined the term “Cyber Kill Chain.” The seven steps of this kill chain provide visibility into an attack methodology.

Step 1: Reconnaissance. The attacker gathers information on the target before the actual attack starts. He can do this by looking for publicly available information on the Internet.

Step 2: Weaponization. The attacker uses an exploit and creates a malicious payload to send to the victim. This happens on the attacker side, without contact with the victim.

Step 3: Delivery. The attacker sends the malicious payload to the victim by email or one of the many intrusion methods the attacker can use.

Step 4: Exploitation. The exploit is actually executed. (This step is only relevant if the attacker uses an exploit.)

Step 5: Installation. Malware is installed on the infected computer. This step is relevant only if the attacker used malware as part of the attack, and even when there is malware involved, installation is just one point in time within an elaborate attack process that takes months to complete.

Step 6: Command and control. The attacker creates a command-and-control channel in order to operate internal assets remotely. This step occurs throughout the attack, not only when malware is installed.

Step 7: Action on objectives. The attacker performs the steps to achieve his goals inside the victim’s network. This is an elaborate process that takes months and involves thousands of small steps.

While the cyber kill chain doesn’t take into account insider threats, it does a fairly decent job of summarizing the chain of events for cyberattacks.

Most of the products in the market today focus on step 7 of the kill chain (action on objectives). While I agree that solutions such as threat analytic platforms and UEBAs are needed, I also believe we should be able to stop threats before exploits deliver their payloads to client systems.

If we change our thinking, and focus more on step 2 (weaponization), step 3 (delivery), and step 4 (exploitation), then we can stop cyberthreats sooner.

In the past few years, we have seen a number of threat feeds surface; however, over time most of these have lost value as they don’t provide context for threats that are specific to an enterprise. What if we took those threat feeds and augmented them with an active, geographically distributed crawling technology net to gather even more data on malicious URLs, exploits, malware, and ransomware? What if you could use this same technology within an enterprise to gather zero-day threats that are specific to that enterprise—and in real time? Such an approach would arm organizations with solid contextual knowledge about the threat surface specific to them.

This isn’t where we should stop. Now that we have thousands of valid threats per hour, they need to be distilled down.

Security teams could take the captured exploits along with malware or ransomware and replay them against a virtualized replica of their security architecture and assets from their environment, right down to specific operating systems, applications, firmware, signatures, and behavioral technology. This would allow organizations to know which security solutions (layered or not) are actually protecting them. Now stack that with visualization of the exploit chain of events and indicators of attack from any exploit against the environment and you have one powerful solution.
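As an added example (not part of the original post and not NSS Labs code), the distillation step can be sketched as a triage over replay results: which threats no layer blocked, which were stopped only after the exploitation stage, and which controls were the sole blocker. The control names, threat IDs, control-to-stage mapping and results are all constructed for illustration.

```python
from collections import Counter

# Kill chain stages in the order the article lists them.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command and control", "action on objectives"]

# Hypothetical controls and the stage at which each one acts (assumption).
CONTROL_STAGE = {"email_gateway": "delivery", "web_proxy": "delivery",
                 "endpoint_exploit_guard": "exploitation",
                 "endpoint_av": "installation"}

# Constructed replay results: threat id -> {control: did it block the replay?}
REPLAYS = {
    "threat-001": {"email_gateway": True, "web_proxy": False,
                   "endpoint_exploit_guard": True, "endpoint_av": True},
    "threat-002": {"email_gateway": False, "web_proxy": False,
                   "endpoint_exploit_guard": False, "endpoint_av": True},
    "threat-003": {"email_gateway": False, "web_proxy": False,
                   "endpoint_exploit_guard": False, "endpoint_av": False},
    "threat-004": {"email_gateway": False, "web_proxy": False,
                   "endpoint_exploit_guard": True, "endpoint_av": False},
}

def earliest_block(results):
    """Return (stage, control) for the earliest-stage control that blocked, or None."""
    hits = [(STAGES.index(CONTROL_STAGE[c]), c) for c, ok in results.items() if ok]
    if not hits:
        return None
    idx, control = min(hits)
    return STAGES[idx], control

def distill(replays):
    """Reduce replay results to the findings a security team must act on."""
    unblocked, stopped_late, sole = [], [], Counter()
    cutoff = STAGES.index("exploitation")
    for threat, results in sorted(replays.items()):
        first = earliest_block(results)
        blockers = [c for c, ok in results.items() if ok]
        if first is None:
            unblocked.append(threat)          # bypassed every layer
            continue
        if STAGES.index(first[0]) > cutoff:
            stopped_late.append(threat)       # payload already delivered and run
        if len(blockers) == 1:
            sole[blockers[0]] += 1            # no defense in depth for this threat
    return {"unblocked": unblocked, "stopped_late": stopped_late,
            "sole_blocker": dict(sole)}

if __name__ == "__main__":
    print(distill(REPLAYS))
```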

Since we’ve gathered the exploits and payload in the process, the PCAP, SAZ, and shellcode are available with the IOAs. Such IOAs can be consumed via an API, which allows for automated threat mitigation with endpoint detection and response technology. This will help organizations protect against such threats through new signatures, adjustments in behavioral algorithms, and even patches.

Combining the NSS CAWS Cyber Threat Protection Platform and Contextual Threat Analysis (CTA) product with SIEM, threat analytics platforms, endpoint, and incident response platforms would drastically decrease the likelihood of a successful cyberattack.

Follow us on Twitter @NSSLabs to keep informed as new research is released.
