[BreachExchange] Preventing the Next Ransomware Attack

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 27 18:59:32 EDT 2018


https://www.infosecurity-magazine.com/opinions/preventing-next-ransomware-
attack/

2018 is quickly moving by us, and while we have yet to see an attack on the
scale of 2017’s WannaCry or NotPetya, it’s clear that adversaries are not
letting up on their mission to line their pockets at our expense. Ransomware
has dominated the headlines for the last two years, while 2018 shows a trend
toward greater diversity in attacker methods.

The growing cryptocurrency market is opening up new and tempting
opportunities for attackers to compromise systems for profit. Cryptomining
attacks use ransomware-like tactics to gain access to machines, but their
payload monetizes the machine itself (its CPU, memory and power) rather than
holding its data hostage.

Recently, our security researchers observed hackers utilizing WannaMine, a
cryptomining worm, to steal system resources and mine cryptocurrency.
WannaMine exploits remote systems with the EternalBlue exploit against
SMBv1, the same exploit used in the WannaCry and NotPetya ransomware attacks
and fixed by Microsoft's MS17-010 update.

WannaMine and other cryptocurrency mining malware pose a distinct threat to
enterprises because the malware is built to stay resident and unnoticed,
letting attackers quietly consume the organization’s power and compute to
fund illegal activity.

While there is no magic bullet that prevents and protects organizations from
all ransomware attacks, there are a few key tactics security teams can adopt
that will boost their organization’s immunity.

Practice good hygiene - patch!
The SMBv1 vulnerability exploited by EternalBlue was fixed by Microsoft in
March 2017 (MS17-010), and the exploit itself was published the following
month, yet it is still being used with good success by adversaries almost a
year later. Deploying patches is table stakes in the battle to stop modern
attacks.

Legacy vulnerability scanning may not be enough to get an accurate
assessment of your security posture. Many scanners rely on data extracted
from the registry or other repositories, where minor inconsistencies in the
patch installation process can cause the scan to report an incorrect patch
status. This leaves organizations with blind spots that can turn into
massive vulnerabilities.

In the case of WannaCry and EternalBlue, some organizations deployed the
patch and reported success. However, where the reboot after installation
failed or never happened, the updated SMB driver was never loaded, and those
systems remained dangerously exposed while their inventory showed them as
patched.

To close this and similar gaps, organizations should ensure their
vulnerability assessment tools perform deep, real-time assessments of the
running system (loaded driver and file versions, pending-reboot state), not
just a review of metadata. That visibility provides a clear and accurate
view of patch status, and enables proper prioritization when a threat
emerges.
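To make the gap concrete, here is an added example (not code from the
article or from any scanner product) that reconciles the two evidence
sources for a fleet: the hotfix list the registry reports versus the version
of the SMB server driver actually loaded and the host's pending-reboot flags.
The KB numbers and srv.sys versions are the MS17-010 values as I recall them
from Microsoft's verification guidance and are assumptions to confirm against
the vendor's current list; the host inventory is constructed.

```python
"""Reconcile hotfix metadata with the live SMB driver state, per host.

Added example, not code from the article or from any vendor product. It shows
how a "patched" verdict taken from the hotfix inventory alone can disagree
with what is actually loaded on the host, and how to rank hosts from both
sources. The KB ids and srv.sys versions below are assumed reference data
(MS17-010 values as recalled from Microsoft's guidance); verify before use.
"""

# Hotfix IDs that delivered MS17-010 (assumed reference data, see docstring).
MS17_010_KBS = {
    "KB4012212", "KB4012215",   # Windows 7 SP1 / Server 2008 R2
    "KB4012213", "KB4012216",   # Windows 8.1 / Server 2012 R2
    "KB4013429",                # Windows 10 1607 / Server 2016
    "KB4012598",                # out-of-band for older, unsupported builds
}

# Minimum srv.sys version carrying the fix, keyed by OS build prefix
# (assumed reference data; builds not listed cannot be verified this way).
FIXED_SRV_SYS = {
    "6.1.7601": (6, 1, 7601, 23689),
    "6.3.9600": (6, 3, 9600, 18604),
    "10.0.14393": (10, 0, 14393, 953),
}

# Most exposed first; used to rank hosts when a threat emerges.
STATUS_ORDER = ["unpatched", "recorded_not_effective", "unverifiable", "effective"]


def parse_version(text):
    """'6.1.7601.23689' -> (6, 1, 7601, 23689); tuples compare element-wise."""
    return tuple(int(part) for part in text.split("."))


def assess(host):
    """Combine inventory metadata with live observations for one host.

    host keys: name, os_build ('6.1.7601'), hotfixes (KB ids read from the
    registry), loaded_srv_sys (file version of the SMB server driver that is
    actually loaded), pending_reboot (servicing reboot flags), smb1_enabled.
    """
    recorded = bool(MS17_010_KBS & set(host["hotfixes"]))
    threshold = FIXED_SRV_SYS.get(host["os_build"])
    notes = []

    if threshold is None:
        status = "unverifiable"
        notes.append("no reference version for build %s" % host["os_build"])
    elif parse_version(host["loaded_srv_sys"]) >= threshold:
        status = "effective"
    elif recorded:
        # Inventory says patched, the running driver says otherwise: the blind spot.
        status = "recorded_not_effective"
        notes.append("reboot pending" if host["pending_reboot"]
                     else "patch recorded but driver not updated; reinstall")
    else:
        status = "unpatched"

    if host["smb1_enabled"]:
        notes.append("SMBv1 still enabled; disable it where not required")

    return {"name": host["name"], "recorded_patched": recorded,
            "status": status, "notes": notes}


def prioritize(hosts):
    """Order hosts so the ones most exposed to EternalBlue come first."""
    results = [assess(h) for h in hosts]
    return sorted(results, key=lambda r: (STATUS_ORDER.index(r["status"]),
                                          not any("SMBv1" in n for n in r["notes"]),
                                          r["name"]))


# Constructed inventory for the example (not real hosts or real observations).
SAMPLE_HOSTS = [
    {"name": "fs01", "os_build": "6.1.7601", "hotfixes": ["KB4012212"],
     "loaded_srv_sys": "6.1.7601.23689", "pending_reboot": False, "smb1_enabled": True},
    {"name": "ws-042", "os_build": "6.1.7601", "hotfixes": ["KB4012215"],
     "loaded_srv_sys": "6.1.7601.17514", "pending_reboot": True, "smb1_enabled": True},
    {"name": "ws-077", "os_build": "6.1.7601", "hotfixes": [],
     "loaded_srv_sys": "6.1.7601.17514", "pending_reboot": False, "smb1_enabled": True},
    {"name": "web01", "os_build": "10.0.14393", "hotfixes": ["KB4013429"],
     "loaded_srv_sys": "10.0.14393.953", "pending_reboot": False, "smb1_enabled": False},
    {"name": "legacy-xp", "os_build": "5.1.2600", "hotfixes": ["KB4012598"],
     "loaded_srv_sys": "5.1.2600.7208", "pending_reboot": False, "smb1_enabled": True},
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_HOSTS):
        print("%-10s %-24s %s" % (r["name"], r["status"], "; ".join(r["notes"])))
```

In this sample, ws-042 is the case the article describes: the registry lists a
MS17-010 KB, yet the loaded driver is still the pre-patch build and a reboot is
pending, so it ranks just behind the host that was never patched at all.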

Apply behavioral analytics for better protection
It’s crucial for organizations to shift to proactive cybersecurity
techniques focused on identifying malicious behavior relating to ransomware
even when no signatures or known exploits are present.

Instead of reactively tracking Indicators of Compromise (IoCs), the “known
bad,” organizations should track Indicators of Attack (IoAs). IoAs identify
adversary behavior associated with ransomware rather than matching
signatures. Behaviors such as deletion of backups (volume shadow copies, for
example) or a sudden high volume of file-system writes can be clear
indicators of ransomware in the right context; the same write volume from a
scheduled backup job is not, which is why context matters. Behavioral
detection enables organizations to prevent, detect and respond to both known
and unknown ransomware.
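As an added example (not the article's own code or any product's detection
logic), the following runs two of the IoAs named above over a constructed
endpoint event stream: command lines that delete or disable backups, and a
burst of file writes by a single process. It then correlates the two by
process lineage, so that either alone is a medium-severity signal and the
pair from one process tree is rated high. The patterns, thresholds, process
names and sample events are assumptions chosen for illustration.

```python
"""Indicator-of-Attack (IoA) detection over a constructed endpoint event stream.

Added example, not code from the article. Two behaviours the text names
(deleting backups, a burst of file-system activity) are detected separately
and then correlated by process lineage. Patterns and thresholds are assumed
values for illustration, not a vendor's rule set.
"""
import re
from collections import defaultdict, deque

# Command lines that destroy or disable recovery (illustrative patterns).
BACKUP_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]

BURST_FILES = 20      # distinct files written by one process ...
BURST_WINDOW = 10.0   # ... within this many seconds (assumed thresholds)
CHAIN_WINDOW = 300.0  # max seconds between the two IoAs to count as one chain


def tampers_with_backups(cmdline):
    return any(p.search(cmdline) for p in BACKUP_TAMPER)


def detect(events):
    """Return alerts for an event list sorted by timestamp.

    process events: {type, ts, pid, ppid, cmdline}; file_write events:
    {type, ts, pid, path}.
    """
    parent = {}                   # pid -> ppid, learned from process events
    recent = defaultdict(deque)   # pid -> (ts, path) writes inside the window
    burst_seen = set()            # pids already reported for a burst
    tamper_ts = {}                # pid -> ts of the backup-tampering command
    alerts = []

    def lineage(pid):
        chain = []
        while pid is not None and pid not in chain:
            chain.append(pid)
            pid = parent.get(pid)
        return chain

    def related(a, b):
        # ancestor/descendant in either direction, or siblings of one parent
        return a in lineage(b) or b in lineage(a) or parent.get(a) == parent.get(b)

    for ev in events:
        if ev["type"] == "process":
            parent[ev["pid"]] = ev["ppid"]
            if tampers_with_backups(ev["cmdline"]):
                tamper_ts[ev["pid"]] = ev["ts"]
                alerts.append({"ioa": "backup_tampering", "severity": "medium",
                               "pid": ev["pid"], "ts": ev["ts"], "detail": ev["cmdline"]})
        elif ev["type"] == "file_write":
            q = recent[ev["pid"]]
            q.append((ev["ts"], ev["path"]))
            while ev["ts"] - q[0][0] > BURST_WINDOW:   # slide the window
                q.popleft()
            if len({p for _, p in q}) >= BURST_FILES and ev["pid"] not in burst_seen:
                burst_seen.add(ev["pid"])
                alerts.append({"ioa": "file_modification_burst", "severity": "medium",
                               "pid": ev["pid"], "ts": ev["ts"],
                               "detail": "%d writes within %.0fs" % (len(q), BURST_WINDOW)})
                # Context: backup tampering in the same process tree turns two
                # weak signals into one strong one.
                for tpid, tts in tamper_ts.items():
                    if related(ev["pid"], tpid) and abs(ev["ts"] - tts) <= CHAIN_WINDOW:
                        alerts.append({"ioa": "ransomware_behavior_chain", "severity": "high",
                                       "pid": ev["pid"], "ts": ev["ts"],
                                       "detail": "burst in pid %d after backup tampering by pid %d"
                                                 % (ev["pid"], tpid)})
                        break
    return alerts


def _sample_events():
    """Constructed telemetry: one ransomware-like chain, one benign backup job."""
    ev = [
        {"type": "process", "ts": 0.0, "pid": 100, "ppid": 1, "cmdline": "explorer.exe"},
        {"type": "process", "ts": 1.0, "pid": 200, "ppid": 100,
         "cmdline": r"C:\Users\bob\Downloads\invoice.exe"},
        {"type": "process", "ts": 2.0, "pid": 201, "ppid": 200,
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"type": "process", "ts": 3.0, "pid": 400, "ppid": 100,
         "cmdline": "cmd.exe /c vssadmin list shadows"},   # benign: lists only
        {"type": "process", "ts": 4.0, "pid": 300, "ppid": 1, "cmdline": "backupagent.exe --nightly"},
    ]
    for i in range(25):   # 25 distinct files in 5 seconds: a burst
        ev.append({"type": "file_write", "ts": 5.0 + i * 0.2, "pid": 200,
                   "path": r"C:\Users\bob\Documents\doc%d.docx.locked" % i})
    for i in range(25):   # 25 files spread over 100 seconds: no burst
        ev.append({"type": "file_write", "ts": 6.0 + i * 4.0, "pid": 300,
                   "path": r"D:\Backup\file%d.bak" % i})
    return sorted(ev, key=lambda e: e["ts"])


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The benign backup agent writes the same number of files but never twenty
within ten seconds, and the shell that only lists shadow copies matches no
tampering pattern, so neither produces an alert; the dropper and its vssadmin
child produce three.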

Augment analytics with artificial intelligence (AI) and machine learning
AI and machine learning are important capabilities for detecting modern
threats that traditional anti-virus solutions would otherwise miss.
Signature-less machine learning combined with behavioral analytics can learn
which files and behaviors are malicious without being fed new signature
datasets every day.

This approach has proven far superior at detecting today’s threats, many of
which are previously unseen variants, and ultimately leads to better
classification of what is and is not malicious.

Bolster your defense with proactive hunting
Rather than waiting for ransomware to appear and take hold in your
organization, it is better to spot the problem at inception, before a
breach occurs, and shut down the adversary’s attempt immediately. This is
where proactive threat hunting plays a crucial role.

Skilled threat hunting teams that actively monitor system behavior can help
defenders take control. Threat hunters look for evidence of potential
malicious behavior that might exist in a broad pool of behavioral data, but
may be too subtle to warrant an immediate blocking response by traditional
detection technologies.

Threat hunters leverage experience and intuition to follow faint
suggestions of possible threat activity to put together a picture of
whether an attack is in progress, or if the behavior is irregular but does
not represent malicious cyber activity. Threat hunters ultimately find
damaging attacks in the network faster than automated security tools alone.

It’s never a question of if another crippling cyber-attack will take place,
only when. As security teams prepare for the next ransomware epidemic, they
must implement preventive measures that go beyond traditional
signature-based security.

Tactics such as patching, behavioral-based detection, machine learning, and
threat hunting shift the advantage away from the attacker, toward the
defender.