[BreachExchange] Crypto Malware: Responding To Machine-Timescale Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 1 18:41:21 EDT 2016


http://www.darkreading.com/vulnerabilities---threats/crypto-malware-responding-to-machine-timescale-breaches/a/d-id/1326456

The thousand-fold increase in crypto-malware highlights a profound change
in the cyber-landscape: Previously, an attacker seeking to steal
intellectual property, personally identifiable information or payment card
information would need to successfully breach and persist on one or more
endpoints, carefully research the network, stealthily exfiltrate data, and
finally process it in order to sell it on the dark web – a lot of effort
for an uncertain payout. But crypto-malware is a clear signal that hackers
have changed the game.

With crypto-malware – ransomware that encrypts files until a ransom is paid
– every compromised device, whether company or personally owned, can be
quickly monetized. If money isn’t the goal, attackers can use it to cripple
a target for political or military advantage because it’s quick, precise
and lethal, and much simpler and more effective than a messy kinetic
weapon.  For organizations whose missions depend on availability of
computer systems, including hospitals, law enforcement and military
targets, this new form of attack is a nightmare.

A crypto-malware attacker avoids the risk of post-breach detection or
interrupted exfiltration by leaving data in place and encrypting it there,
ideally before anyone notices. The attacker also maximizes fear and impact
in a shocking way: via the ransom notice. This is a ransom page,
personalized to the victim, that usually contains the initial ransom
amount, instructions for how to purchase Bitcoins, and a countdown clock.
The clock adds pressure by telling the victim how much time they have to
pay up before the ransom doubles or the data is deleted.

The attacker doesn’t even have to decide what data is valuable. Encrypting
all data forces the victim to decide. Being both fearful and unsure, the
victim is very likely to pay the ransom. Likewise, rather than having to
sell stolen data at a discounted black-market price, encrypting it in place
allows the attacker to directly demand top dollar from the victim, who
values the data most.

Most importantly, crypto-malware breaches occur at machine speed, meaning
there is no need for a remote human attacker to carefully dig deeper
searching for valuable data. As soon as the endpoint is compromised the
attack inflicts maximum damage. And since such malware is routinely
repacked to evade signature matching, legacy AV suites offer scant
assurance that you will be protected. Enterprise security teams have no
opportunity to detect and respond to the breach while it is in progress, as
they do with traditional attacks.

Lest you think that crypto-malware is consumer focused, or that paying to
decrypt your files is a simple way out, think again:

● Attacks have rapidly evolved to incorporate traditional breach
techniques. Enterprise variants can propagate through the network to other
devices and encrypt file shares and cloud storage to maximize impact.

● Following the classic approach of extortionists, attackers can charge
different amounts to decrypt different parts of your data, or demand
regular payments to keep data from being re-encrypted.

● It won’t be long before encrypted data is exfiltrated so the bad guys get
to keep a copy too.

“Sorry, you’re going to be pwned”
Sadly, the security industry was already failing to protect its customers
from traditional manual adversaries before attackers realized the benefits
of machine-speed breaches. Vendors continue to peddle “maybe”
technologies, like “next-gen antivirus” (NG-AV), that try to “detect to
protect.” They tout their unbelievable ability to detect yesterday’s
attacks – when in fact 99 percent of malware hashes are seen for 58 seconds
or less, and most are seen only once, according to the 2016 Verizon Data
Breach Investigations Report. And they fail to protect against threats at
the time of infection, offering remediation instead of prevention. Once the
damage is done it’s too late.

Security vendors dodge responsibility for their failures, glibly
encouraging their customers to continually look for signs of a breach they
missed. But if you try to secure your organization assuming you will be
breached by an adversary who operates on a human timescale, whose stealthy
theft of data you must detect post-breach, you will undoubtedly be
devastated by a machine-speed attack that cripples your organization before
the first alert, then drains your bank account to “help” you back on your
feet.

Protection at Machine-Speed
Today’s NG-AV tries to detect attacks and protect each endpoint
individually, using signatures and heuristics updated by vendors on a human
timescale. With absolute certainty this approach will fail, giving an
attacker the foothold he needs to breach the enterprise at machine-speed.

To protect the entire enterprise at machine speed, you cannot rely on
detection. The only solution is to protect “by design” -- architecting your
environment to be resilient to attack. For a start, you ought to segment
your network according to privilege or “need to know”: PCs that only access
web applications need never be fully trusted on the enterprise network.
Instead isolate them on their own VLAN or network subnet, and make users
pass through authentication “gates” to get to high value applications or
back-end services.

Don’t give users access to file shares that are not necessary, and keep
database access limited to the database applications that need it. This
concept of micro-segmentation of the enterprise network is being promoted
by vendors of private and public cloud infrastructure, and the same
concepts apply to end-user PCs through micro-virtualization. Ensure that
users who need administrative access to corporate infrastructure are only
able to elevate their privileges on a separately managed, VDI-based backend
that can only be accessed from the enterprise intranet. Prohibit privilege
escalation that does not force the user to log in under a different
identity.
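The segmentation and least-privilege recommendations in the two paragraphs above can be checked rather than asserted: model the zones, the flows the network policy allows, and which of those flows require a credential the compromised process does not hold, then compute how far malware running as the logged-in user can spread from one endpoint. The script below is an added example, not code from the article or from any product it mentions; the two topologies, the zone names (user-pc, web-app, vdi-admin and so on) and the credential names are constructed for illustration.

```python
from collections import deque

# Constructed example topologies (not from the article). Each edge is
# (source_zone, destination_zone, gate). gate is None for an open network
# path, or the name of a credential that must be presented to cross it
# (a share ACL group, a service account, a separate admin identity).
FLAT_NETWORK = [
    ("user-pc", "web-app", None),
    ("user-pc", "file-share", None),
    ("user-pc", "db-server", None),
    ("user-pc", "admin-jump", None),
    ("admin-jump", "domain-controller", None),
]

SEGMENTED_NETWORK = [
    ("user-pc", "web-app", None),                   # web-only PCs see the web tier
    ("web-app", "db-server", "app-service-acct"),   # DB only via the application
    ("user-pc", "file-share", "share-acl"),         # only members of the share group
    ("user-pc", "vdi-admin", "admin-identity"),     # elevation only on VDI, new login
    ("vdi-admin", "domain-controller", "admin-identity"),
    ("vdi-admin", "file-share", "admin-identity"),
]

# Zones whose loss to encryption is the impact being measured.
DATA_STORES = frozenset({"file-share", "db-server", "domain-controller"})


def blast_radius(edges, start, held_credentials=frozenset()):
    """Map every zone reachable from `start` to the path that reaches it.

    Code running in `start` crosses an open edge freely and a gated edge
    only if it already holds the gate's credential. A gate that demands a
    login under a different identity is therefore a real stop for malware
    running as the logged-in user, but not if that credential is also
    present on the endpoint (cached, or the user is already in the group).
    """
    adjacency = {}
    for src, dst, gate in edges:
        adjacency.setdefault(src, []).append((dst, gate))
    paths = {start: [start]}          # breadth-first search, first path wins
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for dst, gate in adjacency.get(zone, []):
            if gate is not None and gate not in held_credentials:
                continue
            if dst not in paths:
                paths[dst] = paths[zone] + [dst]
                queue.append(dst)
    return paths


def exposed_data_stores(edges, start, held_credentials=frozenset(),
                        data_stores=DATA_STORES):
    """Least-privilege audit: the data stores an endpoint compromise can
    encrypt, each with the path the malware would take to reach it."""
    reach = blast_radius(edges, start, held_credentials)
    return {zone: " -> ".join(path)
            for zone, path in reach.items() if zone in data_stores}


def main():
    for label, edges in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        print(f"[{label}] compromised user-pc, user holds no extra credentials:")
        for zone, path in sorted(exposed_data_stores(edges, "user-pc").items()):
            print(f"  encryptable: {zone:18s} via {path}")
    # The caveat: least privilege limits spread but does not remove it.
    # A user who legitimately belongs to the share group still loses the share,
    # and admin credentials left on the endpoint re-open the VDI gate.
    for creds in ({"share-acl"}, {"admin-identity"}):
        hit = exposed_data_stores(SEGMENTED_NETWORK, "user-pc", creds)
        print(f"[segmented] endpoint holds {sorted(creds)}: {sorted(hit)}")


if __name__ == "__main__":
    main()
```

On the flat topology every data store is one hop from a single compromised PC, which is exactly the machine-speed scenario the article describes; on the segmented one the same compromise reaches only the web tier. The last two checks are the caveat a practitioner should keep in mind: the model only holds while the credentials that open the gates are not themselves sitting on the endpoint, which is why the separate admin identity must be used only from the VDI backend and never cached on the user's PC.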

Rigorous separation of duties, enforced with tools from virtualization --
VDI, micro-segmentation and micro-virtualization -- is fundamental to
building an enterprise infrastructure that is inherently more resilient to
machine-timescale attacks. Put another way, infrastructure-based
enforcement of the principle of least privilege is a basic requirement for
a resilient enterprise architecture.

It is time to move beyond a model where we bet the security of the
enterprise on the security of a single endpoint and human-timescale
detection tools. The only way to defeat machine-timescale attacks is to
embrace virtualization-enforced isolation to help enterprises protect
themselves by reducing the enterprise attack surface.