Ransomware on the Rise: How Threat Intelligence Helps to Identify It

Ashish Shrivastava
Sep 3, 2021

Protect, detect, recover, and keep yourself safe from ransomware attacks.

Ransomware Attack

Ransomware is a large and growing problem around the world. It is a problem that requires preparation. Ransomware has become one of the most serious cyber-threats today, in both frequency and severity.

If you want to deal with it, you must first understand what ransomware is.

This article will help you understand what ransomware is.

Knowing in advance what the business impact would be is not enough to help you prepare. You need to protect yourself against ransomware threats, respond effectively to such a malware attack, and recover after a successful one. Threat intelligence obtained in advance, however, can help.
Threat intelligence and detection help you prepare as well as possible and respond quickly.

What is Ransomware?

Ransomware is a type of malware. There was a time when worms dominated: Stuxnet, Code Red, and Blaster are examples of highly destructive worms from several years ago.
Today we don’t hear so much about worms, in spite of the destruction they caused. Worms were malicious, but they did not have the goal of making money for their creators. Today, malware has become more of an economy, because those developing the malware are business people who make money in any way they can.
Ransomware is one of those ways.

It is software used to extort a ransom. Commonly, it does this by encrypting data: the owner of the encrypted files can no longer access them.

The concept in play is that the person who owns the files would like to have them back and will pay some amount of money to get the decryption key.
One of the first and best-known pieces of ransomware, CryptoLocker, commonly went after individuals.

A major concern around ransomware is: what happens if we pay to get the key and the attacker doesn’t provide it?
We have paid and still don’t have our files. Again, it’s important to remember that these are revenue-generating transactions for the attacker. It is in the attacker’s best interest to provide you the key.

During a malware attack, the easiest thing to do when hit with malware is to wipe the system and rebuild, to ensure that you have completely cleaned the malware off and not missed any artifacts. Since malware is typically an executable, with artifacts stored in the registry on Windows systems or perhaps in some system directories on Windows or Linux systems, you can generally safely copy all your documents, pictures, music, and other personal files off prior to wiping the system.

The problem with ransomware is that you can’t copy your files before wiping, although wiping is going to be the best approach for ransomware. The files are encrypted or otherwise inaccessible. You could copy the encrypted files off, but once copied, they would be no more accessible to you than they are on the infected disk. You still need the decryption key to recover the files.

Another consideration that makes ransomware different is that insurance companies get involved. Businesses have been making more use of their cyber insurance policies when hit by ransomware than they have when hit by traditional malware. This is because ransomware directly impacts the revenue going to the organizations behind the attack. The more systems they hit with ransomware, the more money they can demand.
Because of the larger scale of the attack, businesses are more likely to use their insurance policy. And because the insurance companies very quickly go out of pocket by paying either the ransom or the cost of recovery without paying the ransom, they have developed their own policies as to whether or not they are going to pay.

As soon as the attack is noticed, the victim organization can take a number of countermeasures to prevent more systems from getting hit. The way around this, for the attacker, is to infect as many systems as possible without doing anything noticeable. Once the attackers have as many systems as they think they can get, they trigger all the software to start encrypting. This way, the attackers avoid getting caught early and can ask for the maximum ransom.
Once the ransomware has launched and files start encrypting, one of the first things a victim will notice is that their files no longer have the same extensions and cannot be opened.

One thing to note about ransomware is that after it has affected a system, not the entire system is affected. The ransomware will not typically affect .exe or .dll files. A number of directories are also left alone, including the Program Files and Windows directories. If files in those directories were encrypted, the system would become non-functional. Remember, the purpose of a ransomware infection is to get money from the victim. If the victim has to wipe and restore because the operating system is non-functional, paying the ransom gains the victim nothing.
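The symptoms described above, a burst of renames that change file extensions while .exe/.dll files and the system directories are left alone, can be turned into a simple detection rule over file-audit events. The following Python sketch is an added example, not code from the original article; the event format, the process name, the paths and the ".xyz" suffix are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample of file-rename audit events, "<ISO time>|<process>|<old path>|<new path>".
# Not real telemetry: the process name, paths and the ".xyz" suffix are invented to mimic
# the burst of extension changes the article says a victim first notices.
SAMPLE_EVENTS = r"""
2021-09-03T10:00:00|explorer.exe|C:\Users\alice\notes.txt|C:\Users\alice\notes.md
2021-09-03T10:00:05|svc.exe|C:\Users\alice\Documents\q3.docx|C:\Users\alice\Documents\q3.docx.xyz
2021-09-03T10:00:06|svc.exe|C:\Users\alice\Documents\budget.xlsx|C:\Users\alice\Documents\budget.xlsx.xyz
2021-09-03T10:00:07|svc.exe|C:\Users\alice\Pictures\cat.jpg|C:\Users\alice\Pictures\cat.jpg.xyz
2021-09-03T10:00:08|svc.exe|C:\Program Files\App\config.ini|C:\Program Files\App\config.ini.xyz
2021-09-03T10:00:09|svc.exe|C:\Users\alice\tool.exe|C:\Users\alice\tool.exe.xyz
2021-09-03T10:00:10|svc.exe|C:\Users\alice\Music\song.mp3|C:\Users\alice\Music\song.mp3.xyz
2021-09-03T10:00:11|svc.exe|C:\Users\alice\Desktop\todo.txt|C:\Users\alice\Desktop\todo.txt.xyz
2021-09-03T10:05:00|explorer.exe|C:\Users\bob\a.csv|C:\Users\bob\a.tsv
"""

# The article notes ransomware leaves .exe/.dll files and the Windows and Program Files
# directories alone, so renames there are excluded: they are far more likely to be
# installers or updates than encryption, and would only add noise to the rule.
SYSTEM_DIRS = {"windows", "program files", "program files (x86)"}
BINARY_EXTS = {".exe", ".dll"}

def parse_events(text):
    """Turn the pipe-delimited audit text into time-ordered (ts, process, old, new) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, old, new = line.split("|")
        events.append((datetime.fromisoformat(ts), proc, old, new))
    return sorted(events)

def is_suspicious_rename(old, new):
    """True when a user-data file (not a binary, not under a system directory) gets a new extension."""
    old_path, new_path = PureWindowsPath(old), PureWindowsPath(new)
    parts = old_path.parts
    in_system_dir = len(parts) > 1 and parts[1].lower() in SYSTEM_DIRS
    if in_system_dir or old_path.suffix.lower() in BINARY_EXTS:
        return False
    return old_path.suffix.lower() != new_path.suffix.lower()

def detect_rename_bursts(events, window_seconds=60, threshold=5):
    """Return {process: peak count} for every process whose suspicious renames
    reach threshold within any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peaks = {}
    for ts, proc, old, new in events:
        if not is_suspicious_rename(old, new):
            continue
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[proc] = max(peaks.get(proc, 0), len(q))
    return peaks
```

On the constructed sample, only svc.exe reaches the threshold (five qualifying renames within six seconds); the Program Files and .exe renames are ignored and explorer.exe’s two renames are minutes apart.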

How can threat intelligence help protect against ransomware?

How do you guard against ransomware?

It takes a variety of techniques to fight ransomware, and that requires understanding how ransomware works. One way to get this knowledge, without going through actual ransomware attacks, is to gain threat intelligence.

Threat intelligence is information about the way attackers work. This can be a general approach like MITRE’s ATT&CK Framework, which is a set of tactics, techniques, and procedures (TTPs) categorized by attack phase.
Ultimately, any attack on systems or networks will follow a pattern. The ATT&CK Framework includes several phases, though not all of them will necessarily be used, depending on the attack. These phases follow another classification called the attack lifecycle. The ATT&CK Framework is a collection of known TTPs that is updated as new TTPs are identified through investigation of incidents.

There are a large number of adversary groups in the world. Each of them has a set of TTPs they use. In general, tools and practices map to the threat groups. If you can learn the set of specific procedures related to a threat group and you know your organization is a potential target of that threat group, you will know better how to protect yourself.

Refer to the ATT&CK framework for more details at the link below:
https://attack.mitre.org/

How to apply threat intelligence?

The National Institute of Standards and Technology (NIST) has a Cybersecurity Framework that is useful to consider when thinking about how you will protect your organization. The intuition is that if we put up enough security controls, we can either prevent attackers from getting in or make it so difficult that they move on. That is not the way attackers work, though. If you have something they want, a few hurdles aren’t going to discourage them. They will find a way around those hurdles.

Refer to the NIST Cybersecurity Framework at the link below:
https://www.nist.gov/cyberframework/online-learning/five-functions

The Cybersecurity Framework breaks down cybersecurity into five different functions — identify, protect, detect, respond, and recover.

If you spend all your time on the protect phase, you’re liable to miss detecting or responding to an attack.
A better approach is to not only use protective controls but also institute detective controls. This way, if your protections fail, you can catch the attack quickly and respond to keep it under control. To do that, you need to identify what it is you are looking for. This is where threat intelligence is useful.

Attack groups need ways to communicate with victim systems; for example, once ransomware has been placed, it needs to be told when to start encrypting. Attackers need systems on the Internet to communicate with victim systems. The systems that do the remote management form a set of infrastructure commonly called command and control (C2).
When attackers install malware that communicates with command and control, they use hostnames for this, since the actual IP address may be unknown at the time or may change often.

The question is, how do you get this information?
You get it from threat intelligence sources that are capable of providing this type of information.

What can be the sources of threat intelligence?

Fortunately, a lot of places exist where you can get threat intelligence that is this detailed. So-called next-generation firewalls may already have the ability to receive threat information. This information may be used to add rules for protection and detection.

Another source is a threat intelligence feed. This may include information about what threat actors are doing as well as analysis of the latest trends. Additionally, you should also get pieces of data that can be used in prevention and detection rules. These pieces of data, which may be IP addresses, email addresses, domain names, or similar, are commonly called indicators of compromise (IOCs).

There are many places you can get open-source threat information as well. There are platforms like the MISP Project that can be used to aggregate feeds from these open-source locations. Using a platform like this may require a lot of work, as you would need to curate the information yourself to determine what is reliable and what isn’t.

A common place to store information coming from these feeds is a Security information and event management (SIEM) system. These systems usually take in log data coming from your systems and network devices, as well as data from a threat feed. Using the information from the threat feed, you can quickly and easily create rules to cause alerts, based on data found in the logs being ingested by the SIEM.
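The SIEM rule described above, matching feed indicators against ingested logs, looks roughly like the following Python sketch. It is an added example, not code from the article or from any particular SIEM; the feed format, the log layout and every indicator value are constructed placeholders. Because attackers use hostnames for command and control, the domain match also covers subdomains of a listed domain.

```python
import ipaddress

# Constructed threat-feed excerpt, "<type>,<value>,<feed name>". The values are
# placeholders (reserved .invalid names and TEST-NET addresses), not real indicators.
FEED = """
domain,c2-example.invalid,ransomware-c2-feed
ipv4,203.0.113.45,ransomware-c2-feed
domain,updates-cdn.invalid,phishing-feed
"""

# Constructed resolver and proxy log lines: "<time> <source> <client> <action> <value>".
LOGS = """
2021-09-03T09:58:12 dns 10.1.4.22 query www.example.com
2021-09-03T09:58:40 dns 10.1.4.22 query beacon.c2-example.invalid.
2021-09-03T09:59:02 proxy 10.1.4.23 connect 203.0.113.45:443
2021-09-03T09:59:30 dns 10.1.4.31 query UPDATES-CDN.INVALID
2021-09-03T10:00:00 proxy 10.1.4.31 connect 198.51.100.7:80
"""

def load_feed(text):
    """Index the feed into {domain: feed} and {ip: feed}; domains are lower-cased and
    stripped of a trailing dot so feed and log spellings compare equal."""
    domains, ips = {}, {}
    for line in text.strip().splitlines():
        kind, value, source = line.split(",")
        if kind == "domain":
            domains[value.lower().rstrip(".")] = source
        elif kind == "ipv4":
            ips[str(ipaddress.ip_address(value))] = source
    return domains, ips

def match_domain(name, domains):
    """Return (indicator, feed) if the name or any parent domain (never a bare TLD) is
    listed; C2 beacons commonly use per-victim subdomains of a listed domain."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None

def match_ip(value, ips):
    """Return (indicator, feed) for a bare IPv4 address or host:port that is listed."""
    host = value.rsplit(":", 1)[0]
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return None
    return (ip, ips[ip]) if ip in ips else None

def scan_logs(logs, domains, ips):
    """Apply the feed to each log line; return alert tuples (time, client, indicator, feed)."""
    alerts = []
    for line in logs.strip().splitlines():
        when, source, client, _action, value = line.split()
        hit = match_domain(value, domains) if source == "dns" else match_ip(value, ips)
        if hit:
            alerts.append((when, client, hit[0], hit[1]))
    return alerts
```

Run over the constructed logs, the rule raises three alerts: the beacon subdomain of the listed C2 domain, the listed C2 address, and the upper-case spelling of the phishing domain; the two benign lines produce nothing.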

Can decrypting the ransomware help?

You might attempt to brute-force the key. Here’s the problem with that.
Each family of ransomware is probably going to use a different cipher. One common encryption algorithm is the Advanced Encryption Standard (AES). Another one you may run across is Blowfish. Blowfish is effectively outdated, as it’s nearly 30 years old and has been superseded by the Twofish cipher. Trying every possible key for these ciphers would take far too long.

Ruling out brute force leaves us with some other means to acquire the key or some other way to decrypt the files. Threat intelligence services may provide you with pointers to decryptors. In some cases, pieces of software are available to perform the decryption for you. It’s important to keep in mind that such software should come from a reputable source. Some of the anti-malware software vendors have decryptors available.

How to protect yourself from ransomware?

First we need to understand the protection function versus the remediation function.
Recalling the NIST Cybersecurity Framework, you need to be able to identify threats against your organization so you can protect against them. Identify and protect are the first two phases according to NIST.

Unfortunately, you won’t be able to completely protect against all attacks. This means attackers will be able to find their way into your systems and network. You’ll handle that with the next phase of a security program — detection, according to NIST.
When something bad happens, you want to know about it as quickly as possible. This is why you perform tasks like logging data and creating alert rules, so you can know the moment something gets through your protections.

You need to be able to respond to the alert so you can remove the attacker from the environment as quickly as possible. You will also want to fix whatever problem allowed the attacker into the environment. This is remediation.

Both response and remediation take planning to do effectively. Planning can help ensure success. You can take a number of steps on the protection side to try to keep the bad guys out of your environment, and you can also take a number of steps on the response-and-remediation side, for when you are hit with ransomware and need to recover as quickly and efficiently as possible.

1. Threat-Informed Email Protection

Today’s attackers know that the most effective technique is phishing, that is, using email. Email is always allowed through whatever firewall you have in place. The easiest way into an environment is likely going to be by sending an email to a user. The attacker may be able to easily gather credentials or get a user to open an attachment that executes a malicious payload.

Anti-malware isn’t going to be able to protect you from everything, as noted previously. However, there are other ways to protect your users from these email-based attacks. One way is to use a threat-based email protection solution. This is similar to using a next-generation firewall that gets regular threat updates. Threat information related to email is going to include email addresses, source IP addresses, subject lines, and even some content. You could use something like Mimecast, Proofpoint, or Microsoft’s Advanced Threat Protection. Each of these inspects inbound email and can reject, block, or quarantine messages that look suspicious.

Some of these email protection solutions can also perform actions based on any attachment that may be included in a message. Some enterprises will choose to prevent attachments with configured file extensions from being delivered. These may be executables (.exe), compressed files (.zip), or even more commonly emailed documents like Microsoft Office documents (.docx, .xlsx). Office documents may include macros, which are small executable fragments stored in the document that can be used to attack systems.

2. Security Awareness and Training

Keeping in mind that the primary avenue for attacks today is social engineering, where the individual is used against the organization, the first line of defense is always going to be the user. Unfortunately, a lot of organizations see technology as the best way to protect the organization. But this is simply not the case.

While technology to protect the business is a good approach, it should always be paired with arming the first line of defense with enough knowledge to protect the business when attacks get through the (email) protection technology and to give a fast alert to warn other users.

These trainings raise awareness among users of security measures such as:
1) Avoid giving out personal information; it helps an attacker craft a convincing phishing email for you.
2) Think twice before clicking any suspicious hyperlink.
3) Refrain from opening attachments that look suspicious, e.g. those in phishing emails.
4) Only download from sites you trust.
5) Add applications to allow lists.
6) Use strong passwords.

3. Update software and operating systems with the latest patches.

4. Follow safe practices when using devices with Internet connections.

5. Other best practices include creating strong passwords, choosing secure networks, and keeping software current.

6. Zero-Trust Architecture:

This modern approach is a must: Zero Trust security. In this paradigm, every user has a limited and granular set of permissions, and every action must be authenticated and authorized before it is allowed. A zero-trust architecture makes it much more difficult for attackers to successfully deploy malware within a system, even if they somehow gain access to it.

Remediation strategies for after an attack

1. Backup Strategy as Remediation Plan

We all know that backups are important. You have data stored digitally; you should also keep copies in other places to ensure you will continue to have access in case something goes wrong. Having backups allows you to restore the now-gone information.

Backups are a good way to recover from a ransomware attack. This requires planning, however. You need to think about what your backup strategy will be:
— How often are you going to back up data?
— Where are you going to back it up?
— What data are you going to back up?

Once you have a backup solution in place, it’s essential to educate all your staff to place business-critical information in places where it will be backed up.

It’s also important to consider what you are going to do with the backups. If you keep the backups in an online state, so they are always available quickly, you are also leaving them available to attackers.
Ransomware attacks do not target only individual systems and the files/data stored on them. Attackers also go after any backup that’s available across the network. They will encrypt your backups, preventing you from using them as an easy way to recover from the ransomware attack. Always make sure you have a way to keep your backed-up data somewhere attackers can’t get to it unless they have physical access to the facility where the backups are stored.

Don’t assume that backups are always reliable. Sometimes backup software fails, and there are a lot of reasons for this. Make sure you monitor your backups and know whether a backup succeeded or failed. You should also periodically do restore tests to be certain that the software is telling you the truth and that the media you are using to store your backups is reliable. Media, whether it’s disk or tape or something else, is not guaranteed to remain readable.

2. Network Segmentation

When you connect a lot of systems together over a shared media, you have a network. Networks are typically segmented, meaning that all of your systems are not on the same network. Often, this is done using virtual local area networks (VLANs), where switches get configured to put some systems together on one network while other systems go onto another network.

Designing your network to use VLANs is a great way to manage your network. Effective segmentation occurs when you can control the flow of traffic from one network segment to another. This may mean a firewall between the different VLANs, or it may mean access control lists.

The best way to implement segmentation is to connect all of your VLANs to a firewall or firewalls, which will perform the routing from one VLAN to another. The firewall will take care of which VLAN the traffic is on and apply rules based on source and destination traffic. This gives you far more control over what is happening on your network.

3. Isolation and Containment

When any malware attack occurs, including a ransomware attack, one strategy to keep in mind is containment. The goal of containment is to keep the malware or ransomware from infecting other systems. The malware may have a component that can identify other systems on the network and use the same techniques to infect those systems as were used to infect the original entry point.

One way to accomplish the containment is to use endpoint detection and response. Some software does this by preventing the system from communicating with other parts of the network. Another way to accomplish this isolation and containment is to introduce firewall rules or access control lists. This works if you want to isolate or contain an entire network segment.

Conclusion

Ransomware is one of the most serious threats on the Internet today. The attacks are growing more frequent, and there are many ways that an attack can succeed.

At the end of the day, ransomware attacks will not easily go away. Attackers are using new techniques and adopting new technologies every day. But there are security best practices and steps you can take to protect your organization and help ensure that you are not the next victim of ransomware. The multi-layered, defense-in-depth approach described above will help create a security posture far better than what many organizations currently have.
