Clearpath’s Blog on IT Infrastructure, Hybrid Clouds and IT Security

Hunting Hidden Malware in your Datacenter

Posted by Clearpath Solutions Group on Thu, Dec 22, 2016 @ 02:13 PM

Not all malware immediately triggers a security alert; some new variants are quite stealthy and designed to lie in wait until they are activated. In this section we describe malware, and ransomware in particular.

Northeastern University published an interesting piece, “Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks.” Between 2006 and 2014, this research team analyzed 1,359 ransomware samples and found that a “close examination on the file system activities of multiple ransomware samples suggests that by… protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.”

After looking at those 1,359 ransomware samples, the Northeastern University researchers concluded that a large number of ransomware attacks can be stopped, even those with deletion and encryption capabilities. Significant changes occur in the file system when the system is under attack, for example a large number of deletions in the log. By closely monitoring file system logs and configuring your monitoring solution to trigger an alert when this behavior is observed, you can detect the creation, encryption, or deletion of files. User behavior analytics (UBA) has become an important ransomware prevention measure.
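As an added illustration (not code from the post, the study, or Alert Logic), the following Python sketch shows the kind of file-system monitoring the study suggests: it buckets constructed file-server audit lines per user and per minute, baselines each user's normal delete rate, and alerts on a burst of deletes such as an encryptor leaves behind when it replaces originals with encrypted copies. The log format, user names, paths and thresholds are all assumptions.

```python
import statistics
from collections import defaultdict

WINDOW = 60  # seconds per bucket

def parse(log):
    """Parse constructed '<epoch> <user> <op> <path>' audit lines into tuples."""
    out = []
    for line in log.strip().splitlines():
        ts, user, op, path = line.split(maxsplit=3)
        out.append((int(ts), user, op, path))
    return out

def deletes_per_window(events):
    """Count DELETE/RENAME events per (user, window): encrypting ransomware
    removes or renames originals in bulk, so this is where the spike shows up."""
    counts = defaultdict(int)
    for ts, user, op, _ in events:
        if op in ("DELETE", "RENAME"):
            counts[(user, ts // WINDOW)] += 1
    return counts

def baseline(events):
    """Per-user (mean, stdev) of deletes per active window, from normal traffic.
    Idle windows are not counted, which biases the baseline upward (conservative)."""
    per_user = defaultdict(list)
    for (user, _), n in deletes_per_window(events).items():
        per_user[user].append(n)
    return {u: (statistics.mean(v), statistics.pstdev(v)) for u, v in per_user.items()}

def detect(events, base, k=3, floor=10):
    """Return (user, window_start, count) where deletes exceed mean + k*stdev
    and an absolute floor, so a quiet user deleting two files stays silent."""
    alerts = []
    for (user, w), n in sorted(deletes_per_window(events).items()):
        mean, sd = base.get(user, (0.0, 0.0))
        if n >= floor and n > mean + k * sd:
            alerts.append((user, w * WINDOW, n))
    return alerts

# Constructed sample data (not from the post): a slice of normal activity ...
NORMAL_LOG = """\
1482400000 alice WRITE /share/finance/q3.xlsx
1482400005 alice DELETE /share/finance/q3.tmp
1482400070 alice DELETE /share/finance/draft.bak
1482400090 bob WRITE /share/hr/notes.docx
1482400150 bob DELETE /share/hr/notes.bak
"""
# ... and a burst where each original is rewritten as .locked and then deleted.
ATTACK_LOG = "\n".join(
    f"1482500{i:03d} bob WRITE /share/hr/doc{i}.docx.locked\n"
    f"1482500{i:03d} bob DELETE /share/hr/doc{i}.docx" for i in range(12))
```

Running `detect(parse(ATTACK_LOG), baseline(parse(NORMAL_LOG)))` flags bob's burst of 12 deletes in a single minute, while the normal slice produces no alert.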

Perimeter-based security simply does not address defending the internal networks, where file shares and critical corporate information reside, against what appear to be legitimate users, and attackers are easily able to get around the perimeter and get inside. Attackers enter through legitimate public services (email, web, login) and then gain access as users.

[Figure: Alert Logic ransomware kill chain]

Once in, attackers have become much better at carrying out a ransomware attack that anti-virus software does not spot. In fact, to a systems admin who is just monitoring system activity, the attackers appear as just another user. This makes analyzing user behavior critical, and UBA really shines at handling the unknown. In the background, the UBA engine baselines each user’s normal activity, then spots discrepancies and variances from typical behavior and alerts in real time.

In December 2016, Yahoo! disclosed a security breach that occurred in 2014, in which hackers breached a billion Yahoo! accounts. Yahoo! reported that the 2014 breach involved forged web cookies used to falsify login credentials, allowing hackers to gain access to any account without a password. Since 2014, IT security measures have vastly improved. Strategies that could prevent such a breach include data monitoring, log review, and web application firewall management. Analyzing NetFlow traffic can reveal large data transfers and potential data leakage, such as occurred in the Yahoo! breach.

Most companies have tight budgets, and funding for IT security defense often gets pushed aside. In addition, companies are experiencing huge data growth, which creates challenges in monitoring the number, variety, and volume of log data and network infrastructure. In the past this log data would remain in-house, but rapid data growth has led many companies to expand into cloud environments, increasing the chances of security breaches. Clearpath recommends Alert Logic for its excellence in handling cloud security challenges and security budgeting.

Alert Logic delivers a variety of security solutions depending on your needs. Alert Logic Log Manager is ideal for fighting ransomware that has the potential to fly below the radar. The Log Manager collects, aggregates and normalizes log data 24/7. All data is available for analysis in an easy, accessible dashboard, where IT staff can correlate events and set automatic alerts to enable rapid response to security events.

[Figure: Alert Logic Log Manager dashboard]

For an all-encompassing managed services solution, Alert Logic provides a SaaS offering designed to work in cloud, hybrid and on-premises infrastructures. Alert Logic Threat Manager monitors network traffic and analyzes billions of events, using intelligent multi-factor correlation to identify the security events that require attention. After validation by a SOC analyst, Alert Logic notifies you with recommended actions and responses within 15 minutes for critical issues.

[Figure: Alert Logic Threat Manager]

A last piece of advice: back up your important files, especially those containing sensitive data. Backups are your last line of defense and your only hope when all else fails.

Be on the lookout over the next few weeks for parts 4 and 5, listed below:


Topics: Security, Ransomware
