Ransomware is one of the most difficult threats for SIEM, SOC, and MDR technologies and services to identify. Ransomware acts quickly by nature, and its operators want you to discover the infection only after everything is encrypted. What good does an alert or SOC monitoring do when your files have already been encrypted and you can see the malware on the screen in front of you? By the time your SIEM/MDR solution or SOC generates the alert and you can react to it, it’s too late.
So how does a Threat Analytics and Detection service like Security On-Demand’s ThreatWatch technology protect you against ransomware better than a traditional SIEM, MDR or SOC combination? The key lies in detecting the reconnaissance the hackers do, identifying vulnerabilities, and detecting and preventing the incoming attack vector. Through our patented Unsupervised Anomaly Detection, we can quickly identify and flag suspicious behavior that has never before been seen in your environment.
4 Ways Managed Security can help with Ransomware:
- Detecting Reconnaissance
- Identifying Vulnerabilities
- Detecting the Incoming Attack
- Finding the Anomalies in the Data
1. Detecting Reconnaissance
All hackers conduct reconnaissance on potential victims at some level. In a targeted attack, the attacker may run scans and manually research your organization looking for weak spots. In an automated attack, botnet or worm reconnaissance may simply be a scan of your public-facing network looking for a particular vulnerability. In either case, there are actions being taken that your SOC can detect.
At Security On-Demand we have a series of analytics called Scan Surveillance. These analytics monitor the scanning activity against our customers and classify each scan as a “discovery scan”, “targeted scan”, or “attack”. The last of these means that the scan is so specific we expect an attack could be imminent. By observing the scan behaviors and witnessing the evolution from discovery to targeted to attack, we can home in on the reconnaissance behaviors that will most likely result in a direct attack and help our customers take action to protect themselves.
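The progression from discovery to targeted to attack can be tracked per source in firewall deny logs. The following is an added example, not Security On-Demand's Scan Surveillance logic: the window size, thresholds, function names and log events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed firewall deny events: (minute, source_ip, dest_ip, dest_port).
EVENTS = (
    [(0, "198.51.100.7", f"203.0.113.{h}", p)
     for h in range(1, 21) for p in (22, 80, 443, 445)]          # broad sweep
    + [(30, "198.51.100.7", f"203.0.113.{h}", 445) for h in (5, 9, 14)]
    + [(60, "198.51.100.7", "203.0.113.9", 445)] * 12            # one service, hammered
    + [(0, "192.0.2.50", f"203.0.113.{h}", 80) for h in range(1, 31)]
)

WINDOW_MIN = 30  # assumed bucket size in minutes
RANK = {"discovery": 0, "targeted": 1, "attack": 2}

def classify(hosts, ports, hits):
    """Label one source's activity in one window by how narrow it is (assumed thresholds)."""
    if len(hosts) == 1 and len(ports) == 1 and hits >= 10:
        return "attack"      # repeated hits on a single host and service
    if len(hosts) <= 5 and len(ports) <= 2:
        return "targeted"    # a few hosts, a specific service
    return "discovery"       # wide sweep across hosts or ports

def stages_by_source(events):
    """Return {source: [stage per time window, oldest first]}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for minute, src, dst, port in events:
        buckets[src][minute // WINDOW_MIN].append((dst, port))
    return {
        src: [classify({d for d, _ in w}, {p for _, p in w}, len(w))
              for _, w in sorted(windows.items())]
        for src, windows in buckets.items()
    }

def escalating_sources(events):
    """Sources that started at discovery and narrowed, without widening, to attack."""
    flagged = []
    for src, stages in stages_by_source(events).items():
        ranks = [RANK[s] for s in stages]
        if ranks[0] == 0 and ranks[-1] == 2 and ranks == sorted(ranks):
            flagged.append(src)
    return sorted(flagged)

if __name__ == "__main__":
    print(stages_by_source(EVENTS))
    print(escalating_sources(EVENTS))
```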
2. Identifying Vulnerabilities
While most organizations wholly rely on their vulnerability management processes to identify vulnerabilities in software, security operations contribute to the identification of vulnerabilities and weaknesses based on two factors: integrating and correlating vulnerability scan data and observing and analyzing the aspects of the enterprise where attacks are either successful or most targeted.
By integrating vulnerability scan logs into your security monitoring, the SOC can inform you of any vulnerabilities that currently exist and continue to exist over a period of time. The real added value is then generating alerts based on those vulnerabilities. If there is a gap between the time of discovery and a patch being applied, specific real-time monitoring for any activity targeting the vulnerability itself or vulnerable devices increases security and decreases the likelihood of a successful compromise. The SOC can also go back and review logs and alerts over a given period of time to determine if any exploitation was missed while the vulnerability went undetected.
As reported in many ransomware attacks, ransomware will often exploit a known vulnerability, not the least of which was the EternalBlue SMB vulnerability that was exploited by WannaCry, NotPetya, and others. Integrating your vulnerability scans into your security operations provides significant value in protecting yourself until the patch is applied.
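One way to correlate scan findings with connection logs, covering both the patch-gap monitoring and the look-back review described above. This is an added example, not Security On-Demand's code: the field names, the 30-day look-back, the hosts and the dates are constructed assumptions.

```python
from datetime import datetime as dt, timedelta

# Constructed vulnerability-scan findings; "patched" is None while still open.
FINDINGS = [
    {"host": "10.0.4.12", "port": 445, "vuln": "EternalBlue (SMB)",
     "found": dt(2024, 5, 6), "patched": dt(2024, 5, 20)},
    {"host": "10.0.4.30", "port": 445, "vuln": "EternalBlue (SMB)",
     "found": dt(2024, 5, 6), "patched": None},
]

# Constructed firewall/IDS connection log: (time, source, destination, port).
LOGS = [
    (dt(2024, 4, 28, 3, 10), "198.51.100.7", "10.0.4.12", 445),  # before discovery
    (dt(2024, 5, 10, 1, 2), "198.51.100.7", "10.0.4.12", 445),   # inside patch gap
    (dt(2024, 5, 25, 9, 0), "198.51.100.7", "10.0.4.12", 445),   # after patch
    (dt(2024, 5, 11, 14, 0), "10.0.4.8", "10.0.4.30", 445),      # still unpatched
    (dt(2024, 5, 12, 8, 0), "203.0.113.9", "10.0.4.30", 443),    # unrelated service
]

def correlate(findings, logs, lookback_days=30):
    """Return (kind, vuln, src, dst, ts) for traffic aimed at a vulnerable service.

    kind is "patch-gap" for activity between discovery and patch (alert now)
    or "retro-hunt" for activity in the look-back window before discovery
    (review for exploitation missed while the flaw was unknown).
    """
    index = {(f["host"], f["port"]): f for f in findings}
    hits = []
    for ts, src, dst, port in logs:
        f = index.get((dst, port))
        if f is None:
            continue                      # destination/port has no open finding
        if f["patched"] is not None and ts >= f["patched"]:
            continue                      # exposure already closed
        if ts >= f["found"]:
            kind = "patch-gap"
        elif ts >= f["found"] - timedelta(days=lookback_days):
            kind = "retro-hunt"
        else:
            continue                      # older than the review window
        hits.append((kind, f["vuln"], src, dst, ts))
    return hits

if __name__ == "__main__":
    for hit in correlate(FINDINGS, LOGS):
        print(*hit)
```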
3. Detecting the Incoming Attack
The third benefit is being able to detect and mitigate an incoming attack. Hackers scan networks to look for vulnerabilities that can be exploited. Once they discover a vulnerability, they will then prepare an exploitation plan and package and then launch the attack. It is in this attack phase that the SOC can provide significant protection against ransomware attacks.
Understanding what exploits there are in the wild for known vulnerabilities, having detection rules in place for your SOC, and blocking rules in place on your firewall and IPS are critical. By feeding in your security device logs to your SOC for correlation and also applying threat intelligence by monitoring for known threat indicators as well as modeling attacker behaviors into detection strategies, the SOC is able to detect and respond quickly to incoming attacks. Detection at the point of attack may give you just enough time to mitigate the attack before the ransomware executes and starts encrypting files.
Additionally, when we talk about vulnerabilities and attacks, people are just as susceptible to vulnerability and attack as software can be. A majority of successful data breaches occur through phishing emails and employees clicking on the bad link or opening an infected attachment. Having an email security tool that can identify and mitigate phishing is critical. It is then important to send those logs and findings in real-time to the SOC to allow them to quickly review what happened, identify if any attack got through, and take remedial actions on users’ devices that may have become infected.
Furthermore, sending all of your email security logs to the SOC, not just those that were blocked or fired an alert, allows the SOC to build alerts and analytics looking for anything that your email security appliance may have missed (and they will miss some as no solution successfully catches 100% of bad things). Thus, the SOC adds an additional layer of monitoring and defense beyond your security appliances.
4. Finding the Anomalies in the Data
The Unsupervised Anomaly Detection (UAD) layer ingests raw log data rather than alert data to identify pattern anomalies. The UAD model allows us to detect advanced threats that would take ten times our current SOC staffing level to find through human effort.
Recently, the UAD system was tested by analyzing an advanced attack against one of our large financial clients. The UAD system identified six additional attack vectors not previously found by the forensics team examining the incident. Two of the discovered attack vectors were determined to be persistent and involved in attempts at lateral movement within the customer environment.
Most security product vendors including SIEM and SOAR solutions depend upon finding pre-determined patterns, events, signatures or correlations generated from the data. These systems typically use rules, behavioral analysis, and/or machine learning in combination with other defined use cases to identify threats from the data. All of these approaches identify threats and IOCs based on a preconceived understanding, patterns, and formats.
UAD is unique in that it can find anomalies within the data without any prior understanding of the security relevance or context of the data. UAD is therefore quite powerful in its ability to detect unknown threats (unknown unknowns) that can slip by the defenses in many of today’s commercial security products. Security On-Demand is the first and only company in the industry that has used this technology approach for detection.
Conclusion
As with any attack, a layered security strategy that includes both security monitoring and threat detection is critical, and ransomware is no exception. The goal of security operations is not just to identify and protect you from exploitation that is occurring at the time, but to identify threats across the lifecycle of the hack, from initial reconnaissance all the way through to data exfiltration. Ransomware execution fits right in the middle of that lifecycle, so optimizing your security operations to detect attacks in the early stages is the best strategy for your SOC to help protect you from a ransomware attack. A layered detection approach with AI, Machine Learning, Behavioral Analytics, rules, and anomaly detection all available to your SOC will make yours one of the most well-protected environments against ransomware and other advanced cyber attacks.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.