Ransomware is one of the most difficult threats for security monitoring and detection services and technologies to identify and protect you from. The reason for this is due to the inherent nature of Ransomware acting quickly and wanting you to know about the infection before you can do anything about it. What good does security monitoring do when your files have already been encrypted and you can see the malware residing on the screen in front of you? By the time your SIEM generates the alert and you can react to it, it’s too late. So how then does your security monitoring service protect you from Ransomware? The key lies in detecting the reconnaissance the hackers do, identifying vulnerabilities, and detecting and preventing the incoming attack vector.
All hackers conduct reconnaissance on potential victims at some level. In a targeted attack, the victim may run scans and manually research your organization looking for weak spots. In an automated attack, botnet or worm reconnaissance may simply be a scan of your public facing network looking for a particular vulnerability. In either case, there are actions being taken that your SOC can detect.
At Security On-Demand we have a series of analytics called Scan Surveillance. These analytics monitor the scanning activity against our customers and classify the scan as a “discovery scan”, “targeted scan”, or “attack”. The latter suggesting that the scan is so specific we expect an attack could be imminent. By observing the scan behaviors and witnessing the evolution from discovery to targeted to attack, we can hone in on the reconnaissance behaviors that will most likely result in a direct attack and help our customers take action to protect themselves.
While most organizations wholly rely on their vulnerability management processes to identify vulnerabilities in software, security operations contribute to the identification of vulnerabilities and weaknesses based on two factors: integrating and correlating vulnerability scan data and observing and analyzing the aspects of the enterprise where attacks are either successful or most targeted.
By integrating vulnerability scan logs into your security monitoring, the SOC can inform you of any vulnerabilities that currently exist and continue to exist over a period of time. The real added value is then generating alerts based on those vulnerabilities. If there is a gap between the time of discovery and a patch being applied, specific real-time monitoring for any activity targeting the vulnerability itself or vulnerable devices increases security and decreases the likelihood of a successful compromise. The SOC can also go back and review logs and alerts over a given period of time to determine if any exploitation was missed while the vulnerability went undetected.
As reported in many ransomware attacks, ransomware often will exploit a known vulnerability – not the least of which was the EternalBlue SMB vulnerability that was exploited by both WannaCry, NotPetya, and others. Integrating your vulnerability scans into your security operations provides significant value in protecting yourself until the patch is applied.
Detecting the Incoming Attack
The third benefit is being able to detect and mitigate an incoming attack. Hackers scan networks to look for vulnerabilities that can be exploited. Once they discover a vulnerability, they will then prepare an exploitation plan and package and then launch the attack. It is in this attack phase that the SOC can provide significant protection against ransomware attacks.
Understanding what exploits there are in the wild for known vulnerabilities, having detection rules in place for your SOC, and blocking rules in place on your firewall and IPS are critical. By feeding in your security device logs to your SOC for correlation and also applying threat intelligence by monitoring for known threat indicators as well as modeling attacker behaviors into detection strategies, the SOC is able to detect and respond quickly to incoming attacks. Detection at the point of attack may give you just enough time to mitigate the attack before the ransomware executes and starts encrypting files.
Additionally, when we talk about vulnerabilities and attacks, people are just as susceptible to vulnerability and attack as software can be. A majority of successful data breaches occur through phishing emails and employees clicking on the bad link or opening an infected attachment. Having an email security tool that can identify and mitigate phishing is critical. It is then important to send those logs and findings in real-time to the SOC to allow them to quickly review what happened, identify if any attack got through, and take remedial actions on users’ devices that may have become infected.
Furthermore, sending all of your email security logs to the SOC, not just those that were blocked or fired an alert, allows the SOC to build alerts and analytics looking for anything that your email security appliance may have missed (and they will miss some as no solution successfully catches 100% of bad things). Thus, the SOC adds an additional layer of monitoring and defense beyond your security appliances.
In any attack a layered security strategy that includes security monitoring and detection is critical; ransomware is no exception. The goal of security operations is not just identify and protect you from exploitation that is occurring at the time, but to identify threats across the lifecycle of the hack, from initial reconnaissance all the way through to data exfiltration. Ransomware execution is fits right in the middle of that lifecycle, so optimizing your security operations to detect attacks in the early stages is the best strategy for your SOC to protect you from a ransomware attack.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning. We employ a variety of rules, alerts, and strategies to help our customers stay protected from ransomware attacks.