Detecting and Responding to Ransomware
Ransomware attacks may no longer be a media darling since they’ve been around for some time, but they are still going strong, and account for nearly 24 percent of incidents where malware was used according to the 2019 Verizon Data Breach Investigations Report. There’s been a dramatic uptick this year with Forrester reporting that the number of ransomware attacks on enterprises has increased 500% from October 2018 to October 2019.
Forrester also states that ransom attacks are getting more sophisticated and targeting organizations using three main ways to get in: “phishing, brute-force remote access using something like Remote Desktop Protocol (RDP), or hitting a vulnerable server that’s externally addressable”.
Network Detection and Response (NDR) provides visibility into all three of these attack vectors to enable multiple defense strategies that discover and contain ransomware. Let’s have a look at four AI-powered technologies NDR should have to achieve this level of visibility.
Advanced Email Security
Ransomware is most often spread through phishing emails in which attackers masquerade as a trusted entity to compromise a user’s account credentials and gain access. In 2019, ransomware from phishing emails increased 109 percent over 2017.
McAfee Labs Threats Report: August 2019 reports a trend for ransomware attacks to use anonymous email services to manage their campaigns rather than the traditional approach of setting up command-and-control servers. Bad actors use these email services to evade your security defenses, leveraging malicious email attachments and malicious links in emails as attack vectors.
As ransomware grows through phishing, the need for NDR to detect and contain sophisticated threats within email becomes critical. Advanced email security should use a combination of static and dynamic analysis to identify ransomware. This solution needs to be able to scan emails for potential ransomware indicators, including looking at links, attachments and the content that is linked to from within the email. Further, advanced email security should include artificial intelligence (AI) algorithms that are specifically trained to catch phishing and ransomware threats.
Sometimes the only way to catch elusive ransomware is to analyze files in a dynamic analysis environment to detect malicious behaviors, even when the file has not been seen previously. File Analysis can detect ransomware attempting to enter your network via email, the web, or file transfers as well as ransomware operating anywhere in your network.
File Analysis deconstructs every malicious behavior engineered into an object and identifies malicious links. It sees all instructions that a program executes, all memory content and all operating system activity. Using File Analysis, you can see unique file behaviors that other tools miss, such as activity observed when executing programs, opening documents, unpacking archives and rendering web content.
Intrusion Detection and Prevention Systems
Since ransomware must communicate with the outside world, visibility into north/south traffic heading in and out of your network is critical to identify this commonly used threat vector. Intrusion Detection and Prevention Systems (IDPS) as a core component of your NDR platform will inspect north/south traffic for (ransomware) exploits that target a vulnerable server that is externally accessible, communications with known malicious servers, and transmission of data via covert channels.
Network Traffic Analysis
If ransomware successfully gets a foothold inside the network using RDP, a vulnerable server or any other attack vector, it quickly moves laterally to spread to additional computers. Network Traffic Analysis (NTA) is the key to detecting ransomware’s activity and malicious behavior as it moves laterally (east/west) across your network. This visibility enables the fast detection and response you need to contain ransomware before it disrupts your business.
Get the Best Ransomware Protection
Lastline provides an all-in-one NDR platform powered by AI that combines email and web protection, IDPS, NTA, and File Analysis to detect and contain ransomware. Don’t let ransomware put your organization at risk. You can deploy our NDR sensor and be operational in just 30 minutes.
Schedule a demo today!