Executing a ransomware attack on a reasonably defended organisation is not easy, because many activities have to go right for it to succeed. It requires penetrating the organisation by overcoming all existing defences, establishing a foothold, undertaking extensive surveillance, identifying the jewels (high-value information or systems), encrypting them without leaving keys behind, demanding money while staying well protected from law enforcement agencies, collecting the money, removing the money trail and getting enriched.
Therefore, ransomware attacks were carried out by highly skilled and organised operators, and overcoming normal anti-virus systems was difficult.
In the past few years, things have changed dramatically. Ransomware creators became more market savvy and started offering Ransomware-as-a-Service (RaaS). Now a far less expert hacker can buy the service at a starting rate of $150 per month and hope to make it big. Similarly, a competitor or disgruntled employee can use RaaS to attack a victim. Even nation states are using RaaS as a cyber weapon.
With RaaS coming of age, RaaS developers are far more focused on developing new tricks every day, and the normal approaches of anti-virus and intrusion detection/prevention are not sufficient. It is therefore necessary to evaluate the other, additional technological options available to organisations.
The situation was worsened by the Covid-19 work-from-home protocol, under which many users connected to the internet via insecure home WiFi. This created a unique opportunity for hackers and attackers to breach, infect and propagate. The situation becomes even worse when these infected machines return to the office and are plugged directly into the corporate network, now inside the firewall, giving hackers direct access to the entire network.
Today, many organizations rely on a collection of disparate security tools to identify and mitigate threats. In fact, according to a Ponemon Institute report, the average enterprise deploys 45 cybersecurity-related tools. These siloed security implementations are inherently inefficient and ineffective.
It is surprising how many organizations point to their SIEM and call it their SOC. Tenders are regularly released all over the world requiring a SOC, but take a look inside and they are simply asking for a SIEM. But SIEM is not a SOC. It’s just a tool you need when your network gets big enough to warrant purchasing one. The implementation of a SIEM system does not equal a mature security monitoring capability. In fact, without a well designed SOC, the full benefits of a SIEM implementation will never be realized.
Hackers look at the economics
It is harder to breach, steal data from, and launch a ransomware attack against a better-defended target. A company that spends on its defence also signals that its top management is conscious (if not proactive) about cyber defence and may try all possible avenues to recover from an attack. It may even go after the hackers using its own resources or law enforcement agencies (LEAs). Small to medium businesses are at the greatest risk of RaaS attacks, as most small and medium RaaS user-hackers use a 'spray and pray' methodology. In recent times, ransomware demands start at $50,000 to $100,000, even for micro-businesses with just a handful of computers.
These hackers try to infect 10, 50 or 250 small businesses that have rudimentary anti-virus systems and charge them $50,000+ each. That gives them far higher revenue at much lower risk. According to Infosecurity Magazine, every 10 seconds another victim is infected with ransomware.
It takes significant time and effort to filter out the noise, correlate data, construct timelines and identify the root cause of an issue. Yet the average breakout time — the time it takes an adversary with a foothold in your network to escalate privileges or take other actions to move laterally across your enterprise — is just 92 minutes.
To make matters worse, today’s sophisticated threat actors know where to look for gaps in security silos. They can slip between defences and move laterally across the network, flying under the radar for extended periods, lying in wait and gathering reconnaissance data for future attacks.
It’s easy to get whiplash from the erratic pace of information security; that pace is part of what makes it both exciting and difficult to keep up with all of the latest industry trends and terminology. You or your team are trying to put out fires and stay up to date with the newest threats while also balancing other security and IT initiatives.
At the end of the day, it’s your job to protect, defend and respond – and how you do it is what can make a significant difference in how effectively or quickly you can put out those fires. If you’re running lean with a team of one or two split between IT and security, you want to know how to consolidate and get visibility over many different security tools. You also need a way to automate the remediation process to contain or block threats.
There are many different tools to achieve these objectives, and they’ve evolved a bit over the years. It is therefore necessary to have a reasonable understanding of the various technologies used to detect malware in your systems, so that you can make an informed decision.
AV - Basic Anti-Virus
The primary function of antivirus software is to detect and remove computer viruses. This is typically done by scanning files on your computer and comparing data in the files to a database of known virus signatures. This database is updated regularly, often several times each day, to ensure that your antivirus program has the most up-to-date virus definitions to detect all known virus threats. Most antivirus software can detect viruses both during a scan and in real-time at the point of infection.
Typically, most AV programs will use three different detection approaches:
Specific detection, which identifies known malware;
Generic detection, which looks for known parts or types of malware or patterns that are related by a common codebase; and
Heuristic detection, which scans for unknown viruses by identifying known suspicious file structures.
When the AV program finds a file that contains a virus, it will usually quarantine it and/or mark it for deletion, making it inaccessible and removing the risk to your device.
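The three detection approaches and the quarantine step described above, sketched in Python as an added example (not code from the original article or from any antivirus product). The file contents, family marker, detection names and entropy threshold are constructed assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter
from typing import Set, Tuple

# Constructed, harmless byte strings standing in for files on disk.
FAMILY_MARKER = b"DEMO-FAMILY-LOADER"            # made-up fragment shared by one family
KNOWN_BAD = b"MZ" + FAMILY_MARKER + b"|build-A"  # sample already in the signature database
VARIANT = b"MZ" + FAMILY_MARKER + b"|build-B"    # same family, build never seen before
PACKED = b"MZ" + bytes((i * 197 + 31) % 256 for i in range(4096))  # near-random body
BENIGN = b"MZ" + b"ordinary program text and resources. " * 40

SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Demo.Loader.A"}
FAMILY_PATTERNS = {FAMILY_MARKER: "Demo.Loader.gen"}
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed cut-off for "looks packed or encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: about 8.0 for random data, far lower for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def scan(data: bytes) -> Tuple[str, str]:
    """Return (detection method, verdict) using the three approaches in order."""
    # 1. Specific detection: exact match against a database of known samples.
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURE_DB:
        return "specific", SIGNATURE_DB[digest]
    # 2. Generic detection: a byte pattern shared by variants of one codebase.
    for pattern, name in FAMILY_PATTERNS.items():
        if pattern in data:
            return "generic", name
    # 3. Heuristic detection: no known pattern, but a suspicious structure
    #    (here: an executable header followed by a high-entropy body).
    if data[:2] == b"MZ" and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "heuristic", "Suspicious.Packed"
    return "none", "clean"


def handle(name: str, data: bytes, quarantine: Set[str]) -> str:
    """Scan one file and quarantine it (record its name) when anything is detected."""
    method, verdict = scan(data)
    if method != "none":
        quarantine.add(name)
    return verdict


if __name__ == "__main__":
    quarantined: Set[str] = set()
    samples = {"known.exe": KNOWN_BAD, "variant.exe": VARIANT,
               "packed.exe": PACKED, "notepad.exe": BENIGN}
    for fname, blob in samples.items():
        print(fname, scan(blob), handle(fname, blob, quarantined))
    print("quarantined:", sorted(quarantined))
```

The variant differs from the known sample by one byte, so its hash no longer matches and only the generic pattern catches it; the packed sample matches neither and is caught only by the heuristic.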
EDR – Endpoint Detection and Response
EDR (endpoint detection and response) continuously monitors endpoints (desktops, laptops, mobile devices, servers, or any device connected to an organization’s network) to detect malicious behaviour. As the name implies, EDR systems help users respond to threats; with some tools, this process is automated.
EDR is often referred to as a natural evolution of antivirus software because both tools perform similar functions. Traditional antivirus, however, typically relies on signature-based detection to spot known threats. EDR uses behaviour-based detection to detect emerging attacks such as advanced persistent threats (APTs) and fileless malware, whereas traditional antivirus typically does not. EDR software, however, can be a component of next-generation antivirus products.
The basic principle behind EDR software is to protect the endpoint, that is, the hardware device itself, from real-time cyber threats and attacks. The process starts by collecting data from the endpoints and then analyzing it to make sure that no unusual or unnecessary activity is taking place, especially anything that might harm the device or its internal systems. It protects against hacking attempts and theft of sensitive or personal data by cybercriminals.
The software is installed by the user on their device, and from then on the device is monitored continuously. Whatever data is gathered is stored in a centralized database. The end-user is prompted almost immediately whenever a threat is found so that they can take the necessary actions to get rid of it. Every EDR performs its own series of functions and has its own set of capabilities.
However, some functions are common to all EDRs: working in both offline and online modes, responding immediately to real-time threats and attacks, increasing the transparency of the system and database, increasing visibility, storing the endpoint information gathered in the centralised database, and detecting malware injections. EDRs also maintain both blacklists and whitelists and continually strive to integrate with other emerging technologies to increase the efficiency of the software and keep it up to date.
NGAV - Next-Gen Anti-Virus
The way traditional antivirus works also significantly degrades the endpoint’s performance through its intrusive behaviour. Periodic disk and memory scans and frequent signature database updates consume hardware resources and network bandwidth, when they do not outright require system-wide reboots, which causes user dissatisfaction.
The next-generation antivirus (NGAV) differs from traditional antivirus solutions by incorporating many extra features, such as the ability to learn the behaviour of the endpoint in which the solution is installed, identifying any anomalous behaviour without querying a signature database or vaccines. Improved environment analysis and unknown threat detection techniques also enable greater efficiency without consuming computing power or requiring frequent update downloads.
Traditional signature-based antivirus is ineffective against advanced threats such as script-based, multi-vector and fileless attacks, as well as advanced ransomware.
Traditional antivirus also has the disadvantage of being unable to detect modern attack methods, such as:
Script-based attacks
Multi-vector attacks
Fileless attacks
Memory-based attacks
Remote logins
PowerShell scripting language
Macro-based attacks
Because these types of attacks don’t introduce files to a system, they go undetected by traditional antivirus software that looks for file signatures.
A next-gen solution will not just look for file signatures, but also detect attacks by scanning events, processes, and connections to establish whether there’s an inconsistency.
Here are just a few examples of next-gen antivirus characteristics:
Machine learning: Files are analyzed before use using an automated bot that can discover any malicious elements—all without any interruption to the user.
Behaviour analysis: Computer processes can be monitored in real-time and detect any abnormal behaviour, terminating malicious processes.
Threat intelligence: When a device encounters a threat, every other device under the network will be updated to counter the danger without any need for manual input.
SIEM – Security Information and Event Management
SIEM monitors an organization's IT environment, relaying actionable intelligence and enabling security teams to manage potential vulnerabilities proactively. SIEM is a centralized log management tool that integrates with your different applications, systems, servers, etc. This software provides valuable insights into potential security threats through a centralized collection and analysis of normalized security data pulled from a variety of systems. SIEMs are used for real-time security event analysis to help with an investigation, early threat detection and incident response.
It’s no secret that security threats are increasing, and they can come from both internal and external sources. To address these issues, IT organizations have put various systems in place to protect against intrusion and a host of different threats. The downside of these safeguards is they generate so much monitoring data that IT teams are then faced with the problem of interpreting it all to pinpoint actual problems. For example, Syslog servers ping with every security notification, which can number in the thousands, or even millions depending on the size of the environment. Security teams can feel as though they are drowning in a sea of security warnings.
With SIEM software, IT professionals have an effective method of automating processes and centralizing security management in a way that helps them simplify the difficult task of protecting sensitive data. SIEM tools give these experts a leg up in understanding the difference between a low-risk threat and one that could be detrimental to the business. A modern SIEM should be able to centralize log data, including data from assets in the cloud, and detect malicious behaviour such as lateral movement or privilege escalations. A modern SIEM includes:
Automated threat detection with pre-tuned rules to reduce alert fatigue
The ability to investigate and respond to a potential threat — from initial discovery to resolution — with one tool, rather than relying on multiple solutions
Correlation of findings with multiple risk intelligence feeds to pinpoint new and evolving threats
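What centralized collection, normalization and rule-based correlation look like in practice, as an added Python example (not from the original article or any SIEM product). The two log formats, the host and user names, the cloud action name AttachAdminPolicy and the thresholds are constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed raw events from two different sources, each in its own format.
RAW_EVENTS = (
    [("sshd", f"2024-05-01T09:00:0{i}Z host=web01 sshd: Failed password for alice from 203.0.113.7")
     for i in range(1, 7)]
    + [("sshd", "2024-05-01T09:00:40Z host=web01 sshd: Accepted password for alice from 203.0.113.7"),
       ("cloud", '{"time": "2024-05-01T09:03:10Z", "actor": "alice", '
                 '"action": "AttachAdminPolicy", "src": "203.0.113.7"}'),
       ("sshd", "2024-05-01T09:10:00Z host=web02 sshd: Failed password for bob from 198.51.100.9"),
       ("sshd", "2024-05-01T09:10:05Z host=web02 sshd: Accepted password for bob from 198.51.100.9"),
       ("sshd", "corrupted line that does not parse")]
)
PRIVILEGE_ACTIONS = {"AttachAdminPolicy"}  # hypothetical cloud audit action name
SSHD_RE = re.compile(r"^(\S+) host=(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(source, raw):
    """Map one source-specific record onto a common schema, or None if unparseable."""
    if source == "sshd":
        m = SSHD_RE.match(raw)
        if not m:
            return None
        ts, host, outcome, user, ip = m.groups()
        action = "login_failure" if outcome == "Failed" else "login_success"
        return {"ts": parse_ts(ts), "host": host, "user": user, "src_ip": ip, "action": action}
    if source == "cloud":
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            return None
        action = "privilege_change" if rec["action"] in PRIVILEGE_ACTIONS else "other"
        return {"ts": parse_ts(rec["time"]), "host": "cloud", "user": rec["actor"],
                "src_ip": rec["src"], "action": action}
    return None


def load_events(raw_events):
    """Centralize: normalize every record and drop the ones that cannot be parsed."""
    return [e for e in (normalize(s, r) for s, r in raw_events) if e is not None]


def correlate(events, fail_threshold=5, fail_window=timedelta(minutes=5),
              follow_window=timedelta(minutes=10)):
    """One alert per successful login that follows a burst of failures from the
    same user and source IP; severity rises if a privilege change follows."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login_success":
            continue
        fails = [e for e in events
                 if e["action"] == "login_failure" and e["user"] == ev["user"]
                 and e["src_ip"] == ev["src_ip"]
                 and timedelta(0) <= ev["ts"] - e["ts"] <= fail_window]
        if len(fails) < fail_threshold:
            continue  # a single mistyped password stays below the alert threshold
        escalated = any(e["action"] == "privilege_change" and e["user"] == ev["user"]
                        and timedelta(0) <= e["ts"] - ev["ts"] <= follow_window
                        for e in events)
        alerts.append({"rule": "bruteforce_then_login", "user": ev["user"],
                       "src_ip": ev["src_ip"], "failed_logins": len(fails),
                       "severity": "critical" if escalated else "high"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events(RAW_EVENTS)):
        print(alert)
```

Eleven raw records collapse into a single critical alert for alice; bob's one failed attempt followed by a success produces nothing, which is the kind of tuning that reduces alert fatigue.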
Network Detection and Response (NDR)
Network detection and response (NDR) solutions are designed to detect cyber threats on corporate networks using machine learning and data analytics. These tools build models of normal behaviour by continuously analyzing network north/south traffic that crosses the enterprise perimeter as well as east/west lateral traffic, and then use these models to identify anomalous or suspicious traffic patterns.
NDR is distinct from EDR in that it does not use an agent to gain insight into malicious activity, relying instead on a network or virtual tap for analysis of traffic across on-premises and cloud workloads.
NDR evolved from network traffic analysis (NTA), a category of security product that uses network communications as the primary data source to detect and investigate threats. Over time, it became clear that detection and investigation were the beginning, not the end, of what was possible with network-based security analytics. Network security tools not only detect threats but enable confident and rapid responses.
NDR solutions support rapid investigation, internal visibility, intelligent response, and enhanced threat detection across on-premises, cloud, and hybrid environments. Detecting attacks at the network layer works so well because it's extremely difficult for threat actors to hide their activity. While they might switch off or evade endpoint or log data, attackers can't tamper with network information, and they have no way of knowing if they're being observed. Any device that communicates across the network can be immediately discovered.
The four main types of cybersecurity risks identified by NDR solutions include:
Unknown Malware: External attackers that leverage undetectable malware to compromise and control host(s) on your network
Targeted Attacks: External attackers that leverage social engineering, exploits, brute force attacks or other techniques to compromise applications or endpoints, steal legitimate user credentials, establish command and control, move laterally and steal, manipulate or destroy data.
Insider Attacks: Employees or contractors engaged in a range of behaviour including accessing, stealing, manipulating files and data, changing access permissions, installing malware, and more.
Risky Behavior: Well-meaning but reckless employees can expose organizations to attack. Risky behaviour includes sharing user accounts, exposing sensitive data to unauthorized users, enabling remote access to endpoints, and more.
What's more, while attackers may be able to fool firewalls and traditional IDS by masquerading as legitimate users and services and avoiding signature-based detection, they can't escape NDR. That's because it's almost impossible for them to avoid certain key activities on the network, which NDR can detect. It enhances rules-based detection with machine learning technology to model the behaviours of entities on the network and contextually identify anything that resembles known attack techniques. That means even legitimate-seeming processes may be flagged if their appearance seems unusual.
NDR solutions provide powerful attack detection capabilities for both internal and external attackers.
Broad Attack Visibility to Avoid False Negatives
Early Detection to Mitigate Attacks Before the Damage Is Done
Avoid the Inefficiencies of Garbage In, Garbage Out Analytics
Broad Analytical Data Inputs to Increase Accuracy
Out-of-the-box detection without extensive tuning
Zero network footprint with cloud-delivered analytics
SOAR – Security Orchestration, Automation and Response
Traditional SIEMs often require a lot of manual work. Teams need to regularly fine-tune rules to prevent false positives and alert fatigue, a process that is often time-consuming. Other manual tasks include data correlation, which involves searching through logs and comparing data from different sources to determine if there’s a credible threat. SOAR tools then analyze this disparate data through a combination of human and machine learning to understand and prioritize incident response activities.
SOAR solutions evolved as a way to help SOC analysts become more efficient, allowing for more automated prioritization and processing of security events and incidents.
SOAR solutions can define your incident response procedures for you, by combining a variety of data tasks including:
Data gathering
Case management
Standardization
Workflow
Analytics
The key capabilities of SOAR solutions include:
Orchestration or flexible integration:
Orchestration is the act of integrating a wide array of technologies and connecting security tools, both security-specific and non-security specific, in order to make them work together while improving security incident response times.
That means SOAR solutions can perform much more than ingesting and analyzing alerts from your SIEM system. SOAR solutions can also ingest and analyze alerts from:
User and entity behaviour analytics (UEBA)
Threat intelligence platforms
Incident response platforms
A whole host of others
Having multiple input sources often from multiple vendors may improve the overall security of your data. Yet it often results in more alerts, including false alerts, as well as the time spent by dedicated and highly-trained staff to investigate each one.
Integrating disparate tools such as firewalls, SIEM platforms, endpoint detection and response (EDR) and external threat intelligence feeds in an attempt to bring all cybersecurity platforms into a single pane of glass
Pre-built automated workflows to streamline the process of responding to an alert
Automation and process workflows:
Automation is the machine-driven execution of security operations-related tasks. Tasks that were previously performed by humans can be performed and standardized by SOAR solutions:
Automation steps
Decision-making workflow
Enforcement actions
Status checking
Auditing capabilities
With SOAR, these tasks are no longer a drain on manual resources.
Playbooks — guides for response procedures and threat analysis — are a key component of automation in SOAR platforms and can automatically trigger responses, which helps reduce the amount of manual investigation and decision-making during stressful times.
Evidence stacking, or automatically searching for all relevant data to provide more useful and actionable context for a responder. For example, a platform can point users towards an affected IP address or host that they should investigate.
Incident management:
Now, security orchestration is pulling in and analyzing alerts from across your IT infrastructure. Repetitive manual tasks are automatically designed and handled.
SOAR use cases often include post-incident response, with capabilities such as reporting, analysis and case management.
Automated containment actions, such as a dynamic blocklist
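A minimal playbook showing the automation steps named above (evidence stacking, decision-making workflow, enforcement action, status checking and auditing), written as an added Python example that is not from the original article or any SOAR product. The reputation scores, event store, host names and block threshold are constructed assumptions.

```python
# Constructed inputs standing in for integrated tools.
THREAT_INTEL = {"203.0.113.7": 90, "198.51.100.9": 10}  # hypothetical reputation, 0-100
EVENT_STORE = [                                          # what a SIEM search might return
    {"src_ip": "203.0.113.7", "host": "web01", "action": "login_failure"},
    {"src_ip": "203.0.113.7", "host": "web02", "action": "login_success"},
    {"src_ip": "198.51.100.9", "host": "dc01", "action": "login_failure"},
]
CRITICAL_HOSTS = {"dc01"}


class Playbook:
    """Runs the same response procedure for every alert and records each step."""

    def __init__(self, intel, events, critical_hosts, block_threshold=80):
        self.intel = intel
        self.events = events
        self.critical_hosts = set(critical_hosts)
        self.block_threshold = block_threshold
        self.blocklist = set()   # dynamic blocklist a firewall would consume
        self.audit_log = []      # auditing capability: (case, step, detail)

    def _audit(self, case_id, step, detail):
        self.audit_log.append((case_id, step, detail))

    def run(self, alert):
        case_id, ip = alert["id"], alert["src_ip"]

        # Evidence stacking: pull everything related to the alert's indicator.
        related = [e for e in self.events if e["src_ip"] == ip]
        hosts = sorted({e["host"] for e in related})
        score = self.intel.get(ip, 0)
        self._audit(case_id, "enrich", f"score={score} hosts={hosts}")

        # Decision-making workflow.
        if score >= self.block_threshold:
            decision = "block"
        elif self.critical_hosts.intersection(hosts):
            decision = "escalate"  # hand over to a human analyst
        else:
            decision = "close"
        self._audit(case_id, "decide", decision)

        # Enforcement action followed by a status check.
        verified = None
        if decision == "block":
            self.blocklist.add(ip)
            self._audit(case_id, "enforce", f"blocklist+={ip}")
            verified = ip in self.blocklist
            self._audit(case_id, "verify", f"blocked={verified}")

        return {"case": case_id, "decision": decision,
                "hosts_to_investigate": hosts, "verified": verified}


if __name__ == "__main__":
    pb = Playbook(THREAT_INTEL, EVENT_STORE, CRITICAL_HOSTS)
    for n, ip in enumerate(["203.0.113.7", "198.51.100.9", "192.0.2.44"], start=1):
        print(pb.run({"id": f"C-{n}", "src_ip": ip}))
    print(pb.audit_log)
```

The returned hosts_to_investigate list is the pointer for the responder: the affected hosts tied to the alert's IP address.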
A few examples of the most common use cases for SOAR are:
Phishing emails
Malicious network traffic
Streamlining vulnerability management
Meeting service level agreements
Case management
SOAR tools are often used to enhance traditional SIEM platforms that lack these types of capabilities. However, many modern SIEMs are blurring the lines of SOAR vs. SIEM by offering many of the capabilities listed above in one integrated solution. The difference between SOAR and SIEM has become less distinct as the cybersecurity market matures and converges.
UEBA - User and Entity Behavioral Analytics
User and Entity Behavior Analytics, or UEBA, is a cyber security process that enables IT security teams to monitor and respond to suspicious behaviour across the network. The term “user behaviour” encompasses the full range of activities by human and non-human entities in the cloud, on mobile or on-premise applications, and endpoints.
Rather than relying strictly on predefined rules for what kind of behaviours are acceptable, UEBA allows the IT security team to measure and determine what should be considered normal behaviours. This gives them a baseline to help spot abnormal activity when it occurs and respond accordingly. Thus, UEBA provides situational awareness for tracking user activity that deviates from the norm and assists analysts in knowing what to look for in the event of a breach.
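The difference between a predefined rule and a learned baseline, as an added Python example (not from the original article or any UEBA product). The entities, the two features, the history values, the static limit and the z-score threshold are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed 10-day history per entity (one human user, one service account).
HISTORY = {
    "alice": {"upload_mb": [18, 22, 20, 25, 19, 21, 23, 20, 22, 24],
              "hosts_accessed": [3, 2, 4, 3, 3, 2, 4, 3, 3, 2]},
    "svc-backup": {"upload_mb": [900, 950, 880, 920, 910, 940, 905, 930, 915, 925],
                   "hosts_accessed": [40, 41, 40, 42, 40, 41, 40, 41, 42, 40]},
}
# Constructed activity for the day being evaluated.
TODAY = {
    "alice": {"upload_mb": 310, "hosts_accessed": 14},
    "svc-backup": {"upload_mb": 935, "hosts_accessed": 41},
    "new-contractor": {"upload_mb": 5, "hosts_accessed": 1},
}
STATIC_LIMIT_MB = 500  # assumed one-size-fits-all rule: alert above 500 MB per day


def static_rule(today):
    """Predefined rule: the same fixed limit for every entity."""
    return sorted(e for e, f in today.items() if f["upload_mb"] > STATIC_LIMIT_MB)


def build_baseline(history):
    """Per entity and feature: (mean, standard deviation) of past behaviour."""
    return {entity: {feat: (mean(vals), stdev(vals))
                     for feat, vals in feats.items() if len(vals) >= 2}
            for entity, feats in history.items()}


def anomalies(history, today, z_threshold=3.0, min_sigma=1.0):
    """Flag features that deviate from the entity's own norm by z_threshold or more.

    min_sigma keeps a very steady history from turning tiny changes into alerts.
    Entities with no history are reported as 'no_baseline' instead of ignored.
    """
    baseline = build_baseline(history)
    flagged = {}
    for entity, feats in today.items():
        if entity not in baseline:
            flagged[entity] = ["no_baseline"]
            continue
        hits = []
        for feat, value in feats.items():
            if feat not in baseline[entity]:
                continue
            mu, sigma = baseline[entity][feat]
            z = (value - mu) / max(sigma, min_sigma)
            if abs(z) >= z_threshold:
                hits.append(feat)
        if hits:
            flagged[entity] = sorted(hits)
    return flagged


if __name__ == "__main__":
    print("static rule :", static_rule(TODAY))
    print("baseline    :", anomalies(HISTORY, TODAY))
```

The fixed limit alerts on the backup account doing its usual job and misses alice uploading roughly fifteen times her normal volume; the per-entity baseline reverses both outcomes and also surfaces the account that has no history yet.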
Casting a broad net, UEBA goes beyond tracking events or devices to monitor all users on the network along with servers, applications, and devices. It has proven particularly useful for identifying insider threats from employees who may be abusing their privileges or have had their credentials compromised. This includes contractors and third parties that have access to sensitive data. Some of the use cases are:
Identify Malicious Insider Threats: Malicious insiders cause damaging, headline-making cyber breaches, and acts of sabotage. Monitor for data exfiltration, policy violations, and other dangerous activity.
Expose Privilege Abuse and Misuse: Your privileged users have the keys to the kingdom, presenting a greater risk to your organization. Track how these privileges are being used by monitoring for unauthorized new account creation, privilege escalation, abnormal access, and other risky activity.
Identify New Privileged Accounts: It can be challenging to ensure appropriate access rights and keep track of super users. LogRhythm automatically monitors and reports on newly created privileged accounts and unauthorized elevation of permissions.
Uncover Compromised Accounts: Attackers use compromised account credentials in an overwhelming number of breaches. Distinguish between legitimate account activity and compromised account activity through deep behaviour profiling and anomaly detection. Discover the imposter before a damaging breach occurs.
Spot Brute-Force Attacks: Attackers will programmatically target your cloud-based infrastructure and external authentication systems. Advanced monitoring and alerts keep you one step ahead of attackers. Know when you’re a target and quickly implement countermeasures to block access.
Track Unauthorized Data Access & Exfiltration: When a compromised user account or a rogue insider finds sensitive data, you need to know. Our full-spectrum analytics and file integrity monitoring (FIM) can help you detect when a user inappropriately accesses protected data — in real-time.
XDR – Extended Detection and Response
Extended detection and response (XDR) tools are often considered as a successor to EDR. Rather than just detecting threats at the endpoint level, XDR tools are more holistic, gathering information from endpoints, networks, servers, cloud applications, and more. While similar to SIEM and SOAR tools, XDRs are differentiated by their level of integration at deployment and ability to address threat detection and incident response use cases, according to Gartner.
XDR products evolved to solve challenges that organizations have with traditional SIEMs – failed, incomplete or immature SIEM deployments (only using SIEM for log storage and compliance).
XDRs centralise normalized data, mostly focusing on products from their ecosystem. They provide correlated data and alerts into security incidents, and they provide an incident response functionality that can be carried out via security policies.
It is not recommended to replace SIEM with XDR, as it doesn’t meet the needs of all of the different SIEM or security analytics use cases today, including compliance, reporting, long-term forensics, triage, patching and vulnerability management.
XDR use cases include real-time threat hunting, in-queue alerts, helping determine what’s real or not in attack scenarios, indicators of compromise (IoCs), and deeper investigation and response.
XDR and SIEM are considered complementary and can work well together. Some XDR vendors may only provide platforms that work natively with that vendor’s suite of tools, while others provide hybrid options to integrate with third parties.
Unlike a repurposed point product, a full-function XDR solution:
Enables real-time threat detection, hunting and investigation across multiple technologies and domains
Gathers, aggregates and normalizes threat data associated with endpoints, cloud workloads, network infrastructure and email
Uses artificial intelligence and machine learning to transform massive volumes of raw alert and event data into meaningful and actionable information
Eliminates swivel-chair management, providing a single, unified console for the entire security ecosystem
Enables automated workflows to orchestrate and accelerate responses
Extended detection and response (XDR) is a promising security solution that amalgamates several functions of SIEM, EDR, and NDR into a single platform. It adds advanced analytics, user entity and behaviour analytics (UEBA), and automation into the mix. By doing so, XDR promises to break down the aforementioned siloes and improve the functionalities of the three core components that comprise it.
SOC – Security Operations Center
A security operations centre or SOC (pronounced as ‘sock’) consists of a team of security experts who focus on providing situational threat awareness and managing the business’ overall security posture. A SOC serves as a correlation point, taking in data from an organization’s IT assets, including infrastructure, networks, cloud services, and devices. Using the data, SOC activities focus on managing, monitoring, analyzing, preventing, and responding to existing and potential threats and ensuring the business is protected from attack.
There are five key technical roles in a well-run SOC:
incident responder,
security investigator,
advanced security analyst,
SOC manager
security engineer/architect.
The primary duty of the SOC is to protect the organization against cyberattacks. SOC teams must fulfil a number of responsibilities to effectively manage security incidents.
Investigating Potential Incidents: SOC teams receive a large number of alerts, but not all alerts point to real attacks. SOC analysts are responsible for digging into a potential incident to determine if it is a real attack or a false positive.
Triaging and Prioritizing Detected Incidents: Not all security incidents are created equal, and an organization has limited incident response resources. Once an incident has been identified, it needs to be triaged and prioritized to optimize resource utilization and minimize enterprise risk.
Coordinating an Incident Response: Responding to an incident requires engagement with multiple stakeholders and the use of a variety of different tools. SOC analysts must orchestrate this process to ensure that oversights do not result in delayed or incomplete remediation.
Maintaining Relevance: The cyber threat landscape is constantly evolving, and SOC teams need to be able to manage the latest threats to the organization. This includes keeping up with new and trending attacks and ensuring that security systems have an updated set of rules to help detect such attacks.
Patching Vulnerable Systems: Exploitation of vulnerabilities is a common attack vector for cybercriminals. SOC teams are responsible for identifying, applying, and testing patches for vulnerable enterprise systems and software.
Infrastructure Management: As the cyber threat landscape changes and the enterprise network evolves, new security solutions are required. SOC teams are responsible for identifying, deploying, configuring, and managing their security infrastructure.
Addressing Support Tickets: Many SOC teams are part of the IT department. This means that SOC analysts may be called upon to address support tickets from an organization’s employees.
Reporting to Management: Security is part of the business, and SOC teams need to report to management like any other department. This requires the ability to effectively communicate security costs and return on investment to a business audience.
The major asset of SOC, humans, is also its biggest challenge. Many SOCs expend more energy battling politics and personnel issues than they do identifying and responding to cyber-attacks. All too often, SOCs are set up and operate with a focus on technology, without adequately addressing people and process issues. Thus SOC may be a solution for Critical Information Infrastructure, Intelligence Agencies and Armed Forces but others should move to Managed Security Service or Managed Detection and Response. Qualification, training and retaining of scarce manpower is also a serious challenge.
MDR – Managed Detection and Response
Many organizations can’t afford to keep an in-house SOC or SecOps team on staff, as it requires extensive training and hiring in a time of talent shortage. The infosec industry has responded by creating managed detection and response (MDR) services that are meant to enhance or replace a SOC.
MDR is a managed service that often combines technology with outsourced analysts to detect and respond to malicious behaviour on a network. MDR providers offer technology that covers endpoints, networks, cloud services, operational technology and the internet of things (IoT), as well as collecting other sources like logs and data, according to Gartner’s Market Guide for Managed Detection and Response Services.
The premise of MDR is similar to MSSP (managed security service provider) in that both solutions offload cybersecurity tasks to a third-party provider. However, MDR and MSSPs have a few key differences:
MSSPs typically do not weed out false positives. They simply forward alerts to the in-house IT team who must then determine how to respond to them. In general, MSSPs do not focus on the response component of cybersecurity; they use firewalls, antivirus, and other tools to prevent threats.
Threat analysis and intelligence is often a component of MDR. MSSPs generally work with a rule-based system to identify known threats and focus less on analysis.
MSSPs may mainly focus on helping their clients meet compliance. Using an MDR platform can inadvertently achieve compliance, but it is not the main priority.
Some traditional MSSPs now offer MDR services as part of their portfolios, through acquisitions and building their services.
MDR can provide containment actions as part of incident response, giving customers without internal security operations centre (SOC) functionality a way to take immediate action. MDR can also add functionalities and services such as virtual honeypots and dark-web surveillance.
The best MDR will be where well-trained humans are supported by Artificial Intelligence and Machine learning continually updating systems with Virtual Honeypot and Darkweb intelligence.
Coming soon: How to make a decision?
Personal Note: We provide Counter-Ransomware-as-a-Service, please contact us on this website itself.