Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Protect assets from ransomware, trojans, rootkits and more.
Intelligence and visibility across AWS, O365, DevOps and more.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Join Tiff Cook, eSentire's Sr. Director of Incident Response and Bill…
eSentire will be participating in ILTA LegalSEC Summit.
Join eSentire as they explore how to build a comprehensive training and…
Ransomware is a form of malware, which is software used to get unrestricted access to a victim computer or device. Ransomware is a type of malware which is used by cyber criminals to hold their victims’ important data hostage in order to extort money. Typically, this is done by encrypting the victims' data so that they cannot access it again until they pay the cybercriminals for a decryption key. Over the past few years, there have been various strains of ransomware in use by cybercrime groups. They have varied in the details, but their overall approach has generally stayed consistent over time.
Ransomware has become more advanced over the years. The earlier implementations (e.g. Cryptolocker) were good but ransomware as a whole has increased its effectiveness and complexity over time. The most recent variants have the ability to encrypt more file types, utilize stronger and proper encryption implementations, delete system restore content, and have the ability to propagate via multiple channels (e.g USB Keys) within an environment.
Malware infection is typically attributed to drive-by downloads and/or social engineering.
A drive-by download is the unintentional download of computer software from the internet. This includes activity where the user’s browser downloads and installs content without their knowledge or results in unintentional actions. With a drive-by download, the download and installation of the malicious software often happens invisibly in the background, so the user is not even aware of it. The following are some examples of drive-by download scenarios which result in the download of unintentional software:
Social engineering is the manipulation of people to perform actions or divulge confidential information. Ransomware is most commonly delivered via email attachments (Office documents, ZIP archives, etc.), often referred to as spear-phishing. The aim of the social engineering is to entice the victim to click on a link, open an attachment, or perform some other action that will result in the installation and execution of malicious software on their machine. Social engineering is the most widespread method used by cybercrime groups to deliver ransomware to a large number of victims.
As most security professionals understand, there is no specific technology that is the silver bullet to stopping all malware-related incidents. Each technology, platform, and implementation has its own weaknesses and strengths. For the purposes of this blog, there are three main layers that should have some protection mechanisms associated with them:
The network security layer is an ideal option because it’s a pro-active solution that protects the whole network when deployed properly. It does not utilize any agents and usually intercepts or has visibility into the traffic. The weakness of the network layer protection is apparent when cryptography is used to encrypt identifiable information, limiting the layer’s capability to detect and interrupt based on the characteristics of an attack.
Host-based protection is equally important but often requires an attack hitting the host or originating from the host itself. While it’s ideal to stop an attack from reaching the host altogether, in some cases this cannot be prevented. If it’s assumed the network layer will be bypassed, it’s ideal to layer the host level with additional protection.
The human layer is the most susceptible layer to attack. But it’s not always the fault of the person who ends up compromised. When a user is browsing the web and hits a site that is legitimate but hosts bad ad content, resulting in a malicious redirection, this ends in compromise. In that case, the Network Layer / Host Layer should be responsible for interrupting and defending against attacks. Social engineering is the greatest threat to the human layer. When exploited, it results in the execution of malicious code.
One main method of preventing malicious content from being download or executed within a corporate environment is through content filtering.
Content filtering is defined as a program/appliance that is used to screen and exclude anything that is not deemed to fit a specific security policy. At the network level, this can be applied to specific traffic or a relay system such as a mail server. At the host level, there are many ways to apply specific controls that prevent the execution of undesired content.
Content filtering includes but is not limited to:
Email filtering can be done at a high level utilizing content inspection as it relates to attachments that are included within a message. The recommended action is to block anything that is not strictly required by the company. As threat actors generally need to deliver a malicious file to the end user, the easiest method is to attach it to a fake email. If that file does not meet a specific, and strict, policy it will be blocked before reaching the end user.
Recommended attachments that should be blocked include:
Ad blocking is one of the best ways to prevent malicious advertising that can lead to end user compromise. Implementing ad blocking at the network-level generally utilizes a proxy or next-gen firewall. Often, this can make webpages appear broken but that is due to the web browser expecting ad content which has been blocked. If you can forego aesthetically pleasing webpages, you gain the reassurance of not being redirected to bad content via rogue advertisements.
This can also be accomplished at the host-level by utilizing browser plugins. Browser plugins have the ability to block ad content on load. They also have the ability to give you control by dynamically blocking content with a simple right click.
Application control from a network perspective is key to limiting applications that are called through the browser. Proxies are probably the best technology that provide ways to filter based on the application that is being requested. This effectively stops malicious code from targeting vulnerable applications that are run within browsers. eSentire recommends blocking all flash-related content as it is prone to exploitation.
Controlling applications that are called through the browser can also be implemented at the host level. All major browsers support a feature called ‘click to play’ which prevents applications from auto-executing. This stops random attacks from landing as it requires the user to click the application in order to run the content. As recommended above, flash content should be both disabled and blocked in exchange for HTML5.
Executable control at the network layer is key to limiting what is downloaded. In most cases, these types of features are available on inline devices and allow you to control what files can be downloaded onto the network. It is important to remember that these controls can be bypassed if someone has encrypted or encoded the specific content that they are attempting to download.
Execution control at the host layer is very important for stopping code that is not authorized to run in an environment. This relates directly to threat actors who bypass specific network controls and get some form of malicious code onto the victim's machine. Stopping the execution of this code will prevent an attack from getting unrestricted access to that host. Recommended actions include:
SSL visibility is required to protect against threats that communicate and originate over encrypted channels. It provides context and identifiable characteristics that are needed for most security technologies to be effective. However, like most security technologies, it can be bypassed by encrypting the communications / malicious content via another encryption standard other than SSL. It also carries some potential regulatory issues for industries that deal with personally identifiable information (PII).
When technology and security controls fail, all that is left is the human layer. The human layer is the hardest layer to secure because it’s challenging to teach people the dangers of hackers. Education and training are the only ways to ensure users do not click and execute malicious content. But with changing attack methods, this still remains difficult. It is recommended that organizations continuously educate and test employees to harden them against these types of attacks. Security awareness training and phishing campaigns are great to keep employees educated and up-to-date on the latest attack techniques.
In conclusion, content filtering and configuration hardening are important components in the prevention of malicious code execution. The best way to protect against ransomware is to be proactive in your defense strategy. Utilizing technologies and processes at the network and host layers provide a defense in depth strategy which will be more resilient to attack. Educating your users to prevent the initial chain of potentially malicious events is just as key as layered technology. As the security is ever changing eSentire will continue to publish related content via web series and security advisories.
Kurtis is a Senior Security Strategist at eSentire, where he focuses on securing client networks, vulnerability research and exploit development. In addition to ongoing research efforts, Kurtis regularly speaks at industry conferences.