How to handle security breaches
The previous generation of ransomware relied on tricking users into running malicious code, typically through a malicious email attachment, a phishing link, or a download from a dubious website. As soon as the code executed, the files on the computer were encrypted. Shortly afterwards, a message appeared on the screen demanding payment for the key needed to decrypt the data and restore normal use of the machine. Home users in particular were the most common targets, because they usually neglected to make backups and so could only regain control of their computers by paying the ransom.
This type of ransomware attack was less of a problem for companies, because they had options other than starting from scratch or paying. Companies run more professionally managed environments than the average home user and usually back up their systems regularly. Defending against the blackmailers was straightforward: restore the affected systems from backup and refuse to pay.
But the tide has turned, and today's ransomware follows a different strategy: once the malicious code has gained a foothold, it does not encrypt the system right away. Instead, the malware attempts to spread to other systems and devices, including the backup infrastructure, and to siphon off data. If nobody notices the compromise, even recent backups are of little use, because they either contain the attacker's code or have been reached and encrypted or deleted along with everything else. Malicious code can run unnoticed in this way for weeks or months, spreading and exfiltrating data. The attacker decides when to pull the encryption trigger, and by then the company's backups are no longer very helpful. That is why "ransomware 2.0" poses such a hazard to companies. The extortion now has two components: payment for decrypting the data and restoring access to the systems, and payment for not publishing the stolen data.
With first-generation ransomware it was hardly possible to detect the attack in time, since encryption started immediately after execution and there was no window in which to react. Because today's attacks deliberately wait before encrypting the infected systems, however, there is a window in which they can be detected before they cause serious harm.
Uncovering traces of attacks with compromise assessments
The best way to identify such breaches is a compromise assessment, as offered by the Berlin-based cyberdefense specialists SECUINFRA. SECUINFRA's assessment service uses the same Advanced Persistent Threat (APT) scanner that it uses in its forensic investigations. Unlike a conventional virus scanner, the APT scanner does not rely on signatures of known malicious code. Because those signatures change constantly, virus scanners can no longer reliably protect against new threats such as APTs, which use their own tools with unknown signatures that intrusion detection and prevention systems do not recognize either. Instead, the compromise assessment is a forensic analysis that looks for the traces intruders typically leave behind on a system. These are referred to as indicators of compromise (IOCs) and include registry entries, log entries, manipulated files, newly created users and changes to user permissions.
The APT scanner applies a rule set that encodes these indicators of compromise to the artifacts collected from the system, such as files and folder structures, running processes and the contents of RAM. Collecting and analyzing these artifacts produces the evidence from which IOCs can be identified.
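As an added illustration of what "applying IOC rules to artifacts" means in practice, the following Python sketch is not SECUINFRA's scanner and uses an invented rule format: a few constructed artifacts (files, running processes, autorun registry values and simplified Security log lines) are checked against a small rule set of hash, path, process-name, registry and log-event indicators. The rule names, the lookalike process name, the sample paths and the "known" dropper hash are all assumptions made for the example.

```python
"""Toy IOC rule matcher over collected host artifacts.

Added illustration; this is not SECUINFRA's APT scanner, and the rule
format is invented for the example.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# ---- Constructed sample artifacts (what a host collection might yield) ----
# File contents are short fake byte strings, not real malware.
FILES: Dict[str, bytes] = {
    r"C:\Users\alice\AppData\Roaming\svch0st.exe": b"MZ\x90\x00fake-dropper",
    r"C:\Windows\System32\notepad.exe": b"MZ\x90\x00benign-editor",
    r"C:\Users\alice\Documents\report.docx": b"PK\x03\x04benign-document",
}
PROCESSES: List[str] = ["explorer.exe", "svchost.exe", "svch0st.exe"]
RUN_KEYS: Dict[str, str] = {  # autorun value -> command it launches
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r"C:\Users\alice\AppData\Roaming\svch0st.exe",
}
EVENTS: List[str] = [  # simplified, constructed Windows Security log lines
    "EventID=4624 Logon Account=alice",
    "EventID=4720 UserCreated Account=backup_svc",
    "EventID=4732 GroupMemberAdded Group=Administrators Member=backup_svc",
]


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str      # artifact class: hash | path | process | runkey | event
    pattern: str   # SHA-256 hex for "hash", a regular expression otherwise
    severity: str


@dataclass(frozen=True)
class Finding:
    rule: str
    artifact: str
    severity: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A real rule set would carry hashes from threat-intelligence feeds; this one
# is derived from the constructed sample file so the example runs offline.
DROPPER_HASH = sha256_hex(FILES[r"C:\Users\alice\AppData\Roaming\svch0st.exe"])

RULES: List[Rule] = [
    Rule("known_dropper_sha256", "hash", DROPPER_HASH, "critical"),
    # executables dropped into the roaming profile are a common staging spot
    Rule("exe_in_roaming_profile", "path", r"\\AppData\\Roaming\\[^\\]+\.exe$", "medium"),
    # "svch0st" (digit zero) mimics the legitimate svchost.exe
    Rule("svchost_lookalike_process", "process", r"^svch0st\.exe$", "high"),
    Rule("autorun_from_user_profile", "runkey", r"\\Users\\[^\\]+\\AppData\\", "high"),
    Rule("local_user_created", "event", r"^EventID=4720\b", "medium"),
    Rule("added_to_administrators", "event", r"^EventID=4732\b.*Group=Administrators", "high"),
]


def scan(files: Dict[str, bytes], processes: List[str], run_keys: Dict[str, str],
         events: List[str], rules: List[Rule]) -> List[Finding]:
    """Apply every rule to the artifact class it targets and collect the hits."""
    findings: List[Finding] = []
    for rule in rules:
        if rule.kind == "hash":
            hits = [p for p, data in files.items() if sha256_hex(data) == rule.pattern]
        elif rule.kind == "path":
            hits = [p for p in files if re.search(rule.pattern, p)]
        elif rule.kind == "process":
            hits = [p for p in processes if re.search(rule.pattern, p)]
        elif rule.kind == "runkey":
            hits = [f"{k} -> {v}" for k, v in run_keys.items() if re.search(rule.pattern, v)]
        elif rule.kind == "event":
            hits = [e for e in events if re.search(rule.pattern, e)]
        else:
            raise ValueError(f"unknown rule kind: {rule.kind!r}")
        findings.extend(Finding(rule.name, hit, rule.severity) for hit in hits)
    return findings


if __name__ == "__main__":
    for f in scan(FILES, PROCESSES, RUN_KEYS, EVENTS, RULES):
        print(f"[{f.severity:>8}] {f.rule}: {f.artifact}")
```

Note that only one of the six rules is a hash: the others describe behaviour (where an executable lives, what an autorun points at, which account changes occurred), which is what keeps the approach useful against tooling whose signature nobody has seen yet. Each hit is still only a lead for the analyst, not a verdict.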
“The APT scanner we use for our compromise assessment services exists thanks to the international cyberdefense community, whose members analyze cyberattacks, identify new IOCs and translate them into rules for the APT scanner,” explains Ramon Weil, CEO of Berlin-based IT security specialist SECUINFRA. This makes it possible to constantly improve the precision of the APT scanner and increase detection rates.
The IOCs flagged by the APT scanner are evaluated by specialists, and the analysts need a broad range of knowledge to do this. The tools and the underlying rule set provide the basic direction, but the findings still have to be interpreted correctly: a rule hit is a lead, not a verdict. In the end, a definitive conclusion can be drawn as to whether the systems have been compromised or can be given a clean bill of health. In this way, compromise assessments allow companies to find and remove malicious code before the attackers get to encrypt their systems.
Speeding up attack detection
Studies have shown that it usually takes two to three months before an attack is discovered. The long period between initial infection and encryption in modern attacks can be used to perform a compromise assessment, ideally at regular intervals. With a scan interval of one week, an infected system can be identified long before greater harm occurs. "Continuous Compromise Assessment enables companies to shorten the time it takes to reliably detect compromised systems – through an ongoing, forensic analysis of critical IT systems," added Weil.
The initial analysis is of course complex and takes several days, because potentially millions of forensic artifacts have to be examined. Subsequent scans, however, can work from this baseline and only look at what has changed since. The second scan therefore requires far less effort while still adding value, and the baseline is brought up to date with each regular run.
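The baseline-and-delta idea, as an added Python example that is not SECUINFRA's tooling: a first full snapshot of the artifacts is stored, each later scan is diffed against it so that only new, removed or changed artifacts enter the analyst's review queue, and only changes the analyst has cleared are promoted into the next baseline. The snapshot layout, the categories, the placeholder fingerprints and the sample changes are all constructed for the example.

```python
"""Baseline-and-delta scanning for continuous compromise assessment.

Added illustration, not SECUINFRA's tooling; the snapshot layout and the
fingerprints are constructed for the example.
"""
import copy
from typing import Dict, List, Set, Tuple

# A snapshot maps an artifact category to {artifact id: fingerprint}. A real
# collector would record e.g. the SHA-256 of file content, a service's binary
# path or a user's group memberships; here the values are short placeholders.
Snapshot = Dict[str, Dict[str, str]]
Delta = Dict[str, Dict[str, List[Tuple[str, str]]]]

BASELINE: Snapshot = {
    "files": {
        r"C:\Windows\System32\notepad.exe": "sha256:1111",
        r"C:\Windows\System32\svchost.exe": "sha256:2222",
    },
    "users": {"alice": "groups=Users", "Administrator": "groups=Administrators"},
    "run_keys": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
            r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    },
    "services": {"Spooler": r"C:\Windows\System32\spoolsv.exe"},
}
# Pad the baseline with synthetic system libraries to mimic the bulk of a
# first full scan (1,000 here keeps the example fast).
for _i in range(1000):
    BASELINE["files"][fr"C:\Windows\System32\lib{_i:04d}.dll"] = f"sha256:{_i:04x}"

# The next scan: mostly identical, plus a few changes of the kind an intruder
# causes, and one removal that may well be a legitimate administrative change.
CURRENT: Snapshot = copy.deepcopy(BASELINE)
CURRENT["files"][r"C:\Users\alice\AppData\Roaming\svch0st.exe"] = "sha256:9999"
CURRENT["users"]["alice"] = "groups=Users,Administrators"          # privilege change
CURRENT["users"]["backup_svc"] = "groups=Administrators"            # new admin account
CURRENT["run_keys"][r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"] = \
    r"C:\Users\alice\AppData\Roaming\svch0st.exe"                   # new persistence
del CURRENT["services"]["Spooler"]                                  # service removed


def artifact_count(snapshot: Snapshot) -> int:
    return sum(len(items) for items in snapshot.values())


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Delta:
    """Per category: artifacts added, removed, or whose fingerprint changed."""
    delta: Delta = {}
    for cat in sorted(set(baseline) | set(current)):
        old, new = baseline.get(cat, {}), current.get(cat, {})
        delta[cat] = {
            "added": [(k, new[k]) for k in sorted(set(new) - set(old))],
            "removed": [(k, old[k]) for k in sorted(set(old) - set(new))],
            "changed": [(k, new[k]) for k in sorted(set(old) & set(new)) if old[k] != new[k]],
        }
    return delta


def review_queue(delta: Delta) -> List[str]:
    """Flatten the delta into 'category:kind:artifact' ids the analyst must look at."""
    return [f"{cat}:{kind}:{key}"
            for cat, kinds in delta.items()
            for kind, items in kinds.items()
            for key, _ in items]


def promote_baseline(baseline: Snapshot, current: Snapshot, cleared: Set[str]) -> Snapshot:
    """Fold only analyst-cleared changes into the new baseline.

    Anything not cleared stays different from the baseline and surfaces again
    on the next scan, so an unresolved finding cannot silently become "normal".
    """
    promoted = copy.deepcopy(baseline)
    for cat, kinds in diff_snapshots(baseline, current).items():
        for kind, items in kinds.items():
            for key, value in items:
                if f"{cat}:{kind}:{key}" not in cleared:
                    continue
                if kind == "removed":
                    promoted.get(cat, {}).pop(key, None)
                else:
                    promoted.setdefault(cat, {})[key] = value
    return promoted


if __name__ == "__main__":
    queue = review_queue(diff_snapshots(BASELINE, CURRENT))
    print(f"baseline artifacts: {artifact_count(BASELINE)}, to review now: {len(queue)}")
    for item in queue:
        print("  ", item)
```

The design point worth keeping from this sketch is that the baseline is not simply overwritten with the latest scan: if it were, an intrusion that slipped past one review would be baked into "normal" and never resurface. Promoting only cleared changes keeps every unexplained difference in the queue until someone has actually looked at it.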
Compromise assessments therefore provide a quick overview of the status of an infection: which systems are affected, in what way, and which countermeasures should be taken.
Increasing the IT maturity level
Many companies rely on traditional methods of vulnerability management and penetration testing to identify and manage their system vulnerabilities. However, these methods do not provide any information on whether a system has already been compromised. Continuous compromise assessments offer a way to further improve cyber-resilience and defensive strength because “instead of simply managing vulnerabilities, compromise assessments address the broader question of whether these vulnerabilities have already been exploited.”
Continuous compromise assessments are one of the most dependable and effective ways of minimizing the damage caused by today’s ransomware attacks. They are an ideal tool for detecting current or past attacks, analyzing them and preventing them in the future. The method examines the entire infrastructure, while also providing a historical overview.