New-generation ransomware attacks are difficult to prevent and often go unnoticed for weeks or even months. Attackers use this dwell time to spread to as many systems as possible and to get their hands on your data and intellectual property; the encryption and the extortion attempt come only later. This is exactly where a continuous compromise assessment comes into play: it is considered the most dependable and efficient way to identify compromised systems, because it discovers the artifacts a breach leaves behind and enables countermeasures to be taken before encryption occurs. Continuous compromise assessments complement existing controls and raise the maturity level of IT security.

Minimizing the damage caused by today’s ransomware attacks

How to handle security breaches

The previous generation of ransomware attacks relied on malicious email attachments, phishing links or links on dubious websites to trick users into downloading and running malicious code. Once this code was executed, the files on the computer were encrypted immediately. Shortly thereafter, a message appeared on the user's screen demanding payment to decrypt the data and restore access if the user wanted to continue using the computer or system normally. Home users in particular were the most common targets, because they usually neglected to make backups and could only regain control over their computers by paying the ransom.

This type of ransomware attack was less of a problem for companies, however, because they had more options than simply starting from scratch or paying the ransom. Companies run more professionally configured systems than the average home user and usually make regular backups. Defending against the blackmailers was easy: the affected systems could simply be restored from backup.

But the tide has turned, and today's ransomware attacks follow a different strategy: once the malicious code has infected a system, it does not encrypt it right away. Instead, the malware attempts to spread to other systems and devices, including the backups. If the company is unaware that its systems have been infected, even recent backups are useless, because they will have been compromised as well. The malicious code can run unnoticed in this way for weeks or months, spreading and siphoning off data. The attacker decides when to pull the encryption trigger, and by then the company's backups are no longer of much help. That is what makes ransomware 2.0 such a hazard for companies. The extortion now has two components: payment to decrypt the data and restore access to the systems, and payment to refrain from publishing the stolen data.

With first-generation ransomware there was little point in trying to detect the attack in progress: encryption began immediately, so there was no window in which to act. Because today's attacks deliberately wait before encrypting the infected systems, however, it is possible to detect them before they cause serious harm.

Uncovering traces of attacks with compromise assessments 

The best way to identify these breaches is with compromise assessments, as offered by the Berlin-based cyberdefense experts SECUINFRA. SECUINFRA's assessment service uses the same Advanced Persistent Threat (APT) scanner that it uses for its forensic investigations. Unlike a conventional virus scanner, the APT scanner does not look for the signatures of known malicious code. Because malware is constantly changing, signature-based scanners cannot reliably protect against new threats such as APTs: APT groups employ their own tooling, whose signatures are unknown and therefore not recognized by intrusion prevention or detection systems either. The compromise assessment instead performs a forensic analysis to detect the artifacts that intruders typically leave behind regardless of which tools they used. These are referred to as indicators of compromise (IOCs) and include registry entries, log entries, manipulated data, newly created users and changes to user permissions.

The APT scanner uses a set of rules that encodes these indicators of compromise and applies the rules to artifacts on the system, such as files and folder structures, running processes and RAM contents. Collecting and analyzing these artifacts produces the evidence from which IOCs are identified.

“The APT scanner we use for our compromise assessment services exists thanks to the international cyberdefense community, whose members analyze cyberattacks, identify new IOCs and translate them into rules for the APT scanner,” explains Ramon Weil, CEO of Berlin-based IT security specialist SECUINFRA. This makes it possible to constantly improve the precision of the APT scanner and increase detection rates.

The IOCs detected by the APT scanner are evaluated by specialists, and the analysts need a broad base of knowledge to do this. The tools and the underlying rule set provide the starting point, but a rule hit is not a verdict: the information must be interpreted in context before a definitive conclusion can be drawn as to whether the systems have been compromised or can be given a clean bill of health. In this way, compromise assessments allow companies to rid their systems of malicious code before attackers are able to encrypt them.

Speeding up attack detection

Studies have shown that it usually takes two to three months before an attack is discovered. The long period between initial infection and encryption in modern attacks can be used to perform a compromise assessment, ideally at regular intervals. Scanning at weekly intervals can identify an infected system before any greater harm occurs. “Continuous Compromise Assessment enables companies to shorten the time it takes to reliably detect compromised systems – through an ongoing, forensic analysis of critical IT systems,” added Weil.

The initial analysis is, of course, complex and takes several days, because there are potentially millions of forensic artifacts to be examined. Subsequent scans can then work from this baseline and look only for what has changed since, so the second scan requires far less effort while still adding value, and the baseline is simply updated on a regular basis. This only works if the first full analysis has been completed and its findings resolved before the results are adopted as the baseline: an intrusion that is already present when the baseline is taken becomes part of the reference state, and later delta scans will not flag it.
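As an added example (it is not SECUINFRA's scanner and not part of its rule set), the following Python sketches the two mechanisms described in this paragraph and in the earlier one on the rule-based scanner: a set of IOC rules applied to host artifacts (files, processes, local accounts, autostart registry values) and a baseline/delta comparison so that a follow-up scan only evaluates what has changed. The snapshot layout, the rule names, and every hash, path and account name are constructed for illustration.

```python
"""Minimal IOC-rule scan with baseline/delta comparison (constructed example)."""
import copy
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Snapshot layout (an assumption for this example): collection -> stable id -> attributes.
# A real collector would fill this from disk, the process table, the SAM/AD and the registry.
Snapshot = Dict[str, Dict[str, dict]]


@dataclass
class Rule:
    name: str
    artifact: str                        # which collection the rule inspects
    match: Callable[[str, dict], bool]   # (identifier, attributes) -> hit?


KNOWN_BAD_SHA256 = {"ab" * 32}           # constructed blocklist entry, not a real hash
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(exe|dll|scr)$", re.I)

RULES = [
    Rule("file hash on blocklist", "files",
         lambda path, a: a["sha256"] in KNOWN_BAD_SHA256),
    Rule("executable dropped in user temp directory", "files",
         lambda path, a: TEMP_EXE.search(path) is not None),
    # Only meaningful against a baseline: the 'change' attribute is set by delta().
    Rule("System32 binary modified since baseline", "files",
         lambda path, a: path.lower().startswith("c:\\windows\\system32\\")
         and a.get("change") == "modified"),
    Rule("Run-key autostart pointing at a temp directory", "registry",
         lambda key, a: key.startswith(RUN_KEY) and "\\Temp\\" in a["data"]),
    Rule("Office application spawned a script host", "processes",
         lambda key, a: a["parent"].lower() in OFFICE and a["name"].lower() in SCRIPT_HOSTS),
    Rule("account holds Administrators membership", "users",
         lambda key, a: "Administrators" in a["groups"]),
]


def delta(baseline: Snapshot, current: Snapshot) -> Snapshot:
    """Artifacts that are new or changed relative to the baseline, tagged with 'change'."""
    out: Snapshot = {}
    for coll, items in current.items():
        base = baseline.get(coll, {})
        out[coll] = {}
        for ident, attrs in items.items():
            if ident not in base:
                out[coll][ident] = {**attrs, "change": "new"}
            elif base[ident] != attrs:
                out[coll][ident] = {**attrs, "change": "modified"}
    return out


def scan(snapshot: Snapshot, rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Full scan: apply every rule to every artifact of its collection."""
    return [(r.name, ident) for r in rules
            for ident, attrs in snapshot.get(r.artifact, {}).items() if r.match(ident, attrs)]


def assess(baseline: Snapshot, current: Snapshot, rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Follow-up scan: run the rules over the delta only."""
    return scan(delta(baseline, current), rules)


def make_baseline() -> Snapshot:
    """Constructed 'known clean' host state."""
    return {
        "files": {"C:\\Windows\\System32\\svchost.exe": {"sha256": "11" * 32},
                  "C:\\Windows\\System32\\lsass.exe": {"sha256": "22" * 32}},
        "processes": {"svchost.exe<-services.exe": {"name": "svchost.exe", "parent": "services.exe"},
                      "winword.exe<-explorer.exe": {"name": "winword.exe", "parent": "explorer.exe"}},
        "users": {"Administrator": {"groups": ["Administrators"]}, "alice": {"groups": ["Users"]}},
        "registry": {RUN_KEY + "OneDrive":
                     {"data": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}},
    }


def make_compromised() -> Snapshot:
    """Baseline plus the traces of a hypothetical intrusion (constructed)."""
    snap = copy.deepcopy(make_baseline())
    snap["files"]["C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"] = {"sha256": "ab" * 32}
    snap["files"]["C:\\Windows\\System32\\lsass.exe"]["sha256"] = "33" * 32        # tampered binary
    snap["processes"]["powershell.exe<-winword.exe"] = {"name": "powershell.exe", "parent": "winword.exe"}
    snap["users"]["svc_backup"] = {"groups": ["Administrators"]}                   # new admin account
    snap["registry"][RUN_KEY + "Updater"] = {"data": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}
    return snap


if __name__ == "__main__":
    base, cur = make_baseline(), make_compromised()
    for label, hits in (("full scan", scan(cur)), ("delta scan", assess(base, cur))):
        print(label)
        for rule_name, ident in hits:
            print(f"  [{rule_name}] {ident}")
```

The full scan also reports the built-in Administrator account, which an analyst has to dismiss by hand; the delta scan reports only the newly added admin account, and it is the only mode that can flag the modified System32 binary, because "changed" is only defined relative to a reference state. Conversely, when the community rule set is updated, the new rules should be run over the full snapshot once, since artifacts already in the baseline were never evaluated against them.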

Compromise assessments therefore provide a quick overview of the status of the infection, indicating which systems are affected and in what way, and the countermeasures that should be taken.

Increasing the IT maturity level

Many companies rely on traditional methods of vulnerability management and penetration testing to identify and manage their system vulnerabilities. However, these methods do not provide any information on whether a system has already been compromised. Continuous compromise assessments offer a way to further improve cyber-resilience and defensive strength because “instead of simply managing vulnerabilities, compromise assessments address the broader question of whether these vulnerabilities have already been exploited.”

Conclusion

Continuous compromise assessments are one of the most dependable and effective ways of minimizing the damage caused by today’s ransomware attacks. They are an ideal tool for detecting current or past attacks, analyzing them and preventing them in the future. The method examines the entire infrastructure, while also providing a historical overview.


Ramon Weil · Author

CEO & Founder


Ramon Weil is founder and managing director of SECUINFRA GmbH. Since 2010, he has developed SECUINFRA into one of the leading companies in the field of detection, analysis and defense against cyber attacks in Germany. Before founding SECUINFRA, Ramon worked for more than 20 years in the field of IT & IT security. Among other things, he worked at Siemens in the Security Operation Center (SOC), established the back level support for IT security products at Siemens and implemented and managed IT security projects worldwide. From 2006 until the foundation of SECUINFRA, Ramon built up the IT Security business for Siemens and later Nokia Siemens Networks (NSN) in the Asia Pacific (APAC) region. In addition to numerous IT security product certifications, he has been a CISSP since 2006 and a CISM since 2010.