Beating Ransomware in the Midgame: Detection Best Practices in 2022

What is Ransomware?

Ransomware (ransom + malware) is a form of malware designed to allow malicious actors to extort money from an organization. This is accomplished by using a variety of encryption techniques that lock an organization’s files to then force the organization to pay for the key to unlock the data.

Ransomware attacks have become increasingly common, with attackers targeting organizations with weak security practices. In fact, a recent survey revealed that 85% of organizations have fallen prey to ransomware in the past five years. And this crime pays: the predicted global cost of ransomware attacks has climbed steeply, with a more than 4x increase between 2017 and 2021 to an estimated $20 billion, and may reach $265 billion by 2031. Indeed, modern ransomware attacks are so profitable that criminal groups like BlackByte, Conti, and REvil are continually developing new and innovative ways to systematically attack organizations while simultaneously increasing the difficulty of detection and prevention. These tactics have included the use of encrypted protocols to obscure actions such as exploitation, data gathering, and the exfiltration of data for the purposes of extortion.

Unlike early ransomware attacks that focused on targets of opportunity, modern ransomware attacks leverage detailed playbooks that rapidly take advantage of new vulnerabilities to gain access to their victims’ networks. One prominent example is the speed with which the BlackByte ransomware gang began leveraging the ProxyLogon and ProxyShell vulnerabilities as part of their standard attack playbook. The adaptability of these criminal groups and their ability to bypass traditional perimeter defenses underscore the necessity of midgame detection techniques.

Ransomware Prevention Best Practices

Preventing ransomware attacks within organizations requires investment in security tools such as NDR, EDR, firewalls, and SIEM, in addition to good operational security practices and procedures. While attackers are quick to leverage new vulnerabilities and attack avenues, there are a wide variety of compensating controls that security-conscious organizations can leverage to make an attacker’s job more difficult.

No security posture is foolproof—skilled and dedicated attackers with enough time and money can gain access to any environment. However, as with most criminal organizations, ransomware operators are focused on making money, which means picking easy targets for rapid paydays. Every step an organization takes to increase the difficulty in conducting a successful attack decreases the likelihood of attacks by ransomware operators.

Organizations looking to reduce the likelihood of a ransomware attack must constantly evaluate their security posture with an eye toward the changing threat landscape and evolving attacker and defender toolkits. Given the level of adaptivity attackers have shown, it is critically important to extend visibility and security practices to include the midgame. The midgame is where attackers have the most freedom of action and security teams have traditionally had the least visibility.

Some of these best practices include:

  • Continual User Training. This has demonstrable results, preventing users from becoming complacent about security. Continual training should cover topics including:
    • Identifying malicious emails
    • Validating the source of documents before opening them
    • Not clicking on unknown links
    • Not disclosing personal information, either in business communications or on social media
    • Not using USB sticks to transport data in and out of the workplace
  • Evaluating Security Practices and Procedures. As organizations evolve their security posture, it is critical to avoid complacency; this requires constantly re-evaluating security practices and policies to adapt to organizational and threat-landscape changes. Particular points of interest include:
    • Security controls, such as:
      • Least-privilege controls, applied to employees and partners alike. Security teams should consider not only the ability to access organizational data but also the level of user permissions on local machines and network resources
      • Disabling macros and scripts for Office documents
      • Disabling PowerShell scripting, or leveraging script signing and Microsoft best practices
    • Regular and rapid software updates and patches:
      • This should include updates to operating systems such as Windows and Linux, as well as third-party applications
    • Deploying and properly maintaining security tools, including:
      • Antimalware tools such as antivirus or endpoint detection and response (EDR)
      • Network detection and response (NDR)
      • Logging data to a SIEM
      • Email filtering and attachment malware-scanning tools
    • Backups:
      • Keep regular backups of all critical data, including disconnected cold-storage backups
    • Following vendor best practices:
      • Security vendors typically recommend configuration options that optimize their tools to defend against ransomware
      • A shortlist of some of the most common vendors’ recommended practices can be found at the bottom of this blog

Combating Ransomware in the Midgame

Modern ransomware is now carried out in a three-part playbook: opening (initial access), midgame (post-compromise), and endgame (extortion cycle). Each stage of the playbook consists of a variety of techniques designed to allow attackers to evade security measures, compromise additional assets, and gain control over them.

  • Initial access is where attackers gain a foothold through a wide range of techniques including phishing, exploitation, and drive-by downloads.
    • Security controls for this phase include firewalls, EDR, email filtering, etc. These tools and controls are designed to prevent the attacker from gaining a foothold in the environment.
  • The midgame begins when the attacker has compromised at least one device and begins pivoting through the target infrastructure. This is where attackers have the most freedom of action. Attackers will begin reconnaissance of the target network, stealing usernames, setting up persistence mechanisms, and compromising additional systems.
    • Security policies for this stage include least-privilege user and device permissions, limiting or disabling PowerShell, and device posture assessment tooling. Network architectures should include segmentation and monitoring with security tooling including EDR, NDR, East/West focused IDS, and NAC.
  • The extortion cycle begins with the launch of the ransomware. At this stage, the attacker has launched their final assault on the target organization. Rapid response at this stage may minimize the damage; however, it is highly unlikely that mitigation efforts will be entirely successful.
    • Backups, both online and offline, are critical to the success and speed of recovery operations. Backups should be performed as frequently as possible with regular cold storage backups. This ensures that if the attacker compromises one set of backups, cold storage backups are available to restore from.

How NDR Aids in Ransomware Mitigation

Preventing attackers from gaining a foothold in an environment is not always possible, but network detection and response (NDR) empowers defenders with the ability to interrupt intruders during the midgame—before they do real damage. NDR is designed to monitor the network traffic patterns and protocols that attackers leverage during the midgame, such as PowerShell, WMI, MS-RPC, and more.

Even with network monitoring capabilities, decryption is increasingly important for detecting attacks that leverage encrypted protocols. NDR solutions with decryption capabilities provide in-depth monitoring with the historical data needed to detect abuse of protocols such as NTLM and Kerberos, which greatly increases the ability of defenders to detect and respond to the malicious activity starting at initial access, through the midgame, and into the extortion phase of the attack.

By monitoring raw network traffic feeds, NDR can identify ransomware actors in the midgame and avoid the difficulties associated with traditional security controls like IAM, SIEM, and EDR. NDR helps defenders uplevel their detection capabilities in critical areas by:

  • Identifying and alerting on internal reconnaissance and enumeration behaviors
  • Spotting lateral movement techniques that lead to the compromise of domain controllers and data services
  • Spotting the exploitation of vulnerable internal services such as PrintSpooler, even when the exploit occurs over encrypted protocols
  • Isolating intruder and malware C&C, even in noisy DNS traffic
  • Identifying data staging for exfiltration and encryption activity indicative of ransomware

Announcing Layered Network Intelligence for AWS

Cloud environments are notorious for visibility gaps that weaken security. Unmanaged workloads, serverless environments, and containers that only exist for minutes all combine to create even more blind spots. While agents and perimeter-focused solutions have their place in a cloud security toolset, they also have serious limitations. Perimeter-based security controls can’t keep out all the constantly evolving advanced threats that attackers throw at them, and adding agents to workloads requires buy-in from DevOps, which can be a major point of friction for security teams. Plus, it’s impossible to deploy an agent on every asset you need to secure.

To truly defend cloud environments from advanced threats, organizations need to take a layered approach to security. With the latest technical innovation for Reveal(x) 360, they can do just that.

Reveal(x) 360 now offers continuous visibility based on VPC Flow Logs for securing AWS environments. Organizations can choose flow logs as a standalone option or combine that cloud-native data source with packets to take a multi-layered approach to cloud threat defense.

Lambda function visibility in AWS unlocked by VPC Flow Logs and available in the Reveal(x) 360 management pane.

The ability to access multiple data sources in the same management pane will be a game-changer for security teams. First, it significantly reduces blind spots with complete and continuous visibility across workloads by combining the breadth of VPC Flow Logs with the depth of network packets. It also offers more coverage by analyzing multiple sources of network telemetry to detect advanced threats like ransomware or software supply chain attacks. Additionally, this multi-layered approach enhances ExtraHop’s already formidable device discovery, threat hunting, and investigation capabilities.

Reveal(x) 360 cloud threat defense offers:

Multi-Layered Analysis and Threat Detection

Data exfiltration attempt in AWS leveraging a Lambda function detected by Reveal(x) 360 using VPC Flow Logs

VPC Flow Logs are popular for cloud security because of their value for compliance, but for many organizations, the value stops there. Or, more precisely, it ends with VPC Flow Logs gathering dust in an S3 bucket. That’s a missed opportunity. Reveal(x) 360 analyzes all forms of network telemetry with advanced AI for comprehensive behavior monitoring across IaaS and PaaS workloads, as well as containers and serverless deployments. What it means for the end user is simple: You can use ExtraHop’s real-time analysis and data visualizations to improve your situational awareness, gain actionable intelligence, and quickly zero in on malicious activity. Additionally, adding VPC Flow Logs to Reveal(x) 360 enhances threat detection capabilities for post-compromise techniques like command and control and data exfiltration.
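The two detection ideas this post keeps returning to, spotting internal reconnaissance and enumeration in the midgame (the NDR section above) and spotting bulk outbound transfer that looks like data staging or exfiltration in VPC Flow Logs (this section), can both be demonstrated on the flow-log records themselves. The following is an added example, not ExtraHop or Reveal(x) code, written against the default version-2 VPC Flow Log field order that AWS documents. Everything else is an assumption of the example: the account and interface IDs, the addresses, the byte volumes, and the thresholds (five internal hosts or ten distinct ports for a sweep, 500 MB to a single external host for bulk egress) are constructed values, and "internal" is defined as RFC 1918 space only, with the documentation ranges standing in for the public Internet.

```python
"""Added example (not ExtraHop code): reading AWS VPC Flow Log records and
flagging two midgame behaviours: internal reconnaissance (port/host sweeps)
and bulk egress to non-private addresses (possible data staging or
exfiltration).  All addresses, account and interface IDs are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption: only RFC 1918 space counts as internal.  The documentation
# ranges (198.51.100.0/24, 203.0.113.0/24) stand in for the public Internet.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: int
    nbytes: int
    action: str


def parse_flow_log(text: str) -> List[Flow]:
    """Parse default-format records.  NODATA/SKIPDATA records carry '-' in
    the numeric fields, so they are skipped rather than parsed."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        flows.append(Flow(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]),
                          int(rec["protocol"]), int(rec["bytes"]), rec["action"]))
    return flows


def detect_recon(flows: List[Flow], host_threshold: int = 5,
                 port_threshold: int = 10) -> List[Dict]:
    """One internal source touching many internal hosts or many distinct ports
    in the window looks like enumeration.  REJECTed flows (closed ports,
    security-group denies) are counted too, because sweeps produce them."""
    hosts, ports, rejected = defaultdict(set), defaultdict(set), defaultdict(int)
    for f in flows:
        if f.proto not in (6, 17) or not (is_internal(f.src) and is_internal(f.dst)):
            continue  # TCP/UDP only; ICMP carries no meaningful port
        hosts[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        if f.action == "REJECT":
            rejected[f.src] += 1
    return [{"src": s, "hosts": len(hosts[s]), "ports": len(ports[s]),
             "rejected": rejected[s]}
            for s in sorted(hosts)
            if len(hosts[s]) >= host_threshold or len(ports[s]) >= port_threshold]


def detect_bulk_egress(flows: List[Flow], threshold_bytes: int = 500_000_000) -> List[Dict]:
    """Sum ACCEPTed bytes from each internal source to each external
    destination; a pair above the threshold is a candidate for exfiltration."""
    totals = defaultdict(int)
    for f in flows:
        if f.action == "ACCEPT" and is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.nbytes
    return [{"src": s, "dst": d, "bytes": b}
            for (s, d), b in sorted(totals.items()) if b >= threshold_bytes]


def _rec(src, dst, sport, dport, packets, nbytes, action) -> str:
    """Build one constructed version-2 TCP record (account/ENI IDs are fake)."""
    return (f"2 123456789010 eni-0a1b2c3d4e5f67890 {src} {dst} {sport} {dport} "
            f"6 {packets} {nbytes} 1646000000 1646000060 {action} OK")


SWEEP_PORTS = [22, 80, 135, 443, 445, 1433, 3306, 3389, 5985, 8080]
SAMPLE_LOG = "\n".join(
    # 10.0.1.50 sweeps ten ports on one host, then port 445 on five more hosts
    [_rec("10.0.1.50", "10.0.1.10", 49152 + i, p, 1, 44, "REJECT")
     for i, p in enumerate(SWEEP_PORTS)]
    + [_rec("10.0.1.50", f"10.0.1.{h}", 49200 + h, 445, 1, 44, "REJECT")
       for h in range(11, 16)]
    # ordinary traffic from 10.0.1.20
    + [_rec("10.0.1.20", "10.0.1.10", 51000, 443, 120, 98304, "ACCEPT"),
       _rec("10.0.1.20", "10.0.1.10", 51001, 443, 80, 61440, "ACCEPT"),
       _rec("10.0.1.20", "198.51.100.9", 51002, 443, 40, 52000, "ACCEPT"),
       # 10.0.1.30 pushes roughly 950 MB to one external host over TLS
       _rec("10.0.1.30", "203.0.113.7", 52000, 443, 300000, 400000000, "ACCEPT"),
       _rec("10.0.1.30", "203.0.113.7", 52001, 443, 220000, 300000000, "ACCEPT"),
       _rec("10.0.1.30", "203.0.113.7", 52002, 443, 180000, 250000000, "ACCEPT"),
       # a record with no traffic in the window, in the shape AWS emits it
       "2 123456789010 eni-0a1b2c3d4e5f67890 - - - - - - - 1646000000 1646000060 - NODATA"]
)


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG)
    print("recon:", detect_recon(flows))
    print("bulk egress:", detect_bulk_egress(flows))
```

Run as-is, the sweep from 10.0.1.50 is reported with six hosts, ten ports and fifteen rejected flows, while 10.0.1.20's ordinary traffic is not; the three TLS sessions from 10.0.1.30 aggregate to 950 MB toward one external address and cross the egress threshold. In a real deployment the byte threshold would be set per workload from a baseline, and the sweep counters would be evaluated per capture window rather than over an unbounded list, but the aggregation is the same.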

Breadth and Depth of Visibility

Amazon Relational Database Service (RDS) visibility unlocked by VPC Flow Logs and available in the Reveal(x) 360 management pane.

With the ability to combine VPC Flow Logs with packets in a single platform, Reveal(x) 360 doesn’t force you to choose between coverage that’s a mile wide and an inch deep or very deep but limited in breadth. Analysts can use VPC Flow Logs for broad coverage and packets for deeper visibility and investigation. This complete and continuous coverage in AWS enables security teams to quickly identify and investigate post-compromise behavior like lateral movement as a way to stop attacks before they become breaches.

Frictionless Cloud Threat Defense

Reveal(x) 360 deploys without agents and provides out-of-band analysis of network telemetry, eliminating a major source of DevOps friction and freeing security teams to do their jobs without slowing down innovation, digital transformation, or business. Layered cloud threat defense also helps reduce tool sprawl and complexity. In the past, gaining access to multiple data sources often required using multiple products and user interfaces. By ingesting VPC Flow Logs and packets, Reveal(x) 360 enables analysts, forensic investigators, and incident responders to access layered network telemetry in a single management pane for unified threat visibility, investigation, and response.

Reveal(x) 360 Subscription Tiers

Reveal(x) 360 offers several subscription tiers for multi-layered cloud threat defense in AWS. Every subscription tier leverages ExtraHop’s secure, cloud-hosted services, AI analysis, and record store for frictionless visibility and investigation. Organizations can purchase the new Reveal(x) 360 Standard subscription for continuous visibility in AWS powered by VPC Flow Logs, or they can combine their subscription with Reveal(x) 360 Premium or Ultra packages for deeper visibility, expanded detections, and enhanced investigation. To view Reveal(x) 360 subscription tiers, visit our AWS Marketplace listing.

Practical Steps for Responding to the CISA Warning on Russian Cyber Attacks

On February 25, 2022, two days after Russia began its military invasion of Ukraine, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued a rare Shields Up warning for U.S.-based organizations, stating: “Every organization—large and small—must be prepared to respond to disruptive cyber activity.”

The Shields Up warning is in direct response to increased Russian cyber aggression against Ukrainian and other targets in the region, including recent distributed denial-of-service (DDoS) and malware attacks. In addition to the possibility of disruptive nation-state activities affecting U.S. targets, CISA also warned of an increase in cyber attack activity against U.S. organizations from Russia or hackers acting on Russia’s behalf.

The need for this warning was amplified by recent events, including the hacking of over twenty U.S.-based natural gas companies by Russian intelligence two weeks before the Russian Army invaded Ukraine. With the CISA warning, this recent evidence, and what we know from past attacks against Ukraine, it would be irresponsible for organizations to ignore CISA’s warning.

To help organizations prepare for a possible attack, it’s important to first understand the types of attacks organizations should be watching for.

Russian Cyber Attacks to Watch Out For

Given the speed at which the war against Ukraine is progressing, in the immediate future, attacks are likely to be fast, hard-hitting, and focused on disruption and destruction.

Here are some of the attacks to watch out for.

Distributed Denial of Service (DDoS)

DDoS attacks aren’t new or particularly sophisticated, but they’re still effective at stopping work at government agencies and commercial enterprises in its tracks. Russia has used these attacks before. For example, in 2008, during the country’s conflict with Georgia, Russia or another party closely affiliated with the Russian government launched DDoS attacks against the Georgian government and Georgian news agencies.

It’s not surprising, then, that on February 15, 2022, DDoS attacks were launched against two of the largest Ukrainian banks as well as the Ukrainian military. More attacks are likely to follow. Targets could expand to include organizations outside of Ukraine.

Ransomware

While the Russian military effort will probably not include ransomware attacks, the Russian government has unleashed Russian criminal cybercrime enterprises, including the Conti gang, to engage in unrestricted cybercrime activities. The U.S. has already warned companies to be wary of increased ransomware attacks for two reasons. First, Russia might use them to cause trouble for Ukraine. Second, because of rising tensions with the West, the country might become more tolerant of hackers within its own borders. Ransomware gangs that, a year ago, would have feared prosecution by the Russian government might find themselves free to operate as they wish now—provided they target organizations outside of Russia.

One reason why ransomware attacks are still effective: Too many companies are still using protocols such as RDP and SMBv1 that common ransomware variants rely on for traversing networks. For years, vendors and standards organizations have been urging companies to stop using these outdated protocols, some of which were designed without cybersecurity in mind.

For example, recognizing the protocol’s glaring security shortcomings, Microsoft officially discontinued support for SMBv1 nine years ago. But according to a recent survey by ExtraHop, 68% of organizations were still running SMBv1, leaving themselves vulnerable to dangerous malware variants such as WannaCry and NotPetya.

Organizations should assume that if attackers find these protocols active on networks, they’ll take advantage of them.

Russian Wiper Malware

Living up to its name, Russian wiper malware is designed to be destructive, wiping out data rather than encrypting it for ransom. Russia has been accused of wielding this kind of malware before, most famously in the NotPetya malware attacks of 2017, which, incidentally, targeted Ukrainian government agencies, news organizations, and utility companies.

Probably as part of an attempt to paralyze the Ukrainian response to its invasion, Russia unleashed a new wiper malware to attack Ukrainian government ministries and financial institutions in February. Fortunately, Microsoft detected the attack within three hours and worked on a response. They dubbed the malware “FoxBlade,” updated Microsoft Defender to recognize the malware’s signature, and coordinated responses with government agencies and other organizations to block the attack.

Organizations should be wary of similar wiper attacks against a broader range of targets.

Brute Force Attacks

Attackers use brute force attacks to gain credentials that can be used for exploring networks, exfiltrating data, and gaining access to critical systems. One common type of brute force attack is credential stuffing, in which attackers use scripts to automatically feed thousands of compromised username/password combinations into login fields. These attacks succeed a significant amount of the time because, all too often, people reuse email address/password combinations across multiple sites. Billions of compromised username/password combinations are available for little or no money on the dark web.

If a nation state or its affiliates want to break into organizations, it makes sense for them to take advantage of brute force attacks. Organizations should assume that Russia might do so.
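The distinction the paragraph above draws, between credential stuffing (one attempt against each of many leaked accounts) and a classic brute force run against a single account, is exactly what a detection over authentication logs has to capture, along with the one event that matters most to responders: a success from a source that was just failing repeatedly. The following is an added example and not ExtraHop's code. Its log line format (`<timestamp> auth-gw login result=OK|FAIL user=<name> src=<ip>`), the host name `auth-gw`, the addresses, and the thresholds (ten distinct accounts or twenty failures within a five-minute window) are all constructed for the example.

```python
"""Added example (not ExtraHop code): classifying failed-login bursts in a
constructed authentication log as credential stuffing (many accounts, few
attempts each) or single-account brute force, and noting whether a success
followed the burst from the same source.  The log format, host name and
addresses are invented for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed line shape:
#   2022-03-01T09:00:00Z auth-gw login result=FAIL user=alice src=203.0.113.50
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) auth-gw login "
    r"result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

Event = Tuple[float, str, str, str]   # (epoch seconds, src, user, result)


def parse_auth_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unrelated or malformed lines are ignored, not fatal
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect_credential_attacks(events: List[Event], window: int = 300,
                              fail_threshold: int = 20,
                              user_threshold: int = 10) -> List[Dict]:
    """Sliding window per source address.  Credential stuffing shows up as
    failures spread across many distinct accounts; brute force as many
    failures against one account.  A later success from a flagged source is
    the signal responders care about most, so it is recorded separately."""
    recent = defaultdict(deque)            # src -> events inside the window
    findings: Dict[str, Dict] = {}
    for ts, src, user, result in events:
        q = recent[src]
        q.append((ts, user, result))
        while q and ts - q[0][0] > window:
            q.popleft()
        failed_users = [u for _, u, r in q if r == "FAIL"]
        distinct = set(failed_users)
        kind = None
        if len(distinct) >= user_threshold:
            kind = "credential_stuffing"
        elif len(failed_users) >= fail_threshold and len(distinct) == 1:
            kind = "brute_force"
        if kind and src not in findings:
            findings[src] = {"src": src, "kind": kind, "first_seen": ts,
                             "failures": len(failed_users),
                             "accounts": len(distinct), "success_after": False}
        if result == "OK" and src in findings:
            findings[src]["success_after"] = True
    return [findings[s] for s in sorted(findings)]


def _line(t: datetime, result: str, user: str, src: str) -> str:
    return (f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} auth-gw login "
            f"result={result} user={user} src={src}")


_T0 = datetime(2022, 3, 1, 9, 0, 0)
SAMPLE_AUTH_LOG = "\n".join(
    # 203.0.113.50 tries twelve leaked accounts once each, then one works
    [_line(_T0 + timedelta(seconds=2 * i), "FAIL", f"user{i:02d}", "203.0.113.50")
     for i in range(1, 13)]
    + [_line(_T0 + timedelta(seconds=26), "OK", "user13", "203.0.113.50")]
    # 198.51.100.4 hammers the admin account
    + [_line(_T0 + timedelta(minutes=10, seconds=i), "FAIL", "admin", "198.51.100.4")
       for i in range(25)]
    # 10.0.5.9: a user mistypes twice, then logs in (benign)
    + [_line(_T0 + timedelta(minutes=20), "FAIL", "bob", "10.0.5.9"),
       _line(_T0 + timedelta(minutes=20, seconds=5), "FAIL", "bob", "10.0.5.9"),
       _line(_T0 + timedelta(minutes=20, seconds=12), "OK", "bob", "10.0.5.9")]
)


if __name__ == "__main__":
    for finding in detect_credential_attacks(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

On the sample, 203.0.113.50 is flagged as credential stuffing at its tenth distinct failed account and is then marked `success_after` when `user13` logs in, which is the finding that should page someone; 198.51.100.4 is flagged as brute force at its twentieth failure against `admin`; bob's two typos from 10.0.5.9 produce nothing. Distributed stuffing from many source addresses would need the same counters keyed per target account rather than per source, which is a one-line change to the grouping key.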

Phishing

As far back as 2018, CISA issued an alert warning that Russian government cyber actors were launching cyber attacks against U.S. government agencies and critical infrastructure companies. Many of these attacks involved phishing email campaigns sent from compromised email accounts. These phishing attempts become more credible when they come from a compromised account of an organization’s leader.

The goal of phishing attacks—then and now—is often to gain access to privileged accounts on applications and servers, which can then be used for exploring networks, gaining access to operational controls, and spreading malware.

Escalations Among Civilian Hackers

Something that’s new in this war is gangs of volunteer hackers declaring loyalty to Ukraine or Russia and unleashing attacks on their preferred country’s behalf. For Ukraine, these hackers are serving as a volunteer cyber army, guarding digital assets and launching attacks against Russia. For Russia, these volunteers offer more manpower and perhaps some new techniques for waging cyberwar against Ukraine.

For organizations in the U.S., the addition of these volunteers increases the uncertainty of the cyber attacks that may follow. More actors and perhaps more varied attack strategies give security teams all the more reason to ensure their defenses are as strong as possible.

Implementing CISA’s Shields Up Guidance to Prevent Cyber Attacks

All organizations, public and private, should stay vigilant and prepare for possible intrusions. To do this, security and business leaders alike should review and heed the advice in CISA’s Shields Up, which offers guidance to improve overall hygiene and defenses, detect and respond to potential intrusions, and maximize organizational resilience.

To break down the CISA Shields Up guidance further and help organizations understand what steps they should take to reinforce their security posture, ExtraHop has released A Practical Guide to Shields Up, a complete analysis of the Shields Up recommendations with detailed expert advice.

Shields Up: A CEO’s Guidance for Corporate Leaders on Cybersecurity Readiness

War is one of humanity’s oldest and most merciless, dehumanizing, and abhorrent acts. In the modern age, war is also now publicly documented, with a constant, unmoderated stream of updates on social media taking us right to the place events are unfolding, throwing into stark relief the individual and personal impacts of war as it happens. We are seeing this now with the war on Ukraine. Perhaps this shared experience will make the world reflect on the impact and implications of war—and will give nations and their leaders pause in the future. I hope for peace, for the safety of the Ukrainian people, and for the continuation of a free and independent Ukraine.

Another lesson of the war between Russia and Ukraine is that the parameters of the battlefield have evolved tremendously in the last 20 years. Wars are fought on battlefields and oceans and in the skies above us. Increasingly, they are also fought on the network, as combatants seek to weaken their enemies by compromising systems, data, and critical infrastructure.

Earlier this week the Cybersecurity & Infrastructure Security Agency (CISA), in conjunction with the FBI, issued a new Shields Up warning based on the Russia/Ukraine conflict, advising organizations to adopt a heightened security posture and prepare for the likelihood of an attack.

With its Shields Up warning, CISA provides concrete guidance about where organizations should focus their efforts at this moment of crisis. The warning also offers clear, straightforward, and actionable recommendations for corporate leaders and executives around how they can best support security teams and prepare their organizations for a worst-case scenario. This includes ensuring visibility and support for CISOs and SecOps teams, lowering reporting thresholds for threat activity, and testing plans and capabilities around incident response and business continuity.

As a CEO, I hope corporate and organizational leaders take this guidance to heart and implement it, to the greatest extent possible, for the duration of this heightened alert period and in the future. As leaders, it is essential that we trust the people we hired and empower them to succeed in the role for which they were hired. Now is the time to reinvigorate a critical relationship between our cyber defense teams and the rest of the business. What CISA is asking on behalf of every CISO and every security practitioner is this: cybersecurity is essential to your business, and we have reached a moment when it is at incredibly high risk. Give your security teams your full support by resourcing them, and then let them do what they do best—defend your systems, your data, and your organization.

To help leaders like you establish that communication, I’d like to offer some lessons I’ve learned throughout my career, and some advice that I’ve taken to heart on my leadership journey.

  1. Take the time to get briefed on your current security posture, both immediately and on an ongoing basis moving forward. Understand your organization’s overall security posture, including areas of strength and weakness. Understand the challenges your security teams face and get them the resources they need to be successful in the modern threat landscape. Many executives and boards have governance structures that require periodic readouts, but building a strong relationship as a baseline can ensure that your organization is prepared for a real event.
  2. Ensure that executive leadership is fully briefed on incident response, crisis management, and business continuity plans. This helps leadership refresh their understanding of the role they and their organizations play if events unfold. Incident response plans should include assessment of each executive’s departmental response readiness, and the results should be reported back to the full executive team. Taking these steps will help uncover issues that need to be resolved quickly, strengthening your overall security posture.
  3. Assess the security infrastructure protecting your organization. At a minimum, you should understand:
    • How often software is updated, including vulnerabilities commonly exploited by Russian threat actors (See CISA’s Shields Up Guidance for a list). You should also understand your organization’s policies regarding automatic updates, which are generally a best practice but increase the risk of a software supply chain attack.
    • How frequently critical systems and data are backed up, how the backups are protected from compromise, and how readily systems can be restored in the event of a breach.
    • What identity management and multifactor authentication tools and processes are being used, and whether they are fully operational.
    • How your organization monitors, manages, and protects endpoints, including both traditional endpoints like servers and computers, as well as IoT and employee devices.
    • How you are managing the risks associated with the use of public cloud applications and infrastructure, and your organization’s areas of responsibility versus those of the cloud provider.
    • How your network is secured, including your ability to detect, remediate, and investigate threat activity on the network.

As you start a discussion with your security and technical teams, also keep in mind that systems integrators, managed services providers, channel partners, and technology vendors have expertise and services that can help organizations scale up defenses during times of high alert, and help assess organizational readiness to defend against advanced threats.

At ExtraHop, we are standing by to help our customers with any concerns or questions. At this critical moment for so many organizations, we are dedicating resources to ensure that organizations get the support they need to effectively defend their networks from attack. To learn more about how we can help assess your security posture (including identifying devices still vulnerable to Log4Shell), contact us at shieldsup@extrahop.com. We also have new recommendations for how to implement and mature CISA’s Shields Up guidance for organizations.

CISA’s Shields Up warning and associated guidance is a reminder that we are united in a common mission: To defend our organizations, our customers, our employees, and our data, against advanced attacks. That mission is more important now than ever, and you have our full support.

Accelerate Cybersecurity Investigations with Reveal(x) Threat Briefings

When threat investigation and response take too long, attackers have decisive advantage as they steal data, encrypt it for ransom, or both. Accelerating investigations is a top priority for security operations teams, but it is made difficult by ongoing staffing challenges and rapidly evolving advanced threats. Reveal(x) threat briefings offer a path for faster investigation and response for enterprise SecOps teams.

Reveal(x) threat briefings are collections of correlated, contextualized data about specific cyber attacks or attack techniques that deserve elevated attention due to recent events or new information. The contextualized insights in these briefings help security analysts quickly assess and mitigate their organization’s past and current exposure to emerging threats so that they can reduce their mean time to respond (MTTR) and confidently eradicate intruders. Reveal(x) threat briefings are presented directly in the Reveal(x) user interface, and may contain:

  • Threat research findings about a recent attack or vulnerability
  • Security industry information
  • Threat detections with correlated contextual data gathered and analyzed by Reveal(x)

When new zero-day vulnerabilities are disclosed, speed is of the essence for protecting businesses. With PrintNightmare, Log4Shell, SolarWinds SUNBURST, and Kaseya/REvil, the potential damage and blast radius was so high that every business was forced to evaluate and mitigate their own exposure. For security operations teams to move on to mitigation, remediation, and recovery, they must quickly answer these complex questions:

  • Were we attacked in the past? Are we already compromised?
  • Are there vulnerable devices in our environment? (In the case of PrintNightmare, that meant nearly any Windows device, so the answer was “yes” for virtually all enterprises.)
  • Have any exploits been attempted against devices on our networks?
  • Can we detect whether any devices have already been compromised and used for subsequent attacker activity?

Fortunately, Reveal(x) threat briefings can answer all of the above and more at a glance. Reveal(x) threat briefings are displayed in the upper left corner of the main security overview page of Reveal(x) as soon as you log in. You can click each threat briefing to get more details. Each threat briefing focuses on a specific threat or vulnerability and includes such vital information as:

  • A list of devices that are vulnerable to the threat
  • Detections of communications with known indicators of that compromise
  • Behavioral detections of exploit attempts
  • Detections of related behavior that is likely to follow successful exploitation
  • Background data on the threat, with links to the relevant CVE, MITRE ATT&CK page, or other security research sources.

To learn more, watch our short video showing Reveal(x) threat briefings. It explains how you can use them to gain a rapid understanding of your organization’s exposure to a threat, allowing you to move quickly to stay secure.

IT in the Crosshairs of Modern Ransomware

The days of smash-and-grab cyberattacks are over. Instead, headline-making hits on Acer, JBS Foods, and Colonial Pipeline make it clear: We’ve entered a new, more sophisticated modern era of ransomware tactics.

Ransomware gangs have expanded their playbooks to adopt advanced east-west maneuvering to amplify damage and halt business operations to improve their payment calculus. Today’s modern ransomware is exploiting IT infrastructures to move stealthily and persist for longer periods of time before springing its trap, putting security and IT teams at a disadvantage to prevent large-scale incidents.

Evolution of the Ransomware Three-Act Playbook

We like to think we already know how ransomware works—but ransomware crews have added a new act to their playbooks. They now expand their blast radius through the use of advanced land-and-pivot-style tactics to ensure a handsome payout from companies clamoring to regain operations without significant data leakage or reputational damage. Modern ransomware is carried out as a three-act playbook: initial access, midgame, and extortion. Each act has its unique specialization and tooling.

“The midgame is comprised of the stages of the kill chain where attackers pivot through your IT infrastructure, enumerate targets, escalate privileges, phone home, and compromise assets and network data stores to compel payment.”

Initial access is where they gain a foothold through a wide range of techniques proven effective over time, including phishing emails. The midgame is where the attacker pivots through your infrastructure, accumulating assets and compromising data before springing their extortion trap. The extortion cycle is when it’s too late and the damage is done.

Conventional wisdom says that access management and backup strategies are the remedies—but these haven’t slowed the ransomware-as-a-service (RaaS) industry. Unfortunately, initial access prevention relies on 100% efficacy, and because gangs are moving beyond mere encryption by exfiltrating and exploiting sensitive information, once backup comes into play, the damage is done regardless of how you handled the extortion demand. The crippling business damage is proportional to the ransomware campaign duration—specifically the midgame duration, as shown in the diagram. If you’re watching inside the network, the midgame is where you can stop intruders before they set their extortion trap.

Ransomware Playbook Chart

Act 1: Initial Access – Foothold

Initial access is how the attacker breaks into the infrastructure, and they have countless ways to get in.

Conversations around ransomware defense tend to gravitate toward preventing initial access. While ransomware prevention is, on the surface, a logical strategy, when put to the test, motivated attackers have consistently proven that they can gain a foothold. Like any good pen tester, a persistent attacker will find a way into our porous hybrid perimeters. With today’s specialized RaaS ecosystem, even a lazy extortion-motivated attacker can buy a jumpstart foothold from initial access brokers.

If that isn’t alarming enough, phishing continues to be a favorite access technique for ransom-driven intruders. Troubling research from KnowBe4 points out that 4.7% of the 6.6M people participating in a years-long phishing training will still take the clickbait.

The battle for access prevention has proven to be, at best, a deterrent to script kiddies and other easily deterred attackers, making it more of a fence than a wall. Likewise, the perimeter seems to be better approached as the ground for skirmishing than as the point of eradication for intruders—contrary to how most organizations allocate their security spending.

Act 2: Midgame – Optimize Collection Calculus

The midgame is the stage of the kill chain where attackers pivot through your IT infrastructure, enumerate targets, escalate privileges, phone home, and compromise assets and network data stores to compel payment. This is where modern ransomware operators get to work on their tour-de-force pain maker, causing outsized damage, leveraging game theory to compel you to pay.

In addition to moving laterally through your infrastructure, ransomware crews share a common focus on exploiting Active Directory (AD). Compromising domain admin privileges in AD lets attackers speed up their asset collection operations. Because of this, ransomware trends now include shockingly short average dwell times: just five days, according to FireEye Mandiant’s 2021 M-Trends report. Gaining domain admin privileges gives intruders the keys to the kingdom, where they can automate malware distribution through Group Policy Objects (GPOs) or escalate privileges to own Exchange, databases, and file services. Numerous post-mortem advisories on ransomware gangs such as REvil and BlackMatter (a rebrand of DarkSide) point to AD as the preferred fast path toward ransom collection.

Famously, Cisco Talos translated the Conti playbook, which had been dumped by a disgruntled insider. The playbook notably instructed Conti RaaS platform affiliates to use AD attack tooling and techniques like Cobalt Strike, ADFind, and Kerberoasting.
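Defenders can watch for the same technique from the other side. As an added example (not ExtraHop code, and not taken from the Conti material), the Python below applies the textbook Kerberoasting heuristic to a few constructed, simplified Windows Security 4769 records: one account requesting RC4-encrypted (type 0x17) service tickets for several SPN-bearing accounts in a short span. The one-line log layout, the account and service names, and the threshold are assumptions made for this example; the event ID and field names mirror the real event.

```python
import re
from collections import defaultdict

RC4_HMAC = 0x17       # ticket encryption type that classic Kerberoasting tooling asks for
SPN_THRESHOLD = 3     # distinct RC4 service tickets per account before a finding is raised

# Constructed one-line rendering of Windows Security event 4769 ("A Kerberos
# service ticket was requested"). Real events are XML in the Security log; the
# field names below mirror the ones in that event, the layout is an assumption.
EVENT_RE = re.compile(
    r"EventID=(?P<event_id>\d+)\s+TargetUserName=(?P<account>\S+)\s+"
    r"ServiceName=(?P<service>\S+)\s+TicketEncryptionType=(?P<etype>0x[0-9A-Fa-f]+)\s+"
    r"IpAddress=(?P<client>\S+)"
)

# Constructed sample records; account and service names are invented.
SAMPLE_EVENTS = [
    # Normal: a user asks for a ticket to the file server's machine account with AES-256 (0x12).
    "EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=::ffff:10.20.5.17",
    # Normal: a single RC4 ticket for one legacy service is not alarming on its own.
    "EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=::ffff:10.20.5.18",
    # Suspicious: one account pulling RC4 tickets for several SPN-bearing service accounts.
    "EventID=4769 TargetUserName=carol@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.20.5.99",
    "EventID=4769 TargetUserName=carol@CORP.EXAMPLE ServiceName=svc_http TicketEncryptionType=0x17 IpAddress=::ffff:10.20.5.99",
    "EventID=4769 TargetUserName=carol@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.20.5.99",
    "EventID=4769 TargetUserName=carol@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.20.5.99",
    # A TGT request (event 4768) is a different event and is ignored here.
    "EventID=4768 TargetUserName=carol@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.20.5.99",
]


def parse_events(lines):
    """Yield (account, service, etype, client) for every well-formed 4769 record."""
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m.group("event_id") == "4769":
            yield m.group("account"), m.group("service"), int(m.group("etype"), 16), m.group("client")


def find_kerberoasting(lines, threshold=SPN_THRESHOLD):
    """Return accounts that requested RC4 service tickets for at least `threshold`
    distinct non-machine services, with the services and requesting client addresses."""
    rc4_services = defaultdict(set)
    clients = defaultdict(set)
    for account, service, etype, client in parse_events(lines):
        # Machine accounts (trailing $) have long random passwords, so their tickets
        # are not a realistic offline-cracking target; krbtgt is the TGT service itself.
        if etype != RC4_HMAC or service.endswith("$") or service.lower() == "krbtgt":
            continue
        rc4_services[account].add(service)
        clients[account].add(client)
    return [
        {"account": acct, "services": sorted(svcs), "clients": sorted(clients[acct])}
        for acct, svcs in sorted(rc4_services.items())
        if len(svcs) >= threshold
    ]


if __name__ == "__main__":
    for finding in find_kerberoasting(SAMPLE_EVENTS):
        print(f"{finding['account']} requested RC4 tickets for {', '.join(finding['services'])} "
              f"from {', '.join(finding['clients'])}")
```

The RC4 check is a heuristic, not a proof: environments with legacy services legitimately issue RC4 tickets, which is why the example counts distinct services per account rather than alerting on a single ticket, and newer tooling can request AES tickets, so a volume-based rule on 4769 events should sit alongside the encryption-type rule.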

The midgame concept isn’t new: it is represented as a subset of techniques in the last 11 tactics of the MITRE ATT&CK framework. We refer to the modern ransomware playbook as three parts because a different set of attacker specializations is applied at each phase, and an appropriate response is required from the defending team.

The Midgame Represented in the MITRE Framework

Act 3: Extortion Cycle – Houston, We Have a Problem

The last item on the playbook is the extortion cycle. With the global cost of ransomware reaching $20B in 2021, it’s fair to say that, at this stage, it’s too late for you to do much of anything. At this stage, the enterprise is in recovery mode, not security mode.

Availability of backups is a critical part of the payment calculus. Unfortunately, the ransom payment has little bearing on the total financial damage that the attack will inevitably cause. Research suggests that ransom payments account for 10% of the actual damage to victims. The other 90% is a cost borne by the victim, regardless of how profitable the exchange was for the attacker.

The True Cost of Ransomware
Payment data source: Sophos State of Ransomware 2021

Modern Ransomware Kill Chain in the Midgame

Your best chance to protect your customers and organization, avoid paying the ransom, and maintain your reputation is to build defenses that interrupt attackers in the midgame.

The number one resource that advanced attackers have on their side is the ability to slink around your environment, just out of sight. Therefore, a defensive strategy in the midgame must include the ability to shine a light on the dark corners where they’re hiding and living off of the land.

The good news is, attackers are not the type to stay in place. Their shameless drive for profit means that they’re regularly moving around, looking for meaty data to steal and dangle over you. Hidden in their greed is your opportunity. They’re walking around your network. You have ownership and visibility over your environment, and if you’re watching for the midgame tactics, you’ll find your guy.

Detection and Response Options

Stopping intruders is the function of detection and response, which is why Gartner calls the combination of endpoint data, logs, and network data the SOC Visibility Triad.

Traditionally, security operations centers (SOCs) have relied heavily on endpoint detection and response (EDR) and security information and event management (SIEM) tools for incident management and response. But those tools don’t provide the real-time visibility into east-west traffic that is essential for spotting the ransomware midgame.

EDR has come a long way from an easily evaded anti-virus tool and plays an important part in preventing initial access. But as the leaked Conti playbook reminds us, attackers evade EDR or avoid managed endpoints altogether. Exclusive dependence on EDR leads to extensive coverage gaps across servers, IoT, third-party systems, and other unmanaged endpoints. Equally, SIEM technology offers essential security controls, including alerting, compliance, and dashboarding, but the fuzzy view from logs presents limited actionable insight for responding to laterally moving intruders.

The network, specifically network detection and response (NDR) solutions, is the missing piece of the triad, with the data needed to stop a ransomware attack in the midgame before the attackers spring their trap.

The Efficacy of Midgame Defense for Ransomware

ExtraHop Reveal(x) 360 NDR

Preventing initial moves by ransomware actors may not be possible, but with Reveal(x) 360, defenders can stop intruders in their midgame before they can do real damage. Reveal(x) 360 detects ransom-driven intruders as they pivot through the victim’s IT infrastructure, enumerating targets, escalating domain privileges and phoning home—before they compromise network data stores to demand ransom.

With the Reveal(x) 360 integrated forensics workflow—built on 90 days of continuous traffic record lookback and a modularly scalable PCAP repository—defenders can quickly pinpoint the root cause and scope all exploited assets and compromised data. With these ground-truth packet insights, defenders can eradicate intruder residue, close security gaps to prevent ransomware recurrence, and move on to recovery confidently.

When They’re Already Inside the Walls: How to Detect and Stop Lateral Movement

You already have security tools meant to prevent attackers from getting into your environment, but what happens after they compromise one of your systems? It could happen many ways, and wise security professionals know that good defenses must include methods to detect and stop advanced threats.

The good news is that in many cases, attackers’ beachhead isn’t in the part of the network where they need to be. They must move laterally within the environment to access valuable data, jumping from system to system until they reach their target.

ExtraHop Reveal(x) detects lateral movement behavior on the network, like an attacker escalating their network privileges.

Stopping Lateral Movement

Last year, it was disclosed that a national space agency’s Jet Propulsion Lab suffered a data breach. The report on the incident noted that network segmentation would have helped to prevent the attackers from moving laterally within the environment. That’s absolutely true, but it’s also true that network segmentation is difficult to set up and maintain, and it can be a hindrance to doing business.

Besides stopping lateral movement with segmentation, organizations should also be trying to detect this type of post-compromise activity. Privilege escalation, discovery, and lateral movement are all stages of the MITRE ATT&CK framework that require attackers to communicate on the network. This gives you many opportunities to detect attackers as they reconnoiter your network, move from system to system, and attempt to escalate their privileges.

Many of the techniques in the MITRE ATT&CK framework rely on network communications inside the network. ExtraHop Reveal(x) maps detections to the MITRE ATT&CK framework, including those for lateral movement.

To evaluate how well you are stopping lateral movement in your environment, ask yourself these questions:

  • What network controls do I have in place to discover and limit device activity?
  • What percentage of my environment is covered by log and endpoint data?
  • How do I track normal and abnormal account activity?

Detecting Post-Compromise Activity

Once attackers compromise an initial system and steal credentials, they can use native functionality to stealthily reconnoiter the environment and move from computer to computer until they find their target. To detect this type of stealthy lateral movement inside the east-west corridor, cybersecurity teams need to be able to examine—in great detail and with tremendous skepticism—seemingly legitimate activity from their internal systems.

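The two paragraphs above describe what to look for; as an added example (not Reveal(x) or any other ExtraHop code), the Python below shows the shape of those checks over a handful of constructed east-west flow records. It flags three network footprints of discovery and lateral movement: an admin-protocol connection between a source and destination never seen in a learning-period baseline, admin protocols between two hosts in the workstation subnet, and one source fanning out to several internal hosts on admin ports within a short window. The subnets, ports, thresholds and flow format are assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Destination ports whose east-west use normally means administration, or an
# intruder imitating an administrator. Names are for reporting only.
ADMIN_PORTS = {22: "SSH", 135: "MS-RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM"}
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption for this example: user workstations live in 10.20.0.0/16, so
# admin-protocol traffic between two hosts in that range is unexpected.
WORKSTATIONS = ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse constructed 'ISO-timestamp src dst dport' records, skipping malformed ones."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return sorted(flows, key=lambda f: f.ts)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect_lateral_movement(flows, baseline, window=timedelta(minutes=5), fanout_threshold=4):
    """Return (kind, src, detail) findings in order of first occurrence, without duplicates.

    baseline: set of (src, dst, dport) admin-protocol triples seen during a learning period.
    """
    findings, seen = [], set()
    recent = defaultdict(deque)  # src -> (ts, dst) admin contacts inside the sliding window
    fanout_note = f"{fanout_threshold}+ distinct hosts within {int(window.total_seconds() // 60)} min"

    def add(kind, src, detail):
        key = (kind, src, detail)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    for f in flows:
        if f.dport not in ADMIN_PORTS or not (is_internal(f.src) and is_internal(f.dst)):
            continue  # only east-west admin-protocol traffic is of interest here
        svc = f"{f.dst}:{ADMIN_PORTS[f.dport]}"
        # 1. A source/destination/service triple never seen during the baseline period.
        if (f.src, f.dst, f.dport) not in baseline:
            add("new_admin_peer", f.src, svc)
        # 2. Workstation-to-workstation administration, which most environments never need.
        if ip_address(f.src) in WORKSTATIONS and ip_address(f.dst) in WORKSTATIONS:
            add("workstation_to_workstation", f.src, svc)
        # 3. Fan-out: one source reaching many internal hosts on admin ports in a short
        #    window, the network footprint of discovery and lateral movement.
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:
            q.popleft()
        if len({dst for _, dst in q}) >= fanout_threshold:
            add("admin_fanout", f.src, fanout_note)
    return findings


# Constructed baseline: the jump host administers the server over RDP, and the
# workstation uses the file server over SMB every day.
BASELINE = {("10.0.1.5", "10.10.0.20", 3389), ("10.20.5.17", "10.10.0.20", 445)}

# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    "2022-02-24T09:00:01 10.0.1.5 10.10.0.20 3389",   # jump host -> server, in baseline
    "2022-02-24T09:00:05 10.20.5.17 10.10.0.20 445",  # workstation -> file server, in baseline
    "2022-02-24T09:01:00 10.20.5.17 10.20.5.40 445",  # workstation -> workstation SMB
    "2022-02-24T09:01:20 10.20.5.17 10.20.5.41 445",
    "2022-02-24T09:01:40 10.20.5.17 10.20.5.42 445",  # fourth distinct host: fan-out
    "2022-02-24T09:02:00 10.20.5.17 10.10.0.30 5985", # new WinRM peer on a server
    "2022-02-24T09:02:10 10.20.5.17 8.8.8.8 445",     # not east-west, ignored
    "2022-02-24T09:02:30 10.20.5.17 10.10.0.20 443",  # not an admin port, ignored
    "garbage line",                                    # malformed, skipped by the parser
]


def analyze_sample():
    return detect_lateral_movement(parse_flows(SAMPLE_FLOWS), BASELINE)


if __name__ == "__main__":
    for kind, src, detail in analyze_sample():
        print(f"{kind:26} {src:12} {detail}")
```

Each of the three checks is weak alone (a new helpdesk laptop trips the baseline rule, a vulnerability scanner trips the fan-out rule), which is why the findings are grouped per source: several kinds firing for the same host inside a few minutes is the pattern worth an analyst's time, and the baseline set should be refreshed from known-good traffic rather than hand-maintained.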
ExtraHop Reveal(x) specializes in detecting post-compromise activity like network reconnaissance, privilege escalation, and lateral movement.

Reveal(x) can:

Watch the video above to see how, then try our demo to see how Reveal(x) can detect threats like lateral movement that other tools miss.

ExtraHop Introduces New Proactive Threat Hunting and Network Assurance Services

Expanded Reveal(x) Advisor services help organizations proactively manage cybersecurity hygiene and accelerate incident response

SEATTLE – October 5, 2021 – ExtraHop, the leader in cloud-native network detection and response (NDR), today announced expanded Reveal(x) Advisor services that provide threat detection and hunting capabilities alongside network assurance analysis. Reveal(x) Advisor provides dedicated ExtraHop threat analysts and security advisors that deliver timely and precise analysis of priority detections, hunt the network for indicators of current or future compromise, and continually probe for vulnerabilities, such as outdated protocol use or shadow IT.

Security teams are overwhelmed by threat volume and staff shortages. They barely have time to respond to priority alerts, let alone think proactively about their cybersecurity hygiene strategy. The Ponemon Institute shared that 60% of organizations that had a breach found the root cause to be a known vulnerability with a patch available. Reveal(x) Advisor addresses these challenges by helping customers assess their cybersecurity maturity, clear their alert queues, and proactively hunt for threat activity across workloads.

“The sophistication of attacks combined with fierce competition for security talent has convinced many organizations to turn to professional and managed services. Services like Reveal(x) Advisor from ExtraHop can help organizations increase their cybersecurity maturity, especially when combined with customizable network assurance and threat hunting, as well as proactive advisory services around security posture and approach,” said Christina Richmond, Program Vice President for Security Services, IDC.

“Reveal(x) Advisor accelerates threat readiness and response through enhanced identification, protection, detection, and network preparation,” said Mark Bowling, VP of Security Services, ExtraHop. “It prevents network intrusions and compromises by working with the enterprise to take action before the first alert to provide threat-free network assurance. If there are indications of intrusion, Reveal(x) Advisor provides a near-immediate response based on network indicators.”

New services include:

  • Network assurance: Proactive analysis and review of critical assets to identify known vulnerabilities, SSL hygiene, exposure risks, unauthorized devices, shadow applications, and anomalous network behaviors that could be exploited.
  • On-demand expertise from Security Advisors: Custom working sessions with ExtraHop Security Advisors teach users to reduce attack surfaces, identify high-risk protocols, and optimize system efficiency while maturing cybersecurity posture.
  • Proactive threat hunting: ExtraHop threat analysts, using the MITRE ATT&CK framework, search and explore the network, system alerts, and transmission data to identify malicious, suspicious, and at-risk actions that have, thus far, avoided detection.

ExtraHop’s Reveal(x) 360 SaaS NDR offering combined with Advisor services helps organizations around the world improve their security posture, modernize cyber defenses, and address the talent shortage in cybersecurity. All Reveal(x) Advisor services are available today.

Things That Go Bump in the Network: Part II

Just When You Thought it was Safe to Fly

Airplanes seem like magic: a giant metal bird launching itself off the ground with powerful jets. They travel faster than anything on the ground and allow us to navigate a globe with ease and reliability. But with giant metal power comes giant metal responsibility. For one company, the responsibility came in the form of selling tickets for humans who wish to travel.

One day, this organization learned that the dream of filling seats can turn into a nightmare in an instant.

Humans aren’t the only “people” who wish to travel. The organization discovered, to their horror, that their searches were getting consumed from the inside by automated horrors. Bot domination was upon us!

These robots move faster than humans. They’re capable of performing hundreds of searches in a single minute, vastly outpacing a regular, carbon-based traveler. These clanky tinkerers searched the ticketing site at record speeds, and not just for themselves. They’d search for one, two, and three “people.” Tickets tomorrow, for next week, for… ever!

The organization was lost in a robotic maelstrom. Even when they managed to block offenders by IP, these evil enigmas would simply pop up somewhere else and in greater numbers, like a metal hydra growing more and more heads.

The company tried sniffing out the influx of attackers, but the robots were clever enough and fast enough to sneak past manual log analysis and continue their proliferation. The company was trapped, forced to choose between “send all traffic in the clear” and “just deal with it.” They were facing the losing end of the bots’ quest for global takeover. Luckily for them, there was a better plan.

The company sought help from ExtraHop, who holds one of the most powerful metal detectors in the world: Reveal(x). At first, they started by manually identifying unwanted “people” from their search, but the robots were swift and evasive. The ticketing site regrouped and transformed Reveal(x) into a bigger, bot-annihilating weapon: They automated their hunt by integrating Reveal(x) into the organization’s load balancer.

Once inside, Reveal(x) was able to see everything in real time, and could simply dump inbound requests from any bot searching more than 100 times per minute. Humans prevailed! The robotic takeover was halted at last!
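The rule in that paragraph is a rate limit keyed on the requesting client. As an added example (not the Reveal(x) load-balancer integration and not ExtraHop code), the Python below implements it as a per-client sliding-window counter that drops a client's searches once it has made 100 in any 60-second window, and replays a constructed access log through it: one human making a search every twelve seconds, one bot making 150 in half a minute. The log format, the addresses (documentation range) and the traffic shape are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 100                   # searches per client per window, the ceiling used in the story
WINDOW = timedelta(minutes=1)


class SlidingWindowLimiter:
    """Per-client sliding-window counter.

    Every attempt is counted, allowed or not, so a client that keeps hammering stays
    blocked until it slows down; only timestamps inside the window are retained.
    """

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self._attempts = defaultdict(deque)  # client -> attempt timestamps within the window

    def allow(self, client, ts):
        """Return True if the request at time ts may proceed, False if it should be dropped."""
        q = self._attempts[client]
        while q and ts - q[0] >= self.window:
            q.popleft()                      # forget attempts that have aged out of the window
        allowed = len(q) < self.limit
        q.append(ts)
        return allowed


def parse_requests(lines):
    """Constructed format 'ISO-timestamp client METHOD path'; returns (ts, client, path) sorted by time."""
    reqs = []
    for line in lines:
        ts, client, _method, path = line.split(maxsplit=3)
        reqs.append((datetime.fromisoformat(ts), client, path))
    return sorted(reqs)


def enforce(reqs, limiter):
    """Replay requests through the limiter; return per-client allowed/dropped counts."""
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, client, _path in reqs:
        stats[client]["allowed" if limiter.allow(client, ts) else "dropped"] += 1
    return dict(stats)


def build_sample_log():
    """Constructed access log: a human (203.0.113.7) searching 5 times in a minute and a
    bot (203.0.113.200) searching 150 times in 30 seconds. Addresses are documentation-range values."""
    t0 = datetime(2021, 10, 29, 9, 0, 0)
    lines = [
        f"{(t0 + timedelta(seconds=12 * i)).isoformat(timespec='milliseconds')} "
        f"203.0.113.7 GET /search?from=SEA&to=JFK"
        for i in range(5)
    ]
    lines += [
        f"{(t0 + timedelta(milliseconds=200 * i)).isoformat(timespec='milliseconds')} "
        f"203.0.113.200 GET /search?from=SEA&to=JFK&pax={1 + i % 3}"
        for i in range(150)
    ]
    return lines


def run_sample():
    return enforce(parse_requests(build_sample_log()), SlidingWindowLimiter())


def window_resets(limit=2, window_seconds=10):
    """Show that quota returns once attempts age out: the allow/deny sequence for
    attempts at t, t+1s, t+2s and t+11s under a small limit."""
    lim = SlidingWindowLimiter(limit=limit, window=timedelta(seconds=window_seconds))
    t0 = datetime(2021, 10, 29, 9, 0, 0)
    return [lim.allow("c", t0 + timedelta(seconds=s)) for s in (0, 1, 2, 11)]


if __name__ == "__main__":
    for client, counts in run_sample().items():
        print(f"{client:15} allowed={counts['allowed']:4} dropped={counts['dropped']:4}")
    print("small-window sequence:", window_resets())
```

A fixed-minute bucket would let a bot place 100 requests at the end of one minute and 100 more at the start of the next, which is why the window slides with each request. Keying on the source address alone is also what let the bots in the story reappear from new addresses, so in practice the `client` key is better built from whatever stable attribute the load balancer can see (a session or API token where one exists) than from the IP by itself.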

Before Reveal(x), the company paid a high price for the influx of robots. These metal monsters were filling searches without paying, which caused actual bookings to plummet, costing the org its bottom line. But once they armed themselves with Reveal(x) to fight the vast and ever-growing army of robots, they reclaimed the advantage and defeated their foe.

Got a scary story of your own you’d like to share? Thrill us with your tale and get a treat sent your way!