Abstract
Over the past few years, the problem of protecting against automated targeted attacks has become acute in the information security market. In the original sense, a targeted attack was the result of long, professional work by an organized group of cybercriminals aimed at obtaining expensive critical data. Today, against the background of technological development and the popularity of open forums (for example, GitHub, Reddit) and the Darknet, which provide malware source code and describe step by step how to modify it (so that signature-based analysis cannot detect it) and how to infect hosts, carrying out such an attack has become much simpler. For a successful attack with disastrous consequences for the owners of automated and information systems, a fairly unqualified user with enough enthusiasm to work through the material available on the Internet / Darknet is sufficient.
The motive for such criminal activity is profit. The simplest, and therefore the most common, method is to infect network hosts with malware of the Ransomware type. Over the past two years its popularity has been growing rapidly:
- in 2016, the number of known types (families) of ransomware Trojans increased by 752%: from 29 types in 2015 to 247 by the end of 2016 (according to TrendLabs);
- through ransomware, attackers "earned" $1 billion in 2016 (according to CSO);
- in the first quarter of 2017, 11 new families of ransomware Trojans and 55,679 modifications appeared. For comparison, in the second to fourth quarters of 2016, 70,837 modifications appeared (according to Kaspersky Lab).
In early 2017, the leading manufacturers of information security products (Kaspersky Lab, McAfee Labs, SophosLabs, Malwarebytes Labs, TrendMicro, etc.) named Ransomware one of the main threats to information security for government and commercial organizations of all fields of activity and sizes. As history shows, they were not mistaken:
- January 2017. 70% of the public-order video surveillance cameras in Washington were infected on the eve of the presidential inauguration. To eliminate the consequences, the cameras were dismantled, reflashed or replaced;
- February 2017. All municipal services of Ohio County (USA) were shut down for more than a week due to mass encryption of data on users' servers and workstations (over 1000 hosts);
- March 2017. Shutdown of the systems of the Pennsylvania State Capitol (USA) due to an attack that blocked access to the data of its information systems;
- May 2017. The large-scale attack of the WannaCry encryptor (WanaCrypt0r 2.0), which as of 06/26/2017 had affected more than 546 thousand Windows-based computers and servers in more than 150 countries. In Russia, computers and servers of such large organizations as the Ministry of Health, the Ministry of Emergency Situations, Russian Railways, the Ministry of Internal Affairs, Megafon, Sberbank and the Bank of Russia were infected. There is still no universal decryptor (methods of recovering data on Windows XP have been published). According to experts, the total damage from the virus exceeds $1 billion;
- May 2017 (one week after the start of the WannaCry attack). The large-scale attack of the XData encryptor, which exploits the same SMBv1 vulnerability as WannaCry (EternalBlue) and infected the corporate segment of Ukraine (96% of infected computers and servers are in Ukraine), spreading 4 times faster than WannaCry. The encryption key has since been published and decryptors for the victims have been released;
- June 2017. The network of one of the largest universities in the world, University College London, was hit by a large-scale ransomware attack. The attack aimed to block access to shared network storage and the automated student management system. It was timed for the pre-examination and graduation period, when students who keep their theses on the university's file servers are more likely to pay the fraudsters to get their work back. The amount of encrypted data and the number of victims have not been disclosed.
There are many cases of targeted attacks infecting systems with Ransomware. The attackers' main targets are systems based on the Windows OS family; however, there are versions of Ransomware for UNIX / Linux, MacOS, and the iOS and Android mobile platforms as well.
As ransomware develops, means to counter it appear as well. First of all, this is the open project No More Ransom! (www.nomoreransom.org), which provides victims with tools to decrypt data (where the encryption key has been disclosed); secondly, specialized open-source tools for protection against encryptor viruses. But these either analyze software behaviour by signatures and cannot detect an unknown virus, or block the malware only after it has already affected the system (encrypting part of the data). Specialized open-source solutions are suitable for Internet users on personal / home devices; large organizations that process large amounts of information, including critical data, need comprehensive proactive protection against targeted attacks.
Proactive protection against targeted attacks and ransomware
Consider the possible vectors of access to the protected information located on the server or the automated workplace of the user:
- The impact on the perimeter of the local area network from the Internet is possible through:
- corporate email;
- web traffic, including webmail;
- perimeter router / firewall;
- third-party (unincorporated) Internet access gateways (modems, smartphones, etc.);
- secure remote access systems.
- Impact on servers and users' workstations over the network:
- download of malware to endpoints / servers at their own request;
- use of undocumented features (vulnerabilities) of system / application software;
- download of malware via an encrypted VPN channel not controlled by the IT and information security services;
- connection of illegitimate devices to the local network.
- Direct impact on information on servers and users' workstations:
- connection of external storage media carrying malware;
- creation of malware directly on the endpoint / server.
To reduce the likelihood of threats for each type of access to protected information, it is necessary to implement a set of organizational and technical information protection measures, a list of which is shown in Figure 1.
Figure 1. Proactive protection measures against targeted attacks and ransomware
Organizational protection measures against targeted attacks and ransomware
The main organizational measures for proactive protection against targeted attacks and Ransomware include:
- Raising awareness of employees in the field of information security.
It is necessary to regularly train employees and inform them about possible threats to information security. The minimum necessary measure is establishing principles of working with files and mail:
o do not open files with a double extension; configure the display of file extensions for users so that malicious files with double extensions can be identified (for example, 1Record.xlsx.scr);
o do not enable macros in untrusted Microsoft Office documents;
o check the addresses of the senders of mail messages;
o do not open links to web pages or email attachments from unknown senders.
- Evaluating the effectiveness of protection, both within the organization and with the involvement of external specialists.
The effectiveness of staff training should be evaluated by modeling attacks, both internally and with the participation of external specialists: carrying out penetration tests, including by the method of social engineering.
- Regular updating of system software (Patch Management).
To prevent malware attacks on target systems through known vulnerabilities, it is necessary to ensure timely testing and installation of system and application software updates, prioritized by the criticality of the updates.
- Systematic data backup.
It is necessary to regularly back up critical data of information system servers, data storage systems and user workstations (where critical data is stored on them). Backups should be stored in tape libraries, on removable media (provided that the medium is not permanently connected to the workstation or server), and in cloud backup systems and storage facilities.
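The double-extension rule from the employee guidance above (1Record.xlsx.scr) and the blocking of attachment types at the mail gateway described under the network measures can both be expressed as a small filename policy. The Python below is an added example, not code from the article or from any mail filtering product: the blocked extension list is the one the article names, while the decoy-extension list, the function names and the sample filenames are assumptions constructed for the demonstration.

```python
"""Mail attachment policy: blocked extensions and double extensions.

Added example, not from the original article. BLOCKED_EXTENSIONS is the list
the article gives; DECOY_EXTENSIONS and the sample filenames are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Attachment types the article suggests blocking at the mail gateway.
BLOCKED_EXTENSIONS = {"js", "vbs", "exe", "scr", "apk", "lnk"}

# Harmless-looking first extensions typically used to disguise a payload
# (assumption: a short demo list, extend it to the organisation's needs).
DECOY_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "jpg", "png"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    allowed: bool
    reason: str


def extension_chain(filename: str) -> list[str]:
    """Return all extensions of a filename in order, lower-cased and with
    surrounding whitespace removed, e.g. '1Record.xlsx.scr' -> ['xlsx', 'scr'].
    A leading dot (hidden file) is not treated as an extension separator."""
    name = filename.strip().lstrip(".")
    parts = [p.strip().lower() for p in name.split(".")]
    return parts[1:] if len(parts) > 1 else []


def check_attachment(filename: str) -> Verdict:
    """Apply the two rules: the final extension must not be on the block list,
    and a decoy document extension must not be followed by another extension."""
    exts = extension_chain(filename)
    if not exts:
        return Verdict(filename, True, "no extension")
    final = exts[-1]
    if final in BLOCKED_EXTENSIONS:
        return Verdict(filename, False, f"blocked extension .{final}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        return Verdict(filename, False, f"double extension .{exts[-2]}.{final}")
    return Verdict(filename, True, "ok")


def blocked_attachments(filenames: list[str]) -> list[Verdict]:
    """Verdicts for every attachment of a message that would be blocked."""
    blocked = []
    for name in filenames:
        verdict = check_attachment(name)
        if not verdict.allowed:
            blocked.append(verdict)
    return blocked


# Constructed sample message: a legitimate report, the article's double-extension
# example, a double extension whose last part is not on the block list, a name
# padded with spaces to hide the real extension, a plain executable, an archive.
SAMPLE_ATTACHMENTS = [
    "Q3_report.docx",
    "1Record.xlsx.scr",
    "report.xlsx.bat",
    "invoice.pdf                 .exe",
    "Setup.EXE",
    "logs.tar.gz",
    "README",
]

if __name__ == "__main__":
    for v in blocked_attachments(SAMPLE_ATTACHMENTS):
        print(f"BLOCK {v.filename!r}: {v.reason}")
```

The padded-name case is why each part of the chain is stripped before comparison: a gateway that only looks at the last few characters of a name, or that does not normalise case, lets "Setup.EXE" and the padded invoice through.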
Technical measures for protection against targeted attacks and ransomware
Technical measures of proactive protection against targeted attacks and Ransomware are taken at the network level and at the host level.
Network Proactive Protection Measures
- Use of email filtering systems that analyze mail traffic for unwanted messages (spam), links and attachments, including malicious ones (for example, blocking JavaScript (.js) and Visual Basic Script (.vbs) files, executables (.exe), screensaver files (.scr), Android packages (.apk) and Windows shortcut files (.lnk)).
- Use of content filtering systems for web traffic, which differentiate and control user access to the Internet (including by inspecting SSL/TLS traffic through substitution of the server certificate), analyze streaming traffic for malicious programs, and restrict user access to web content.
- Use of protection systems against targeted and zero-day attacks (sandboxes), which provide heuristic and behavioral analysis of potentially dangerous files in an isolated environment before a file is delivered to the protected information systems. Such systems should be integrated with web traffic content filtering and e-mail filtering systems to block malicious attachments. They are also integrated with information systems inside the network perimeter to detect and block complex attacks on critical resources and services.
- Control of access to the corporate network at the wired and wireless level using 802.1x. This measure excludes unauthorized connection of illegitimate devices to the corporate network and makes it possible to check compliance with corporate policies when a device joins the organization's network (presence of anti-virus software, current signature databases, presence of critical Windows updates). Access control to the corporate network using 802.1x is provided by NAC (Network Access Control) class systems.
- Elimination of direct interaction of external users with the resources of corporate information systems by means of intermediate access gateways with corporate information protection tools layered on top (terminal server, VDI desktop virtualization system), including the ability to record external users' actions as video or text session recordings. The measure is implemented using terminal access systems and PUM (Privileged User Management) class systems.
- Segmentation of the network according to the principle of minimum sufficiency, eliminating redundant network permissions and limiting the spread of malware within the corporate network if one of the servers / user workstations / virtual machines is infected. Such a measure can be implemented using firewall policy analysis systems (NCM / NCCM, Network Configuration (Change) Management), which centrally collect firewall policies and settings and process them to automatically issue recommendations for optimization and to monitor changes in firewall policies.
- Detection of network interaction anomalies using specialized NBA & NBAD class solutions (Network Behavior Analysis, Network Behavior Anomaly Detection), which collect and analyze information about data flows and profile the traffic of each network host to detect deviations from its "normal" profile. This class of solutions reveals:
o scanning of its environment by an infected host;
o the infection vector;
o the state of a host: "scanned", "infected and scans others";
o unidirectional flows;
o abnormal flows;
o virus epidemics;
o distributed attacks;
o the picture of existing flows.
- Disconnecting infected hosts (workstations, servers, virtual machines, etc.) from the network. This measure applies once at least one host on the corporate network is infected and the outbreak must be localized and its spread prevented. Hosts can be disconnected from the network both by IT and information security administrators and automatically when threats are detected on a protected host (by correlating security events and configuring automated actions to block all network activity on the host / disconnect the host from the network at the switch level, etc.).
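The firewall policy analysis mentioned under network segmentation above can be illustrated with a small rule checker. This Python script is an added example, not code from the article or from any NCM / NCCM product; it reports three of the problems such systems flag: permit-any rules, rules that allow SMB (tcp/445, the port used by the WannaCry / XData propagation described earlier) from any source, and rules shadowed by an earlier broader rule so that they can never match. The Rule format and the sample policy are assumptions constructed for the demonstration.

```python
"""Firewall policy analysis: permit-any rules, broad SMB exposure, shadowed rules.

Added example, not from the article or any NCM / NCCM product. The Rule
format and SAMPLE_POLICY are constructed for the demonstration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR network or "any"
    dst: str     # CIDR network or "any"
    dport: str   # destination port as a string, or "any"
    action: str  # "allow" or "deny"


def net_covers(a: str, b: str) -> bool:
    """True if address set a contains address set b ("any" contains everything)."""
    if a == "any":
        return True
    if b == "any":
        return False
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    return na.version == nb.version and nb.subnet_of(na)


def port_covers(a: str, b: str) -> bool:
    return a == "any" or a == b


def rule_covers(broad: Rule, narrow: Rule) -> bool:
    """Every packet matched by `narrow` is also matched by `broad`."""
    return (net_covers(broad.src, narrow.src)
            and net_covers(broad.dst, narrow.dst)
            and port_covers(broad.dport, narrow.dport))


def analyse(policy: list[Rule]) -> list[str]:
    """Walk the ordered rule list (first match wins) and report findings."""
    findings: list[str] = []
    for i, rule in enumerate(policy):
        if rule.action == "allow" and (rule.src, rule.dst, rule.dport) == ("any", "any", "any"):
            findings.append(f"{rule.name}: permit-any rule")
        elif rule.action == "allow" and rule.dport == "445" and rule.src == "any":
            findings.append(f"{rule.name}: SMB (445) allowed from any source")
        # Shadowing: an earlier rule already matches everything this rule matches,
        # so this rule is never reached (dangerous when it was meant to deny).
        for earlier in policy[:i]:
            if rule_covers(earlier, rule):
                findings.append(f"{rule.name}: shadowed by {earlier.name}")
                break
    return findings


# Constructed sample policy: user segment 10.10.0.0/24, server segment 10.20.0.0/24.
SAMPLE_POLICY = [
    Rule("r1", "10.10.0.0/24", "10.20.0.0/24", "443", "allow"),
    Rule("r2", "10.10.0.0/24", "10.20.0.5/32", "445", "allow"),   # one file server only
    Rule("r3", "10.10.0.0/24", "10.20.0.10/32", "443", "allow"),  # redundant: inside r1
    Rule("r4", "any", "any", "445", "allow"),                    # SMB reachable from everywhere
    Rule("r5", "any", "any", "any", "allow"),                    # permit-any
    Rule("r6", "10.30.0.0/24", "10.20.0.0/24", "22", "deny"),    # never reached because of r5
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_POLICY):
        print(line)
```

Rule r2 is what "minimum sufficiency" looks like for SMB: one user segment to one file server on one port. Rules r4 and r5 are the kind of permissions that let an encryptor reach every host in the network from a single infected workstation.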
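The flow-based detections in the list above (unidirectional flows, a host scanning its environment, and the host states "scanned" and "infected and scans others") can be reproduced on NetFlow-like records. The Python below is an added example rather than code from the article or from any NBAD product: the Flow record layout, the thresholds WINDOW and SCAN_PEERS, and the baseline and incident flow sets are assumptions constructed for the demonstration. The baseline period gives each host its "normal" fan-out; a scan is a window in which a host reaches many more distinct destinations on one port than that baseline, and a host that was probed before it started scanning is classed as infected.

```python
"""NBAD-style flow analysis: per-host profile, unidirectional flows, scan detection.

Added example, not from the article or any NBAD product. The Flow layout,
the thresholds and all flow records below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since start of capture
    src: str
    dst: str
    dport: int
    bytes_fwd: int  # bytes src -> dst
    bytes_rev: int  # bytes dst -> src; 0 means the peer never answered


WINDOW = 60       # profiling window in seconds
SCAN_PEERS = 10   # distinct destinations on one port per window that count as a scan


def unidirectional(flows: list[Flow]) -> list[Flow]:
    """Flows with no return traffic, typical of probing closed or absent hosts."""
    return [f for f in flows if f.bytes_rev == 0]


def build_profile(baseline: list[Flow]) -> dict[str, int]:
    """Per-host 'normal' fan-out: the most distinct destinations seen in any window."""
    per_window: dict[tuple[str, int], set[str]] = defaultdict(set)
    for f in baseline:
        per_window[(f.src, f.ts // WINDOW)].add(f.dst)
    profile: dict[str, int] = {}
    for (src, _), dsts in per_window.items():
        profile[src] = max(profile.get(src, 0), len(dsts))
    return profile


def detect_scans(flows: list[Flow], profile: dict[str, int]) -> dict[str, tuple[int, int, int]]:
    """Return {src: (dport, first_ts, n_dsts)} for hosts whose fan-out on a single
    port inside one window reaches SCAN_PEERS and is at least 3x their baseline."""
    buckets: dict[tuple[str, int, int], set[str]] = defaultdict(set)
    first_ts: dict[tuple[str, int, int], int] = {}
    for f in flows:
        key = (f.src, f.dport, f.ts // WINDOW)
        buckets[key].add(f.dst)
        first_ts[key] = min(first_ts.get(key, f.ts), f.ts)
    scans: dict[str, tuple[int, int, int]] = {}
    for key, dsts in buckets.items():
        src, dport, _ = key
        if len(dsts) >= SCAN_PEERS and len(dsts) >= 3 * max(profile.get(src, 0), 1):
            if src not in scans or first_ts[key] < scans[src][1]:
                scans[src] = (dport, first_ts[key], len(dsts))
    return scans


def classify_hosts(flows: list[Flow], profile: dict[str, int]) -> dict[str, str]:
    """'scanned' = probed by a scanning host; 'infected and scans others' = probed
    first and scanning afterwards; 'scans others' = scanning without a prior probe
    (candidate patient zero, i.e. the infection vector)."""
    scans = detect_scans(flows, profile)
    first_probed: dict[str, int] = {}
    for f in flows:
        if f.src in scans and f.dport == scans[f.src][0]:
            first_probed[f.dst] = min(first_probed.get(f.dst, f.ts), f.ts)
    state = {dst: "scanned" for dst in first_probed}
    for src, (_, t0, _) in scans.items():
        probed_before = src in first_probed and first_probed[src] < t0
        state[src] = "infected and scans others" if probed_before else "scans others"
    return state


# Constructed baseline: 10.0.0.5 talks to its two file servers every minute.
BASELINE_FLOWS = [Flow(t, "10.0.0.5", d, 445, 4000, 9000)
                  for t in range(0, 600, 60) for d in ("10.0.1.10", "10.0.1.11")]

# Constructed incident: 10.0.0.5 sweeps its /24 on tcp/445, only 10.0.0.12 answers,
# and 10.0.0.12 then sweeps the next segment in the same way.
INCIDENT_FLOWS = [Flow(1000 + i, "10.0.0.5", f"10.0.0.{n}", 445, 300, 5000 if n == 12 else 0)
                  for i, n in enumerate(range(10, 22))]
INCIDENT_FLOWS += [Flow(1100 + i, "10.0.0.12", f"10.0.2.{i + 1}", 445, 300, 0)
                   for i in range(12)]

if __name__ == "__main__":
    profile = build_profile(BASELINE_FLOWS)
    print("unidirectional flows:", len(unidirectional(INCIDENT_FLOWS)))
    for host, state in sorted(classify_hosts(INCIDENT_FLOWS, profile).items()):
        print(f"{host:12} {state}")
```

The output of classify_hosts is exactly what the automated disconnection measure needs: hosts in the "infected and scans others" state are candidates for isolation at the switch level, while "scanned" hosts are the ones to check next.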
Host level proactive security measures
- Protection against unauthorized access to workstations, servers and virtual machines through enhanced user authentication, monitoring the integrity of the operating system and blocking booting of the system from external media, to prevent intruders inside the network perimeter from infecting the corporate network. This measure is implemented by solutions for protection against unauthorized access / Endpoint Protection.
- Anti-virus protection on all network nodes of the organization. Anti-virus software should detect in real time the facts of virus infection of RAM, local storage media, volumes, directories and files, as well as files received via communication channels and electronic messages on workstations, servers and virtual machines, and disinfect, remove or isolate threats. Anti-virus signature databases should be updated regularly and kept current.
- Monitoring and control of software actions on protected hosts by monitoring running processes and services and heuristically analyzing their behaviour. Such a measure is implemented by HIPS (Host Intrusion Prevention System) class solutions.
- Control of the connection of external devices and blocking of unused ports on protected hosts to exclude connection of unauthorized devices: both storage media carrying potentially malicious programs and external Internet access gateways (for example, a 4G modem) that provide an unmonitored and unprotected channel to the Internet. This measure is implemented by solutions for protection against unauthorized access / Endpoint Protection.
- Providing advanced protection of hosts using behavioral analysis of the functioning of processes on protected hosts, machine learning, heuristic file analysis, application control, protection against exploits to detect and block unknown threats (zero-day threats) in real time. This measure is implemented by solutions of the NGEPP (Next Generation Endpoint Protection) class.
- Use of agent-based solutions for protection against ransomware that encrypts data on an infected host. These include:
o Effective systems of protection against targeted and zero-day attacks with a client-server architecture. The client software is installed on the protected host; it protects in real time against zero-day threats and viruses that encrypt data in the system, restores encrypted data (if the agent was present before the infection attempt), removes the ransomware Trojan and protects against phishing attacks. The client software controls all access channels to the host: web traffic, removable media, e-mail, LAN access, and malware in encrypted traffic (VPN).
o Publicly available client systems for protection against zero-day threats (sandboxes): Sandboxie, Cuckoo Sandbox, Shadow Defender, etc.
o Client protection systems against zero-day threats based on micro-virtualization (Bromium vSentry), which provide behavioral analysis of potentially harmful files in a hardware-isolated environment (micro-virtual infrastructure).
- Firewalling at the host level using software firewalls to limit access to corporate network resources, limit the spread of malware if a host is infected, and block unused network ports and protocols.
Other measures to protect against ransomware viruses
In addition to the measures listed above, the following can help prevent a targeted attack in the corporate network:
- Regular analysis of IT infrastructure security: scanning network nodes for known vulnerabilities in system and application software. This measure ensures timely detection of vulnerabilities and allows them to be eliminated before attackers exploit them. A security analysis system also solves the task of monitoring network devices and devices connected to users' workstations (for example, a 4G modem).
- Collection and correlation of events based on SIEM systems, which allows a comprehensive approach to detecting ransomware in the network, since this method provides a complete picture of the company's IT infrastructure. The effectiveness of SIEM lies in processing events sent by various infrastructure components, including information security tools, according to correlation rules, which makes it possible to quickly identify potential incidents associated with the spread of ransomware.
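As an added example of the kind of correlation rule this paragraph describes (not code from the article or from any SIEM product), the Python below joins events from three sources (file server audit, anti-virus, network anomaly detection) per host and raises an incident when a host renames many files on a share to a new extension within a short window; corroborating alerts from the other sources around the same time raise the severity. The JSON event schema, the thresholds, the source names and the sample log lines are assumptions constructed for the demonstration.

```python
"""SIEM-style correlation of events from several sources per host.

Added example, not from the article or any SIEM product. The event schema,
thresholds and SAMPLE_LOG lines are constructed.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: int       # unix time, seconds
    source: str   # "fileserver", "av", "nbad", ...
    host: str     # workstation the event is attributed to
    kind: str     # "rename", "detect", "scan", ...
    detail: str


RENAME_THRESHOLD = 20  # renames on a share by one host ...
WINDOW = 300           # ... within this many seconds = mass encryption indicator


def parse_line(line: str) -> Event:
    """One JSON object per line, as a log collector would normalise it."""
    d = json.loads(line)
    return Event(int(d["ts"]), d["source"], d["host"], d["kind"], d.get("detail", ""))


def new_extension(detail: str) -> str:
    """'old.xlsx -> old.xlsx.locked' -> 'locked'; '' when the new name has no extension."""
    new_name = detail.split("->")[-1].strip()
    return new_name.rsplit(".", 1)[1].lower() if "." in new_name else ""


def correlate(events: Iterable[Event]) -> list[dict]:
    """Sliding-window rule: >= RENAME_THRESHOLD renames from one host within WINDOW
    seconds. Alerts from other sources around the same time make it 'critical'."""
    by_host: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    incidents: list[dict] = []
    for host, evs in by_host.items():
        renames = [e for e in evs if e.kind == "rename"]
        for i, first in enumerate(renames):
            burst = [e for e in renames[i:] if e.ts - first.ts <= WINDOW]
            if len(burst) < RENAME_THRESHOLD:
                continue
            t0, t1 = first.ts, burst[-1].ts
            corroborating = sorted({e.source for e in evs
                                    if e.kind != "rename" and t0 - WINDOW <= e.ts <= t1 + WINDOW})
            incidents.append({
                "host": host,
                "start": t0,
                "end": t1,
                "renames": len(burst),
                "new_extensions": sorted({new_extension(e.detail) for e in burst}),
                "corroborating_sources": corroborating,
                "severity": "critical" if corroborating else "high",
            })
            break  # one incident per host; the rest of the burst is the same event
    return incidents


def _constructed_log() -> list[str]:
    """Constructed sample: WS-042 renames 25 finance files to .locked in under a
    minute, then AV and the flow analyser fire; WS-007 does two ordinary renames."""
    lines = [json.dumps({"ts": 1000 + 2 * i, "source": "fileserver", "host": "WS-042",
                         "kind": "rename",
                         "detail": f"\\\\fs01\\finance\\report{i}.xlsx -> report{i}.xlsx.locked"})
             for i in range(25)]
    lines += [
        json.dumps({"ts": 1030, "source": "av", "host": "WS-042", "kind": "detect",
                    "detail": "generic ransomware detection (constructed)"}),
        json.dumps({"ts": 1045, "source": "nbad", "host": "WS-042", "kind": "scan",
                    "detail": "12 peers on tcp/445 within 60s"}),
        json.dumps({"ts": 1005, "source": "fileserver", "host": "WS-007", "kind": "rename",
                    "detail": "draft.docx -> final.docx"}),
        json.dumps({"ts": 1200, "source": "fileserver", "host": "WS-007", "kind": "rename",
                    "detail": "notes.txt -> notes_v2.txt"}),
    ]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for inc in correlate(parse_line(line) for line in SAMPLE_LOG):
        print(json.dumps(inc))
```

The rename burst alone is only "high" because bulk renames also happen legitimately (migrations, archiving scripts); the same burst with an anti-virus detection or a scan alert from the network side within the window is what justifies an automated response such as disconnecting the host.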
Prioritization of protection measures against ransomware viruses
Reliable comprehensive protection against targeted attacks is provided by a set of organizational and technical measures, which are ranked in the following groups:
- The basic set of measures necessary for all organizations to protect against targeted attacks and ransomware.
- An expanded set of measures applicable to medium and large organizations with a high value of the information processed.
- An advanced set of measures applicable to medium and large organizations with a developed IT and information security infrastructure and a high value of the information processed.
Figure 2. Prioritization of protection measures against ransomware Trojans
Ransomware protection measures for end users
The threat of infection with ransomware is also relevant for end users of the Internet, for whom individual measures to prevent infection are also applicable:
- timely installation of system software updates;
- use of antiviruses;
- timely update of anti-virus signature databases;
- use of freely available tools for protection against malware that encrypts data on a computer: RansomFree, CryptoDrop, AntiRansomware tool for business, Cryptostalker, etc. Installing this class of protection makes sense if critical data without a backup is stored on the computer and reliable anti-virus protection is already installed.
Vulnerability of mobile devices (Android, iOS)
"Smart" mobile devices (smartphones, tablets) have become an integral part of life: the number of activated mobile devices, mobile applications and the volume of mobile traffic increase every year. Where mobile phones used to store only a contact list, they are now a store of data critical to the user: photos, videos, calendars, documents, etc. Mobile devices are increasingly used in the corporate sector (annual growth of 20-30%). That is why the interest of intruders in mobile platforms is growing, in particular from the point of view of extorting money with the help of Trojans. According to Kaspersky Lab, in the first quarter of 2017 ransomware Trojans accounted for 16% of the total number of malicious programs (in the fourth quarter of 2016 this value did not exceed 5%). The largest share of mobile Trojans is written for the most popular mobile operating system, Android, but similar ones exist for iOS.
Protection measures for mobile devices:
- For corporate sector:
o use of Mobile Device Management (MDM) class systems, which control the installation of system software updates and applications and detect the presence of superuser rights;
o to protect corporate data on users' mobile devices, Mobile Information Management (MIM) class systems, which store corporate data in an encrypted container isolated from the operating system of the mobile device;
o use of Mobile Threat Prevention class systems, which control the permissions granted to applications and perform behavioral analysis of mobile applications.
- For end users:
o use official stores to install applications;
o timely update of system software;
o not visiting untrusted resources and not installing untrusted applications and services.
Conclusions
The simplicity of implementation and the low cost of organizing cyber-attacks (ransomware, DDoS, attacks on web applications, etc.) lead to an increase in the number of cybercriminals while the average technical level of an attacker decreases. As a result, the likelihood of threats to information security in the corporate sector being realized, and the need for comprehensive protection, increase dramatically.
Therefore, we at Informzaschita focus on the modern challenges of information security and ensure the protection of the client's infrastructure from the latest threats, including unknown ones. By creating and implementing complex adaptive models of countering information security threats, we know how to predict, prevent, detect and respond to cyber threats. The main thing is to do it in a timely manner.
Author: Evgeny Borodulin, Chief Architect, Informzaschita
e.borodulin@infosec.ru