Why Faster Ransomware Detection Requires Blended Security

From Accenture’s six-terabyte data breach to the Colonial Pipeline hack and the Shutterfly ransomware infection, these (and other) headline-grabbing cyber attacks have one thing in common: threat detection came too late. 

“We identified irregular activity in one of our environments […] and immediately contained the matter,” said an Accenture spokesperson after news of the firm’s 2021 data breach became public. Yet cybercriminals still managed to make off with an enormous amount of proprietary information—some of which was leaked to the public. At the Colonial Pipeline company, no one was aware that one of the largest pipeline operators in the US had been attacked until an employee discovered a ransom note. At that point, the only way forward was to shut down the entire operation and, eventually, pay a ransom. And at Shutterfly, all seemed well—until attackers deployed ransomware, locking employees out of their systems and stealing data. Only then did the photography and image sharing company realise it had been compromised. 

These incidents show that ransomware attacks are not only getting more frequent (they doubled in the UK in 2021) but also stealthier. With attackers increasingly turning to advanced tooling and fileless malware, spotting and stopping an intrusion before damage is done is becoming harder. Describing ransomware as a “national security threat,” lead minister for cybersecurity Steve Barclay recently urged firms to share ransomware incidents with the National Cyber Security Centre to “strengthen […] individual and collective resistance.” 

For individual organisations, nipping ransomware in the bud means fighting back with the right combination of anti-ransomware tools. A self-driving cyber defence platform, SenseOn blends multiple methods of detection to identify unusual activity, allowing organisations to stop an attack before it can have a significant business impact.

Early Detection Is Vital

First, some good news: ransomware dwell time is now down to about four days. The bad news? That probably has more to do with ransomware operators moving faster than ever than with any reduction in detection and response times. The profit-hungry FIN12 ransomware group, for example, now spends less than three days in a target’s network before encrypting data and sending a ransom demand. 

In addition, although the time it takes external sources (including the cybercriminals themselves) to let victims know they have been breached has dropped, the global median dwell time for incidents discovered internally has increased. In other words, attackers are getting better at hiding. With ransom demands skyrocketing, decryptions being “atrociously slow,” and the number of organisations whose files were exposed on leak sites rising by 935% in 2021, early detection has never been more critical. 

Ransomware Detection Techniques That Help Spot Ransomware Early

To avoid downtime, reputational damage, and remediation costs (as well as legal costs in cases of leaked customer data), security teams need to be able to recognise and stop ransomware before it encrypts and/or steals data.

To do this, different security solutions, such as endpoint detection and response (EDR) or security information and event management (SIEM), use different detection techniques. SenseOn uses all of the following: 

Rules and signatures 

Signature-based detection, which uses a list of indicators of compromise like IP addresses or file hashes to detect malware, is a great first line of defence against ransomware. 

However, security products such as antivirus solutions that rely on signatures alone can only identify threats whose indicators have already been observed, analysed and shared. 

Unfortunately, new and evolved threats keep emerging. According to SonicWall, 185,945 never-before-seen malware variants were recorded in 2021, an increase of 54% year-to-date. 

Because attackers are constantly tweaking existing malware or releasing new strains, ransomware frequently slips past signature-based controls. In Q1 of 2021, more than two-thirds of malware was undetectable by signature-based tools. 

Rule-based detection, which encodes behaviour that should not happen in a given environment (a workstation deleting volume shadow copies, say, or a login outside a user’s permitted hours) as rules that alert when matched, can catch ransomware activity that no signature yet describes, because it keys on what a process does rather than what it is. However, since unusual-but-legitimate behaviour (for example, someone logging into their device at an odd time) happens all the time in a typical enterprise, rules written broadly enough to catch novel attacks also create alert fatigue among security staff. To stop this from happening, SenseOn uses threat triangulation, which applies multiple detection methods to provide data-driven hypotheses mapped to the MITRE ATT&CK framework, in order to surface only genuine threats.
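As an added illustration of the two approaches (example code written for this article, not SenseOn’s own detection logic), the Python below runs a hash signature and a handful of behavioural rules over constructed telemetry. The two byte strings stand in for a known ransomware build and a trivially modified variant; the process events, host names and rule-to-ATT&CK mappings are constructed for the example. The signature catches the catalogued build and misses the variant, while rules describing what the process does (deleting shadow copies, clearing event logs) catch the variant and leave the administrator’s `vssadmin list shadows` alone.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for two ransomware binaries (not real malware): the "variant" is the
# known sample with a few bytes changed, as a repacked or recompiled build would be.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"locker-build-1" + b"\x00" * 16
VARIANT_SAMPLE = b"MZ\x90\x00" + b"locker-build-2" + b"\x00" * 16


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature feed: hashes of samples that have already been analysed and shared.
IOC_HASHES = {sha256_hex(KNOWN_SAMPLE)}


def signature_match(data: bytes, iocs: set[str] = IOC_HASHES) -> bool:
    """Signature-based check: the file is flagged only if its hash is already catalogued."""
    return sha256_hex(data) in iocs


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


def _image_is(event: ProcessEvent, name: str) -> bool:
    """Compare the executable name regardless of path or case."""
    return event.image.lower().rsplit("\\", 1)[-1] == name


# Behavioural rules: (rule name, ATT&CK technique, predicate). They describe what a process
# does, so a brand-new binary is still caught when it performs the same actions.
RULES = [
    ("vssadmin_shadow_delete", "T1490",
     lambda e: _image_is(e, "vssadmin.exe") and re.search(r"\bdelete\s+shadows\b", e.cmdline, re.I)),
    ("wmic_shadowcopy_delete", "T1490",
     lambda e: _image_is(e, "wmic.exe") and re.search(r"\bshadowcopy\s+delete\b", e.cmdline, re.I)),
    ("bcdedit_disable_recovery", "T1490",
     lambda e: _image_is(e, "bcdedit.exe") and re.search(r"recoveryenabled\s+no\b", e.cmdline, re.I)),
    ("wevtutil_clear_log", "T1070.001",
     lambda e: _image_is(e, "wevtutil.exe") and re.search(r"\bcl\b", e.cmdline, re.I)),
]


def rule_matches(events):
    """Return (rule name, technique, event) for every rule that fires on any event."""
    hits = []
    for event in events:
        for name, technique, predicate in RULES:
            if predicate(event):
                hits.append((name, technique, event))
    return hits


# Constructed telemetry: the variant preparing to encrypt on ws-17, plus a benign admin check.
SAMPLE_EVENTS = [
    ProcessEvent("ws-17", r"C:\Users\Public\locker.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("ws-17", r"C:\Users\Public\locker.exe", r"C:\Windows\System32\wevtutil.exe",
                 "wevtutil.exe cl Security"),
    ProcessEvent("ws-03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe list shadows"),
]


def run_demo() -> dict:
    return {
        "known_sample_by_signature": signature_match(KNOWN_SAMPLE),
        "variant_by_signature": signature_match(VARIANT_SAMPLE),
        "techniques_by_rules": sorted({technique for _, technique, _ in rule_matches(SAMPLE_EVENTS)}),
    }


if __name__ == "__main__":
    print(run_demo())
```

The variant is invisible to the hash check but fires two rules, both on the same host; the benign `list shadows` event fires none. The flip side the article raises is visible too: a rule this specific misses a strain that inhibits recovery some other way, and a rule loose enough to catch every variant would also catch administrators.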

User and entity behaviour analysis

Behavioural detection observes the normal behaviour of users and entities (devices, service accounts, applications) and flags activity that deviates from that baseline. For instance, if a user suddenly accesses files they have never touched before, this is surfaced to the security team as suspicious. 

With user and entity behavioural analysis (UEBA), security teams can identify insider threats, brute-force attacks, compromised accounts, unauthorised access to sensitive data, permission changes, and more. 
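The baseline-and-deviation idea as an added worked example (written for this article, not SenseOn’s implementation): a week of constructed per-hour share-access aggregates and login records trains a per-user baseline of which shares each user touches and their busiest hour; everything after the cutoff is scored against it, and a sliding window over failed logins covers the brute-force and compromised-account cases the section lists. Users, share names and addresses are invented for the example.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ShareAccess:
    ts: datetime
    user: str
    share: str   # network share touched
    files: int   # files read or written in this hourly aggregate


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src: str
    success: bool


@dataclass
class Baseline:
    shares: set
    max_files_per_hour: int


def build_baseline(accesses, cutoff: datetime) -> dict:
    """Learn, per user, which shares they use and their busiest hour from events before `cutoff`."""
    shares = defaultdict(set)
    peak = defaultdict(int)
    for a in accesses:
        if a.ts < cutoff:
            shares[a.user].add(a.share)
            peak[a.user] = max(peak[a.user], a.files)
    return {u: Baseline(shares[u], peak[u]) for u in shares}


def detect_access_anomalies(accesses, baseline: dict, cutoff: datetime, spike_factor: int = 5):
    """Flag post-cutoff access to a share the user never used, or volume far above their own peak."""
    findings = []
    for a in sorted(accesses, key=lambda a: a.ts):
        if a.ts < cutoff:
            continue
        b = baseline.get(a.user)
        if b is None:
            findings.append(("unknown_user", a.user, a.share, a.ts))
            continue
        if a.share not in b.shares:
            findings.append(("new_resource", a.user, a.share, a.ts))
        if a.files > spike_factor * b.max_files_per_hour:
            findings.append(("volume_spike", a.user, a.share, a.ts))
    return findings


def detect_bruteforce(logins, window: timedelta = timedelta(minutes=5), threshold: int = 5):
    """Sliding window per (user, source): a burst of failures, and a success straight after one."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    findings = []
    reported = set()
    for login in sorted(logins, key=lambda l: l.ts):
        key = (login.user, login.src)
        q = recent[key]
        while q and login.ts - q[0] > window:
            q.popleft()
        if login.success:
            if len(q) >= threshold:   # guessed right after a burst: likely compromised account
                findings.append(("bruteforce_success", login.user, login.src, login.ts))
            q.clear()
            continue
        q.append(login.ts)
        if len(q) >= threshold and key not in reported:
            findings.append(("bruteforce", login.user, login.src, login.ts))
            reported.add(key)
    return findings


T0 = datetime(2022, 3, 1, 9, 0)
CUTOFF = datetime(2022, 3, 8, 0, 0)

# Constructed week of normal activity (one aggregate per working hour), then one suspicious morning.
ACCESSES = [
    ShareAccess(T0 + timedelta(days=d, hours=h), "alice", r"\\fs01\marketing", 10 + 4 * h)
    for d in range(7) for h in range(8)
] + [
    ShareAccess(T0 + timedelta(days=d, hours=h), "bob", r"\\fs01\finance", 15 + 2 * h)
    for d in range(7) for h in range(8)
] + [
    ShareAccess(datetime(2022, 3, 8, 9, 30), "alice", r"\\fs01\finance", 20),     # never used before
    ShareAccess(datetime(2022, 3, 8, 10, 30), "alice", r"\\fs01\marketing", 900), # ~24x her peak hour
    ShareAccess(datetime(2022, 3, 8, 11, 0), "bob", r"\\fs01\finance", 22),       # normal
]

# Constructed logins: six failures in under a minute from one source, then a success.
LOGINS = [Login(datetime(2022, 3, 8, 8, 0, 10 * i), "alice", "10.0.0.99", False) for i in range(6)] + [
    Login(datetime(2022, 3, 8, 8, 1, 30), "alice", "10.0.0.99", True),
    Login(datetime(2022, 3, 8, 8, 5, 0), "bob", "10.0.0.12", True),
]

if __name__ == "__main__":
    bl = build_baseline(ACCESSES, CUTOFF)
    for f in detect_access_anomalies(ACCESSES, bl, CUTOFF) + detect_bruteforce(LOGINS):
        print(f)
```

Each finding on its own is weak evidence: a new share might be a legitimate project move, and a volume spike might be a backup. The value comes when several of them line up on the same account within a short time, which is the correlation step the later section describes.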

Deception-based detection

Deception technology aims to trick attackers by distributing traps (decoys) and/or lures across a system that resemble actual assets but that, when interacted with, trigger an alert.

For example, an unused SQL server that plays no part in regular operations might be set up as a honeypot. Because legitimate users have no reason to touch decoys or lures, alerts from deception technology are a strong indication of an ongoing attack. 

Supervised and unsupervised machine learning

Whereas supervised machine learning uses labelled datasets to train algorithms to classify data, unsupervised machine learning clusters or scores unlabelled data. In other words, unsupervised machine learning doesn’t require humans to label examples of good and bad activity in advance. 

SenseOn uses unsupervised machine learning to detect outliers and anomalies, such as exploits or new ransomware techniques. It then uses supervised learning to automate the explanation of why suspicious activity was flagged, making investigation and remediation quicker and more effective. 
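An added example of the unsupervised step (written for this article, not SenseOn’s model): per-host feature vectors from one constructed ten-minute window are scored against the rest of the fleet with a modified z-score (median and median absolute deviation, falling back to the mean absolute deviation when the MAD is zero), so no labelled examples are needed. The explanation function is a simple stand-in for the learned explanation the article describes: it reports which features pushed each host over the threshold. Host names and feature values are constructed; 3.5 is the standard Iglewicz-Hoaglin cut-off for the modified z-score.

```python
from __future__ import annotations

from statistics import median

# Constructed ten-minute window of per-host features (not real telemetry). A ransomware burst
# shows up as many modified files, a new file extension appearing, and high-entropy writes.
FEATURES = ("files_modified", "new_extensions", "mean_write_entropy")
HOSTS = {
    "ws-01": (42, 0, 4.9),
    "ws-02": (35, 0, 5.1),
    "ws-03": (58, 0, 4.7),
    "ws-04": (29, 0, 5.3),
    "ws-05": (61, 0, 4.8),
    "ws-06": (47, 0, 5.0),
    "ws-07": (39, 0, 5.2),
    "ws-08": (53, 0, 4.6),
    "bkp-01": (880, 0, 5.0),   # nightly backup job: an outlier on volume only
    "ws-17": (4200, 1, 7.9),   # constructed encryption burst: outlier on every feature
}

MAD_SCALE = 1.4826        # makes the MAD comparable to a standard deviation for normal data
MEANAD_SCALE = 1.253314   # same, for the mean-absolute-deviation fallback when MAD is zero
THRESHOLD = 3.5           # Iglewicz-Hoaglin cut-off for the modified z-score


def robust_z(values, x) -> float:
    """Modified z-score of x against `values`, using the median and MAD so a few extreme
    hosts cannot drag the baseline towards themselves (as mean/stddev would)."""
    med = median(values)
    deviations = [abs(v - med) for v in values]
    mad = median(deviations)
    if mad > 0:
        return (x - med) / (MAD_SCALE * mad)
    mean_ad = sum(deviations) / len(deviations)
    if mean_ad > 0:   # e.g. nine hosts at 0 and one at 1: MAD is 0 but the 1 is still an outlier
        return (x - med) / (MEANAD_SCALE * mean_ad)
    return 0.0        # every host identical on this feature: nothing is an outlier


def detect_outliers(hosts: dict, threshold: float = THRESHOLD) -> dict:
    """Unsupervised: no labels, every host is scored against the population.
    Returns host -> [(feature, z), ...] for the features beyond the threshold."""
    columns = list(zip(*hosts.values()))
    flagged = {}
    for host, vector in hosts.items():
        reasons = []
        for i, feature in enumerate(FEATURES):
            z = robust_z(columns[i], vector[i])
            if abs(z) > threshold:
                reasons.append((feature, round(z, 1)))
        if reasons:
            flagged[host] = reasons
    return flagged


def explain(flagged: dict) -> list:
    """Rank outliers and say why each was raised, most suspicious first (a simplified
    stand-in for a learned explanation): more deviating features, then larger deviation."""
    ranked = sorted(flagged.items(),
                    key=lambda kv: (len(kv[1]), max(abs(z) for _, z in kv[1])), reverse=True)
    return [f"{host}: {len(reasons)} of {len(FEATURES)} features deviate: "
            + ", ".join(f"{feature} z={z:+.1f}" for feature, z in reasons)
            for host, reasons in ranked]


if __name__ == "__main__":
    for line in explain(detect_outliers(HOSTS)):
        print(line)
```

Both `bkp-01` and `ws-17` are raised, which is exactly the unsupervised method’s weakness: it finds what is unusual, not what is malicious. The explanation is what lets an analyst (or the correlation layer) tell them apart quickly: one host deviates on volume alone, the other on volume, a never-seen extension and near-random write entropy at once.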

Making Sense of It All with SenseOn

Each of the above methods has its pros and cons. But in reality, no single technique is capable of reliably detecting a ransomware attack alone. 

That is why SenseOn uses what we call “Detections-in-Depth,” a blend of detection methods that are continuously updated and that consist of rules and signatures, user and entity behavioural analysis, deception techniques, and supervised and unsupervised machine learning. Using multiple ransomware detection techniques improves security teams’ ability to detect and remediate attacks before significant damage is done. 

Rather than bringing every single suspicious event to analysts’ attention, SenseOn uses threat triangulation, an automated investigation engine, to separate the signal from the noise. 

With SenseOn, no observation is analysed alone. Instead, observations from each detection method are correlated with observations about the same users and devices from the other methods and matched to real-world hypotheses.

SenseOn is able to combine multiple observations to create a threat “case” (mapped to MITRE ATT&CK techniques) and provide actionable alerts for security teams to investigate. This happens regardless of whether related observations happen minutes or weeks apart. What’s more, SenseOn has established feedback loops, which means that its detections improve over time as it makes new observations for particular users and devices. 

Because SenseOn is able to not only detect and investigate ransomware activity but also respond, it can automatically isolate infected devices in real time. Critically for time-sensitive ransomware attack situations, SenseOn can stop attacks without human input, leaving ransomware infections stuck out in the cold.
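An added example of the correlation idea, which also covers the decoy observations from the deception section (example code written for this article, not SenseOn’s threat-triangulation engine): observations from different methods are grouped per device across a 30-day window; a case opens only when two independent methods agree, or immediately when a high-fidelity source such as a decoy fires; analyst feedback suppresses a recurring benign observation; and a hypothetical response policy decides which cases warrant isolating the device. Device names, observations, dates, the window and the policy are constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Observation:
    ts: datetime
    device: str
    method: str      # "signature", "rule", "ueba", "deception" or "ml"
    kind: str        # what the detector saw
    technique: str   # ATT&CK technique id, "" when the detector cannot map it


@dataclass
class Case:
    device: str
    observations: list = field(default_factory=list)

    def methods(self) -> list:
        return sorted({o.method for o in self.observations})

    def techniques(self) -> list:
        return sorted({o.technique for o in self.observations if o.technique})

    @property
    def last_ts(self) -> datetime:
        return max(o.ts for o in self.observations)


class Triangulator:
    """Correlate observations per device; raise a case only when independent methods agree
    or a high-fidelity method fires. Observations must be fed in timestamp order."""

    def __init__(self, window=timedelta(days=30), min_methods=2, high_fidelity=("deception",)):
        self.window = window
        self.min_methods = min_methods
        self.high_fidelity = set(high_fidelity)
        self.pending = defaultdict(list)   # device -> observations not yet in a case
        self.open = {}                     # device -> currently open case
        self.cases = []
        self.suppressed = set()            # (device, method, kind) an analyst marked benign

    def mark_benign(self, device: str, method: str, kind: str) -> None:
        """Analyst feedback loop: this recurring observation no longer counts for this device."""
        self.suppressed.add((device, method, kind))

    def add(self, obs: Observation):
        """Return the case this observation opened or joined, or None if it stays as context."""
        if (obs.device, obs.method, obs.kind) in self.suppressed:
            return None
        case = self.open.get(obs.device)
        if case is not None and obs.ts - case.last_ts <= self.window:
            case.observations.append(obs)
            return case
        pend = self.pending[obs.device]
        pend.append(obs)
        pend[:] = [o for o in pend if obs.ts - o.ts <= self.window]   # forget stale context
        methods = {o.method for o in pend}
        if len(methods) >= self.min_methods or methods & self.high_fidelity:
            case = Case(obs.device, list(pend))
            pend.clear()
            self.open[obs.device] = case
            self.cases.append(case)
            return case
        return None


def should_isolate(case: Case) -> bool:
    """Hypothetical response policy: isolate when an impact or recovery-inhibition technique
    is present, or when three or more independent methods agree."""
    return bool({"T1486", "T1490"} & set(case.techniques())) or len(case.methods()) >= 3


def at(day: int, hour: int = 9, minute: int = 0) -> datetime:
    return datetime(2022, 3, day, hour, minute)


# Constructed observation feed spanning three weeks (time-ordered).
FEED = [
    Observation(at(1), "ws-17", "ueba", "new_resource:\\\\fs01\\finance", ""),
    Observation(at(3), "ws-03", "ueba", "new_resource:\\\\fs01\\hr", ""),
    Observation(at(9), "bkp-01", "ml", "outlier:files_modified", ""),
    Observation(at(10), "ws-42", "deception", "decoy_credential_used:svc_backup_decoy", "T1078"),
    Observation(at(16), "bkp-01", "ml", "outlier:files_modified", ""),
    Observation(at(20), "ws-17", "rule", "vssadmin_shadow_delete", "T1490"),
    Observation(at(20, 9, 5), "ws-17", "deception", "decoy_file_opened:\\\\fs01\\finance\\passwords.xlsx", "T1083"),
    Observation(at(20, 9, 7), "ws-17", "ml", "outlier:mean_write_entropy", "T1486"),
]


def run_demo() -> Triangulator:
    tri = Triangulator()
    for obs in FEED:
        tri.add(obs)
        if obs.device == "bkp-01" and obs.ts == at(9):
            tri.mark_benign("bkp-01", "ml", "outlier:files_modified")   # analyst: nightly backup job
    return tri


if __name__ == "__main__":
    for case in run_demo().cases:
        print(case.device, case.methods(), case.techniques(), "isolate" if should_isolate(case) else "investigate")
```

The share access on ws-17 from 1 March is weak evidence by itself and stays as context; nineteen days later the shadow-copy deletion turns it into a case, and the decoy and entropy observations minutes after that bring the case to four independent methods and an isolation decision. The single UEBA observation on ws-03 never becomes a case, and the backup server’s weekly volume outlier stops counting once an analyst has marked it benign.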
