
Ransomware Attacks | A Waking Nightmare | Sangfor NDR Cyber Security

2021-09-01

Did you know that malicious emails, meaning those containing malware or ransomware, are up 600% due to the COVID pandemic? The past few years have shown us just how much of a nightmare ransomware attacks can be, with operators working 24/7 and hiring the most accomplished black hat hackers to achieve their lofty goals. Ransomware is a type of malware designed for the simple purpose of stealing data from victims, but the route ransomware takes to steal data and encrypt files is anything but simple. Businesses urgently need better and more powerful threat hunting tools, and they are finding them in network detection and response, or NDR. Let’s explore some of the ways ransomware is being made more powerful, and the EDR, NDR and incident response techniques being used to combat it.


Are you prepared for Ransomware?

The answer is most often no. Ransomware has been quietly evolving to be more dangerous and invasive than ever before. Several improvements are making it more powerful and destructive.


  • Ransomware now targets entire systems for damage and theft, including back-up files, databases and company web pages.
  • Ransomware is being programmed to seek out security vulnerabilities in the most used solutions, and exploit them to increase the chances of success.
  • Ransomware operators have incorporated new methods to increase their payday, including selling stolen data on the dark web, even after a ransom has been paid.
  • Ransomware operators are now communicating directly with victims through chat rooms, email and through dark web sites to negotiate ransom payments and amounts.
  • Ransomware has incorporated more powerful and stealthy encryption methods and has improved its methods of evading detection exponentially.
  • Ransomware has adapted to target enterprise networks and PCs along with any IoT or smart devices.

What is Endpoint Detection and Response – EDR

The types of devices ransomware is now targeting are also referred to as endpoints. An endpoint is any remote computing device that communicates via the internet when connected; endpoints include desktops, laptops, smartphones, tablets, servers and any other IoT device. In 2018 there were 3.96 billion endpoints operating around the globe, growing to 4.81 billion devices by 2019. These shocking numbers are eclipsed only by the 21% increase in endpoints in 2020 – and the number is only getting higher. Ransomware operators have seen the writing on the wall and taken steps to grasp this unique opportunity.


In response to this record growth, the network security industry has been developing as well. Endpoint detection and response (EDR) is an endpoint security solution that works in real time to continuously monitor and collect endpoint data, based on rules set by administrators that determine which traffic or endpoints are safe, and which have the potential to be malicious or to be threat actors.


Endpoint Detection and Response Benefits

There are several principles that endpoint detection and response solutions follow to maintain their upper hand over ransomware trying to access an enterprise network through endpoints. Let’s drill down into the functions and benefits of EDR.


  • Prevention-First: It's cheaper and easier to set up protection before an attack occurs, and EDR solutions are being deployed to identify and block potential ransomware or other cyber threats before they are able to reach their goal or execute within the network or system.
  • AI-Driven Security: EDR is enabled by AI for faster, multi-layered inspection of all potential threats.
  • Post-Infection Incident Response: No cyber security solution is 100% effective, and a rapid response to the incident, a process otherwise known as incident response (IR), is an important element of most modern EDR solutions.
  • Threat Hunting and Machine Learning: EDR tools make use of regularly updated threat intelligence to stay abreast of all potential threats they might face, using it to perform threat hunting activities within the network. Machine learning is the process of the program teaching itself to recognize previously undetected or uncategorized threats and stopping them as quickly as possible.
  • Cloud-Based Management: EDR solutions make use of cloud-based management to simplify and unify their operations, and scale as needed to enable productivity or protect the organization.

What is Network Detection and Response – NDR

With EDR protecting the endpoints, we turn to network detection and response, or NDR, to protect the network from the threat of ransomware. NDR is a security solution designed to detect and prevent malicious network activity, such as that caused by ransomware, and also to investigate and perform forensics on any potential threat, determining the root cause and entry point (compromised endpoint) before responding to and mitigating the issue.


One of the biggest benefits of a network detection and response solution is the improved visibility into all areas of the network. While legacy security systems can potentially protect you from an attack in progress, there could still be malware or ransomware lurking in your system, lying dormant and waiting to attack when you least expect it. NDR solutions let security personnel look beyond the perimeter and apply that knowledge to providing inward security. One such way is through incident response, or IR.


Why is Incident Response Critical

Incident response is a term used to describe the way an enterprise responds to a data breach, cyber-attack or threat. The goal is to detect the incident fast and manage it to limit the amount of damage it causes. In addition, IR is critical to recovery and to keeping recovery time to a minimum. Organizations should always have an incident response plan ready, to determine who is to take what action in the event of an attack, and to set up automatic responses to any attacks that might occur outside business hours.


A SANS whitepaper lays out all the critical steps for a world-class incident response plan, including:


  1. Preparation: How ready are you to respond to a security breach, and how are policies, strategy, communication, documentation, access, controls and tools handled before, and in the event of an attack?
  2. Identification: Have IT staff gather data from logs, monitoring tools, errors, false positive alerts, intrusion detection systems and firewalls, to quickly detect and determine what the attack entails and how broad its scope is.
  3. Containment: Includes planning for long and short-term containment and system back-ups.
  4. Eradication: Removal of the attacking virus or ransomware is a crucial step, followed by restoring affected systems and getting back to business.
  5. Recovery: Includes the testing and monitoring done after an attack to get programs back online and verify that there aren’t any viruses still lurking within the system, waiting for the time to strike again.
  6. Lessons Learned: Involves planning for the future and setting up security controls to ensure you don’t fall victim to the same type of attack again; machine learning and AI can be used to seek out similar attacks and stop them before they start.

Ransomware is evolving at a dizzying speed, and our network detection and response capabilities must be well honed to deal with it effectively. For more information on incident response, endpoint detection and response, and network detection and response, check out Sangfor Cyber Command, Sangfor Technologies’ advanced network detection and response solution. Cyber Command can be trusted to improve overall IT security and risk posture by:


  • Significantly improving overall security detection and response capabilities.
  • Continuously monitoring internal network traffic for any unusual behavior or traffic.
  • Correlating existing security events and applying AI and behavior analysis to detect even the most crafty threats.
  • Deploying global threat intelligence to get a bird's-eye view of any new or unknown ransomware or malware.
  • Uncovering breaches of existing security controls, while performing impact analysis to identify hidden threats.
  • Integrating with network and endpoint detection and response security solutions to automatically perform threat hunting functions and stop the threat before it deploys.

Contact Sangfor today to see how we can make your IT simpler, more secure and more valuable.