Did you know that malicious emails, those containing malware or ransomware, are up 600% due to the COVID pandemic? The past few years have shown us just how much of a nightmare ransomware attacks can be, with ransomware groups operating 24/7 and hiring the most accomplished black hat hackers to achieve their lofty goals. Ransomware is a type of malware built for the simple purpose of stealing data from victims, but the route it takes to steal data and encrypt files is anything but simple. Businesses are finding an urgent need for better and more powerful threat hunting tools, and they are finding them in network detection and response, or NDR. Let’s explore some of the ways ransomware is being made more powerful, and the EDR, NDR and incident response techniques being used to combat it.
The answer is most often no. Ransomware has been quietly evolving to be more dangerous and invasive than ever before, and several improvements are being made to it to make it more powerful and destructive.
The devices ransomware is now targeting are also referred to as endpoints. An endpoint is any remote computing device that communicates over the internet when connected, including desktops, laptops, smartphones, tablets, servers and other IoT devices. In 2018 there were 3.96 billion endpoints operating around the globe, growing to 4.81 billion devices by 2019. These shocking numbers are eclipsed only by the 21% increase in endpoints in 2020, and the number is only getting higher. Ransomware operators have seen the writing on the wall and taken steps to grasp this unique opportunity.
In response to this record growth, the network security industry has been developing as well. Endpoint detection and response (EDR) is an endpoint security solution that continuously monitors and collects endpoint data in real time, applying rules set by administrators to determine which traffic and endpoints are safe and which may be malicious or controlled by threat actors.
There are several principles that endpoint detection and response solutions follow to maintain their upper hand over ransomware trying to reach an enterprise network through its endpoints. Let’s drill down into the functions and benefits of EDR.
With EDR protecting the endpoints, we turn to network detection and response, or NDR, to protect the network itself from the threat of ransomware. NDR is a security solution designed to detect and prevent malicious network activity, such as that caused by ransomware, and also to investigate and perform forensics on any potential threat: determining the root cause and the entry point (the compromised endpoint), and then responding to and mitigating the issue.
One of the biggest benefits of a network detection and response solution is improved visibility into all areas of the network. While legacy security systems can potentially protect you from an attack in progress, there could still be malware or ransomware lurking in your system, lying dormant and waiting to strike when you least expect it. NDR solutions let security personnel look beyond the perimeter and apply what they learn about network activity to securing the inside of the network. One way this is done is through incident response, or IR.
Incident response is the term for the way an enterprise responds to a data breach, cyber-attack or threat. The goal is to detect the incident quickly and manage it so as to limit the damage it causes. IR is also critical to recovery, keeping recovery time to a minimum. Organizations should always have an incident response plan ready that determines who takes what action in the event of an attack, and that sets up automatic responses to any attacks occurring outside business hours.
A SANS whitepaper lays out all the critical steps for a world-class incident response plan, including:
Ransomware is evolving at a dizzying speed, and our network detection and response capabilities must be well honed to deal with it effectively. For more information on incident response, endpoint detection and response, and network detection and response, check out Sangfor Cyber Command, Sangfor Technologies’ advanced network detection and response solution. Cyber Command can be trusted to improve overall IT security and risk posture by:
Contact Sangfor today to see how we can make your IT simpler, more secure and more valuable.