Illusive Blog June 22, 2021

Active Defense and Ransomware - Cutting Off Paths to Encryption

By Wade Lance
Active Defense, Lateral Movement, MITRE Shield, Ransomware

This is the final article in a 3-part series on the evolution and sophistication of modern ransomware attacks, which serves as a snapshot from the comprehensive eBook on the topic, Ransomware, Inc: The Rise of Targeted Ransomware Crime Syndicates, published by Alissa Valentina Knight and Knight Ink, and commissioned by Illusive. Read part 1, The Major Ransomware Threat Groups and What Makes Them Effective and part 2, Ransomware Incognito: 5 Tools Targeted Ransomware Groups Use to Disguise Themselves

Previously we looked at some of the most prominent ransomware criminal syndicates, the RaaS (Ransomware as a Service) model, and some of the methods attackers use to move stealthily through the IT environment. In this article, I want to provide a practical, tangible and achievable strategy for stopping these human-operated ransomware attacks before they encrypt data and exfiltrate sensitive information.

What is Active Defense? Looking at MITRE Shield

IT security teams the world over have long turned to the MITRE ATT&CK framework to gain a deep understanding of cyber adversaries’ tactics and techniques, collected from MITRE’s comprehensive real-world observations. MITRE has once again brought tremendous value to cybersecurity with the release of Shield, a knowledge base built on more than a decade of adversary engagement, detailing the tactics and techniques defenders can implement to achieve an ‘active defense’ posture.

Structured similarly to ATT&CK, but looking at the other side of the table, MITRE Shield organizes defensive techniques under defensive tactics that move the security posture from a reactive stance into an Active Defense. Which cybersecurity techniques and strategies should CISOs be aware of? Shield is a great resource for that.

According to MITRE, Shield is intended to stimulate discussion about Active Defense.

Active defense ranges from basic cyber defensive capabilities to cyber deception and adversary engagement operations. The combination of these defenses allows an organization to not only counter current attacks but also to learn more about that adversary and better prepare for new attacks in the future. – MITRE Shield

Active Defense to Stop Lateral Movement

At Illusive, we focus much of our effort on detecting attacker lateral movement and on making it much harder for attackers to achieve.

As Alissa Knight writes, “[t]he most effective method of ransomware detection would be the detection of lateral movement and the effects of living off the land so the syndicates can be identified before the droppers are placed and files encrypted and leaked…. The first step in lateral movement for the syndicate is to use tools such as LaZarus or Mimikatz to dump credentials from the system they’ve established a beachhead on. Once those credentials are gained, queries are performed to determine whether any of those credentials or Kerberos tickets have domain administrator or enterprise administrator privileges. The syndicate will move laterally within the network until a system is reached that contains domain admin or enterprise admin credentials from a credential or ticket dump on a host.”

A new paper published by analyst firm IDC, Defeating Ransomware Requires a Deterministic Cybersecurity Game Plan, expands on this point, specific to ransomware. 

Malware such as TrickBot and derivatives such as Ryuk are specifically designed to be reconnaissance and beaconing tools. The malware seeks to gain a toehold in the network and then spread laterally throughout the network. But this type of malware is also cunning. The malware is trained to recognize sandboxes and to evade cybersecurity appliances, the digital profiles of which the adversary knows as well as the enterprise.

So let’s focus on the lateral movement aspect of these ransomware attacks. The first element necessary for lateral movement is an identity, usually in the form of a credential pair, although other identities (such as Kerberos tickets or tokens) can also be leveraged. Those harvested credentials are then combined with the pathways that connect different workstations and servers (open management protocols, trust relationships, admin rights on remote hosts) to enable lateral movement. Illusive acts in two ways to combat that approach.

Shrinking the Ransomware Attack Surface Inside the Network

The first critical action is to identify and eliminate exploitable and unnecessary identities (credentials) and connections.

Illusive’s Attack Surface Manager (ASM) is specifically designed to detect which hosts have latent administrative identities present. It also allows security teams to “remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit (MITRE use case DUC0196).” Rootkits are only one example; the same use case applies to any attacker tooling that needs elevated privileges to install or run.

Illusive provides the privileged-identity and lateral-movement context needed to see which credentials and connections an attacker could use to reach high-value or critical assets, and which of those let an attacker move with privilege while blending in with normal network behavior. ASM also remediates these conditions. This capability is essential against both external intruders and insiders who use “authorized” connectivity and legitimate credentials (aka “living off the land”) to move laterally towards critical assets.

Attack Surface Manager’s many functions include:

  • Automatic discovery and mapping of the access footprint across the enterprise, including “Crown Jewel” systems, as well as attack paths to high-value systems;
  • Easy definition of rules and policies through automation-assisted processes;
  • Continuous monitoring for credential and connection violations;
  • Risk-oriented decision support through insight on the potential impact of policy violations and attack paths;
  • Corrective action through a choice of manual and automatic methods to eliminate exploitable domain admin accounts, local admin accounts, unmanaged accounts, service accounts, shadow administrators and custom privileged groups and accounts;
  • Built-in attack risk reports for security leaders.
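To make the identity-plus-pathway model concrete, here is an added worked example (my own illustration, not Illusive’s code or ASM’s algorithm). It models a tiny AD-style network as three maps: which credentials are cached on each host, which hosts each credential has admin rights on, and which hosts can reach which over management protocols. From that it finds the “latent” admin credentials an attacker could harvest, computes an attack path from a beachhead workstation to a crown-jewel host, and shows the path disappearing once one cached credential is removed. All hostnames, accounts, rights and reachability are constructed sample data.

```python
"""Attack-path analysis: which latent credentials let an attacker pivot to crown jewels.

Added illustrative example; it models the approach the article describes
(identity + pathway = lateral movement) and is not Illusive's code. All
hostnames, accounts and rights below are constructed sample data.
"""

# host -> credentials present on that host (cached logons, tokens, tickets)
CREDS_ON_HOST = {
    "WS01": {"alice", "helpdesk_adm"},   # beachhead; a helpdesk admin's logon is still cached here
    "WS02": {"bob"},
    "FS01": {"svc_backup"},              # backup service runs on the file server
    "DC01": {"DA_carol"},                # domain admin logged on to the DC (expected)
}

# credential -> hosts on which it has local/remote admin rights
ADMIN_RIGHTS = {
    "alice": {"WS01"},
    "bob": {"WS02"},
    "helpdesk_adm": {"WS01", "WS02", "FS01"},
    "svc_backup": {"FS01", "DC01"},      # a "shadow admin": service account that is admin on the DC
    "DA_carol": {"WS01", "WS02", "FS01", "DC01"},
}

# host -> hosts it can reach over SMB/RDP/WinRM (network pathways)
REACHABLE = {
    "WS01": {"WS02", "FS01"},
    "WS02": {"WS01", "FS01"},
    "FS01": {"WS01", "WS02", "DC01"},
    "DC01": {"FS01"},
}

CROWN_JEWELS = {"DC01"}


def latent_admin_credentials(creds_on_host, admin_rights):
    """Return (host, credential) pairs where a credential present on a host
    grants admin rights somewhere *else*. These are exactly the identities an
    attacker who owns that host can harvest and use to move laterally."""
    found = set()
    for host, creds in creds_on_host.items():
        for cred in creds:
            if admin_rights.get(cred, set()) - {host}:
                found.add((host, cred))
    return found


def find_attack_path(start, creds_on_host, admin_rights, reachable, targets):
    """Fixed-point search over hosts. The attacker starts on `start`, harvests
    every credential cached there, and may move to a network-reachable host on
    which any harvested credential has admin rights. Harvested credentials only
    accumulate, so hosts compromised later can reopen earlier dead ends; loop
    until nothing changes. Returns the (host, credential_used) hops to the
    first target reached, or None if no target is reachable. The credential on
    a hop may have been harvested on any previously compromised host."""
    compromised = {start}
    harvested = set(creds_on_host.get(start, set()))
    how = {start: (None, None)}          # host -> (previous host, credential used)
    changed = True
    while changed:
        changed = False
        for host in list(compromised):
            for nxt in reachable.get(host, set()):
                if nxt in compromised:
                    continue
                usable = sorted(c for c in harvested if nxt in admin_rights.get(c, set()))
                if usable:
                    compromised.add(nxt)
                    harvested |= creds_on_host.get(nxt, set())
                    how[nxt] = (host, usable[0])
                    changed = True
    hit = next((t for t in sorted(targets) if t in compromised), None)
    if hit is None:
        return None
    path, node = [], hit
    while how[node][0] is not None:
        prev, cred = how[node]
        path.append((node, cred))
        node = prev
    return list(reversed(path))


def remove_credential(creds_on_host, host, cred):
    """Return a copy of the credential map with `cred` purged from `host`
    (the remediation step: clear the cached admin logon / stale session)."""
    cleaned = {h: set(c) for h, c in creds_on_host.items()}
    cleaned.setdefault(host, set()).discard(cred)
    return cleaned


if __name__ == "__main__":
    print("latent admin credentials:", sorted(latent_admin_credentials(CREDS_ON_HOST, ADMIN_RIGHTS)))
    print("path before cleanup:", find_attack_path("WS01", CREDS_ON_HOST, ADMIN_RIGHTS, REACHABLE, CROWN_JEWELS))
    cleaned = remove_credential(CREDS_ON_HOST, "WS01", "helpdesk_adm")
    print("path after cleanup: ", find_attack_path("WS01", cleaned, ADMIN_RIGHTS, REACHABLE, CROWN_JEWELS))
```

Before cleanup the attacker on WS01 harvests the cached helpdesk admin credential, uses it to reach FS01, harvests the backup service account there, and uses that shadow-admin account to reach DC01. Purging the single stale helpdesk logon from WS01 leaves the attacker with only alice’s credential, which is admin nowhere else, so no path to DC01 remains; the svc_backup exposure on FS01 is still worth fixing, but it is no longer reachable from this beachhead.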

Using Deception to Expose Attackers

So what if after eliminating those credentials or Kerberos tickets (for example), you could then create deceptive versions to trick attackers into revealing themselves?

The IDC paper writes, “[the] last step is for organizations to replace those eliminated attacker pathways with deceptive versions that look and feel real to any attacker that happens to find them…The adversary will try to access anything…such as stolen credentials, device MAC addresses, and information from files. It will even attempt to gain access to identities and user group information in registries. This is where deception starts to change the paradigm on the attackers. In lieu of waiting for something to happen, organizations can take a more offensive-minded approach. By placing fake files, fake credentials, and fake devices that look real from an outside-in vantage point, the SOC team sends the attacker down a twisted path.”

The Illusive Attack Detection System (ADS) provides extensive deception capabilities that protect critical assets by automatically planting, and keeping current, fabricated credentials and connection history pointing at deceptive targets of value to attackers, directly on production hosts. This is the most effective way to detect threats that may not be using any malware or known attack tools. While EDR tools are effective at detecting malicious attack tools and techniques, they have difficulty differentiating between normal system/user behavior and malicious lateral movement. Endpoint-based deception is specifically designed to reveal this behavior: the attacker first violates security policy by harvesting the deceptive identities and connection history, then uses that information in an attempt to move laterally. Because no legitimate process ever uses a decoy, any use of one is a deterministic detection, which strongly augments anomaly-based detection systems.

Many of the techniques defined in Shield are achieved using deception technology, including decoy accounts, decoy content, decoy credentials, decoy networks, decoy personas, decoy processes, decoy systems, and decoy diversity. Planting these deceptive artifacts on every endpoint creates a hostile environment for attackers who have established a beachhead and are now looking to move laterally. The attacker is tricked into leveraging realistic-looking credentials and historical interaction data (connection strings) and reveals their presence. Deception technology gives the organization early notice that it has been breached while keeping the syndicates away from critical production systems.
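The detection side of this, as an added example (mine, not ADS’s code): each host receives its own unique decoy account, planted wherever an attacker would dump cached credentials or connection history. A decoy is never used by any legitimate process, so a single authentication event naming one is a deterministic alert, and because the name is unique per host it also tells you which host the attacker harvested it from. The decoy registry and the Windows-style logon events below are constructed sample data; in practice the per-host suffix would be derived from a secret so decoys cannot be guessed or correlated across hosts.

```python
"""Detecting lateral movement through planted decoy credentials.

Added illustrative example, not Illusive's code. The decoy registry and the
log lines are constructed to resemble Windows 4624/4625 logon events; they
are not real data.
"""
import re

# Decoy account name -> host it was planted on. Names are unique per host so a
# sighting pins down which host's credential store the attacker dumped.
DECOYS = {
    "svc_sqlbkp_7f3a": "WS01",
    "svc_sqlbkp_c21e": "WS02",
    "adm_fs_deploy_90bd": "FS01",
}

# Constructed sample events (key=value, one per line). Lines 3-4 are an
# attacker on 10.0.1.11 trying the decoy harvested from WS01 against FS01
# (fails) and then against DC01 (the decoy exists as a no-rights honey account).
SAMPLE_LOG = """\
EventID=4624 TargetUserName=alice WorkstationName=WS01 IpAddress=10.0.1.11 LogonType=2
EventID=4624 TargetUserName=bob WorkstationName=WS02 IpAddress=10.0.1.12 LogonType=3
EventID=4625 TargetUserName=svc_sqlbkp_7f3a WorkstationName=FS01 IpAddress=10.0.1.11 LogonType=3
EventID=4624 TargetUserName=svc_sqlbkp_7f3a WorkstationName=DC01 IpAddress=10.0.1.11 LogonType=3
EventID=4624 TargetUserName=carol WorkstationName=DC01 IpAddress=10.0.1.50 LogonType=10
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value' line into a dict."""
    return dict(KV_RE.findall(line))


def detect_decoy_use(log_text, decoys):
    """Return one alert per authentication event that names a decoy account.
    Both failures (4625) and successes (4624) count: a decoy is never used
    legitimately, so any sighting is a high-confidence signal, not an anomaly
    score."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        user = ev.get("TargetUserName")
        if user not in decoys:
            continue
        alerts.append({
            "decoy": user,
            "harvested_from": decoys[user],        # host whose credential store was dumped
            "target_host": ev.get("WorkstationName"),
            "source_ip": ev.get("IpAddress"),
            "outcome": "success" if ev.get("EventID") == "4624" else "failure",
        })
    return alerts


def compromised_hosts(alerts):
    """Hosts the attacker must already control: wherever a sighted decoy was planted."""
    return {a["harvested_from"] for a in alerts}


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG, DECOYS)
    for a in found:
        print(f"ALERT decoy {a['decoy']} ({a['outcome']}) from {a['source_ip']} "
              f"against {a['target_host']}; attacker holds {a['harvested_from']}")
    print("hosts to isolate:", sorted(compromised_hosts(found)))
```

The legitimate logons for alice, bob and carol produce nothing, while the two decoy sightings immediately identify both the beachhead (WS01, from the decoy name) and the pivot source (10.0.1.11), which is the information an incident responder needs to isolate the right host before the operator reaches the domain controller with a real credential.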

Using Illusive’s Active Defense also allows organizations to shrink the real attack surface while expanding a synthetic attack surface for the syndicates to interact with, an approach also referred to as attack surface management. It plays a key role in stopping the lateral movement that high-impact ransomware attacks depend on, and it is a capability your security team should now consider a “must-have”.

Request a demo to explore how we can help. 
