For SOC teams to be resilient to ransomware attacks, they need not only the right set of security tools but also an understanding of the three main stages of a ransomware attack. In this article, we'll walk through these key phases, see how they unfold and what signs indicate an attack is under way, and review what can be done to mitigate the damage.
Most ransomware attacks don't leave behind a single piece of reliable evidence that alerts defenders to what happened. Instead, there are many different indicators of compromise (IOCs) that tend to appear at different stages of an attack and look harmless on their own. It is therefore important to identify as many IOCs as possible, as early as possible, and then determine whether they are correlated. This allows analysts to piece together the initial stages of a ransomware attack early in the attack chain.
This is critical to preventing attacks, because SOC teams must act before the attack progresses to the point where data is exfiltrated and encrypted. Unfortunately, it takes a lot of manual threat hunting and investigation for SOC teams to identify the early stages of a ransomware attack, let alone determine whether the signs they see are related. This delays the team's ability to stop an attack before the ransomware "detonates".
What are these key stages? How can you and your SOC team detect ransomware at every stage? Let's dive in.
The first stage of a ransomware attack is establishing a foothold. The attack enters this phase after the attacker gains initial access to the network. The initial breach can be achieved in a number of ways, but it usually starts with email phishing. Attackers can also harvest data over public Wi-Fi, such as hotel networks or employee hotspots. This eventually lets them install the initial ransomware component on corporate devices, expecting employees to reconnect to the main corporate network, which allows the attack to progress and the foothold to be established.
Next, the ransomware establishes a connection to the command and control (C2) server and then determines how to infiltrate the network further, moving laterally to find where critical or sensitive data resides. For example, attackers can use a remote access Trojan to gain access to a host. They will then explore the network, identify host services, and attempt to map those connections back to a centralized application such as a database. Better still, from the attacker's point of view, is to circumvent existing access rules or steal credentials in order to move around the network more efficiently.
How can ransomware be detected and stopped at an early stage? This entails identifying strange or unusual user and entity behavior across the network, such as accessing files outside a user's scope of work, installing external software that is not approved by the company, unusual DNS queries, and more.
Many of these activities can look like normal IT administrator activity, so it's critical to be able to identify deviations from the way users normally behave. To do this, SOC teams need to deploy security solutions that combine user behavior analytics with machine learning, such as next-generation SIEM solutions. If the SOC can't see these activities, there's no way to stop ransomware at an early stage.
The privilege escalation and lateral movement phases involve gaining further access to other systems on the network. Once attackers are inside a corporate network, they work out where ransomware can be installed. In this process, they search the network for sensitive information, files, applications, or anything that could cause damage to the company, in order to exploit these things for a high payout. Access to a larger database that may contain more sensitive information leads to a more serious ransomware attack, and the attackers will be paid more.
Once attackers have accessed a database containing a large amount of sensitive information or taken control of a network, they begin to deploy software such as PuTTY in different areas to further entrench themselves and to create backups of the ransomware in case they are discovered.
The most recent example of such an incident occurred in Las Vegas, where the hacking group Scattered Spider launched a ransomware attack on MGM properties. The attackers impersonated an MGM employee they found on LinkedIn and gained access to MGM's internal systems and network by calling the company's IT help desk as that employee. After entering the network with forged credentials, they detonated the ransomware, shut down *** to lock guests out of their rooms, and caused other damage to the company's network and applications.
How do you detect whether privilege escalation and lateral movement are occurring? Installing new, unauthorized applications on the network is one sign that this is happening. An application like PuTTY appearing where it doesn't belong can be a big sign, since it may be transferring dangerous files onto the network. Other signs of incursion include:
Accessing infrastructure.
Looking up a specific DNS address.
Connecting to external cloud services such as Dropbox.
Again, these signs can be difficult to spot, because the actions look as though they are being performed by someone authorized to access sensitive data, when they are actually attackers on the network mimicking that user.
Once the attackers find the critical data, they deploy the actual ransomware payload. They may exfiltrate data, set encryption keys, and then encrypt important data. IOCs in this phase include communication with the C2 server, data movement (if an attacker exfiltrates important data before encrypting it), and anomalous activity around encrypted traffic.
Detection at this stage requires more advanced security products working together. When it comes to ransomware, chaining different types of analytics models together is an effective way to catch the slightest signs of intrusion, as they can gather network context in real time, allowing SOC teams to identify anomalous behavior as it occurs.
If a security alert is triggered, these additional analyses can provide more context to help piece together whether, and how, a larger attack occurred. However, many successful ransomware attacks don't trigger antivirus software at all, so it's crucial to accurately understand user behavior and compile numerous indicators into a coherent timeline.
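As an added example (not code from the article), the Python script below shows the correlation the early-detection and payload-stage passages call for: each indicator type is mapped to the stage it usually signals, events are grouped per host, and a host is escalated only when indicators from two or more stages fall inside one time window, with the matching events kept as a timeline. The event names, the two-hour window and the log lines are constructed assumptions that a SOC would tune to its own telemetry.

```python
"""Correlate weak ransomware indicators per host across the three attack stages."""
from collections import defaultdict
from datetime import datetime, timedelta

STAGE_ORDER = ["foothold", "lateral_movement", "payload"]

# Assumed mapping from event type to the stage it typically signals.
STAGE_OF = {
    "unusual_dns_query": "foothold",
    "file_access_outside_scope": "foothold",
    "unapproved_software_install": "foothold",
    "new_remote_tool": "lateral_movement",      # e.g. PuTTY appearing on a workstation
    "infrastructure_access": "lateral_movement",
    "cloud_upload": "lateral_movement",         # e.g. a Dropbox connection
    "c2_beacon": "payload",
    "mass_file_rename": "payload",
}

# Constructed sample log lines; ws-22 has a single indicator that is benign on its own.
SAMPLE_LOG = [
    "2024-03-01T09:02:00 host=ws-17 user=alice event=unusual_dns_query",
    "2024-03-01T09:15:00 host=ws-17 user=alice event=new_remote_tool",
    "2024-03-01T09:40:00 host=ws-17 user=alice event=cloud_upload",
    "2024-03-01T10:05:00 host=ws-17 user=alice event=mass_file_rename",
    "2024-03-01T11:00:00 host=ws-22 user=bob event=unapproved_software_install",
]


def parse_event(line):
    """Parse 'ISO-timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def correlate(lines, window=timedelta(hours=2)):
    """Return {host: {"stages": [...], "timeline": [...]}} for hosts whose
    indicators span at least two stages within `window`; single IOCs are ignored."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["event"] in STAGE_OF:
            by_host[ev["host"]].append(ev)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):           # sliding window from each event
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            stages = sorted({STAGE_OF[e["event"]] for e in cluster}, key=STAGE_ORDER.index)
            if len(stages) >= 2:
                timeline = [f"{e['ts'].isoformat()} {e['user']} {e['event']}" for e in cluster]
                flagged[host] = {"stages": stages, "timeline": timeline}
                break
    return flagged
```

Running `correlate(SAMPLE_LOG)` escalates only ws-17, whose four events cover all three stages, while the lone unapproved install on ws-22 stays informational.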
While detecting a ransomware attack can be difficult for a business, being able to identify all the subtle IOCs of a ransomware attack helps the business understand what stage the attack is in and how to stop it from progressing. Each of these IOCs may be insignificant on its own, but the ability to tie them all together is crucial. By using machine learning, behavioral analysis, and chained analytics models, your business will have the tools it needs to detect ransomware attacks and mitigate the damage they cause.