AppGuard joined its partner Cipher at the FinCyber Today event on 3 November 2021. Cipher presented on the Lifecycle of a Cybersecurity Threat during the Showcase Sponsor section. Cipher delivered an informative demo of how to detect, stop and respond to a cyberattack. Overall, the conference featured prominent subject matter experts in cybersecurity sharing insights and recommendations with attendees.
Lessons from Withstanding Ransomware Attacks
Ransomware, perhaps better called extortion attacks, challenges the resilience of enterprise IT/Sec-Ops. Prevention and detection are only the beginning. Recovering after harm has been done is a serious matter as well.
Enterprises must look at their back-up capabilities. Some systems require more aggressive back-up schedules (continuous, hourly, daily, etc.) than others, in proportion to their risk: a mission-critical server bears far greater risk than an ordinary employee's laptop. Beware, cyber criminals also target back-ups, so enterprises must look to immutable back-ups that cannot be altered or deleted once written.
Capturing forensic data from affected endpoints delays recovery operations, and the resulting investigations don't always identify the threat actors. Response plans should be revised if they do not factor in the time needed for investigation. Response plans should also be rehearsed so they can be performed faster and with fewer irreparable mistakes.
Restoring affected endpoints from back-ups, or reimaging them, does not always go as hoped. The time and effort required to perform these tasks can far exceed expectations. Sometimes the recovery tools do not work correctly or at all. Organizations should rehearse recovery and, if necessary, revise expectations or seek better tools and processes.
Insights from Studying the Ransomware Industry
Extortion attacks are increasingly conducted by ever more complex criminal ecosystems consisting of diverse supply chains with a growing number of specialized roles and responsibilities. They are applying the lessons of the industrial revolution to become more profitable and resilient. Different specialists handle different parts of the business. There are even subject matter experts for hire who identify valuable information within mountains of stolen data, as well as others who broker the sale of that information to buyers.
Like any business looking to grow its earnings, the extortion business requires brand awareness and reputation. Individuals and organizations in this industry cannot be totally hidden in the Dark Web. Building their brand is essential to convincing victims to pay: it substantiates both the promised destructive outcome and the avoidance of that outcome if victims acquiesce.
All industries are targeted. They strike any target of opportunity. Sadly, their tactics have evolved to where they no longer detonate their harm on day one. Instead, they install one or more backdoors, confirm remote connectivity, and return later, when convenient. And remember specialization: the people who gained access are increasingly not the same people who come back to monetize the break-in. Countless organizations in every industry have time bombs within their ecosystems right now that will be activated later.
All this specialization results in more effective operations and attack techniques, making cyber defense all the more challenging. From our blog, learn more about the challenges of detecting malware attacks and how imperfect detection drives up IT/Sec-Ops costs.
Tips for Improving Security Operations Center (SOC) Efficacy
It’s important to first reflect on what makes running SOCs so difficult. First, detecting malicious activities is extremely difficult. No single tool suffices. A SOC must fuse data from numerous disparate sources. And worse, despite assistance from machine learning enhanced tools, it requires many talented analysts to investigate alerts. Much of their time is wasted with false positives, too much irrelevant information, too little relevant data, poorly optimized automation, organizational silos, and lack of familiarity with malicious techniques. Worse, potential attack surfaces are increasingly diverse and expanding. There are too many alerts for too few analysts with too many skills gaps.
Performance metrics sometimes divert focus toward ticket resolution efficiency away from response proficiency for high risk attack techniques. This sub-topic is a big iceberg worth studying.
Anton Chuvakin, one of the most respected market analysts on SOCs, made many recommendations. Big data enthusiasts might have been surprised to hear him say one remedy is addressing the imbalance between detection and prevention. One can never replace the other; too little of either creates too much risk and too much SOC workload. Improving SOC operations would be simpler if alert and data volumes were significantly lowered by more effective efforts at preventing cyber incidents.
SOC tools, much like many other IT/Sec-Ops tools, are created by development personnel and used by DIFFERENT operations personnel. Wherever practical, rotating development personnel into operational roles would lead to better automation widgets or implementations of widgets. Similarly, consider rotations for policy/rules creators and analysts. Ultimately, a SOC can reap big dividends from rotations and continuous learning across team boundaries, making the SOC more adaptive, agile, and more effectively automated to force-multiply personnel.
SOCs would also benefit from reinventing roles with less artificial rigidity caused by definitions of ‘Level 1’ versus ‘Level 3’ analysts. Instead, ‘roles should be more aligned between the skills of individuals with the use-cases that fall under their purview’. Some people are better at dealing with handling suspicious application activities than lateral movement indicators, for example.
Learn more about Anton Chuvakin’s recommendations for improving SOCs by an order of magnitude by reading this short article here, or this detailed white paper called “Autonomic Security Operations, 10x Transformations of the Security Operations Center”.
How AppGuard can Help Your Organization with Ransomware
Ransomware, like other malware, frequently evades detection technologies. It’s no wonder. Malware can have a nearly infinite variety of shapes and disguises. AppGuard is endpoint protection software for Windows and Linux endpoints that complements whatever detection based protection they have. AppGuard is not a detection tool; it takes an entirely different approach. That is why you should consider adding this lightweight tool. Check out this blog post, “There’s a Hole in Enterprise Cyber Defense: Detection-based Protection is Not Enough” to better understand the matter.
AppGuard Lowers Workloads to make SOC Improvement Easier
SOCs are overwhelmed with alerts, data, and threat intelligence feeds. Adding AppGuard to your endpoint defenses alleviates these pressures and frees resources for other layers of the cyber stack; see “Inadequate Malware Detection Drives-up IT/Sec-Ops Costs/Impact”.
AppGuard protects endpoints by enforcing Zero Trust principles WITHIN endpoints, blocking malware attacks without having to detect/recognize them. This not only blocks attacks for which no detection data yet exists but also blocks some detectable attacks earlier, before alerts are generated, before credentials need to be reset, before lateral movement alerts are generated, before harm must be cleaned up, and before yet more work has to be done.