Advanced Ransomware Protection

Segun Ebenezer Olaniyan
6 min read · Jun 23, 2021

Evolving Ransomware

The advent of ransomware in 1989 with the AIDS Trojan (aka PC Cyborg), created by Joseph L. Popp, a Harvard-trained evolutionary biologist, brought a new breed of threat to the threat landscape, and ransomware has been evolving ever since.

More powerful ransomware came to prominence in 2006 with the Archiveus Trojan and GPCode, the first ransomware families to use RSA encryption. The evolution continued with more sophisticated families such as CryptoWall, CryptoLocker, Cryptoblocker, Locky, and others.

Furthermore, 2015 saw the emergence of the Ransomware-as-a-Service (RaaS) model, in which ransomware developers lease variants of their malware in the same manner that legitimate software developers lease Software-as-a-Service products.

Several ransomware variants emerged through RaaS, such as TOX, Fakben, Radamant, Ransom32, and REvil, a RaaS operation that claims to make $100 million per year from ransomware. Since the emergence of RaaS, there has been a rise in ransomware variants, from CryptoHost to Jigsaw. Lately, ransomware has become the favorite cyberattack of cybercriminals because there are loads of this malware, and more is being developed.

The main goal of the evolving ransomware is to penetrate a system, avoid detection, and encrypt files until payday; how this works can be seen in my article titled “Ransomware Kill Chain and How to Protect your Organization”.

SMEs are now the most frequently targeted, with financial gain as the motive. Hence, protecting your organization has gone past the level of just patching systems and other well-known preventive measures to more advanced techniques.

Active Defense — The Advanced Ransomware Protection

Ransomware keeps evolving with more sophisticated variants. Mere preventive measures no longer seem enough, as adversaries keep breaking through irrespective of the measures put in place. Active defense is the modern and effective tactic for tackling the rise in advanced persistent threats like ransomware.

Active Defense is the use of offensive activities to outsmart adversaries and make attacks more difficult to execute. This tactic slows down or derails attackers so that they lose control and fail to complete their mission; it also increases the chance of exposing the attackers’ presence and revealing the attack vector.

Beyond the red side of cybersecurity, active defense complements offensive-driven actions so that organizations can proactively detect and disrupt attacks early and gather the threat intelligence required to understand the attack and prevent future occurrences.

Effective active defense relies heavily on deception technology, which is built to detect an attacker early in the attack cycle by obfuscating the attack surface with decoy devices and digital baits that misdirect the attack. This tricks the attacker or malware into engaging further and believing they are executing their attack, when in reality they are wasting their energy, time, and processing power, and may in turn be providing the defender with intelligence for a counter-response.

Active defense is an effective tactic for advanced ransomware protection in an organization. Beyond that, organizations can use this tactic to become more aware of their attack surface, deal with threats in real time, and gather intelligence about the malware and attacks common to their industry so that the attacks do not resurface.

MITRE Shield: A More Excellent Way

The question that comes to mind is: how can Active Defense be effectively implemented in an organization? MITRE Shield is the answer. Shield grew out of MITRE’s work and experience over the past ten years observing and engaging adversaries in defense of its network.

Shield is a free knowledge base of common tactics and techniques that can help cybersecurity experts take proactive steps to defend their networks and system infrastructure. It presents active defense concepts using an approach similar to MITRE ATT&CK®, a framework that catalogues adversary behavior.

Shield gives your organization better threat detection (including of ransomware), threat intelligence generation, and adversary engagement. All of these can be achieved by applying the Shield techniques in your organization, collecting data from adversaries that are targeting your organization, and deploying services and data in real time to influence adversaries’ behavior.

How ATT&CK Influences Shield’s Effectiveness

Shield has 34 techniques mapped against 8 active defense tactics. It leverages ATT&CK to provide the ability to create an active defense playbook for specific adversaries. Hence, by clicking on a particular adversary behavior in ATT&CK, defenders can open up the recommended tactics and techniques for dealing with that behavior.

Shield tactics describe the effect of active defense activities and why a defender would choose to use a particular active defense technique, while Shield techniques describe the actions defenders take in active defense.

Each technique has a detailed page that provides information about the tactics it supports and the opportunities that are available based on adversary TTPs, as well as use cases and procedures for implementation.

How to Implement MITRE Shield in Your Organization?

Your organization can implement Shield by combining the different techniques and tactics and applying them to design and build a strong and effective active defense system.

For instance, suppose your organization decides to implement the Admin Access technique of MITRE Shield with the following tactics in view: Facilitate, Test, Channel, Disrupt, and Contain.

Your organization’s defender can deploy a target system on which users are allowed or disallowed to perform tasks requiring administrator-level permissions, which enables the defender to inhibit or facilitate attacks against the targeted system.

This scenario example can offer the following Shield opportunities:

DOS0001: There is an opportunity to study the adversary and collect first-hand observations about them and their tools.

DOS0029: There is an opportunity to block an adversary’s intended action and force them to reveal additional TTPs.

DOS0147: In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives.

These opportunities map directly onto the following Use Cases:

DUC0025: Defender can enable Admin Access on the system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools.

DUC0042: A defender can allow admin access on a decoy system or network to allow an adversary to use event-triggered execution.

DUC0025: A defender can configure system users to not have admin access to ensure privilege escalation requires exploitation.

DUC0137: A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI.

DUC0196: A defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit.

DUC0232: A defender can restrict admin access to force an adversary to escalate privileges to delete logs and captured artifacts from a system.

Your defender can follow these procedures to implement this scenario example:

DPR0001: Remove an account’s administrative access from a system or service to require an adversary to reveal techniques for elevating privileges to accomplish certain tasks.

DPR0002: Grant an account administrative access to a system or service to enable an adversary to take advantage of those privileges if they compromise the system or service.
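The two procedures above are a membership change on the local Administrators group plus a record of what was changed, so the defender can later correlate it with the adversary activity the use cases describe. The PowerShell below is an added example, not code from the article or from MITRE Shield; it assumes a Windows decoy host you administer, the built-in Microsoft.PowerShell.LocalAccounts module, and placeholder values for the account name and audit log path.

```powershell
# Added example (not from the article or MITRE Shield): apply DPR0001 (remove admin
# access) or DPR0002 (grant admin access) to a local account on a decoy host and
# append an audit record. Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module; 'decoyuser' and the log path are placeholders.

function Set-ShieldAdminAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Account,                      # local account (placeholder)
        [Parameter(Mandatory)] [ValidateSet('Remove', 'Grant')] [string] $Action,
        [string] $Group    = 'Administrators',
        [string] $AuditLog = 'C:\ShieldAudit\admin-access.jsonl'      # placeholder path
    )

    # Capture membership before the change so the record shows what the adversary could see.
    $before   = @((Get-LocalGroupMember -Group $Group).Name)
    $isMember = $before -contains "$env:COMPUTERNAME\$Account"         # local accounts only

    if ($PSCmdlet.ShouldProcess("$Account on $env:COMPUTERNAME", "$Action $Group membership")) {
        switch ($Action) {
            # DPR0001: remove admin access so privilege-escalation techniques must be revealed.
            'Remove' { if ($isMember)      { Remove-LocalGroupMember -Group $Group -Member $Account } }
            # DPR0002: grant admin access so its use (scheduled tasks, WMI, log clearing) can be observed.
            'Grant'  { if (-not $isMember) { Add-LocalGroupMember    -Group $Group -Member $Account } }
        }
    }

    $after = @((Get-LocalGroupMember -Group $Group).Name)

    # One JSON line per change, timestamped in UTC, for correlation with host telemetry.
    $record = [ordered]@{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        host      = $env:COMPUTERNAME
        account   = $Account
        procedure = if ($Action -eq 'Remove') { 'DPR0001' } else { 'DPR0002' }
        before    = $before
        after     = $after
    }
    New-Item -ItemType Directory -Path (Split-Path $AuditLog) -Force | Out-Null
    Add-Content -Path $AuditLog -Value ($record | ConvertTo-Json -Compress)
    return $record
}

# Disrupt/Contain: strip admin rights from the decoy account, then Facilitate: restore them.
Set-ShieldAdminAccess -Account 'decoyuser' -Action Remove
Set-ShieldAdminAccess -Account 'decoyuser' -Action Grant
```

Run it with `-WhatIf` first to confirm which group membership would change on the host before touching a live decoy.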

The active defense discussed in this article is very powerful; careful implementation of the tactics and techniques will help protect your organization against ransomware and other advanced persistent threats.

In conclusion, the advanced ransomware protection your organization can adopt is Active Defense with MITRE Shield. You can also check out the Smokescreen Deception MITRE Shield Mapping.

Segun Ebenezer Olaniyan

Information Security Risk Manager | Experienced Third-Party Risk Analyst | Cybersecurity Career Coach | Cybersecurity Educator & Speaker