Ransomware: Innovative Risk Management as a Disincentive - Glasswall Solutions

glasswallsolutions.com
“Someone once asked Slick Willie Sutton, the bank robber, why he robbed banks.
The question might have uncovered a tale of injustice and lifelong revenge. Maybe
a banker foreclosed on the old homestead, maybe
a banker’s daughter spurned Sutton for another.

“‘I rob banks because that’s where the money is,’ he [allegedly] said….”1

I. Introduction

Executive Summary

This white paper largely focuses on ransomware as it has been experienced over the last few years. It explores some high-profile incidents, traces the evolution of ransomware campaigns, and offers a couple of approaches to managing risk considering ransomware’s apparent trajectory.

Ransomware is not a new phenomenon, although its rise within mainstream attention reached a crescendo in 2017 with two large-scale campaigns. Based on the security community’s experience in 2017, initial forecasts for 2018 and beyond suggested sustained, if not increased, ransomware campaigns. Experience over the first half of the year, however, indicates a more nuanced trajectory. Whereas ransomware attacks historically were large in scale, opportunistic and not generally targeted, recent campaigns have touched fewer victims, but with greater target specificity. Ransomware attacks, now clearly entrenched as one of many options in threat actors’ arsenals, remain an event of potentially great consequence for victims.

As just one example, SamSam ransomware has been used recently to target transportation and government infrastructures. Following SamSam attacks on Colorado and the City of Atlanta, it was reported in July 2018 that the U.S. network of shipping giant COSCO suffered a ransomware attack. While SC Magazine reports that “[i]t is unclear what type of ransomware was used in the attack,” SamSam is suspected as the most likely cause.2 “The incident took place on July 24 and the company’s American IT infrastructure including email servers, telephone network, and company website” were impacted.3

1 Robert M. Yoder, “Someday They’ll Get Slick Willie Sutton,” in The Saturday Evening Post (January 20, 1951), Vol. 223, Issue 30. Citing an alleged statement from Willie Sutton, who disavowed ever saying it.
2 Robert Abel, “Ransomware attack knocks out shipping giant COSCO’s U.S. network,” dated July 26, 2018. Available at: .
3 Id.

Also on July 24, ransomware spread through the network of Alaska’s Matanuska-Susitna borough, encrypting the “email server, internal systems and disaster recovery servers.”4 This impacted most of Matanuska-Susitna’s desktop computers, 120 servers, telephones and a physical access card system. Although antivirus software “spotted one part of the virus on July 17…[it] failed to detect all the components of the malware.”5 Resourceful employees resorted to using typewriters in order to maintain some level of productivity.

These and other examples highlight a few characteristics of ransomware. First, it can quickly spread across an enterprise or across the globe in either a targeted or opportunistic fashion. Second, as with other malware, antivirus solutions will not always detect a particular strain of ransomware, and even when they do, their ability to eliminate the threat may be incomplete. Third, ransomware is now a commodity tool of cyber threat actors, and the barrier to its use is quite low. Finally, ransomware is generally used to convince a victim to part ways with its money, but not always—a threat actor can just as easily use it as destructive malware with no intention of decrypting impacted files.

Certainly ransomware should be taken seriously, but there is no need to subscribe to the “doom and gloom” narrative that one might spin from recent experience. Well-planned risk management strategies, based on proper assessments of organization assets, threats and vulnerabilities, can be applied in support of organizational business or mission goals. The combination of people, processes and innovative technologies can significantly mitigate the risk of ransomware alongside other forms of malware.

Prologue

Whether Willie Sutton truly offered the rejoinder that he robbed banks because they were the locations with the largest, concentrated amounts of money,6 the underlying logic repeatedly holds true in ongoing efforts to manage cyber risks. Nation state, terrorist and criminal cyber threat actors are smart, organized, and ruthlessly focus their resources where they are most likely to obtain access to the data, processes, money or other targets in which they are interested. This includes the victims themselves and entities with supply chain connections to those victims. It also includes the use of malware and other exploits tied to the most prevalent operating systems and software applications. A survey of ransomware’s evolution and its application by threat actors over the last decade certainly follows Sutton’s purported logic – they simply go where the money is.

In the world of cybersecurity, one could not escape 2017 without a deep

4 Rozina Sabur, “Alaska town returns to typewriters after ransomware attack shuts down computer network”, dated August 1, 2018. Available at: .
5 Id.
6 In his autobiography, Sutton claims that he never offered such an answer.
appreciation of the risks presented by ransomware. In May 2017, WannaCry ransomware spread globally and severely impacted organizations, including the National Health Service in the United Kingdom. Shortly thereafter, the NotPetya malware impacted organizations across over 60 countries, hitting Ukrainian transportation, commercial facilities sectors and the national bank particularly hard. Yet these incidents were just the exclamation point on many years of evolution in ransomware. First observed in 1989, the tactics applied by ransomware have changed over the ensuing decades, but since at least 2004 or so, the end goal of ransomware has been to encourage victims to part ways with their money. However, even recent high-profile ransomware campaigns are not necessarily what they appear to be.

II. 2017: A Window into the Business of Cybercrime

By early 2017, the authors and users of ransomware had matured their tools and tradecraft far beyond their initiatives from a decade earlier. In 2017, ransomware was a prominent tool in the hands of threat actors. And a year later, among the megatrends identified in a February 2018 Ponemon Institute report7 was the “risk [that] cyber extortion and data breaches will increase in frequency” over the next three years.8 This is supported by 67% of respondents who ‘strongly agreed’ or ‘agreed’ that the “risk of cyber extortion (such as ransomware) will increase in frequency and payout,” with 19% judging such cyber extortion to be very frequent in 2018 and 42% expecting it to be very frequent over the next three years. Verizon’s 2018 Data Breach Investigations Report presents a similar forecast, noting that while the 2018 report suggests a decrease in malware and hacking events in 2017, this was largely due to the removal of botnet infections from the data and the fact that the report is based on confirmed data breaches, and “it is important to keep in mind that attacks that [Verizon] see[s] on the rise, such as ransomware and some financial pretexting, do not require a breach of confidentiality for the attacker to meet their goal.”9 Of course, these sentiments were the product of respondents’ own experiences in 2016 and 2017 as well as the visible consequences of two major events in 2017.

7 Ponemon Institute, Research Report, “2018 Study on Global Megatrends in Cybersecurity”, p. 1. Available at: . Sponsored by Raytheon.
8 Id., p. 7.
9 Verizon, “2018 Data Breach Investigations Report”. Available at: .
2017

Early in the morning on May 12, 2017, U.S. authorities began receiving reports from Asia and Europe of a ransomware campaign, which rapidly spread across 150 countries and led to over a quarter of a million infections. Ultimately, it impacted operations at hospitals, automakers, gas stations, railways and shipping companies. Reports suggest that the ransom amount demanded from each victim fell between $300 and $600 in bitcoin, and the perpetrators ultimately made just over $140,000 according to most reporting; it could have been in the multiple millions had they been more organized. Clearly, the significance of the WannaCry campaign had little connection with the actual dollar amount obtained by those responsible (other cyber incidents netted far more), and much more to do with the speed and breadth of its global spread as well as the impact it had on business operations among critical infrastructure entities.

The sting of ransomware in 2017 felt even more painful due to the NotPetya campaign, which followed shortly on the heels of WannaCry in late June 2017. The NotPetya malware, so named due to its similarity with previously seen Petya ransomware, used a few technical options to spread laterally within an organization and to quickly spread globally. For example, it included the use of previously known vulnerabilities, for which patches were already available, and so-called “living off the land” techniques whereby the malware uses legitimate system tools to achieve its intent.

More advanced than WannaCry, NotPetya encrypted victims’ devices and displayed a screen demanding a ransom. Despite this demand and the temporal proximity between WannaCry and NotPetya, there is an important distinction to make between the two. Whereas WannaCry was a rapidly spreading ransomware campaign that netted relatively little revenue, NotPetya was not quite ransomware. It certainly demanded and offered an opportunity for victims to pay a ransom, but the malware and supporting infrastructure were not designed for the threat actors to associate a payment with a particular victim’s device through an installation identifier. As such, perpetrators would be unable to decrypt an affected device upon receipt of payment. In reality, it seems that NotPetya was nothing more than destructive malware—a wiper with the ability to spread fast and wide. In February 2018, the White House released a statement that “[i]n June 2017, the Russian military launched the most destructive and costly cyber-attack in history. The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas.”10

10 Id., p. 7.
While WannaCry and NotPetya may not have shared the ability to decrypt a victim’s device, they did share an ability to impact a vast array of victims over a short period of time. They also shared another attribute. Unlike prior, well-known ransomware campaigns, WannaCry and NotPetya were both attributed to nation state actors. Whereas the latter was attributed to the Russian military, the former was attributed to the North Korean government. The breadth of the campaigns, the destructive nature of NotPetya and the attribution to nation states placed these two events on a plane far apart from prior, concurrent or subsequent ransomware campaigns.

Forecasts

Consistent with the Ponemon Institute and Verizon forecasts of increased risks from ransomware going forward are survey results reported by Cybersecurity Insiders, which found that “Ransomware is the fastest growing security threat, perceived as a moderate or extreme threat by 80% of cybersecurity professionals. 75% of organizations affected by ransomware experienced up to five attacks in the last 12 months alone, 25% experienced [six] or more attacks. 79% predict ransomware to become a larger threat over the next 12 months.”11

And these three forecasts did not stand alone at the end of 2017 and beginning of 2018. In his February 2018 “Statement for the Record” related to the “Worldwide Threat Assessment of the U.S. Intelligence Community”, the U.S. Director of National Intelligence observed that “[t]he risk is growing that some adversaries will conduct cyber attacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war,” and that “[r]ansomware and malware attacks have spread globally, disrupting global shipping and production lines of US companies. The availability of criminal and commercial malware is creating opportunities for new actors to launch cyber operations.”12

SophosLabs noted four 2017 trends that they expected to continue in 2018, including “a ransomware surge fueled by [ransomware-as-a-service (RaaS)] and amplified by the resurgence of worms.”13 Viewing ransomware as a lucrative threat, its authors increased the availability of RaaS on the dark web, which makes it accessible to even those with little technical expertise, while also improving the features of their malware, such as improved encryption and antivirus evasion, broader ransom payment options, and applicability beyond the Windows operating system.14 At least a dozen other forecasts suggested that the experiences of 2017 were expected to continue in 2018 and beyond.

11 Verizon, “2018 Data Breach Investigations Report”. Available at: .
12 Statement from the Press Secretary, The White House (February 15, 2018). Accessed on July 5, 2018 and available at: .
13 SophosLabs, “2018 Malware Forecast”, p. 1.
14 Id., p. 5.
III. Ransomware’s Evolution

Despite the news coverage and government response around the events of May and June 2017, ransomware was nothing new at that time. Digital Guardian reports that “[a]fter the first documented ransomware attack in 1989, ransomware attacks remained uncommon until the mid-2000s…. Popular during this time were Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive.”15 Other, more recent and commonly encountered ransomware variants include CryptoWall, Teslacrypt, Cerber, CTB-Locker, Cryakl, Scatter, and Locky, and the “total number of users who encountered ransomware between April 2015 and March 2016 rose by 17.7% compared to the previous 12 months (April 2014 to March 2015) – from 1,967,784 to 2,315,931 users around the world.”16 And a paper by the Heritage Foundation found that “[b]etween 2011 and 2016 the number of ransomware attacks grew steadily, with incremental evolutions in sophistication and scale. That all changed in 2017.”17

Since mid-2017, ransomware campaigns continued. For example, SamSam ransomware emerged in 2016 and continued to be encountered in 2017 and 2018. In March 2018, the City of Atlanta, Georgia suffered a SamSam ransomware attack, and the State of Colorado previously experienced the same ransomware. In early December 2017, Glasswall Solutions protected one of its customers from a new variant of the GlobeImposter ransomware, which demands $1,037 from its victims and was being distributed via email attachments by the Necurs botnet.18

Plenty of information is available about earlier and current iterations of ransomware. Without repeating that information, it is best to consider two aspects along the historical trajectory of this threat—(1) types of extortion and ransomware, and (2) actor targets and motivations.

15 Nate Lord, “A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time”, dated April 6, 2018. Available at: .
16 Kaspersky Lab, “KSN Report: PC ransomware in 2014-2016,” dated June 22, 2016. Available at: .
17 Klon Kitchen and Megan Reiss, “Ransomware is Coming. It’ll Make You WannaCry,” dated May 8, 2018. Available at: <https://www.heritage.org/technology/commentary/ransomware-coming-itll-make-you-wannacry>.
18 Glasswall Solutions FileTrust™ Advanced Threat Protection prevented this ransomware incident on day “T”, although the antivirus community did not indicate awareness of the ransomware file’s hash until day T+1.

Types of Extortion and Ransomware

Symantec provides an analysis of how online extortion and ransomware evolved between 2005 and 2015.19 Four general categories of extortion and associated ransomware can be used to trace the history of this online threat. These categories include: misleading applications; fake antivirus; lockers; and crypto ransomware. The first category generally presented an end-user with the appearance of a spyware removal or performance optimizing solution available to the user for a fee. Over time, the presence of fake antivirus increased. This category of extortion presented the end-user with alleged scan results, which appeared to detect significant malware infections. Perpetrators scared their victims into purchasing fake antivirus. As the first two categories began to recede in relative prevalence, the activity of locker ransomware increased.

According to Symantec, “[f]rom 2011 to 2012, attackers transitioned from fake antivirus tools to a more disruptive form of extortion. This time, the cybercriminals disabled access and control of the computer, effectively locking up the computer from use.”20 Although locker ransomware has decreased in its relative prevalence, it has not disappeared. However, network defenders and incident response teams sometimes found ways to defeat lockers, leading ransomware authors to expand into crypto ransomware. With a locker, the targeted device may no longer be accessible, but there remains the potential to recover the files stored on its hard drive. However, crypto ransomware encrypts individual files, rendering recovery difficult if not impossible. Interestingly, this final category that emerged over the last three years had a relatively significant presence in 2005, but fell out of favor during the intervening years.21

The trend is fairly obvious. Extortionists generally moved from approaches that relied on using a false threat to scare a victim into parting with its money to approaches that presented very real threats to the availability of a victim’s computing resources or data. Intended victims could learn to differentiate false from real threats, thereby rendering misleading applications and fake antivirus less lucrative. Cyber criminals, however, followed the logic attributed to Mr. Sutton and increased their use of lockers and crypto ransomware, which led to sustainable profits.

19 Kevin Savage et al., “Security Response: The evolution of ransomware”, dated August 6, 2015, pp. 7-11. Available at: <http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf>.
20 Id., p. 9.
21 Id., p. 8.

Victims

The victims of ransomware have largely cut across government and private sector organizations, critical infrastructure sectors, small businesses, and home users. Arguably, small businesses and home users were more susceptible to the early categories of misleading applications and fake antivirus. This has little relationship to the sophistication of a business or user and everything to do with decision-making authority. In a small business or home user setting, the person experiencing the extortion is also more likely to be the person in a position to spend money on the security and maintenance of their information technology resources. In larger organizations, the initial victim is more likely—although not always—to defer to an information technology department for handling the issue and making payment. At that point, information security professionals have the opportunity to intervene, recognizing the false threats for what they are.

With respect to lockers and crypto ransomware, however, the advantage of the larger organization falls away. The threats are real and, absent the execution of pre-existing risk management strategies, the pressure to pay a ransom may be very great.

Again, the shift to ransomware types that open up greater opportunities to extort large public and private sector organizations reflects one of the most predictable attributes of unpredictable threat actors—they and their tools will gravitate towards the victims of greatest value to them. The NotPetya experience, although technically not ransomware, shows that value is not always reducible to clear monetary amounts. Especially among nation states, strategic interests can have much more to do with disruption of infrastructure and institutions within competitor nations.

There is no reason to believe that threat actors will abandon their pursuit of victims they value. However, the continued trajectory of ransomware is not as obvious.

IV. The Threat Landscape Isn’t So Clear: The Latest Observations

The cybersecurity community entered 2018 with well-defined ransomware capabilities and victims. Ransomware tools had evolved in their ability to spread quickly and cause considerable disruption. A debate around whether or not to pay requested ransom amounts co-existed with the increasingly visible events. Whereas law enforcement generally encouraged victims to not pay the ransom, the final decision belonged to the asset owner. Within this context, security professionals predicted that 2018 would see a growth in ransomware.

Yet, by mid-2018, assessments suggested a more nuanced trajectory. In March 2018, a Recorded Future blog noted that over 2017 and into 2018 there actually had been “a steady decline in ransomware campaigns”, that ransomware efforts were becoming much more targeted, focusing on specific industries and using a greater number of variants, and that RaaS “would continue to thrive, at least through 2018.”22 Similarly, in April 2018 it was observed that ransomware “is falling into such a steep decline that some of the major families responsible for taking millions from victims have ceased operation….It is a sharp contrast to how ransomware performed during 2017.”23

This and similar reporting indicates that while ransomware is not expected to disappear as a concern, it is expected to evolve. Less indiscriminate than the campaigns of 2015 through the high-profile campaigns of 2017, threat actors are using ransomware to focus on specific victims. And while the common ransomware families appear to be dying, the ransomware that remains is being presented to victims through the use of larger malware variants. Finally, access to the malware is widely available through RaaS.

This is perhaps as worrisome as the broad ransomware salvos of the last few years. Now, potential victims are likely to be specifically targeted. SamSam ransomware, for example, is now characterized by threat actors scanning for the presence of specific vulnerabilities that can be exploited to achieve an initial infection as an alternative to using phishing emails. And once inside a victim’s network, SamSam threat actors “prep[] the victim for full exploitation.”24 In this emerging era of ransomware, a threat actor will have the discipline and focus to tailor its delivery mechanism, such as spear phishing emails with attached malicious files, to achieve a greater probability of exploiting the victim.

22 Allan Liska, “5 Ransomware Trends to Watch in 2018”, dated March 6, 2018. Available at: <https://www.recordedfuture.com/ransomware-trends-2018/>.
23 Danny Palmer, “Ransomware: Not dead, but evolving nasty new trick”, dated April 9, 2018. Available at: <https://www.zdnet.com/article/ransomware-not-dead-but-evolving-nasty-new-tricks/>.
24 Doug Olenic, “SamSam ransomware payments hit $6 million, malware called labor intensive to operate”, dated July 31, 2018. Available at: .

At the same time, increasing varieties of a particular piece of ransomware have the potential to avoid detection and prevention by signature- and heuristic-based intrusion prevention, next-generation firewall and antivirus solutions.

Yet if recent reporting is correct, then most organizations are unlikely to experience ransomware unless they are targeted. From a risk management perspective, an organization needs to understand where it falls in relation to the early 2018 forecasts and the nuanced trajectory suggested more recently. From an organization’s perspective, determining the probability of facing ransomware is important. But RaaS, which lowers the bar for those who want to use this threat, and the threat actor-specific determinations of victim value, which suggest a dynamism around whether one is a target at a particular time, suggest that a given probability determination could quickly become stale.

V. How to Manage Risk as Ransomware Evolves

If ransomware is seen for what it now is—just one more commoditized tool to achieve cybercriminal and nation state goals of financial gain, disruption or obfuscation—then associated risk management approaches are relatively straightforward. Ransomware risk management fits well within broader risk management efforts. This is evident through a decomposition of the risk. Whether risk is: (1) presented as the common function of a threat interacting with an exploitable vulnerability and a resulting consequence; (2) identified using the Factor Analysis of Information Risk and its focus on quantifiable loss event frequency, loss magnitude and their concomitant threat, vulnerability and loss component measurements; or (3) assessed using any other common methodology; the risk manager’s conclusion is clear. Ransomware risk can be mitigated to a level at which remaining risk is either acceptable or fit for transfer. The mitigation techniques are nothing new. An asset owner can choose to mitigate threats (or at least the threat vectors), vulnerabilities, consequences, or a combination thereof. However, as will be discussed, innovations in threat vector mitigation offer tremendous opportunities for broader risk management efforts.

Beginning in reverse order, consequence mitigation strategies include business continuity planning, recovery planning, and the implementation of back-up and recovery solutions such that systems can be reconstituted and data restored based on pre-determined restoration points and maximum downtime targets.
Whether a threat actor wants to extort money in exchange for decrypting files, or whether an actor is focused on disrupting a business or sector, a well-planned, exercised and practiced back-up and recovery strategy will greatly mitigate the consequences. Of course, this approach also could be used to mitigate the consequences from other types of attacks as well as non-malicious human errors and natural disasters that impact an organization’s data. As such, it serves as a threat-agnostic, all-hazards risk management solution.

Some ransomware and initial ransomware infection vectors will be designed to exploit known, published vulnerabilities. A vulnerability management program, which likely includes vulnerability detection, patch management and other mitigations, can limit the attack surface available to ransomware. Similarly, configuration management, proper network segmentation, and identity, credential and access management can prevent or otherwise limit ransomware’s ability to spread laterally within an organization. Of course, instituting these practices will provide vulnerability mitigation beyond the threat of ransomware.

Finally, the ransomware threat vector can be mitigated. Common approaches include the use of intrusion prevention systems, next-generation firewalls, antivirus and sandboxing solutions. These are all good, if not best, practices. But they should be seen as baseline solutions. More is required. Focusing on the common threat vector of ransomware delivered via a spear phishing email, organizations looking to mitigate the ransomware risk should consider their defensive postures and how to improve them in light of the threat. Generally, email attachments are scanned by traditional, signature-based antivirus solutions at the email gateway and upon execution at enterprise endpoints. Innovations have added heuristic-based antivirus solutions and sandboxing opportunities. Such solutions’ success is largely based on prior experience—a combination of previously seen malicious files, malicious behaviors, suspect behaviors, and other attributes of prior attacks. Yet email-based malware continues to effectively compromise individuals and organizations. Increasingly, it is used as a pivot-point from which so-called “file-less” malware can be introduced into an enterprise, presenting its own detection and prevention challenges. And as recently observed, the number of ransomware variants in use appears to be increasing, thereby reducing the chance of successful detection and prevention.
Considering the success of threat actors using phishing emails loaded with ransomware attachments, one can only conclude that while detection is necessary for effective cybersecurity, it is not sufficient. The “SANS 2018 Survey on Endpoint Protection and Response” suggests that “[t]raditional tools are no longer sufficient to detect cyberattacks, the data shows: Antivirus systems only detected endpoint compromise 47% of the time,” and that advanced behavior-based detection tools are being purchased, but not used due to lack of training and bandwidth among already over-worked information security teams.25 For too long, the cybersecurity community has been trying to solve an increasingly intractable problem—identifying and stopping malicious file attachments before they infect an endpoint or network. Yet, automated assembly-line ransomware generation on an industrial scale, coupled with sandbox-aware or at least sandbox-evading attributes, will continue to defeat detection approaches far too often. The end goal of preventing malicious files from infecting an enterprise remains sound, but it requires solving a simpler problem. Instead of detecting and preventing “known-bad” files, enterprise email security must incorporate technology to simply look for, generate and pass “known-good” files.

Generating and passing “known-good” files can be achieved using deep-file inspection, remediation and sanitization technology (d-FIRST™), which has been maturing for several years and is already available in the cybersecurity marketplace. Glasswall FileTrust™ Advanced Threat Protection is just such a technology. In near real-time, it will compare a file to that file type’s standard or specification (e.g., Microsoft Office specifications, ISO 10918 for JPEG, ISO 32000 for a PDF file), regenerate the file in accordance with that specification, and pass the file forward. During the regeneration process, Glasswall FileTrust™ performs two sets of actions. First, it remediates structural deviations from the file type specification. This includes fixing byte-level anomalies, which may be intentionally or unintentionally introduced into the file, but can create unwanted consequences. Second, it sanitizes functional aspects of the file based on an enterprise’s security policies. For example, it can remove extensible attributes, such as macros, JavaScript, embedded files and metadata. Sanitization can be applied differently depending on user groups and their business needs.

The d-FIRST™ approach is a departure from traditional security techniques; more to the point, its approach is the complete opposite of all preceding security solutions. All files are subjected to the process on a least-trust basis, instead of only acting on files that match a known signature or heuristic pattern. The results, however, fill a gap in traditional architectures. For instance, Glasswall Solutions tested 6,000 known and unknown malicious files with a global defense contractor.

25 Kelly Sheridan, “Less Than Half of Cyberattacks Detected via Antivirus: SANS”, dated July 16, 2018. Summarizing the SANS 2018 report and available at: .
Initially, only an antivirus solution was deployed. Of the 6,000 malicious files, 3,592 of the files were detected by the antivirus solution—a 40.13% failure rate. Subsequently, a heuristic layer was added by the systems integrator, which reduced the failure rate to 35.58%. Finally, Glasswall FileTrust™ was inserted in place of the signature- and heuristics-based solutions. Each of the 6,000 files was effectively remediated and sanitized because Glasswall FileTrust™ was not looking for known-bad.

In an operational example, a well-known brand that is a Glasswall Solutions customer in the tech sector received 347 million emails over a six-month period, including Microsoft Office, PDF and image files. Four layers of defense were applied to the files, including next generation firewalls, anti-spam and anti-phishing filters, antivirus solutions and a heuristics filter. Fifty-five million of the original files were processed and allowed to pass as ‘clean’ to Glasswall FileTrust™, the company’s final line of defense prior to the email server. The multiple security layers failed to prevent 171 malicious files, almost an average of one file per day. According to the customer, Glasswall FileTrust™ neutralized the threats with no impact to the end-user experience. Glasswall Solutions began querying well-known malware repositories with the hashes of the original 171 malicious files. In some cases, the malware was known to the antivirus community, but the traditional solutions lacked a matching signature and did not interdict those files; similarly, the sandbox layer had been bypassed using new and previously unseen techniques, so it was not looking for that malign behavior. In other instances, not only did Glasswall FileTrust™ protect the customer on day-zero, but it took up to three, seven and even 30 days for the antivirus community to indicate awareness of the malicious files, and longer for the sandbox vendor to develop, test and release its updated software. Of course, with the d-FIRST™ approach this is to be expected. By subjecting all files to the security solution, previously unknown malware will be rendered inert. Customers are not only protected by Glasswall FileTrust™ on day-zero, but they have access to personalized threat intelligence as these are files often specifically directed towards them.

As with consequence and vulnerability mitigation strategies, the deployment of Glasswall FileTrust™ Advanced Threat Protection alongside more traditional solutions is threat-agnostic. Whether an adversary is engaged in a ransomware campaign or attempting to introduce another type of file-based malware into an enterprise, Glasswall FileTrust™ Advanced Threat Protection will neutralize the threat.

It serves an organization well to identify those risk management solutions that can best mitigate the widest set of probable threats, vulnerabilities and consequences. At the same time, not all systems and data are of equal value to the organization or threat actors. Investment and architectural decisions should take this into account, applying security, back-up and recovery solutions based on risk-informed decisions. Glasswall Solutions can support this effort through a no-cost risk assessment, which will demonstrate current security gaps and exposures as they relate to the formatted files entering and exiting an enterprise.
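The regeneration step this section describes, as an added illustration that is not Glasswall's code: a minimal JPEG (ISO 10918) marker-level parser that refuses structural deviations, rebuilds the file from the parsed segments only (so bytes appended after EOI never reach the output), and leaves out APPn/COM metadata segments under a simple policy switch. The sample file is constructed for the demonstration and is not a decodable image.

```python
import struct

# ISO 10918-1 marker values. APPn (E0-EF) and COM (FE) hold metadata (EXIF, XMP,
# comments) that a decoder never needs in order to render the image.
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
RST = set(range(0xD0, 0xD8))
SCAN = -1  # pseudo-marker for the entropy-coded bytes that follow an SOS header

def seg(marker, payload):  # FF, marker, 2-byte big-endian length (incl. itself), payload
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def parse_jpeg(data):
    """Walk the marker structure; return (segments, bytes_after_EOI) or raise."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    segs, pos = [(SOI, b"")], 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker, pos = data[pos + 1], pos + 2
        if marker == EOI:
            return segs + [(EOI, b"")], data[pos:]
        if marker in RST or marker == SOI or pos + 2 > len(data):
            raise ValueError(f"unexpected marker or truncated header FF{marker:02X}")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} in segment FF{marker:02X}")
        segs.append((marker, data[pos + 2:pos + length]))
        pos += length
        if marker == SOS:  # in scan data, 0xFF may only be followed by 0x00 or RSTn
            start = pos
            while 0 <= (pos := data.find(b"\xff", pos)) < len(data) - 1 and (
                    data[pos + 1] == 0 or data[pos + 1] in RST):
                pos += 2
            if pos < 0 or pos + 1 >= len(data):
                raise ValueError("scan data runs off the end of the file")
            segs.append((SCAN, data[start:pos]))

def regenerate(data, strip_metadata=True):
    """Rebuild from parsed segments only: bytes after EOI are dropped; APPn/COM optional."""
    segs, trailing = parse_jpeg(data)
    out, removed = bytearray(), []
    for marker, payload in segs:
        if strip_metadata and (0xE0 <= marker <= 0xEF or marker == COM):
            removed.append(marker)  # metadata left out of the regenerated file
        elif marker in (SOI, EOI, SCAN):
            out += payload if marker == SCAN else bytes([0xFF, marker])
        else:
            out += seg(marker, payload)  # re-encoded from parsed fields, not copied
    return bytes(out), {"removed": removed, "trailing_bytes": len(trailing)}

# Constructed sample (not a decodable image): SOI, APP1 EXIF, COM, DQT, SOS header,
# scan bytes with a stuffed FF00 and an RST0, EOI, then 5 bytes appended after EOI.
SAMPLE = (b"\xff\xd8" + seg(0xE1, b"Exif\x00\x00private") + seg(COM, b"note")
          + seg(0xDB, b"\x00" + bytes(64)) + seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9" + b"EXTRA")
```

Running regenerate(SAMPLE) yields a 90-byte file with both metadata segments and the trailing bytes gone, and the same function raises ValueError on a truncated copy instead of passing it through.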
VI. Conclusion

Ransomware can cause significant losses in terms of extortion payments, the interruption of business operations, and associated cascading consequences. Clearly, some within the security community expect the threat of ransomware to increase in prevalence. Others expect the threat to remain, but evolve in terms of its victims, availability to a broader set of users, and ability to evade traditional security solutions. The events of 2017 confirm that ransomware is no longer the tool of cyber criminals focused solely on financial gain—nation states have their own, unique use-cases for it. No doubt, the direction ransomware will actually take over the next few years is unclear. However, the associated approaches to managing the risk it presents are well-defined.

One need only take a step back and assess cyber threat actors for what they are—value-maximizing individuals and entities. Just like Willie Sutton, they will target the prize—data, money, disruption or other objectives they value—in their efforts. Whether an organization is confronting ransomware, other malware-based attacks, other malicious activity, or non-malicious incidents, a common set of established and emergent risk management practices are available. In the aggregate, the threats driving these incidents will not stop. Smart prevention, response and recovery investments are available to address them in the aggregate.

UK: +44 (0) 203 814 3900   cdssales@glasswallsolutions.com
USA: +1 (866) 823 6652     glasswallsolutions.com
Glasswall Solutions limited   @glasswallnews