Team Acalvio | March 4, 2020
Deception Technology for Military and Defense
The U.S. DOD Cyber Strategy has evolved quickly to meet a broad mix of current and expected threats. Computer and network security controls and strategies are the foundation of new military warfighting strategies: they must be designed to gain and hold information advantage, to strike at any distance, and to enable reliable and secure global command and control. At the same time, our commercial business infrastructure depends on a reliable and secure internet to conduct commerce, so the strategy may also cover the defense of non-DOD-owned Defense Critical Infrastructure (DCI) and Defense Industrial Base (DIB) networks and systems. Strategically, the U.S. DOD is in competition with overseas powers, including Russia and China, that have used cyber-enabled military operations to influence our elections, exfiltrate sensitive military data, and gain advantage wherever and whenever possible. Nation-states are not the only problem: well-funded organized crime also threatens DOD agencies and branches, may act as a proxy for some of these nation-states, and has demonstrated increasingly high levels of skill in recent cyber attacks. All of this requires a comprehensive strategy to preserve our cyber advantages and to identify and stop attackers before they can damage our infrastructure or exfiltrate sensitive data. In support of this, the DOD has developed a new strategy, in concert with our allies and key partners, designed to strengthen cyber capacity, expand combined cyberspace operations, and increase information sharing. The new DOD strategy, published in 2018, is comprehensive and outlines five pillars of focus that support and execute the overall national strategy.
Team Acalvio | October 7, 2019
Acalvio Detects CyberThreat at Semiconductor Manufacturer
Our newly released Deception @ Work report summarizes a cyberattack at a semiconductor manufacturer involving a recently discovered insider attack. The report describes the attack, shares details of the compromise, and provides evidence of the high accuracy and unique capabilities of deception technology in identifying attacker activity. Our client, a leading fabless semiconductor manufacturer, has billions of dollars in revenue, facilities in many countries, and many thousands of employees. Initially they wanted to increase network visibility and reviewed the addition of new security controls. Their existing toolsets focused on perimeter defense and detection and did not provide the internal visibility and detection they required. The manufacturer required technology that would not use agents or rely on signature recognition. They also suffered from severe alert management overload and did not want to add a significant new burden to the traffic that was already overwhelming their SIEM and security operations center (SOC) personnel. They also needed automation to make deployment of the new security controls across their global networks easy. Their security team was strong but short-handed and often challenged with managing personnel transitions. Ultimately, after a comprehensive review of security control technology, they selected Acalvio ShadowPlex. They first deployed the software within their corporate headquarters and then across the manufacturing plants and engineering centers. This included multiple decoys across two different VLANs: one VLAN was part of their production facility and the other was within the DMZ. Within 72 hours the Acalvio ShadowPlex installation detected anomalous activity coming from one user's Windows workstation. Apparent attacker activity was touching several of the decoys within the network.
Initial investigation found malware that the existing signature-based EDR had been unable to detect. Over the next few hours, it was determined that a malicious attacker was making multiple login attempts using a wide variety of compromised credentials. The attacker was using scripts stolen from the manufacturer's red team, in particular a script taken from one tester that had his credentials embedded in it, to continue reconnaissance of this and many other network VLANs. IP addresses are obfuscated or hidden to protect the identity of the manufacturer and the confidentiality of any law enforcement investigation that might be ongoing at this time.
Team Acalvio | September 17, 2019
The Reserve Bank of India – Cyber Security Framework
The cybersecurity guidelines issued by the Reserve Bank of India (RBI) in 2016 serve as a stark reminder of the need for robust cyber threat detection and response. Although the RBI released extensive IT security guidelines in 2011, it felt compelled to update its guidance with the “Cyber Security Framework in Banks” (CSF) five years later, because the original advisory didn't sufficiently address the need for post-breach capabilities. Since we at Acalvio are all about “post-breach”, it's great to see the central bank of such a large country take a leadership role in mandating effective response capabilities. Let's look at the Cyber Security Framework at a high level. The core goal of the CSF is to compel banks to establish adequate capabilities to reliably detect, respond to, and contain threats that have penetrated their defenses. This is clear from the three main sections (annexes) of the CSF:

1. Baseline security controls, including real-time monitoring, anomalous behavior detection, and core controls such as configuration management, patching and access control.

2. Establishing a Cyber Security Operation Centre. It is important to note that the SOC guidelines specifically call out the use of honeypot services. This is one of the very few places where the framework specifies a particular technology, which speaks to the clear value of honeypot solutions in detecting and responding to advanced threats.

3. Establishing an Incident Response plan and supporting program. The IR plan includes a Cyber Crisis Management Plan (CCMP), which should address incident detection, response, recovery and containment. Incident notification: banks must promptly notify the RBI of all “unusual” cyber-security incidents, whether successful or not. The notification can take no more than 6 hours, which means that detection and analysis must take place extremely quickly.

“The systems that NEED to be put in place as a part of the Cyber SoC requires the following aspects to be addressed….Counter response and Honeypot services” (Cyber Security Framework in Banks, RBI, 2016)
Team Acalvio | July 12, 2019
NIST’s Expertise on APTs: Gaining Serious Insight – Acalvio
If there's any organization that knows about dealing with advanced persistent threats (APTs), it's NIST. The US government is constantly targeted by the most sophisticated adversaries, and the attacks are directed both at the government agencies themselves and at supporting organizations like service providers and defense contractors. Unfortunately, all too often these attacks have been successful. The silver lining is that, as a result, NIST is very well informed about not just how APTs operate but why organizations fail to stop them.

800-171B

NIST has leveraged this knowledge to come up with new recommendations in a document called 800-171B. This update to an existing standard is focused on “enhanced” controls to protect particularly sensitive data being processed by service providers that support the federal government. However, NIST clearly states that the controls should also be applied by anyone who cares about mitigating APTs:

“Everyone has high value assets, from small businesses to Fortune 500 companies. These enhanced defenses are great tools for anyone to use. We do our jobs primarily for the federal government, but everyone gets to take advantage of NIST's cybersecurity guidance.” (Ron Ross, 800-171B contributor, NIST)

800-171B makes it clear that the initial penetration by the APT is just the start of the battle, and that there are many things that can and should be done to limit or prevent lateral movement and data compromise following the initial breach. 800-171B has a number of great suggestions, but it should be no surprise that here at Acalvio we're partial to the requirement to implement deception:

“Employ technical and procedural means to confuse and mislead adversaries through a combination of misdirection, tainting, or disinformation.” (NIST 800-171B, Requirement 3.13.3e)

The requirement lists three critical benefits of deception:

1. Reveal the presence of the attacker.
2. Confuse and mislead the attacker to delay and degrade his efforts.
3. Reveal the TTPs (tactics, techniques, and procedures) being used by the attacker.

These align perfectly with the benefits of Acalvio ShadowPlex; we couldn't have said it any better ourselves! The only thing we would add is that deception is more operationally efficient and less risky than alternatives that attempt to provide similar benefits. But I suppose that's implied in the fact that NIST is mandating deception: they know that third-party organizations supporting the government don't have endless resources, so the efficiency of the control set is an important consideration. NIST 800-171B is open for public comment until August 2019 and, after the standard NIST review process, will go into effect. But the threat actors aren't bound by this schedule; they're on the offensive today. So it's a good idea to review the document now, and start assessing how your controls stack up and how you can do a better job of lowering the risk from APT-class attacks.
Team Acalvio | June 25, 2019
The Deceptively Simple Shortcut to Visibility
If you've ever had a security vendor pitch their whiz-bang internal network threat prevention solution, you've probably thought at some point, “You're getting ahead of yourself. First we need to know what's going on, then we can talk about active controls on the internal network.” The problem is that gaining visibility is a lot easier said than done. Because the security team is usually in no position to gate application deployments, and inventory management systems are notoriously inaccurate, Security has to resort to active monitoring to gain visibility. Unfortunately that's hard to do, and getting harder. In the good ol' days, intranet visibility was more straightforward: you could concentrate on the Internet perimeter and the data center access layer, because all of the interesting traffic was north/south (client to application). But now the situation is more complex, for several reasons:

- Application architectures have changed, resulting in far more east/west traffic within the data center.
- Virtualization confines much traffic to virtual distributed switches, which are harder to access.
- Public cloud offers fewer options for visibility, and significant costs can be incurred.
- In general the environment is just more dynamic, with trends like BYOD and micro-services accelerating the rate of change.

So maintaining an accurate picture of what's going on requires hour-by-hour insights, or worse. So what to do? Visibility boils down to two things: knowing about the threats, and knowing about the legitimate traffic. For the latter, it's critical to establish read-only links with the orchestration systems and APIs that are available to provide real-time updates on applications and authenticated clients. Fortunately those APIs are much better developed than just a few years ago. And for seeing “the bad stuff”, consider using deception solutions such as Acalvio ShadowPlex. These solutions focus on one thing: providing visibility into threats with a high level of fidelity.
They are much easier to implement than traditional tap or SPAN port solutions because they are deployed as hosts on each network and don't need to “see” all the traffic. That means no need for promiscuous-mode switch or virtual ports. This also eliminates concerns that the visibility solution might affect network performance. Most importantly, they provide both visibility and detection in a single solution, including the ability to engage an adversary to understand his methods and motivations. Now we're talking about real visibility! This means much less work to get to the desired result: find and handle the threats in an operationally and financially viable manner.
Team Acalvio | April 30, 2019
Using Deep Learning for Information Security – Part 2
Authors: Santosh Kosgi, Mohammad Waseem, Arunabha Choudhury, and Satnam Singh

Deep learning-based methods have recently been applied successfully to various computer vision and NLP problems [1]. AI researchers have achieved statistically significant improvements in pushing the benchmarks for state-of-the-art algorithms in object detection, language translation, and sentiment analysis. However, the application of deep learning in information security (InfoSec) is still in its nascent stages. We introduced deep learning and its applications for InfoSec in our earlier article [2]; this blog is a continuation of that topic. Malware detection and network intrusion detection are two areas where deep learning has shown significant improvements over rule-based and classic machine learning-based solutions [3]. Specifically, we demonstrate the power of deep neural networks, using TensorFlow and Keras, to detect obfuscated PowerShell scripts.

PowerShell is a task automation and configuration management framework consisting of a robust command line shell. Microsoft made it open source and cross-platform in August 2016. PowerShell has been a heavily exploited tool in various cyber attack scenarios. According to a research study by Symantec, nearly 95.4% of all scripts analyzed by the Symantec Blue Coat Sandbox were malicious [4]. The Odinaff hacker group leveraged malicious PowerShell scripts as part of its attacks on banks and other financial institutions [5]. One can find many tools like PowerShell Empire [6] and PowerSploit [7] on the internet that can be used for reconnaissance, privilege escalation, lateral movement, persistence, defense evasion, and exfiltration. Adversaries typically use two techniques to evade detection. First, by running fileless malware, they load malicious scripts downloaded from the internet directly into memory, thereby evading antivirus (AV) file scanning.
Second, they use obfuscation to make their code challenging to decode, making it more difficult for AV or an analyst to figure out the intent of the script. Obfuscation of PowerShell scripts for malicious intent is on the rise, and the task of analyzing them is made even more difficult by the high flexibility of PowerShell's syntax. In Acalvio high-interaction decoys, we can monitor PowerShell logs, commands, and scripts that the attacker tried to execute in the decoy. We collect these logs, analyze them in real time, and detect whether each script is obfuscated or not.

Problem:

For a Windows operating system, Microsoft PowerShell is an ideal candidate for the attacker's tool. Firstly, it is installed by default in Windows, and secondly, attackers are better off using existing tools that allow them to blend in well and possibly evade antivirus (AV). Since PowerShell 3.0, Microsoft has enhanced PowerShell logging considerably. If Script Block Logging is enabled, one can capture commands and scripts executed through PowerShell in the event logs. These logs can be analyzed to detect and block malicious scripts. Obfuscation is typically used to evade such detection. Bohannon and Holmes address the problem of detecting obfuscated scripts in their Black Hat paper [8]. They used a logistic regression classifier trained with gradient descent to achieve reasonable classification accuracy in separating obfuscated scripts from clean scripts. However, using a deep feed-forward neural network (FNN) may enhance other performance metrics such as precision and recall. Hence, in this blog we decided to use a deep neural network and compare its performance metrics with those of different machine learning (ML) classifiers.

Dataset:

We use the PowerShellCorpus dataset published and open sourced by Bohannon [9] for our data experiments. The dataset consists of around 300k PowerShell scripts scraped from various sources on the internet such as GitHub, PowerShell Gallery, and TechNet.
Apart from this, we also scraped PowerShell scripts from PoshCode [10] and added them to the corpus. In the end we had nearly 3 GB of script data consisting of 300K clean scripts. We used the Invoke-Obfuscation [11] tool to obfuscate the scripts. Once we had obfuscated all scripts with this tool, we had a labeled dataset in which each script carries the class label clean or obfuscated.

Data Experiments:

All the activities performed by an attacker in a high-interaction decoy are malicious. However, obfuscation detection asserts the presence of an advanced attacker. Here is a simple PowerShell command to get a list of processes:

Get-Process | Where {$_.Handles -gt 600} | sort Handles | Format-Table

This command may be obfuscated as:

((("{2}{9}{12}{0}{3}{10}{13}{4}{18}{8}{17}{11}{5}{16}{1}{15}{14}{7}{19}{6}"-f'-P','es','G','rocess8Dy Whe',' {','S','le','-Ta','-gt','e','r','y ','t','e','t',' 8Dy Forma','ort Handl',' 600} 8D','RYl_.Handles ','b')) -crePLACE'8Dy',[cHar]124-crePLACE'RYl',[cHar]36) | IEx

This looks suspicious and noisy. Here is another example of a subtle obfuscation of the same command:

&("{1}{2}{0}"-f 's','G','et-Proces')| &("{1}{0}"-f'here','W') {$_.Handles -gt 600} | &("{1}{0}" -f'ort','S') Handles | .("{1}{0}{2}"-f '-','Format','Table')

This obfuscation makes it hard to detect the intent of a PowerShell command or script. Most of the malicious PowerShell scripts in the wild have these kinds of subtle variations, which help them evade AVs easily. Practically, it is nearly impossible for a security analyst to review every PowerShell script to determine whether it is obfuscated or not. Therefore, automating obfuscation detection is required. One can use a rule-based approach for obfuscation detection; however, it may not detect many obfuscation types, and a large number of rules need to be written manually by a domain expert. Therefore, a machine learning/deep learning-based solution is an ideal solution for this problem.
Typically, the first step of machine learning is data cleanup and preprocessing. For the obfuscation detection dataset, preprocessing removes Unicode characters from each script. Obfuscated scripts look different from normal scripts: some combinations of characters used in obfuscated scripts are not used in normal scripts. So we use a character-level representation for all PowerShell scripts instead of a word-based representation. Another reason is that, in PowerShell scripting, sophisticated obfuscation can sometimes completely blur the boundary between words, tokens and identifiers, rendering word-based tokenization useless. Character-based tokenization is also used by security researchers to detect obfuscated PowerShell scripts; Lee Holmes from Microsoft explored character frequency-based representation and cosine similarity to detect obfuscated scripts in his blog [12]. There are multiple ways in which characters can be vectorized. One-hot encoding of characters represents every character by a bit, which is set to 0 or 1 depending on whether that character is present in the script or not. Classifiers trained with single-character one-hot encoding perform well. However, this can be improved by capturing the sequence of characters. For example, a command like New-Object may be obfuscated as ('Ne'+'w-'+'Objec'+'t'). The plus (+) operator is common in any PowerShell script. However, plus (+) followed by a single (') or double quote (") may not be as common. Therefore, we use tf-idf character bigrams as the feature input to the classifiers.
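As an added illustration of the feature-engineering step just described and of the classifier comparison later in the post (this is constructed example code, not Acalvio's model and not trained on the PowerShellCorpus), the following Python builds tf-idf character-bigram features for a handful of constructed clean and obfuscated PowerShell snippets, trains a logistic-regression classifier by gradient descent (the approach the post attributes to Bohannon and Holmes; the deep FNN would consume the same feature vectors), and lists each class's highest-scoring bigrams in the style of the two lists below. Lowercasing the scripts before bigram extraction, the smoothed idf formula, L2 normalisation of the vectors, the learning rate and epoch count, and every sample script are this example's own assumptions.

```python
import math
import re
from collections import Counter

# Constructed training samples (not from the PowerShellCorpus). The obfuscated
# ones use the -f string reordering and 'a'+'b' concatenation tricks shown above.
CLEAN_SCRIPTS = [
    "Get-Process | Where {$_.Handles -gt 600} | Sort Handles | Format-Table",
    "Get-ChildItem -Path C:\\Temp -Recurse | Where-Object { $_.Length -gt 1MB }",
    "$svc = Get-Service -Name Spooler; if ($svc.Status -eq 'Running') { Stop-Service $svc }",
    "$client = New-Object System.Net.WebClient; $client.DownloadString($url)",
    "Get-EventLog -LogName Security -Newest 50 | Select-Object TimeGenerated, EventID",
    "foreach ($user in Get-LocalUser) { Write-Output $user.Name }",
]
OBFUSCATED_SCRIPTS = [
    "&(\"{1}{2}{0}\"-f 's','G','et-Proces')| &(\"{1}{0}\"-f'here','W') {$_.Handles -gt 600}",
    "('Ne'+'w-'+'Objec'+'t') ('Sys'+'tem.Net.'+'WebClient')",
    "&('Get'+'-Chi'+'ldItem') ('C:'+'\\Te'+'mp') -Recurse",
    "IEX (\"{0}{1}\" -f 'Get-Ser','vice') ('Spo'+'oler')",
    ".(\"{1}{0}{2}\"-f '-','Format','Table') | &('Out'+'-Nu'+'ll')",
    "$x=('Wri'+'te-Out'+'put'); &$x (('a'+'b'+'c'))",
]

def preprocess(script):
    # Strip non-ASCII characters (as the post does); lowercasing is this example's assumption.
    return re.sub(r"[^\x00-\x7f]", "", script).lower()

def bigrams(text):
    return [text[i:i + 2] for i in range(len(text) - 1)]

class CharBigramTfidf:
    """tf-idf over character bigrams; vocabulary and idf are learned from the training docs."""

    def fit(self, docs):
        df = Counter()
        for d in docs:
            df.update(set(bigrams(d)))
        n = len(docs)
        self.idf = {g: math.log((1 + n) / (1 + c)) + 1.0 for g, c in df.items()}  # smoothed idf
        return self

    def transform(self, doc):
        grams = bigrams(doc)
        counts = Counter(g for g in grams if g in self.idf)  # bigrams unseen in training are dropped
        vec = {g: (c / max(len(grams), 1)) * self.idf[g] for g, c in counts.items()}
        norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
        return {g: v / norm for g, v in vec.items()}  # L2-normalised sparse vector

class LogisticRegressionGD:
    """Binary logistic regression fitted by full-batch gradient descent on sparse vectors."""

    def __init__(self, lr=1.0, epochs=500):
        self.lr, self.epochs, self.w, self.b = lr, epochs, {}, 0.0

    def predict_proba(self, x):
        z = self.b + sum(self.w.get(g, 0.0) * v for g, v in x.items())
        return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))

    def fit(self, X, y):
        n = len(X)
        for _ in range(self.epochs):
            grad_w, grad_b = Counter(), 0.0
            for x, t in zip(X, y):
                err = self.predict_proba(x) - t  # gradient of cross-entropy w.r.t. the logit
                for g, v in x.items():
                    grad_w[g] += err * v
                grad_b += err
            for g, gv in grad_w.items():
                self.w[g] = self.w.get(g, 0.0) - self.lr * gv / n
            self.b -= self.lr * grad_b / n
        return self

def train_detector(clean=CLEAN_SCRIPTS, obfuscated=OBFUSCATED_SCRIPTS):
    docs = [preprocess(s) for s in clean + obfuscated]
    labels = [0] * len(clean) + [1] * len(obfuscated)  # 1 = obfuscated
    vec = CharBigramTfidf().fit(docs)
    clf = LogisticRegressionGD().fit([vec.transform(d) for d in docs], labels)
    return vec, clf

def is_obfuscated(script, vec, clf):
    return clf.predict_proba(vec.transform(preprocess(script))) >= 0.5

def training_accuracy(vec, clf, clean=CLEAN_SCRIPTS, obfuscated=OBFUSCATED_SCRIPTS):
    hits = sum(not is_obfuscated(s, vec, clf) for s in clean)
    hits += sum(is_obfuscated(s, vec, clf) for s in obfuscated)
    return hits / (len(clean) + len(obfuscated))

def top_bigrams(docs, k=20, vec=None):
    """Bigrams with the highest summed tf-idf over one class, like the post's two lists."""
    vec = vec or CharBigramTfidf().fit([preprocess(s) for s in CLEAN_SCRIPTS + OBFUSCATED_SCRIPTS])
    total = Counter()
    for s in docs:
        total.update(vec.transform(preprocess(s)))
    return [g for g, _ in total.most_common(k)]
```

Calling train_detector() and then top_bigrams(OBFUSCATED_SCRIPTS, vec=vec) puts quote-and-plus pairs such as '+ and +' at the head of the obfuscated list while the clean list contains only letter pairs, which is the same separation the post's bigram lists show; is_obfuscated() then scores a fresh one-liner against the trained weights. On a real corpus the hand-written vectorizer would be swapped for scikit-learn's TfidfVectorizer(analyzer='char', ngram_range=(2, 2)) and the classifier for the Keras model the post describes.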
Here are the 20 bigrams with the top tf-idf scores from the training dataset:

Clean scripts: ['er', 'te', 'in', 'at', 're', 'pa', 'st', 'on', 'me', 'en', 'ti', 'le', 'th', 'am', 'nt', 'es', 'se', 'or', 'ro', 'co']

Obfuscated scripts: ["'+", "+'", '}{', ",'", "',", 'er', 'te', 'in', 're', 'me', 'st', 'et', 'se', 'ar', 'on', 'at', 'ti', 'am', 'es', '{1']

Each script is represented using these character bigrams. We process all these features using a deep feed-forward neural network (FFN) with N hidden layers, using Keras and TensorFlow.

Figure 1: Obfuscation Detection data flow diagram using deep FFN

The data flow diagram in Figure 1 shows the training and prediction flow for obfuscation detection. We varied the number of hidden layers in the deep FNN and found N=6 to be optimal. ReLU is used as the activation for all the hidden layers. Each hidden layer is a dense layer of dimension 1000 with a dropout rate of 0.5. For the last layer, sigmoid is used as the activation function. Figure 2 shows the deep FFN network representation for obfuscation detection.

Figure 2: FFN Network Representation for Obfuscation Detection

We see a validation accuracy of nearly 92%, which indicates that the model has generalized well outside the training set. Next, we test our model on the test set. We see an accuracy of 93% with 0.99 recall for the obfuscated class. Figure 3 shows the classification accuracy and classification loss plots for training and validation data for each epoch.

Figure 3: Classification Accuracy and Loss plots for Training and Validation Phase

Table 1 shows the results of the deep FNN as compared to other ML models. The performance metrics precision and recall are used to measure the efficacy of the various models.

Table 1: Output of ML Models for Obfuscation Detection.
Classifier Used                          Precision  Recall
Random Forest                            0.92       0.97
Logistic Regression                      0.91       0.87
Deep Feed-forward Neural Network (FNN)   0.89       0.99

Our objective is to detect as many of the obfuscated scripts as possible as obfuscated, i.e. we would like to minimize the false negative rate for the obfuscated class. Recall is therefore the appropriate measure in this case. Table 1 shows that the deep FNN model achieves higher recall than the other classifiers. The dataset used in our experiments is of medium scale; in the wild, datasets are typically much bigger, and deep FNN performs even better compared to the other ML classifiers.

Conclusion:

PowerShell obfuscation is a smart way to bypass existing antivirus and hide an attack's intent, and a technique used by many adversaries. In this blog, we demonstrated the power of deep learning combined with Acalvio's deception [13] technology to detect obfuscated PowerShell scripts in a high-interaction decoy. Acalvio's ShadowPlex [14], an autonomous deception platform, provides the ability to engage with the adversary, understand his intent and tools, and monitor all of his activities. In the next blog of this series, we will share more use cases where AI and deception can be leveraged for information security.

References:

[1] “Deep Learning,” Ian Goodfellow, Yoshua Bengio, Aaron Courville; p. 196, MIT Press, 2016.
[2] “Using Deep Learning for Information Security – Part 1,” Acalvio Blog, 2018.
[3] “Malware detection using machine learning,” Dragoş Gavriluţ, Mihai Cimpoeşu, Dan Anton, Liviu Ciortuz; International Multiconference on Computer Science and Information Technology, Mragowo, 2009.
[4] “The increased use of PowerShell in attacks,” Symantec, 2016.
[5] “Odinaff: New Trojan used in financial attacks,” Symantec Security Response, Oct 2016.
[6] “Empire,” Will Schroeder, Justin Warner, Matt Nelson, Steve Borosh, Alex Rymdeko-Harvey, Chris Ross; 2017.
[7] “PowerSploit,” Matthew Graeber; 2012.
[8] “Revoke-Obfuscation,” Daniel Bohannon, Lee Holmes; 2017.
[9] “PowerShell Corpus.”
[10] “PoshCode – PowerShell Projects for Power Users.”
[11] “Invoke-Obfuscation,” Daniel Bohannon; 2017.
[12] “More Detecting Obfuscated PowerShell,” Lee Holmes; 2016.
[13] The Definitive Guide to Deception, Acalvio Technologies.
[14] ShadowPlex, Acalvio Technologies.
Team Acalvio | March 26, 2019
Formjacking: Deception is your cure
I recently saw a news article published by Symantec stating that cyber criminals are shifting their attack techniques. According to Symantec, “For the first time since 2013, ransomware infections declined, dropping by 20 percent.” Due to the sharp decline in the price of cryptocurrency, attackers are increasingly interested in formjacking attacks, such as Magecart, rather than simply detonating ransomware inside corporate environments and asking for the ransom to be paid via bitcoin. This is very interesting. As noted in my previous blog post, Kaspersky drew a similar conclusion. There I talked about how to leverage deception to effectively detect ransomware. In this post, I will discuss how a deception-based detection solution could be used to fight formjacking attacks. Formjacking is a relatively new term in cyber security. In Symantec's definition, “Formjacking attacks are simple – essentially virtual ATM skimming – where cyber criminals inject malicious code into retailers' websites to steal shoppers' payment card details.” Symantec claims more than 4,800 unique websites are compromised with formjacking every month, and almost one third of the attacks in 2018 happened during the busiest shopping season, November and December. This is absolutely shocking! The worst part about formjacking is that neither the website administrator nor the online shoppers are aware that credentials are being stolen from the website. Unlike ransomware, which is detectable when encryption starts or the ransom note is shown, formjacking can hide itself inside the web server and secretly collect credit card information for months before anybody notices. Once website code is published, it is generally not checked again until the next update is made. In the meantime, the actual e-commerce transaction goes through as if nothing has happened, without any business interruption.
From the customer's perspective, they simply continue shopping online and probably don't realize their credit card information has been stolen until days or weeks later. This type of delayed alerting makes it extremely difficult to track. In my opinion, formjacking is an even more powerful and dangerous attack than ransomware, for the following reasons:

1. It's extremely hard to detect and has a much longer dwell time in corporate environments.
2. It's becoming increasingly popular and attractive to hackers because of the high yield. (According to the article, with a single credit card fetching up to $45 in underground selling forums, attackers get up to $2.2M each month.)
3. It can deeply hurt both the business reputation of the ecommerce website and the customer's personal identity.

This really puts ecommerce websites and online retailers under pressure. The most recent famous victims include Ticketmaster and British Airways. Over 380,000 credit cards were stolen in the British Airways incident alone, according to Symantec. If we take a step back and think about the typical attacker workflow, we can see how a deception-based solution could be a perfect tool to fight back. Let me explain how. We all know most corporate breaches start from user endpoints, laptops and workstations, which are the most vulnerable components in corporate security. Once an attacker compromises an endpoint and establishes a beachhead, they start looking for high value targets inside the victim network. In the formjacking scenario, the targets are the web servers in the data center. From a compromised endpoint, they try to move laterally into the web farm, where they can inject the malicious code. Once they achieve that, it's mission accomplished. Enterprise customers could deploy a deception-based detection solution in the following places to catch and detect the attacker activity.
First, enterprises could set up a number of fake web servers (called decoys) throughout the entire web farm. An ecommerce website typically consists of multiple web servers, sometimes even hundreds or thousands. Even if the attackers safely land on a web server without being detected, it is in their best interest to deploy their malicious code on as many web servers as possible. It is, therefore, very likely that they will eventually try to do so on one of the fake systems as they navigate through the web farm, which will trigger an alert immediately. Second, enterprises could generate breadcrumbs, fake artifacts meant to lead adversaries to decoys, and distribute them across endpoints in the environment. Breadcrumbs can be of various types, including SMB file shares, saved RDP/SSH sessions and credentials, etc. These are the typical clues attackers look for in their search for high value targets, in this case the web servers. In case any of the endpoints get compromised, those breadcrumbs serve as bait leading attackers to one of the intentionally placed decoys instead of a real web server. Once an attacker connects to the decoy, the deception solution immediately identifies them and various types of responses can be initiated. Using deception is probably the most effective way to combat formjacking attacks. It is completely out-of-band, causes no interruption to regular production traffic, and provides very fast and accurate detection. It can significantly reduce attacker dwell time and help e-commerce websites provide secure and safe transactions to their customers. Acalvio ShadowPlex is a leading deception platform that can help you easily set up web decoys and breadcrumbs in your environment, as described above, whether you are hosting on-prem or in the cloud. If you are concerned about formjacking attacks, please contact us for more information!
Team Acalvio | February 22, 2019
Using Deception to effectively fight Ransomware
Ransomware infections have fallen 30% over the past 12 months according to a research conducted by Kaspersky (Ransomware and Malicious Cryptominers 2016-2018 report), The decline correlates with the crashing price of popular cryptocurrencies, This, however, does not mean that corporate security engineers and CISOs can sit back and relax.  Ransomware still remains one of the most popular attack campaigns, and most damaging. Ransomware attacks are especially damaging to small to medium sized business according to a report from Datto.  Datto surveyed over 2,400 MSSPs and over 500,000 managed service clients. The stats show 79% of MSSPs had customers who were affected by Ransomware during the period from Q2 2016 to Q2 2018. Those small to medium size business typically do not have enough security budget and staff to implement sophisticated layers of prevention and detection solutions to fight Ransomware attacks. Traditionally, most organizations rely on signature-based inspection or Sandbox-based heuristic solutions to detect and defend against Ransomware. While these remain an important component in a best-practices corporate security architecture, they also have major drawbacks which render them ineffective in detecting some of the latest and most sophisticated Ransomware. For starters, there are just way too many new ransomware variants emerging on a daily basis for signature-based solutions to keep up. (According to Kaspersky’s report, there were over 32,000 new ransomware variants in Q3 2016) Sandbox-based solutions are typically deployed on the edge and monitor traffic coming from the internet. However, the perimeter could be completely bypassed using social engineering techniques like phishing and sandbox evasion techniques. Also, it is not effective to deal with zero-day Ransomware attacks, not to mention many times the internet traffic is encrypted makes it even harder to see the actual payloads inside. 
Deception can truly be a game changer for detecting ransomware. Ransomware detection with deception typically works by deploying hidden decoy files, as part of the breadcrumbs, to endpoints and servers throughout the enterprise. When ransomware infects a host it performs a characteristic set of actions: encrypting the files on the infected host, deleting the shadow copies, creating a registry entry for persistence, encrypting mapped drives in alphabetical or reverse-alphabetical order, setting up a command-and-control channel back to the mothership, and so on. Different security solutions employ different detection methods. In the case of Acalvio's ShadowPlex, these malicious activities immediately trigger events on the management console, indicating that ransomware has detonated. Integrated third-party tools can then perform automated incident response, for example quarantining the infected host to stop the ransomware from spreading through your environment.

Ransomware moves fast, so detecting the activity quickly, and with enough confidence to act autonomously, is optimal. Waiting for a human to review and respond can be the difference between minimal impact and complete disaster. Some victims have taken months to recover from these devastating attacks; Atlanta's traffic citation system was offline for six months (if you are a questionable driver in Atlanta you may not be so sad about that).

Compared to traditional detection solutions, deception-based detection has some unique advantages:
- Comprehensive coverage of your entire environment, no matter where the ransomware attack originates or where it detonates.
- Detection independent of OS type, file format, delivery method, encryption algorithm, etc.
- No signatures or threat-intel updates required: detecting the malicious behavior works on zero-day attacks and new variants.
- High-fidelity, low-false-positive alerts.
- Very fast and accurate detection.

Ransomware detection should typically be a built-in feature of the deception platform, but not all vendors offer the same capabilities, so check with your vendor. Deception can also detect many other malicious activities on your internal network, such as lateral movement, pass-the-hash attacks and data exfiltration. Acalvio ShadowPlex is a leading deception platform that offers all of the features mentioned above and can be delivered from the public cloud or on-premises in a very scalable and flexible manner. It is the most effective way to fight ransomware on the market.
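To make the decoy-file mechanism concrete, here is an added example in Python; it is not Acalvio's code and does not describe how ShadowPlex is implemented. It plants two decoy documents in every directory under a root, with names chosen so that a ransomware walking the tree alphabetically or in reverse order reaches a decoy before any real document, records their hashes, and on each check flags any decoy that has vanished, been renamed or been rewritten, using Shannon entropy to label an encrypted overwrite as such. The decoy names and body, the 7.0 bits/byte entropy threshold and the simulate_encryption stand-in for ransomware behaviour are all constructed for the example.

```python
"""Decoy-file ransomware detection, as an added illustration (not ShadowPlex code)."""
import hashlib
import math
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Constructed decoy names: "!" sorts before every letter and "zzz" after them, so
# a ransomware that walks a directory alphabetically or in reverse order hits a
# decoy before any real document either way.
DECOY_NAMES = ("!000_budget_2019.xlsx", "zzz_passwords_backup.docx")
# Constructed decoy body; highly repetitive, so its entropy is far below that of
# ciphertext. Real deployments would use realistic-looking documents.
DECOY_BODY = b"Q1 budget figures - CONFIDENTIAL - do not distribute\n" * 64
ENCRYPTED_ENTROPY = 7.0  # bits/byte; assumption: plaintext office data stays below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniform random data scores 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_decoys(root: Path) -> Dict[Path, str]:
    """Write the decoy pair into every directory under root; return path -> sha256 baseline."""
    baseline = {}
    for dirpath, _dirs, _files in os.walk(root):
        for name in DECOY_NAMES:
            p = Path(dirpath) / name
            p.write_bytes(DECOY_BODY)
            baseline[p] = hashlib.sha256(DECOY_BODY).hexdigest()
    return baseline


@dataclass
class Alert:
    path: Path
    reason: str
    entropy: float = 0.0


def check_decoys(baseline: Dict[Path, str]) -> List[Alert]:
    """Any deviation from the baseline is an alert: nothing legitimate touches a decoy."""
    alerts = []
    for p, digest in baseline.items():
        if not p.exists():
            alerts.append(Alert(p, "decoy deleted or renamed"))
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            ent = shannon_entropy(data)
            reason = ("decoy rewritten with high-entropy data (likely encrypted)"
                      if ent > ENCRYPTED_ENTROPY else "decoy modified")
            alerts.append(Alert(p, reason, ent))
    return alerts


def simulate_encryption(path: Path, rename: bool) -> None:
    """Constructed stand-in for ransomware file handling: XOR the contents with a
    random keystream and optionally append a ".locked" extension."""
    data = path.read_bytes()
    key = os.urandom(len(data))
    path.write_bytes(bytes(a ^ b for a, b in zip(data, key)))
    if rename:
        path.rename(path.with_name(path.name + ".locked"))


def demo() -> dict:
    """Plant, verify clean, simulate an infection, verify alerts; return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "real_report.txt").write_text("quarterly numbers\n")
        baseline = plant_decoys(root)
        clean = check_decoys(baseline)
        victims = sorted(baseline)  # alphabetical walk, like many ransomware families
        simulate_encryption(victims[0], rename=False)
        simulate_encryption(victims[-1], rename=True)
        hit = check_decoys(baseline)
        return {
            "decoys_planted": len(baseline),
            "alerts_before": len(clean),
            "alerts_after": len(hit),
            "reasons": sorted(a.reason for a in hit),
            "max_entropy": max(a.entropy for a in hit),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Any change to a decoy is an alert regardless of its entropy, since no legitimate process should ever touch one; the entropy score only labels the likely cause. In practice, exclude the decoy paths from backup agents and search indexers, or their routine reads and rewrites become the main source of false positives, and wire the alerts to the host-quarantine integration rather than a human review queue, for the speed reasons given above.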
Team Acalvio | February 13, 2019
Advancing State of Art in Cloud Malware Detection
In the past few blogs (All Roads Lead to Kubernetes, and Deceiving Attackers in a Kubernetes World) we zeroed in on cloud-native environments as the next frontier for the attacker-defender game, and noted that deploying deception in a Kubernetes-based environment is an easy way to detect attackers who have breached the infrastructure. Still, deriving the right stack of deception workloads to deploy can be tricky. Let's dig into how to deploy an effective decoy in cloud environments.

Ideally, the deception should mirror the application. The next generation of applications is designed with scale and agility as top goals, which means they typically span the hybrid cloud, follow a microservices design pattern, and use as many native cloud services (e.g., AWS S3, Spark/EMR) as the budget allows. The figure below illustrates a typical application stack. This expanded set of building blocks increases the attack surface and makes it essential that any security solution cover all of these diverse resources at cloud scale.

Consequently, the deception objective is to mimic production applications: spin up decoys as a tiered stack covering the front-end, message bus, database and back-end tiers, without conflicting or overlapping with existing production workloads, and across the full spectrum of platforms in the hybrid cloud. Acalvio's ShadowPlex Cloud does just that for you! Starting from a production workload blueprint, the ShadowPlex Cloud controller applies data-science-based recommendations to determine the most effective rollout of decoy EC2 or other virtual machine instances, S3 buckets and SQL databases, and Kubernetes pods and services (either in existing namespaces or in a completely new decoy namespace). The security operator can customize the inserted decoys or simply accept the default recommendation set.

Once the decoys are deployed, the appropriate breadcrumbs are added as environment variables, registry references and ConfigMaps to lead an attacker to the decoys. This makes ShadowPlex Cloud an effective tool for cloud malware detection with negligible false positives.
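As an added example, and not ShadowPlex Cloud's code or recommendation algorithm, the following Python builds the Kubernetes part of such a tiered decoy stack from a production blueprint: one decoy Deployment and Service per production tier in a dedicated decoy namespace, named so they cannot collide with production workloads, plus a ConfigMap of breadcrumb environment variables pointing at the decoys' cluster-DNS names. It also runs a conflict check that catches the failure mode that matters most when decoys share a namespace with production: a decoy pod whose labels match a production Service selector would start receiving real traffic. The blueprint, the per-tier images and ports, the name suffixes and the ConfigMap name are all constructed for the example.

```python
"""Tiered Kubernetes decoy stack with breadcrumbs, as an added illustration."""
import json
from typing import Dict, List, Set

# Decoy image and port per tier (constructed for the demo; any low-interaction
# service that answers on the expected port would do).
TIER_PROFILE = {
    "frontend": ("nginx:1.25", 80),
    "messagebus": ("rabbitmq:3", 5672),
    "database": ("postgres:15", 5432),
}
NAME_SUFFIXES = ("-legacy", "-staging", "-v2", "-backup")  # constructed


def decoy_name(prod_name: str, taken: Set[str]) -> str:
    """Pick a plausible sibling name that no production workload already uses."""
    for suffix in NAME_SUFFIXES:
        cand = prod_name + suffix
        if cand not in taken:
            taken.add(cand)
            return cand
    raise ValueError(f"no free decoy name for {prod_name}")


def build_decoy_stack(blueprint: List[Dict[str, str]], prod_ns: str, decoy_ns: str) -> List[dict]:
    """blueprint: [{"name": <production service>, "tier": <frontend|messagebus|database>}, ...]
    Returns manifests: the decoy Namespace, a Deployment and Service per tier, and a
    ConfigMap of breadcrumbs destined for the production namespace."""
    taken = {svc["name"] for svc in blueprint}
    manifests = [{"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": decoy_ns}}]
    breadcrumbs = {}
    for svc in blueprint:
        image, port = TIER_PROFILE[svc["tier"]]
        name = decoy_name(svc["name"], taken)
        labels = {"app": name, "tier": svc["tier"], "role": "decoy"}
        manifests.append({
            "apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "namespace": decoy_ns, "labels": labels},
            "spec": {
                "replicas": 1,
                "selector": {"matchLabels": labels},
                "template": {
                    "metadata": {"labels": labels},
                    "spec": {"containers": [{"name": svc["tier"], "image": image,
                                             "ports": [{"containerPort": port}]}]},
                },
            },
        })
        manifests.append({
            "apiVersion": "v1", "kind": "Service",
            "metadata": {"name": name, "namespace": decoy_ns, "labels": labels},
            "spec": {"selector": labels, "ports": [{"port": port, "targetPort": port}]},
        })
        # Breadcrumb: an environment variable an attacker finds inside a
        # production pod and follows to the decoy.
        key = f"{svc['name']}_{svc['tier']}_url".upper().replace("-", "_")
        breadcrumbs[key] = f"{name}.{decoy_ns}.svc.cluster.local:{port}"
    manifests.append({
        "apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": "service-endpoints-decoy", "namespace": prod_ns},
        "data": breadcrumbs,
    })
    return manifests


def check_conflicts(manifests: List[dict], blueprint: List[Dict[str, str]], prod_ns: str) -> List[str]:
    """Refuse decoys that would shadow a production name or intercept its traffic."""
    prod_names = {svc["name"] for svc in blueprint}
    problems = []
    for m in manifests:
        meta = m["metadata"]
        if m["kind"] in ("Deployment", "Service") and meta["namespace"] == prod_ns:
            if meta["name"] in prod_names:
                problems.append(f"{m['kind']} {meta['name']} collides with production")
            if m["kind"] == "Deployment":
                app = m["spec"]["template"]["metadata"]["labels"].get("app")
                if app in prod_names:
                    problems.append(f"pods labelled app={app} would receive production traffic")
    return problems


def render_list(manifests: List[dict]) -> str:
    """JSON v1/List that `kubectl apply -f -` accepts."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2)


def demo() -> dict:
    blueprint = [  # constructed production blueprint
        {"name": "web", "tier": "frontend"},
        {"name": "orders-queue", "tier": "messagebus"},
        {"name": "orders-db", "tier": "database"},
    ]
    manifests = build_decoy_stack(blueprint, prod_ns="shop", decoy_ns="shop-decoys")
    return {"manifests": manifests,
            "breadcrumbs": manifests[-1]["data"],
            "problems": check_conflicts(manifests, blueprint, "shop")}


if __name__ == "__main__":
    print(render_list(demo()["manifests"]))
```

Mount the ConfigMap into the production pods with envFrom/configMapRef, so that `env` in a compromised container lists the decoy endpoints next to the real ones. Decoys in their own namespace cannot match a production selector by construction; the label check only does real work when decoys are placed in an existing namespace, which is why it runs before anything is applied.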