Team Acalvio
|
January 24, 2018
Technical Analysis of Samsam Ransomware.
Ransomware remains one of the most critical threats facing organizations in 2018. In the recent breaches at Hancock Memorial Hospital, Adams Memorial Hospital and Allscripts, SamSam ransomware was used to encrypt the files. In this blog, we dive into the technical details of the SamSam ransomware [1] and then show how SamSam can be detected using a deception-based architecture.

Technical Details:

To execute, SamSam requires an input text file as its command line argument. The input file carries the base64-encoded public keys in an XML format. When the ransomware runs, it drops two files, selfdel.exe and del.exe, which are carried in the resource section of the ransomware binary. The dropped selfdel.exe, shown in figure 1.0, looks up the process named Samsam, sleeps for 3000 milliseconds and then removes the SamSam ransomware from the host (self-deletion).

Figure 1.0: code of selfdel.exe

The ransomware targets 328 file extensions; the list is shown in figure 2.0. Since the list includes ".sql", ".sqlite", ".sqlite3" and ".sqlitedb", it encrypts database files as well as documents.

Figure 2.0: file extensions targeted by SamSam ransomware

The ransomware calls the .NET API DriveInfo.GetDrives() to enumerate all logical drives on the computer and encrypts the matching files on each of them. This covers mapped SMB shares, CD drives and removable drives attached to the computer, not just the local disk. Endpoint backups are often configured to reach a database through a mapped logical drive; in such a configuration the database files reachable through that drive are encrypted too, so the backup does not protect them.

Figure 3.0: call to enumerate the logical drives on the computer

If the path of a directory contains "Windows", "Reference Assemblies\\Microsoft" or "Recycle.Bin", the files under it are skipped and not encrypted.

Figure 4.0: code showing the ransomware skipping files in specific folders

To produce an encrypted file, the ransomware creates a new file, writes the encrypted data to it and then deletes the original. The new file has the extension .encryptedRSA appended to the original file name. An HTML file titled "HELP_DECRYPT_YOUR_FILES", containing the ransom note, is dropped into each directory.

Figure 5.0: the ransom note

Deception based detection:

A deception-based architecture distributes breadcrumbs and lures on endpoints. When a breadcrumb or lure is accessed, an alert is generated and validated by the proprietary algorithm for a ransomware infection. Because SamSam walks every logical drive and encrypts every matching file, it touches the lures like any other file, and the version of SamSam used in these breaches is detected by ShadowPlex-R. Once the infected endpoint is identified, it is isolated from the network to stop the infection from spreading.

Figure: detection of SamSam in ShadowPlex-R

For further details on the deception-based architecture, see my blog Deception Centric Defense Against Ransomware, which details the advantages of deception over the traditional architecture for detecting ransomware.

Conclusion:

SamSam is launched by the threat actor after they have already breached the organization, which makes it hard for an inline monitoring architecture to catch. As discussed above, SamSam needs the public key, in a specific format, supplied as a command line argument. A detection architecture that relies on detonating a file in a virtualized environment to classify it as malicious or benign cannot supply the public keys in the format SamSam requires, so the malware does not exhibit its behavior when detonated, and such architectures struggle to classify SamSam as malicious. A deception-based architecture detects and remediates during the execution of the malware itself, and is therefore the recommended architecture for preventing breaches and ransomware.

Hashes of the analyzed file (as given in the original post):
SHA256: 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac
710a45e007502b8f42a27ee05dcd2fba (32 hex characters, the length of an MD5)

References:
[1] Allscripts recovering from ransomware attack that has kept key tools offline.
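As an added example (this is not code from the original post), the targeting and correlation logic described in the analysis above can be run over a small constructed set of file events, in the form an EDR or Sysmon file-event feed would give. The extension list is a subset of the 328 (the database extensions come from the post; .docx and .xlsx are an assumption), and the paths, the breadcrumb planted on the mapped Z: drive and the events themselves are constructed for illustration.

```python
import ntpath

ENCRYPTED_SUFFIX = ".encryptedRSA"
NOTE_NAME = "HELP_DECRYPT_YOUR_FILES"
# Directory markers that make SamSam skip a path (figure 4.0).
SKIP_MARKERS = ("Windows", "Reference Assemblies\\Microsoft", "Recycle.Bin")
# Assumption: a small subset of the 328 targeted extensions. The database
# extensions are named in the post; .docx and .xlsx are added for illustration.
TARGET_EXTENSIONS = {".sql", ".sqlite", ".sqlite3", ".sqlitedb", ".docx", ".xlsx"}


def is_skipped(path):
    """True if SamSam would leave the file alone because of its directory."""
    directory = ntpath.dirname(path)
    return any(marker in directory for marker in SKIP_MARKERS)


def is_targeted(path):
    """True if the file would be encrypted: not in a skipped folder, extension matches."""
    return not is_skipped(path) and ntpath.splitext(path)[1].lower() in TARGET_EXTENSIONS


def detect_samsam(events, decoys=frozenset()):
    """Correlate file events into SamSam indicators.

    events: iterable of (action, path), action in {"create", "delete"}, in the
    order observed. decoys: breadcrumb files planted on drives the ransomware
    will enumerate; a breadcrumb being rewritten is an alert on its own.
    """
    pending = set()     # originals for which an .encryptedRSA copy was created
    encrypted = []      # originals whose copy was written and which were then deleted
    note_dirs = []      # directories where the ransom note was dropped
    decoy_hits = []     # breadcrumbs touched, flagged on the first write
    for action, path in events:
        if action == "create" and path.endswith(ENCRYPTED_SUFFIX):
            original = path[:-len(ENCRYPTED_SUFFIX)]
            pending.add(original)
            if original in decoys:
                decoy_hits.append(original)
        elif action == "delete" and path in pending:
            encrypted.append(path)
        elif action == "create" and ntpath.splitext(ntpath.basename(path))[0] == NOTE_NAME:
            note_dirs.append(ntpath.dirname(path))
    drives = sorted({ntpath.splitdrive(p)[0] for p in encrypted + note_dirs})
    return {
        "encrypted": encrypted,
        "note_dirs": note_dirs,
        "decoy_hits": decoy_hits,
        "drives": drives,
        # write-then-delete plus a note drop or a decoy hit is the SamSam signature
        "samsam_like": bool(encrypted) and bool(note_dirs or decoy_hits),
    }


# Constructed sample events; Z: is a mapped SMB share holding database backups.
SAMPLE_EVENTS = [
    ("create", "C:\\Users\\alice\\Documents\\budget.xlsx" + ENCRYPTED_SUFFIX),
    ("delete", "C:\\Users\\alice\\Documents\\budget.xlsx"),
    ("create", "C:\\Users\\alice\\Documents\\HELP_DECRYPT_YOUR_FILES.html"),
    ("create", "Z:\\backups\\patients.sqlite" + ENCRYPTED_SUFFIX),
    ("delete", "Z:\\backups\\patients.sqlite"),
    ("create", "Z:\\backups\\ledger_2017.sql" + ENCRYPTED_SUFFIX),   # planted breadcrumb
    ("delete", "Z:\\backups\\ledger_2017.sql"),
    ("create", "C:\\Windows\\Temp\\cache.docx" + ENCRYPTED_SUFFIX),  # orphan copy, no delete follows
    ("create", "C:\\Users\\bob\\notes.txt"),                          # benign
]
SAMPLE_DECOYS = frozenset({"Z:\\backups\\ledger_2017.sql"})

if __name__ == "__main__":
    for key, value in detect_samsam(SAMPLE_EVENTS, SAMPLE_DECOYS).items():
        print(f"{key}: {value}")
```

The decoy check fires on the first .encryptedRSA write, before the original is deleted, which is the point at which the endpoint can still be isolated; the write-then-delete pairing and the note drop are the confirmation signals, and the drive list shows whether a mapped share has already been reached.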
Team Acalvio
|
January 15, 2018
Ransomware Command and Control Detection using Machine Learning
Authors: Deepak Gujraniya, Mohammad Waseem, Balamurali AR, and Satnam Singh

Since the first attack in 1989 [1], ransomware attacks have grown in popularity. In 2017 especially, ransomware created havoc in every possible industry, including government offices, public-sector departments and hospitals. Apart from the financial strain it causes, ransomware also disrupts everyday public life: the WannaCry attack on hospitals, police stations and government offices hindered the daily life of ordinary citizens in numerous countries [2]. To make things worse, ransomware is now available as a service on the darknet, so even a novice attacker can rent it and start an attack of their own, and the same entity is often attacked more than once.

Like other malware, ransomware has a kill chain. It typically includes luring the victim via phishing or other means, loading the payload (installing the ransomware on the target host), and finally spreading and detonating the ransomware, i.e. encrypting the host's files and demanding a ransom via a ransom note. The attack starts when a user clicks a malicious web link or opens the attachment of a phishing email, at which point the ransomware is installed on the target machine. Depending on the strain, detonation can happen before it spreads. To encrypt the machine's data, ransomware needs an encryption key, and it may or may not use Command and Control (C&C) to obtain it. Ransomware without C&C uses a hardcoded key, or a key generated locally, and the same keys across all infected hosts; in that case security experts can reverse engineer the binaries and may recover the keys. Ransomware that uses C&C instead obtains its keys from a C&C server hosted by the attacker. CryptoLocker, WannaCry, TeslaCrypt, Cerber and Locky are some of the families that use C&C, which makes it nearly impossible for defenders to recover the encryption keys from the ransomware itself.

Figure 1: Ransomware attack using command & control (C&C) for encryption key management

Ransomware uses asymmetric and symmetric encryption techniques, e.g. RSA and AES, for its encryption keys, and attackers are increasingly combining both. A symmetric AES key encrypts the files on the infected machine; an RSA key pair is generated, the AES key is encrypted with the RSA public key, and the RSA private key is uploaded to the C&C server, so the victim holds nothing that can decrypt the files. In early ransomware variants the C&C server addresses were hardcoded in the malware binaries. Defenders could easily find these addresses and block them, and once they were blocked the malware could neither fetch its keys nor encrypt files. To evade such controls, ransomware started using Domain Generation Algorithm (DGA)-based techniques to reach its C&C servers: the attacker generates domain names dynamically and points them at the C&C servers. DGA-based C&C easily evades perimeter defenses such as firewalls, IDS/IPS and even threat intelligence feeds. Since the malware must contact the C&C server by domain name, detecting and blocking that domain immediately can stop the attack from spreading to other machines. For example, thisisyourchangeqq.com and gvludcvhcrjwmgq.in are two C&C domains used by TeslaCrypt and Locky respectively. The ransomware resolves the C&C domain via DNS, so DNS resolution queries are made for the domains it generates, and these queries are captured in the DNS logs. By analyzing DNS logs we can detect the domains used for C&C.

In machine learning (ML), this can be posed as a classification problem with two classes: benign domain and malicious C&C domain. Several ML classifiers, such as Random Forest [3], Support Vector Machine (SVM) [4] and artificial neural networks, can be used. With discriminative and informative features extracted from the DNS logs, one can build a classification model to detect the C&C domains. We trained a Random Forest classifier to detect domains generated by DGAs. Features such as bigram and trigram scores are informative and discriminative for separating C&C domains from benign ones. A bigram score reflects how likely a bigram is to occur in a normal English word [5]; in the feature table below the score is reported such that higher values mean less English-like bigrams (the DGA-looking domain 52uo5k3t73ypjije.zzis8p.bid scores 10.02 against 7.28 for google.co.in). We also computed trigram_benign and trigram_malicious scores, the fractions of the domain's trigrams present in the benign and malicious corpus respectively. The entropy of a domain also differs between the malicious and benign classes, so we used Shannon entropy [6] as another feature.

Example domain: google.co.in
bigrams: ['$g', 'go', 'oo', 'og', 'gl', 'le', 'e$', '$c', 'co', 'o$', '$i', 'in', 'n$']
trigrams: ['$go', 'goo', 'oog', 'ogl', 'gle', 'le$', '$co', 'co$', '$in', 'in$']

Figure 2: An example of how bigrams and trigrams are extracted from a domain (each label is padded with '$' at both ends)

The histograms below show how these features discriminate between benign and malicious domains. Some features are more discriminative than others, but all of them complement each other and improve the classification.

Figure 3: Frequency distribution plots of the entropy, bigram and trigram features

Example: benign domains

url                      bigram_score  entropy  trigram_benign  trigram_malicious  class label
google.co.in             7.28          0.44     1.0             0.0                benign
bloomberg.com            7.94          0.30     1.0             0.0                benign
conservativetribune.com  7.53          0.77     1.0             0.0                benign
howstuffworks.com        8.21          0.35     1.0             0.0                benign

Example: malicious domains

url                             bigram_score  entropy  trigram_benign  trigram_malicious  class label
52uo5k3t73ypjije.zzis8p.bid     10.02         0.18     0.54            0.45               malicious
equityaccountants.nl            7.88          0.56     1.00            0.0                malicious
3qbyaoohkcqkzrz6.tordonator.li  8.65          0.52     0.68            0.32               malicious

Figure 4: Precision-Recall curve for the classifier
Figure 5: Code snippet of the C&C detection classifier
Figure 6: Test run on some normal domains and some C&C domains

In the test run above, "google.com" and "howstuffworks.com" are benign domains and the other domains are used by Locky [7] for C&C. The domain "fofsslkwvwee.de" got the maximum malicious score (1.0); the other three malicious domains, which look like normal domains, scored less than one.

Typically, ML-based C&C detection is deployed at the perimeter to monitor every DNS domain, which needs a big-data infrastructure to process a high volume of DNS logs. Acalvio's approach to C&C detection is different: it is event-driven rather than the traditional boil-the-ocean approach in which every DNS query is monitored. We use deception to detect the ransomware first and then apply machine learning to detect the C&C, so there is no need to monitor all DNS traffic all the time. Once detected, the domains can be blocked to stop the ransomware from spreading through the organization. Because we analyse domains only after our deception-based solution ShadowPlex-R [8] has detected a ransomware attack, the false positive rate is very low.
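As an added example (not the authors' classifier, whose code appears only as a figure), the feature extraction described above can be reproduced with the standard library. The '$' padding and the bigram and trigram extraction follow figure 2. The exact scoring formula behind the bigram_score column is not given in the post, so mean surprisal under an add-one-smoothed bigram model built from a benign corpus is used here as an assumption, and entropy is plain Shannon entropy in bits, so the numbers differ from the table's. The two corpora contain only domains named on this page and are far too small for a real model.

```python
import math
from collections import Counter

# Assumption: characters allowed in the padded labels, used as the vocabulary
# size for add-one smoothing of the bigram model.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-$"


def padded_labels(domain):
    """Split a domain into labels and pad each one with '$' as in figure 2."""
    return ["$" + label + "$" for label in domain.lower().split(".") if label]


def ngrams(domain, n):
    """All n-grams of every padded label, in order (n=2 bigrams, n=3 trigrams)."""
    grams = []
    for label in padded_labels(domain):
        grams.extend(label[i:i + n] for i in range(len(label) - n + 1))
    return grams


def shannon_entropy(domain):
    """Shannon entropy of the character distribution, in bits [6]."""
    text = domain.lower()
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


class DomainFeatures:
    """Bigram surprisal, entropy and trigram-corpus fractions for DNS names."""

    def __init__(self, benign_corpus, malicious_corpus):
        self.bigram_counts = Counter(b for d in benign_corpus for b in ngrams(d, 2))
        self.total_bigrams = sum(self.bigram_counts.values())
        self.vocab = len(ALPHABET) ** 2
        self.benign_trigrams = {t for d in benign_corpus for t in ngrams(d, 3)}
        self.malicious_trigrams = {t for d in malicious_corpus for t in ngrams(d, 3)}

    def bigram_score(self, domain):
        """Mean surprisal (-log2 p) of the domain's bigrams under the benign model.

        Higher means the bigrams are rarer in benign names, which is the direction
        of the feature table (the DGA name scores above google.co.in).
        """
        grams = ngrams(domain, 2)
        if not grams:
            return 0.0
        denominator = self.total_bigrams + self.vocab
        return sum(-math.log2((self.bigram_counts[g] + 1) / denominator) for g in grams) / len(grams)

    def trigram_fractions(self, domain):
        """(trigram_benign, trigram_malicious): share of trigrams seen in each corpus."""
        grams = ngrams(domain, 3)
        if not grams:
            return 0.0, 0.0
        benign = sum(g in self.benign_trigrams for g in grams) / len(grams)
        malicious = sum(g in self.malicious_trigrams for g in grams) / len(grams)
        return benign, malicious

    def features(self, domain):
        """Feature vector in the same layout as the tables above."""
        benign, malicious = self.trigram_fractions(domain)
        return {
            "bigram_score": round(self.bigram_score(domain), 2),
            "entropy": round(shannon_entropy(domain), 2),
            "trigram_benign": round(benign, 2),
            "trigram_malicious": round(malicious, 2),
        }


# Constructed corpora built only from domains named in the post; a real model
# would use tens of thousands of names taken from DNS logs.
BENIGN_CORPUS = ["google.co.in", "bloomberg.com", "conservativetribune.com",
                 "howstuffworks.com", "google.com"]
MALICIOUS_CORPUS = ["52uo5k3t73ypjije.zzis8p.bid", "3qbyaoohkcqkzrz6.tordonator.li",
                    "thisisyourchangeqq.com", "gvludcvhcrjwmgq.in", "fofsslkwvwee.de"]

if __name__ == "__main__":
    model = DomainFeatures(BENIGN_CORPUS, MALICIOUS_CORPUS)
    for name in ["google.co.in", "52uo5k3t73ypjije.zzis8p.bid", "equityaccountants.nl"]:
        print(name, model.features(name))
```

The dictionaries returned by `features` are the rows a Random Forest would be trained on; scikit-learn is left out so the block runs with the standard library alone. Note that equityaccountants.nl, which the table labels malicious, gets benign-looking n-gram features from either model: a dictionary-word C&C domain is exactly the case these features cannot separate on their own, which is why the post combines them with deception-triggered analysis rather than classifying every DNS query.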
Figure 7: Low false-positive rate against various ransomware families

We tested our approach on nearly 20 ransomware families; the results are summarised in Figure 7. "Detected C&C domains" is the number of domains detected by our solution and "Actual C&C domains" is the actual number of C&C domains used by the ransomware. Our solution achieves a nearly 100% true detection rate, i.e. it detects all the ransomware families, with a false positive rate of about 2.5%. The results demonstrate the power of combining deception with machine learning for C&C detection.

Conclusion:

Ransomware attacks are evolving at an unprecedented pace and are becoming very hard to detect beforehand. In this blog we explained how ransomware uses C&C to encrypt user data, and how one can extract features from domains and train an ML classifier to detect C&C domains. Many current C&C detection techniques monitor logs continuously and inspect every domain request, which produces many false positives and is computationally expensive. With Acalvio's deception-based solution ShadowPlex-R, we detect a ransomware attack in real time and then use an ML-based classifier to detect the C&C domains. A demonstration of a ransomware attack and C&C detection is available in our webinar [9], hosted by Acalvio and Splunk.

References:
[1] Lord, Nate (2017, July 17). A history of ransomware attacks: the biggest and worst ransomware attacks of all time.
[2] SANS whitepaper 2017, https://www.sans.org/reading-room/whitepapers/threats/sensitive-data-risk-2017-data-protection-survey-37950
[3] Breiman, L., 2001. Random forests. Machine Learning, 45(1), pp. 5-32.
[4] Burges, C.J., 1998. A tutorial on support vector machines for pattern recognition. Data Mining and Knowledge Discovery, 2(2), pp. 121-167.
[5] Cheng Qi, Xiaojun Chen, Cui Xu, Jinqiao Shi, Peipeng Liu. A Bigram based Real Time DNS Tunnel Detection Approach. Procedia Computer Science, Volume 17, 2013, pp. 852-860.
[6] Shannon, C.E., 1951. Prediction and entropy of printed English. Bell Labs Technical Journal, 30(1), pp. 50-64.
[7] Locky. Wikipedia. Retrieved November 19, 2017, from https://en.wikipedia.org/wiki/Locky
[8] ShadowPlex-R. Retrieved November 19, 2017, from /shadowplex-r/
[9] Splunk webinar. Retrieved November 19, 2017, from https://www.splunk.com/blog/2017/08/18/webinar-learn-how-to-use-deception-to-defend-against-ransomware.html
Team Acalvio
|
January 12, 2018
Zealot Campaign Analysis & Detection via Deception Architecture
Acalvio Threat Research Labs

Web servers are becoming one of the common entry vectors in breaches. In the last blog I shared the details of a deception-based architecture to prevent breaches that use a web server as the entry vector. In this blog we take the Zealot campaign as a case study to show the effectiveness of that architecture.

F5 Labs recently disclosed the Zealot campaign. It exploits a vulnerability in Apache Struts and, upon successful exploitation, uses the EternalBlue and EternalSynergy exploits to mine Monero across the internal network [1]. As per the investigation, Zealot collectively exploits servers vulnerable to:

CVE-2017-5638: Apache Struts Jakarta Multipart Parser remote code execution.
CVE-2017-9822: DotNetNuke (DNN) content management system vulnerability.

The attack leverages the EternalBlue and EternalSynergy exploits for lateral movement inside the network. When the exploit lands on a Windows machine, it downloads the SMB exploit package zealot.zip and raven64.exe, which performs network enumeration [1]. For infection, as shown in figure 1.0, raven64.exe generates class B private IPv4 addresses (the 172.16.0.0/12 range) pseudo-randomly but deterministically.

Figure 1.0: memory page holding the generated IPv4 addresses

These addresses are then used to send TCP SYN packets to the SMB ports. raven64.exe invokes zealot.py, which uses the EternalSynergy and EternalBlue exploits for lateral movement to the hosts in the class B private range.

Figure 3.0: TCP SYN traffic to IPv4 addresses on the SMB ports

Further details of the post-exploitation phase are discussed in the F5 Networks blog [1] and are not repeated here.

A distributed deception architecture projects service deceptions, such as SMB and SSH, into the internal class B private IPv4 range. When these deceptions are accessed, either:

- alerts are generated and validated by the proprietary algorithms for the possibility of a breach [2], or
- the threat is diverted to the high-engagement platform, where every stage of the breach is executed. Executing every step of a multi-stage attack generates IoCs [3], which can then be used to validate the breach.

When raven64.exe sends TCP SYN packets to the class B addresses, as shown in figure 3.0, the distributed deception architecture detects it (figure 4.0).

Figure 4.0: alert generated from the TCP SYN

There is a very low probability that a web server will attempt to connect to deceptions projected in the internal network, so a TCP SYN from the web server to a deception instantly becomes an indicator of breach with a probability close to 100%. Because the deception-centric architecture detects the second-stage payload, detection is independent of the vulnerability exploited in the first stage: that stage may use a 0-day or a known vulnerability, and the architecture still raises an alert as soon as the second or a subsequent phase touches the deceptions. Since the deception-centric architecture complements the existing inline monitoring architecture, it is a recommended architecture to prevent breaches.

IoCs (hashes as given in the original post):
dcaa9e0cfeef2e0fd9360ddb72b19227 (32 hex characters, the length of an MD5)
b22bded796e83cd19335180083eabf07a681b913189b40a1615f5308d8bdd36c (SHA256)

References:
[1] Zealot: New Apache Struts campaign uses EternalBlue and EternalSynergy to mine Monero on internal networks.
[2] Deception Centric Defense Against Ransomware
[3] Looking Deep into Multi-Stage Attack
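As an added example (not Acalvio's or F5's code), this is the decoy-hit logic described above, run over constructed Zeek-style connection records. The decoy inventory, the asset-role map and the six flows are made up for illustration; 172.16.0.0/12 is the RFC 1918 class B private block that raven64.exe sweeps.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 "class B" private block that raven64.exe sweeps.
PRIVATE_CLASS_B = ipaddress.ip_network("172.16.0.0/12")
SMB_PORTS = {139, 445}


def in_private_class_b(ip):
    return ipaddress.ip_address(ip) in PRIVATE_CLASS_B


def parse_conn_log(text):
    """Parse constructed Zeek-like records: ts src dst dport proto history."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, history = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "history": history})
    return records


def detect_decoy_hits(records, decoys, roles):
    """Attribute SMB SYNs to their sources; a SYN to a decoy is an indicator of breach.

    decoys: IP addresses where SMB/SSH deceptions are projected.
    roles: asset inventory; a web server initiating SMB into the internal
    range is the Zealot second stage described above.
    """
    per_source = defaultdict(lambda: {"decoy_hits": [], "swept": set()})
    for r in records:
        # Zeek history starting with 'S' means the originator sent a SYN.
        if r["proto"] != "tcp" or r["dport"] not in SMB_PORTS or not r["history"].startswith("S"):
            continue
        entry = per_source[r["src"]]
        if in_private_class_b(r["dst"]):
            entry["swept"].add(r["dst"])
        if r["dst"] in decoys:
            entry["decoy_hits"].append((r["dst"], r["dport"]))
    alerts = {}
    for src, entry in per_source.items():
        if not entry["decoy_hits"]:
            continue
        role = roles.get(src, "unknown")
        alerts[src] = {
            "role": role,
            "decoy_hits": entry["decoy_hits"],
            "sweep_targets": len(entry["swept"]),   # distinct internal hosts probed on SMB
            # A web server has no business opening SMB to internal hosts.
            "severity": "critical" if role == "web-server" else "high",
        }
    return alerts


# Constructed data: decoy inventory, asset roles and connection records.
DECOYS = {"172.16.4.23", "172.16.9.201", "172.17.0.77"}
ROLES = {"10.1.5.10": "web-server", "172.16.4.5": "workstation"}
SAMPLE_CONN_LOG = """\
# ts            src          dst            dport proto history
1515744001.120  10.1.5.10    172.16.4.23    445   tcp   S
1515744001.131  10.1.5.10    172.16.4.24    445   tcp   S
1515744001.140  10.1.5.10    172.16.9.201   139   tcp   S
1515744002.005  172.16.4.5   172.16.4.10    445   tcp   ShADadFf
1515744002.300  10.1.5.10    93.184.216.34  443   tcp   ShADadFf
1515744003.010  172.16.4.5   172.16.9.201   445   tcp   S
"""

if __name__ == "__main__":
    for src, alert in detect_decoy_hits(parse_conn_log(SAMPLE_CONN_LOG), DECOYS, ROLES).items():
        print(src, alert)
```

The decoy hit alone is the alert; the sweep count is context that separates a scanner walking the /12 from a single mistyped share path, and the role lookup is what turns the web server's SYN into the near-certain indicator of breach the post describes.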
Team Acalvio
|
December 7, 2017
Beyond the Hype: AI in Information Security
In the next few years, Artificial Intelligence (AI) will expand into a decision engine across every enterprise business layer, from product development to operations, finance and sales. While large internet companies such as Google, Facebook, Microsoft and Salesforce are already embedding AI into their products, the Information Security (InfoSec) industry is also catching up. Almost every InfoSec vendor now claims to have AI in its product, which makes it difficult for end-user organizations that need to evaluate the AI capabilities of multiple vendors. A recent Gartner report by Whit Andrews and Jim Hare [1] raised this concern and provided a well-reasoned set of guidelines to help end-user organizations validate vendors' AI claims.

AI is a loosely defined term whose meaning changes from vendor to vendor. In most discussions, "AI" refers to the recent advances in deep learning, combined with large compute power, that automate mundane tasks humans do with ease: classifying images, translating speech, automatically tagging photos and so on. Why is AI synonymous with deep learning today? Deep learning is an advanced form of representation learning that brings in more context for better decisions [2]. With wider context available, systems obviously do better; but to build them one needs a large amount of data. An AI solution has to learn from a large amount of data to become contextually aware, and then act to maximise the probability of success of a defined task in that environment.

So what is AI in InfoSec? Is rule-based anomaly detection in Snort or Bro AI? Is a Spark-based anomaly detection framework AI? Is a deep learning classifier for malware or ransomware AI? Each of these solves a specific sub-problem that aids InfoSec, but independently they do not form a cohesive AI solution. The InfoSec problem is like defending a complex system made of hundreds of subsystems, where every subsystem needs a different defense. Deep learning is not a silver bullet that solves all InfoSec problems, because it needs a large labeled dataset and no such labeled data exists for every InfoSec problem. InfoSec involves monitoring and defending multiple layers (network, endpoints, data centers, etc.) using typically 20-50 different technologies. With these factors in mind, we propose the following definition of AI in the context of InfoSec:

"AI is a cohesive solution that employs deep learning, advanced data science techniques, machine learning and security domain knowledge to solve a lot of sub-problems and brings a lot more contextual knowledge about the advanced threats present within the enterprise."

We also believe that AI-based solutions alone cannot defend our networks; AI has to interplay with other approaches. At Acalvio we use deception to detect adversaries and advanced threats that may already have penetrated the firewalls, IDS, etc. and are hiding within the enterprise network to carry out the next stage of their attack kill chain. We fuse AI and deception into a new defense layer that can detect, delay, divert, engage and respond to these insider threats, and we use AI to deploy and maintain the deceptions automatically, taking the load off IT admins.

As the Gartner report [1] says, for any AI solution the vendor should have a focused team with researchers or scientists on board, or collaborate with scientists in the community, to enhance the algorithms and in turn evolve the product with more AI capabilities. At Acalvio, AI has been built into the foundation of the product from the beginning. A focused AI team is deeply embedded with the system engineering, networking and InfoSec experts to build products with AI capabilities. We have been sharing our AI methodologies with the community at technical conferences (Splunk .conf2016, .conf2017, Cypher 2016 and Data Science Summit 2017, to name a few) and enhancing ShadowPlex's AI capabilities based on the feedback. AI is deeply integrated into ShadowPlex and is used to automatically produce efficient decoys and content:

AI to Determine Decoy Configurations:

To compute the decoy configurations we use several principles. One is that, for deception to be effective, it must blend well into the enterprise network: a VLAN of Windows desktops should not get Linux desktop decoys. The same holds for services: in a VLAN where only 5% of the endpoints expose telnet, only about 5% of the decoys should expose telnet. This blending has to be computed and maintained for hundreds of VLANs and thousands of hosts on ever-changing networks, and it can be automated only with AI. We leverage existing network scan data to infer the network state, topology, services, operating systems, etc., and use it as the baseline for decoy configurations that blend with the environment. Specifically, we formulate this as a binary linear optimisation problem whose output is the configuration of thousands of decoys, each with a specific set of services, MAC address, etc., such that they blend in among the existing hosts.

AI to Generate Content for Decoy Share Drives:

Another effective deception type is a decoy SMB share. If the contents of the share are static and identical in each VLAN, adversaries can easily spot them. In ShadowPlex we use AI to determine the optimal content of a fake SMB share so that it is contextual for each VLAN and each enterprise, making it hard for the adversary to tell fake content from real. For example, a marketing VLAN's share should hold documents about customer leads, marketing campaigns and marketing strategies. To create the content we use Natural Language Processing (NLP) and deep learning (specifically, LSTM networks).

These are a few use cases, but AI is not limited to them. We are working on using AI to change deceptions automatically in real time based on the threats detected in each VLAN, to play a game with the adversary and slow them down, and thereby give the incident response team more time and richer context to take preventive action.

References
[1] Gartner Report, "Questions to Ask Vendors That Say They Have 'Artificial Intelligence'", Whit Andrews, Jim Hare, Gartner Report ID: G00334005, 7 August 2017.
[2] Stuart J. Russell and Peter Norvig, "Artificial Intelligence: A Modern Approach", Upper Saddle River, New Jersey: Prentice Hall, 2003.
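As an added example (not ShadowPlex code), the blending principle in "AI to Determine Decoy Configurations" above can be made concrete with a simplified stand-in for the binary linear optimisation: largest-remainder apportionment of decoys across operating systems, then per-service prevalence matching within each OS. The VLAN inventory is constructed (95 Windows hosts, 5 Linux hosts, telnet on 5% of endpoints as in the post's example) and is not real scan data; MAC address assignment is left out.

```python
from collections import Counter


def largest_remainder(weights, total):
    """Apportion `total` slots proportionally to `weights` (Hamilton method).

    Assumption: a simplified stand-in for the binary linear optimisation the
    post describes; it preserves the proportions the blending principle asks for.
    """
    weight_sum = sum(weights.values())
    quotas = {k: total * w / weight_sum for k, w in weights.items()}
    counts = {k: int(q) for k, q in quotas.items()}
    leftover = total - sum(counts.values())
    for k in sorted(quotas, key=lambda k: quotas[k] - counts[k], reverse=True)[:leftover]:
        counts[k] += 1
    return counts


def plan_decoys(scan, n_decoys):
    """Decoy configurations that blend with the hosts seen in one VLAN's scan.

    scan: list of (ip, os, set_of_services) from existing scan data.
    Returns a list of (os, frozenset_of_services), one tuple per decoy.
    """
    decoys_per_os = largest_remainder(Counter(o for _, o, _ in scan), n_decoys)
    decoys = []
    for os_name, n_os in decoys_per_os.items():
        if n_os == 0:
            continue
        hosts = [svcs for _, o, svcs in scan if o == os_name]
        service_counts = Counter(s for svcs in hosts for s in svcs)
        slots = [set() for _ in range(n_os)]
        for idx, (service, count) in enumerate(sorted(service_counts.items())):
            # Same prevalence among decoys as among real hosts, rounded half up.
            target = int(count / len(hosts) * n_os + 0.5)
            for j in range(target):
                slots[(j + idx * 7) % n_os].add(service)   # rotate so service mixes vary
        decoys.extend((os_name, frozenset(s)) for s in slots)
    return decoys


def prevalence(items):
    """Fraction of items per (os, service); works for hosts and for decoys."""
    per_os = Counter(o for o, _ in items)
    pairs = Counter((o, s) for o, svcs in items for s in svcs)
    return {(o, s): c / per_os[o] for (o, s), c in pairs.items()}


def blend_error(scan, decoys):
    """Largest gap between host and decoy prevalence over every (os, service)."""
    real = prevalence([(o, s) for _, o, s in scan])
    fake = prevalence(decoys)
    return max(abs(real[k] - fake.get(k, 0.0)) for k in real)


def decoy_summary(decoys):
    """OS and service counts across a decoy plan, as plain dicts."""
    return {"os": dict(Counter(o for o, _ in decoys)),
            "services": dict(Counter(s for _, svcs in decoys for s in svcs))}


def build_sample_scan():
    """Constructed VLAN inventory, not real scan data: 95 Windows hosts (all SMB,
    two thirds RDP, telnet on 5 of them) and 5 Linux hosts (SSH)."""
    scan = []
    for i in range(100):
        if i < 95:
            services = {"smb"} | ({"rdp"} if i % 3 else set()) | ({"telnet"} if i < 5 else set())
            scan.append((f"10.20.1.{i + 1}", "windows", services))
        else:
            scan.append((f"10.20.1.{i + 1}", "linux", {"ssh"}))
    return scan


if __name__ == "__main__":
    sample = build_sample_scan()
    plan = plan_decoys(sample, 20)
    print(decoy_summary(plan), "max blend error: %.3f" % blend_error(sample, plan))
```

With 20 decoys the plan lands at 19 Windows and 1 Linux decoy, exactly one Windows decoy exposing telnet (about 5%, matching the hosts), and the worst per-service prevalence gap stays under 5 percentage points. The real formulation has to do this jointly for thousands of decoys with MAC and OS fingerprint constraints, which is where the optimisation, rather than apportionment, earns its keep.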
Team Acalvio
|
October 2, 2017
Spreading Technique used by Retadup Worm.
Acalvio Threat Research Lab

The Retadup worm has been in the news recently. It was first observed infecting Israeli hospitals [1] and more recently it has been active in South America, mining cryptocurrency [2]. The details of the worm have been published by TrendLabs [1][2]; this blog covers the spreading technique used by the worm (for comparison, see our analysis of the Petya malware propagation techniques).

Retadup's worm-like behaviour consists of copying itself to drives as malicious .LNK files named like ordinary shortcuts, e.g. "Games.lnk" or "Downloads.lnk". As shown in figure 2.0, it uses the AutoIt function "DriveGetDrive", which enumerates all drive letters of a specified drive type and returns an array of the available drives. Retadup iterates over that array and copies its script folder, consisting of the AutoIt interpreter (usually named WinddowsUpdate.exe) and the malicious script file (e.g. WinddowsUpdate.zip), to each destination, together with several malicious link files that execute the au3 interpreter with a command line like:

"cmd.exe /c start ..<ScriptDir>\<InterpreterBinary>.exe..<ScriptDir>\<MaliciousScript>.zip & exit"

Once the files are copied, spreading still requires user interaction on the destination host, since the link file has to be opened manually to start execution there.

This spreading technique is detected by a distributed deception architecture. The deception-centric architecture places honey drives on the endpoint, which are returned by the DriveGetDrive call like any real drive. When the malicious files are copied to a honey drive, the copy engages the threat and raises an alert for a possible compromise. Malicious activity of the Retadup worm, such as extracting passwords and installing a keylogger, classifies the file as malicious on the engagement platform, and the infected endpoint can then be isolated from the network. The IoCs generated from the engagement are used to quarantine the infected machines.

The material above further establishes the potential of distributed deception solutions and their efficacy for advanced threat detection.

References:
[1] Information Stealer Found Hitting Israeli Hospitals
[2] New Retadup Variants Hit South America, Turn to Cryptocurrency Mining
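As an added example (not Acalvio's or TrendLabs' code), the launcher pattern quoted above can be turned into a detection rule. It assumes the shortcut's command line has already been extracted from the .LNK by a parser or by endpoint telemetry; the shortcut records, the drive letters and the E: honey drive are constructed for illustration.

```python
import ntpath
import re

# Launcher shape from the post: cmd.exe /c start <dir>\<interpreter>.exe <dir>\<script>.zip & exit
LAUNCHER_RE = re.compile(
    r"""^\s*(?:"?[^"\s]*\\)?cmd(?:\.exe)?"?\s+/c\s+start\s+
        (?P<interpreter>\S+\.exe)\s+
        (?P<script>\S+\.zip)\s*&\s*exit\s*$""",
    re.IGNORECASE | re.VERBOSE,
)
# Shortcut names Retadup uses to look like ordinary folders (from the post).
FOLDER_LOOKALIKES = {"games.lnk", "downloads.lnk"}


def classify_shortcut(lnk_path, target, honey_drives=frozenset()):
    """Return the reasons a .lnk looks Retadup-like; an empty list means benign.

    lnk_path: where the shortcut was written. target: its resolved command line
    (assumption: already extracted from the .lnk). honey_drives: decoy drive
    letters that DriveGetDrive returns alongside the real ones, e.g. {"E:"}.
    """
    reasons = []
    drive = ntpath.splitdrive(lnk_path)[0].upper()
    if drive in honey_drives:
        reasons.append("written to honey drive " + drive)
    m = LAUNCHER_RE.match(target)
    if m:
        interpreter, script = m.group("interpreter"), m.group("script")
        reasons.append("cmd /c start launches an interpreter with a .zip script")
        if ntpath.dirname(interpreter).lower() == ntpath.dirname(script).lower():
            reasons.append("interpreter and script share a directory")
        if ntpath.basename(lnk_path).lower() in FOLDER_LOOKALIKES:
            reasons.append("shortcut name mimics a folder")
    return reasons


# Constructed shortcut records: (path where the .lnk landed, resolved target).
SAMPLE_SHORTCUTS = [
    ("E:\\Games.lnk",
     "cmd.exe /c start E:\\WinddowsUpdate\\WinddowsUpdate.exe E:\\WinddowsUpdate\\WinddowsUpdate.zip & exit"),
    ("D:\\Downloads.lnk",
     "cmd.exe /c start D:\\Update\\WinddowsUpdate.exe D:\\Update\\WinddowsUpdate.zip & exit"),
    ("C:\\Users\\alice\\Desktop\\Games.lnk", "C:\\Program Files\\Games\\launcher.exe"),
    ("C:\\Users\\alice\\Desktop\\notes.lnk", "cmd.exe /c start notepad.exe C:\\notes\\todo.txt & exit"),
]

if __name__ == "__main__":
    for path, target in SAMPLE_SHORTCUTS:
        print(path, "->", classify_shortcut(path, target, {"E:"}) or ["benign"])
```

Any file landing on the honey drive is reason enough to alert, which is what the deception architecture relies on; the command-line checks are what let the same rule run on real drives, where a copied Games.lnk is otherwise indistinguishable from a user's shortcut until someone opens it.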
Team Acalvio
|
July 31, 2017
HIPAA Compliance via Acalvio’s ShadowPlex Deception 2.0
Recent ransomware attacks such as WannaCry have highlighted the need for robust security controls in healthcare firms. These organizations are subject to HIPAA/HITECH compliance requirements, but unfortunately many firms see them as a distraction. This is a big mistake: the controls typically implemented for HIPAA/HITECH should not be regarded as useless "check the box" exercises. Done right, they go a long way toward true risk management for covered entities.

One of the most problematic security tasks for covered entities is the detection of threats that have evaded perimeter defenses. The wide variety of systems and people on internal networks makes it extremely difficult to keep attackers out of the environment. The HIPAA Security Rule requires attack detection and containment capabilities as one of the Administrative Safeguards: "A covered entity ... must ... implement policies and procedures to prevent, detect, contain, and correct security violations" [HIPAA Security Rule, 45 CFR 164.308(a)(1)]. The updated audit protocol issued by Health and Human Services in April 2016 specifically includes auditing of this safeguard as a required element. But even if you are not worried about being audited, you should take a hard look at how you implement this control: a weak detection effort can easily result in a breach that triggers notification, and a lot of (very unpleasant) scrutiny and second-guessing.

Another valuable aspect of internal threat detection is its relevance to risk assessment. HIPAA provides a degree of latitude with respect to public notification: if you have data showing that the risk of a breach is low, you can avoid notification. This raises the question: how can you possibly reach such a conclusion without robust systems in place to detect internal compromise?

The Acalvio Advantage for HIPAA Compliance

Acalvio's ShadowPlex Deception solution is well suited to organizations seeking HIPAA compliance. Since ShadowPlex lets organizations deploy realistic deceptions at scale and in a cost-effective manner, it alleviates the limitations of earlier-generation "Deception 1.0" solutions. The solution delivers four key benefits:

- Early detection of malicious activity that has penetrated the perimeter, with high fidelity (that is, low false positives)
- The ability to inhibit attackers and slow their efforts to compromise critical systems
- Intelligence gathering on the attacker (modes of operation, potential data exposure, and spread within the network)
- Internal threat intelligence and enhanced visibility of network and system activity

These benefits map to 13 controls in the HIPAA Security Rule, in particular those related to malware detection and inhibition, data protection, and risk assessment. For the complete list, see our HIPAA Compliance Whitepaper.

We have talked about Acalvio's Deception 2.0 advantages in previous blogs, but one is worth repeating because it is particularly relevant to healthcare covered entities: Service Reflection. Credible deception in healthcare is hard because there are so many industry-specific systems on the internal network, and if the deception solution cannot blend in with them, a savvy attacker will spot the ruse. Service Reflection lets you take a single specialized system or application and clone it into hundreds of decoys, making it easy to create a deception posture that looks credible and stays credible over time.
Team Acalvio
|
June 20, 2017
Ransomware: Catch me if you can.
Ransomware demand in 2016 was around a billion dollars [1]. WannaCry [3] was the most recent large ransomware campaign, spreading across 150 countries and affecting 200,000 users. It is estimated that in 2017 damages due to ransomware will exceed $5 billion [2]. Modern defenses make use of virtualized environments or machine learning algorithms to ensnare the threat actor. This blog details some of the evasion techniques that modern ransomware uses to bypass such defenses.

Virtualized Environment Detection:
Inline detection solutions that monitor web or email traffic make use of a virtualized environment for detonating the incoming file. Once the file is dropped in the virtualized environment, its behavior is captured and used to determine whether the file is malicious. CryptoLuck makes use of the Windows API RegOpenKeyExA to open registry keys and checks for the presence of VMware, VirtualBox, etc. If any of these are found, an obvious sign of a virtualized environment, the code exits, hiding its real behavior. Techniques to detect the presence of a virtualized environment have been used by other ransomware families as well, such as UIWIX. That ransomware checks for the presence of SbieDll.dll, a DLL used only by the Sandboxie sandbox. It also checks whether the execution environment is a Cuckoo sandbox. If it detects Sandboxie or Cuckoo, execution terminates, hiding its intended behavior.

DLL Hijacking:
When an application loads a DLL, it first searches for the DLL in the directory from which it is executing. If the DLL is not found there, it searches the Windows System32 folder. In a DLL hijacking attack, the threat actor places a malicious DLL in the same directory as the application. Because the application searches the current directory first, the malicious DLL gets loaded and executed. This technique can evade detection algorithms that use the host process to classify activity as malicious or benign. CryptoLuck ransomware uses the legitimate application googleupdate.exe to load the malicious DLL carrying the ransomware payload.

Password Protected Zip Files:
Detection architectures that monitor email extract the attachments and detonate them in a virtualized environment. If the attachment is a password-protected file, it prompts for the password and will not execute in the virtualized environment, so the file's actual behavior is not revealed. One technique for detonating password-protected files is to scan the body of the email for the password and then supply it. However, if the password and the protected file arrive in different emails, obtaining the password and using it to detonate the file in a virtualized environment becomes a challenge. Some ransomware families leverage password-protected Zip files to avoid execution in a virtualized environment; the Bart family [4] is one such example.

Delivery Vector & File Formats:
Threat actors have employed spam campaigns, downloaders and botnets, malvertising, exploit kits, etc. to distribute ransomware. The wide variety of delivery channels makes it challenging for any organization looking to implement safeguards. In addition to email and the web, threat actors have used more sophisticated approaches. In one case, threat actors compromised an external-facing server, harvested details from Active Directory and distributed the SAMSAM [5] ransomware across the compromised network; PsExec was then used to execute the ransomware. Today, an organization needs to monitor every delivery channel and back-door approach. Each delivery vector may require a different security architecture, along with different algorithms to detect ransomware.
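The environment probes and the DLL search-order abuse described above leave traces in sandbox API logs and endpoint image-load telemetry. The following Python triage script is an added example, not code from the original post or from Acalvio: it runs over a constructed set of event lines (the line format, the PIDs and paths, the hypervisor markers, the system-DLL list and the System32 location are all assumptions) and flags hypervisor-vendor registry lookups, loads of SbieDll.dll, and a System32 DLL loaded from the host process's own directory, the googleupdate.exe side-loading case the post mentions.

```python
import re
from pathlib import PureWindowsPath

# Probes described in the post: registry lookups naming a hypervisor vendor and
# loads of Sandboxie's SbieDll.dll. Illustrative lists, not a complete signature set.
VM_REGISTRY_MARKERS = ("vmware", "virtualbox", "vbox")
SANDBOX_DLLS = {"sbiedll.dll"}
REGISTRY_APIS = {"RegOpenKeyExA", "RegOpenKeyExW"}
LIBRARY_APIS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}

# DLLs normally resolved from System32; one loaded from the host process's own
# directory is the search-order abuse under DLL Hijacking. Constructed short list.
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dwmapi.dll"}
SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")  # assumed system root

# Constructed event format, one per line: "<pid> <process_image> <api> <argument>"
EVENT_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(.+)$")

def triage(events):
    """Return (pid, rule, detail) findings for the evasion patterns above."""
    findings = []
    for line in events:
        match = EVENT_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of failing the whole batch
        pid, image, api, arg = match.groups()
        leaf = PureWindowsPath(arg).name.lower()  # file-name part of a DLL path
        if api in REGISTRY_APIS and any(m in arg.lower() for m in VM_REGISTRY_MARKERS):
            findings.append((pid, "vm-probe", arg))
        elif api in LIBRARY_APIS and leaf in SANDBOX_DLLS:
            findings.append((pid, "sandbox-probe", arg))
        elif api == "ImageLoad" and leaf in SYSTEM_DLLS:
            dll_dir = PureWindowsPath(arg).parent  # PureWindowsPath compares case-insensitively
            # Same directory as the host executable, and not System32 itself.
            if dll_dir == PureWindowsPath(image).parent and dll_dir != SYSTEM_DIR:
                findings.append((pid, "dll-sideload", arg))
    return findings

# Constructed sample telemetry (PIDs, paths and file names are made up).
SAMPLE_EVENTS = [
    r"1204 C:\Users\bob\AppData\Local\Temp\invoice.exe RegOpenKeyExA HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"1204 C:\Users\bob\AppData\Local\Temp\invoice.exe GetModuleHandleA SbieDll.dll",
    r"2288 C:\Users\bob\Downloads\googleupdate.exe ImageLoad C:\Users\bob\Downloads\version.dll",
    r"2288 C:\Users\bob\Downloads\googleupdate.exe ImageLoad C:\Windows\System32\version.dll",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("%s %-14s %s" % finding)
```

The last sample line is deliberately benign (version.dll resolved from System32) and produces no finding, which is the distinction a sandbox or EDR rule has to make to avoid flagging every process that loads that DLL.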
File Format Delivery Vector by Ransomware

Ransomware has also used different file formats to deliver the malicious payload. If the payload is delivered via a new file format, a new set of features may have to be extracted for that format and a new classifier-based algorithm developed. Similarly, for defenses that detonate files in a virtualized environment, the environment may have to be updated to ensure that the new file format gets detonated and that the environment has the instrumentation to capture the file's true behavior. Developing and deploying detection algorithms for new file formats carrying a malicious payload takes time, which opens a window of opportunity for the threat actor to exploit the organization.

Conclusion:
Ransomware campaigns have employed techniques to evade traditional security defenses, making it an arms race. It is estimated that total damages due to ransomware will reach around $5 billion in 2017. In our upcoming blogs, we will detail the deception-centric solution to detecting ransomware and its inherent advantages over traditional detection solutions.

References:
[1] Ransomware demand is a billion dollar crime and now growing, http://www.nbcnews.com/tech/security/ransomware-now-billion-dollar-year-crime-growing-n704646
[2] Ransomware damages rise 15x to hit $5 billion in 2 years.
[3] WannaCry Ransomware.
[4] Bart Ransomware locks files in password protected ZIP files.
[5] SAMSAM Ransomware.
Team Acalvio
May 18, 2017
The Industry’s First “Deception 2.0 for Dummies” Book
Since the dawn of time, deception has been used in nature in various forms as a successful survival strategy and has played an important role in the physical and behavioral adaptations of all organisms. Humankind, with its higher cognitive ability, has successfully adapted deception to warfare as a powerful mechanism to draw an enemy into a weak position and defeat or completely rout it. Sun Tzu’s famous aphorism “All warfare is deception” sums it up succinctly! In the computer security industry, Cliff Stoll’s uncanny use of deception, depicted in his book The Cuckoo’s Egg, would put most spy thrillers to shame. Stoll’s success led to a number of open source deception projects – Honeyd, Honeynet, Kippo, Dionaea, and industry-specific honeypots such as GasPot and Conpot. All these projects proved the efficacy of deception technologies through detection signals with low false positives. This led to a number of startups offering commercial solutions, typically focused on a niche aspect of deception – low-interaction honeypots, high-interaction honeypots, breadcrumbs, etc. Despite some innovative approaches, these Deception 1.0 solutions did not address the key needs of a modern distributed enterprise: to deploy deception at scale, automatically, cost-effectively, from the cloud or on-prem, and to on-prem or cloud workloads. At Acalvio, we have addressed these fundamental issues in our Deception 2.0 solution, ShadowPlex.

In our travels, we heard from cybersecurity professionals that they would benefit from a simple and succinct explanation of the key aspects of advanced deception techniques, free of technical jargon. This was the primary motivation behind this book.

Deception for Dummies

The book has six easy-to-read chapters, the last of which gives you ten key recommendations for a successful deception deployment:

1. The Truth about Deception in Cyber Security
2. Deception 1.0: The Inception of Deception
3. Deception 2.0: The Next Generation of Deception
4. Creating a Deception Strategy
5. Deploying a Deception Architecture
6. Ten Keys to Effective Deception for Cyber Protection

Currently there exists a fundamental asymmetry in the security industry – we have to be right all the time; the threat actor has to be right only once. Deception turns this asymmetry on its head to benefit the good guys: with deception, the bad guy has to be wrong only once and we have him nailed. Deception 2.0 solutions allow you to leverage the power and potential of deception technologies to delay, deflect and ensnare the threat actor in a high-fidelity, timely and cost-effective fashion. Gartner Group has rated deception as one of the top 10 security categories that professionals should focus on. We believe that the techniques outlined in this book will serve as a simple and practical guide that you can use to educate the rest of your stakeholders and bring them along on your cyberdefense journey. You can get your complimentary copy of the book here.

Download Deception 2.0 for Dummies PDF

We are confident you will be intrigued by what deception can do to improve your security posture and program.