Data Privacy in 2021

As we recently recognized Data Privacy Day, an annual reminder to raise security awareness and promote data protection best practices, it is worth remembering that times like COVID-19, when remote work creates more cybersecurity concerns, have also made attackers more active than ever. As we continue working from home, shopping online, and generally increasing our online activity, we put more sensitive information out there. Some organizations in Canada (such as banks...


Secure Sense Partners with LogRhythm to Offer Industry’s First Unlimited Data Plan for SIEM

Burlington, ON – October 1, 2019 – Secure Sense is now offering an unlimited data plan for SIEM through its partnership with LogRhythm. While other vendors in the industry have previously claimed to support unlimited data plans, those promises have always come with a catch. LogRhythm is changing that with the industry’s first true unlimited data plan for its NextGen SIEM Platform. The reality is that big data volumes are growing...

How UEBA Can Save Your Organization From Internal Threats

A recent 2017 study shows that 69% of organizations were impacted by some form of internal data theft. UEBA can help. Everyone has heard about external threats, whether ransomware like WannaCry, cryptojacking or phishing. Yet no one seems to hear anything about internal attacks; however, a 2017 Verizon breach study found that 69% of organizations report an internal breach attempt. Why do external threats get so much attention when...


Secure Sense Named 2016 LogRhythm Partner of the Year Canada

Burlington, ON, February 28, 2017 – Secure Sense, Canada's fastest growing IT Security company, is pleased to announce it has been named LogRhythm's 2016 Partner of the Year, Canada. The announcement was made at the LogRhythm Partner Summit, held in Boulder, Colorado. “We’re very excited about this partner award,” says Peter William Humphries, CEO of Secure Sense. “Our partnership with LogRhythm is so vital to our business, our Managed Service practice and to the...


Achieving Intelligent Infrastructure Defence with LogRhythm’s Co-Pilot Service and Security Analytics

Retailers have learned hard lessons in recent years, as organizations such as Target have suffered major data breaches. In Target’s case, the compromised credit card information of 70 million customers has resulted in significant expense, lost revenues, and a damaged reputation. With the number of detected cyber attacks in the retail sector having increased by 154 percent in just one year [1], how can retailers protect their businesses, their data, and their...


Temporal Chain Normalization: The Unsung Hero of Event Correlation

When it comes to correlation capabilities, LogRhythm has you covered. With AI Engine you can perform a variety of activities, from observing a single activity to applying advanced behavior rules across multiple dimensions (entities, devices, log sources, metadata, etc.). In addition to some of the more obvious capabilities, Chris Martin of LogRhythm is here to tell you about a not-so-well-known feature of AI Engine called Temporal Chain Normalization (TCN)....


Five Steps to Defend Against Ransomware via LogRhythm

Over the past three years, ransomware has jumped into the spotlight of the cyberthreat landscape. Until recently, most ransomware attacks were simply opportunistic and mostly affected individual users’ or small businesses’ computers. The ransom demands have commonly been the equivalent of just a few hundred dollars for an individual PC.

But now, attackers have set their sights on larger organizations that have bigger budgets to pay bigger ransom demands. They also have more important files and computer systems that are critical to the organizations’ daily operations.

Understanding what happens at each phase of a ransomware attack, and knowing the indicators of compromise (IOCs) to look for, increases the likelihood of being able to successfully defend against—or at least mitigate the effects of—an attack. These phases are:

Phase 1: Exploitation and Infection

In order for an attack to be successful, the malicious ransomware file needs to execute on a computer. This is often done through a phishing email or an exploit kit—a type of malicious toolkit used to exploit security holes in software applications for the purpose of spreading malware.

Phase 2: Delivery and Execution

Following the exploit process, the actual ransomware executable will be delivered to the victim’s system. Typically, this process takes a few seconds, depending on network latencies. We often see the executable files being placed in folders beneath the user’s profile. It’s good to know this for detection purposes, because your organization can monitor for those events to set up a line of defense.

Phase 3: Backup Spoliation

A few seconds after the malware is executed, the ransomware targets the backup files and removes them to prevent restoring from backup. This is unique to ransomware. Other types of crimeware and even APTs don’t bother to delete backup files. Ransomware variants will try to remove any means the victim has to recover from the attack without paying the ransom.

Phase 4: File Encryption

Once the backups are completely removed, the malware will perform a secure key exchange with the command and control (C2) server, establishing the encryption keys that will be used on the local system. Unfortunately, most of the variants today use strong encryption, such as AES-256, so the victim isn’t going to be able to break the encryption on their own.

Phase 5: User Notification and Clean Up

With the backup files removed and the encryption dirty work done, the demand instructions for extortion and payment are presented. Quite often, the victim is given a few days to pay, and after that time the ransom increases. Once paid, the malware cleans itself off the victimized system so as not to leave behind significant forensic evidence that would help build better defenses against the malware.

Once you understand how ransomware works, you can look at how to defend against such an attack. The five steps of defense are:

Preparation

To prepare for the very real possibility of an attack, it is important first to patch aggressively so vulnerabilities are eliminated and access routes are contained. Endpoints need to be adequately protected with tools that can automatically detect and respond to infections before they become big incidents.

Detection

In the event that your enterprise gets hit with an attack, you can minimize the damage if you detect the malware early. Use threat intelligence sources to block or at least alert on the presence of anomalies associated with ransomware in your network traffic. Make sure emails are screened for malicious links and payloads, and use rules that look for files executing from common ransomware folders so you can spot ransomware before any files are encrypted.
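The two detection ideas above (watch for executables launched from folders beneath the user profile, and catch the backup spoliation that follows a few seconds later) can be expressed as simple correlation rules. The following is an added example written for this page, not code from the original post or from LogRhythm. It runs two rules over constructed Sysmon-style JSON events and links them per host: an execution from a user-profile folder followed shortly by a burst of backup-file deletions is raised as a high-severity finding, while either signal alone is raised at medium severity. The event field names, folder patterns, backup extensions, thresholds and time windows are all assumptions to be tuned for your own environment.

```python
"""Added example: ransomware early-detection rules over constructed endpoint events."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Phase 2 indicator: process images started from folders beneath the user
# profile (assumed folder list; match is case-insensitive).
SUSPICIOUS_EXEC_DIRS = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata\\(local\\temp|roaming)|downloads)\\",
    re.IGNORECASE,
)
# Phase 3 indicator: backup artefacts whose rapid removal is suspicious
# (assumed extension list).
BACKUP_EXTS = (".bak", ".bkf", ".vhd", ".vhdx", ".vbk", ".tib")

# Constructed sample telemetry (hypothetical Sysmon-style JSON lines).
SAMPLE_EVENTS = r"""
{"ts": "2016-11-02T09:14:02", "host": "WS-042", "event": "process_create", "pid": 4120, "image": "C:\\Windows\\System32\\svchost.exe"}
{"ts": "2016-11-02T09:14:05", "host": "WS-042", "event": "process_create", "pid": 5160, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_scan.exe"}
{"ts": "2016-11-02T09:14:07", "host": "WS-042", "event": "file_delete", "pid": 5160, "target": "D:\\Backups\\finance.bak"}
{"ts": "2016-11-02T09:14:07", "host": "WS-042", "event": "file_delete", "pid": 5160, "target": "D:\\Backups\\hr.bak"}
{"ts": "2016-11-02T09:14:08", "host": "WS-042", "event": "file_delete", "pid": 5160, "target": "D:\\Backups\\vm01.vhdx"}
{"ts": "2016-11-02T09:14:09", "host": "WS-042", "event": "file_delete", "pid": 5160, "target": "D:\\Backups\\crm.bkf"}
{"ts": "2016-11-02T09:20:00", "host": "WS-007", "event": "process_create", "pid": 880, "image": "C:\\Users\\bob\\Downloads\\setup.exe"}
{"ts": "2016-11-02T09:21:00", "host": "WS-007", "event": "file_delete", "pid": 880, "target": "C:\\Users\\bob\\Documents\\notes.txt"}
{"ts": "2016-11-02T10:00:00", "host": "WS-099", "event": "file_delete", "pid": 2000, "target": "E:\\old.bak"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def rule_exec_from_user_profile(events):
    """Flag process starts whose image lives in a user-profile drop folder."""
    return [
        {"rule": "exec_from_user_profile", "host": e["host"], "pid": e["pid"],
         "ts": e["ts"], "detail": f"executed {e['image']}"}
        for e in events
        if e["event"] == "process_create" and SUSPICIOUS_EXEC_DIRS.match(e["image"])
    ]


def rule_backup_deletion_burst(events, threshold=3, window=timedelta(seconds=60)):
    """Flag one process deleting >= threshold backup files inside a sliding window.

    The alert is raised once, at the first moment the threshold is crossed.
    """
    by_proc = defaultdict(list)
    for e in events:
        if e["event"] == "file_delete" and e["target"].lower().endswith(BACKUP_EXTS):
            by_proc[(e["host"], e["pid"])].append(e["ts"])
    alerts = []
    for (host, pid), stamps in by_proc.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "backup_deletion_burst", "host": host, "pid": pid,
                               "ts": stamps[start],
                               "detail": f"{end - start + 1} backup files deleted within {window}"})
                break
    return alerts


def correlate(events, link_window=timedelta(minutes=5)):
    """Link the two rules per host: exec then burst within link_window => high."""
    exec_alerts = rule_exec_from_user_profile(events)
    burst_alerts = rule_backup_deletion_burst(events)
    findings, linked_exec, linked_burst = [], set(), set()
    for i, ea in enumerate(exec_alerts):
        for j, ba in enumerate(burst_alerts):
            if ba["host"] == ea["host"] and ea["ts"] <= ba["ts"] <= ea["ts"] + link_window:
                findings.append({"severity": "high", "host": ea["host"], "pid": ea["pid"],
                                 "reason": f"{ea['detail']} then {ba['detail']}"})
                linked_exec.add(i)
                linked_burst.add(j)
    # Unlinked single-rule hits still deserve a look, at lower severity.
    for i, a in enumerate(exec_alerts):
        if i not in linked_exec:
            findings.append({"severity": "medium", "host": a["host"], "pid": a["pid"], "reason": a["detail"]})
    for j, a in enumerate(burst_alerts):
        if j not in linked_burst:
            findings.append({"severity": "medium", "host": a["host"], "pid": a["pid"], "reason": a["detail"]})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

On the constructed sample, WS-042 produces a high-severity finding (a Temp-folder executable followed two seconds later by three backup deletions), WS-007 a medium one (Downloads-folder execution with no backup activity), and WS-099 nothing, since a single deleted .bak file stays under the threshold. In production the allowlisting of legitimate installers that run from Downloads or Temp is what keeps the first rule from drowning the second.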

Containment

Once the ransomware has already done its dirty work on one device, there are steps you can take to contain it locally. Having an endpoint protection system that is able to look for the execution and kill the process is usually the best means of containment. The local host needs to be blocked and isolated from the network, which prevents additional files on the network from being encrypted.

Eradication

Once you know you have had a ransomware incident, and it has been contained, you now need to eradicate it. The best option is to replace machines that have been affected. Indeed, it’s difficult to know if residual files are hidden on the system and able to re-infect devices.

However, for network locations, such as mailboxes or file shares, sometimes it is more relevant to clean those locations, removing the malicious email message or ransomware instructions. If you choose to clean rather than replace, continue to monitor for signatures and other IOCs to prevent the attack from re-emerging.

Recovery

For recovery, the number one task is going to be restoring from backup. You will usually want to complete the recovery phase with a full investigation into the specific infection vector that was used against the system.

Ransomware attacks against organizations are just starting to ramp up. The ramifications of a successful attack are far more extensive than just the cost of the ransom. Organizations can suffer the effects of lost productivity, loss of business, inconvenience to customers, and potentially the permanent loss of data.

Your organization’s success in defending against a ransomware attack is largely dependent on your level of preparation and the tools you deploy to monitor your systems and to detect, shut down and contain suspicious activity.


Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.
You can find Secure Sense on Facebook, LinkedIn and Twitter. Follow us for current company and industry news.

10 Things to Watch: Detecting a Phishing Email

As you may have noticed, the topic of phishing has been at the forefront of concerns in the 2016 IT security landscape. As attacks become more challenging to identify, organizations become more susceptible to breach. Ransomware infections are often instigated through phishing emails. It’s crucial to take proactive measures to help protect yourself and your organization’s security...
