Written by: Joseph R. Salazar, CISSP, CEH, EnCE – Ransomware attacks have evolved and grown in number. Traditional ransomware sought to spread and encrypt as many endpoints as possible, but Ransomware 2.0 attacks employ advanced methods or have a human controller directing their activities. These attacks spend much more time conducting discovery to identify business-critical assets for encryption. Because these assets are essential for business continuity and daily operations, the organization is more likely to pay to recover them instead of spending the money on endpoint systems it could re-image and recover. Attackers encrypting the entire Active Directory server infrastructure can demand much higher ransoms, and the organization must pay or else lose money, time, and resources attempting to restore operations. Additionally, these attackers often exfiltrate data and threaten to release it to induce ransom payment, often demanding a second ransom to prevent the release of the information.
Many people are familiar with MITRE ATT&CK, an adversary model and framework for describing an adversary’s actions to compromise and operate within an enterprise network. It details the tactics, techniques, and procedures (TTPs) they use to gain access and execute their objectives while operating inside a network. Organizations can use the model to characterize and describe post-compromise adversary behavior better.
As a complement to ATT&CK, MITRE Shield is a free, publicly available knowledge base that captures and organizes data from active defense and adversary engagements. MITRE Shield can help organizations take proactive steps to defend their networks and assets. From a defender’s perspective, the ATT&CK matrix provides a data model of how one should protect their enterprise against cybersecurity threats. Meanwhile, the Shield matrix provides the capabilities a defender must build for an active defense and adversary engagement in a post-breach situation. MITRE Shield outlines tactics and techniques fundamental to building an active defense strategy, which can go a long way in protecting against ransomware attacks.
One can analyze Ransomware 2.0 attacks by mapping their techniques to ATT&CK to understand how they operate, then find the corresponding defensive techniques in Shield to counter them. For example, a common Ransomware 2.0 technique is to steal and abuse credentials with varying privileges during initial access to bypass access controls or establish persistence, which falls under ATT&CK technique T1078 – Valid Accounts. The corresponding defensive Shield techniques are DTE0010 – Decoy accounts, DTE0012 – Decoy Credentials, and DTE0008 – Burn-in, which together create deceptive user accounts for attackers to target. In an adversary engagement scenario, deploying decoy credentials across various locations increases the chances of attackers finding and using them. Attivo Networks recently published a whitepaper with this analysis.
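To show how such a mapping turns into a detection, here is an added example in Python (not Attivo's code and not from the whitepaper): it scans constructed, simplified logon events for any use of hypothetical decoy accounts (DTE0010/DTE0012) and tags each hit with the ATT&CK technique the decoys were planted to catch (T1078). The event format, account names and addresses are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical decoy accounts seeded into AD (DTE0010); nothing legitimate uses them.
DECOY_ACCOUNTS = {"svc_backup_admin", "helpdesk_t2"}

# Simplified, constructed event format; real 4624/4625 events carry more fields.
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>4624|4625) User=(?P<user>\S+) Src=(?P<src>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    outcome: str           # "success" (4624) or "failure" (4625)
    attack_technique: str  # ATT&CK ID the decoy is designed to catch
    shield_techniques: tuple

def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return one Alert per logon event naming a decoy account.
    Any use of a decoy credential, successful or not, is a high-fidelity signal."""
    alerts = []
    for line in lines:
        m = LOGON_RE.match(line.strip())
        if not m:
            continue  # not a logon event we parse; skip it
        user = m["user"].split("\\")[-1].lower()  # strip the DOMAIN\ prefix
        if user in decoys:
            alerts.append(Alert(m["ts"], user, m["src"],
                                "success" if m["eid"] == "4624" else "failure",
                                "T1078", ("DTE0010", "DTE0012")))
    return alerts

def suspect_hosts(alerts):
    """Source hosts that touched a decoy credential: the likely foothold for IR."""
    return sorted({a.src for a in alerts})

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    "2021-03-02T09:14:05Z EventID=4624 User=CORP\\jsmith Src=10.0.5.21",
    "2021-03-02T09:15:40Z EventID=4625 User=CORP\\svc_backup_admin Src=10.0.5.21",
    "2021-03-02T09:15:52Z EventID=4624 User=CORP\\SVC_BACKUP_ADMIN Src=10.0.5.21",
    "2021-03-02T09:20:11Z EventID=4672 User=CORP\\jsmith Src=10.0.5.21",
]

if __name__ == "__main__":
    for a in detect_decoy_use(SAMPLE_LOG):
        print(f"{a.ts} {a.outcome} decoy={a.user} from {a.src} -> {a.attack_technique}")
    print("suspect hosts:", suspect_hosts(detect_decoy_use(SAMPLE_LOG)))
```

Because no legitimate process ever uses a decoy account, even a failed logon with one is worth an incident, and the source host of that attempt is where response should start.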
Deception technology has a reputation for its ability to create an active defense. However, unlike other solutions, the Attivo Networks ThreatDefend® platform provides extensive attack prevention and detection capabilities covering many decoy techniques and other methods. Those familiar with Attivo Networks know that it provides extensive coverage for MITRE Shield. There are currently 33 Shield Techniques and 190 use cases covered in the MITRE Shield documentation. The Attivo Networks ThreatDefend platform covers 27 of the Shield Techniques and 123 use cases. Offering enhanced protection alongside traditional security stack controls like Endpoint Protection Platform (EPP) or Endpoint Detection and Response (EDR) products, the solution efficiently adds protection against credential misuse, privilege escalation, and lateral movement tactics common to modern Ransomware 2.0 attacks.
Beyond these mappings, the ThreatDefend platform offers unique capabilities to derail and occupy many forms of ransomware. Among them are:
- concealing local files, folders, network or cloud mapped shares, local administrator accounts, and removable storage
- protecting Active Directory by detecting and misdirecting unauthorized attacker queries attempting to mine AD for sensitive or privileged accounts and objects
- misdirecting port and service scans from production assets to decoys for engagement
- occupying ransomware upon engagement by feeding it endless decoy data to stall the encryption process
- derailing credential theft, privilege escalation, and other lateral movement activities with decoy credentials and assets
Endpoint security solutions can handle many forms of ransomware. However, augmenting ransomware defenses with the Attivo Networks ThreatDefend platform provides greater coverage for new variants or human-controlled attacks.