What is EDR?
Endpoint detection and response (EDR) actively collects and analyzes data on security threats originating from workstations and endpoints. It detects breaches and enables prompt responses to risks. The term “endpoint detection and response” broadly describes the toolkit’s function; the implementation, functionalities, and features vary between products.
Primary functions of EDR:
- Monitor and collect endpoint activity data to detect potential threats.
- Analyze the data for threat patterns.
- Automatically respond to mitigate risks while notifying security personnel.
- Utilize forensics and analysis tools to investigate and identify suspicious activities.
Adoption of EDR Solutions
The increasing number of network-connected endpoints and the sophistication of cyberattacks drive the expected growth in EDR adoption. Endpoints are targeted as vulnerable entry points, making effective EDR solutions crucial.
Key components of EDR Security
EDR security systems actively integrate a hub that collects, correlates, and analyzes endpoint data. Additionally, they coordinate alerts and responses to immediate threats.
Ransomware
Ransomware encrypts data and demands cryptocurrency payment for decryption; cryptocurrencies make it easy for attackers to collect payment. Attackers may also threaten to leak data if the ransom is unpaid, creating further complications. The Mage’s EDR Solution Guide assists in understanding, planning for, and safeguarding against this threat.
Understanding the Ransomware Threats
Methods of Infection
To avoid becoming a target, it is crucial to understand how ransomware infiltrates and spreads. Once ransomware infects a system, it has the potential to spread to supply chains, customers, and affiliated entities. Various methods can be used to introduce ransomware, including:
1. Phishing
2. Compromised Websites
3. Malvertising
4. Exploit Kits
5. Downloads
6. Messaging Applications
7. Brute Force via RDP
Phishing – Attackers frequently use targeted emails to infect endpoints with ransomware, deceiving victims through personalized information and gained trust. These emails carry attachments or links to malicious files, which victims download when they open or click them. The malicious files exploit Windows’ default setting of hiding known file extensions so that they appear to be innocent files. For instance, an attachment displayed as “filename.pdf” may actually be “filename.pdf.exe.” These files imitate familiar formats such as MS Office attachments, PDF files, or JavaScript. Opening these files or enabling macros executes the malicious code, resulting in the encryption of the victim’s data.
Breached Websites – Sophisticated emails are not always necessary for ransomware attacks. Compromised websites are injected with malicious code that lures unsuspecting users, typically by redirecting them to download a fake software update. Clicking on the update immediately triggers the ransomware or starts an installer that downloads and executes it.
Malvertising – Unpatched vulnerabilities in browsers enable malvertising attacks, in which cybercriminals embed malicious code in ads served on ordinary websites. When the ad loads, it triggers the download of ransomware without the victim taking any explicit action such as downloading a file or enabling macros.
Exploit Kits – Cybercriminals use popular exploit kits like Angler, Neutrino, and Nuclear in ransomware attacks. These kits contain preconfigured exploits that target vulnerabilities in browser plugins like Java and Adobe Flash. Notable ransomware variants such as Locky and CryptoWall have been distributed using these kits, with a primary focus on unsuspecting visitors through compromised websites or malvertising campaigns.
Downloads – Attackers can deliver ransomware through any downloadable file or application. Illicit file-sharing platforms are particularly risky, but even legitimate websites can be abused: when the victim starts a download, ransomware can be injected into it.
Messaging Applications – Messaging apps such as Facebook Messenger have been used to disguise ransomware as SVG files, bypassing extension filters. Malicious actors exploit SVG’s XML-based nature to embed arbitrary content. When victims open the infected image file, it redirects them to a seemingly legitimate website, where they are prompted to authorize an installation. Once installed, the ransomware payload spreads to the victim’s contacts as well.
Brute Force via RDP – Attackers actively use ransomware variants such as Samsam to compromise endpoints by brute-forcing publicly accessible RDP servers. Exposed Remote Desktop Protocol (RDP) services present an opportunity for them.
They leverage tools such as Shodan, Nmap, and Zenmap to discover vulnerable machines, then employ systematic password guessing with the goal of gaining administrator access. Open-source tools such as Aircrack-ng, John The Ripper, and DaveGrohl prove effective, particularly against default or weak credentials. Once inside, attackers seize full control, deploying ransomware and encrypting data. They may also disable endpoint protection, delete backups, or pursue additional objectives.
Ransomware tactics adapt to the growing popularity of ransomware-as-a-service. Malware authors offer customized ransomware to criminals in exchange for a share of the profits. Buyers determine targets and delivery methods, resulting in more targeted malware and frequent attacks.
Common, Prevalent and Historic
Over the last five years, we have witnessed a variety of ransomware, with new ones emerging regularly. Ransomware comes in diverse forms and sizes. Here are a few examples:
WannaCry – In 2017, the WannaCry cyberattack caused significant damage, targeting global companies such as Renault and FedEx as well as Britain’s health service. It encrypted files on Windows computers and had a severe impact on the UK’s National Health Service. The attack exploited a Windows vulnerability in the Server Message Block (SMB) protocol, commonly used for network communication, and spread through a worm component that infected computers via IP address scanning.
Maze – The Maze ransomware surfaced in May 2019 and rapidly gained popularity. Its operators extorted payment by threatening to expose sensitive information. The compromised data could include valuable intellectual property or customers’ personally identifiable information (PII), resulting in substantial financial impact, reputational harm, and legal implications.
RobinHood – The RobinHood ransomware, also known as “RobbinHood”, targeted government entities such as the City of Greenville and the City of Baltimore. It infects individual machines rather than spreading across networks. Although not highly sophisticated, it plays a significant role in network breaches, enabling substantial ransoms through payments for individual machines.
Cerber – Cerber, a highly exclusive Ransomware-as-a-Service (RaaS), surfaced in 2016. Public ransomware services vary in how they vet clients and grant affiliate access; Cerber offered distributors streamlined operation, management, payment processing, and payload manipulation. It spread through spam/phishing emails or drive-by downloads, sometimes in combination with exploit kits such as RIG. Cerber also gained recognition for its ability to discover and steal cryptocurrency wallets.
Ryuk – Ryuk, a notorious ransomware, carried out numerous high-profile attacks, including one targeting the Los Angeles Times in 2018. Although the Lazarus group (DPRK) is associated with it, Ryuk is not limited to their activities. It is known for its fast encryption and its ability to disable defenses and recovery options on infected machines. Like other ransomware, it terminates security processes and deletes Volume Shadow Copy (VSS) backups. Ryuk’s widespread infections make it a potent and highly dangerous threat, and its operators have amassed millions of dollars in profits over time.
CryptoLocker – Reported in late 2013, CryptoLocker was one of the first ransomware families to use encryption. It gave victims a strict 72-hour deadline to pay before the decryption key was permanently deleted. It targeted businesses, encrypting Microsoft Office and Adobe application files. Swansea Police became a well-known early victim, having to pay a ransom to recover their data.
TeslaCrypt – TeslaCrypt, detected in February 2015, initially encrypted computer game data such as game saves and player profiles. Security researchers developed decryptors for early versions. However, newer variants expanded their targets to file types such as JPEG and PDF, and fixed the programming flaw that had made public decryptors possible.
Locky – Locky ransomware, discovered in February 2016, spreads through malicious email attachments. Once activated, it encrypts files, appending the “locky” extension. Locky also deletes VSS backup copies and displays a ransom message as the desktop wallpaper, demanding payment for file recovery.
NotPetya – NotPetya appeared in 2017 and rapidly spread across more than 65 countries, impacting numerous organizations. Like WannaCry, it spread quickly. NotPetya has characteristics of ransomware but is better classified as a destructive wiper that erases data on the target’s hard disk. It targets the master boot record (MBR), rendering the system unbootable; even if the ransom is paid, the damage is irreparable. The attackers’ objective is thought to have been system sabotage rather than financial gain.
Samsam – Samsam ransomware emerged in 2015, and attackers increasingly use it in targeted attacks on healthcare, schools, and networks holding valuable data. The ransomware infects servers directly through a vulnerability in Red Hat’s JBoss enterprise products; attackers use tools such as JexBoss to identify unpatched instances.
Once they gain access to a system, the operators navigate through the network, deploying more instances of the ransomware and encrypting files. Samsam ransomware also deletes shadow copies, which are backup snapshots created by the operating system, making data recovery more challenging.
CryptoWall – CryptoWall, discovered in June 2014, spreads through emails with ZIP attachments to bypass anti-spam security. It tricks users by renaming .exe files to .scr or .pif, which Windows executes normally. CryptoWall encrypts files and deletes VSS shadow copies to impede data recovery.
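A defensive check for the two disguises described on this page, the hidden second extension from the Phishing section (“filename.pdf.exe” displayed as “filename.pdf”) and the .scr/.pif renaming used by CryptoWall, written as an added example rather than code from the page or from Mage EDR; the extension lists it relies on are assumptions for the example:

```python
"""Flag attachment names that disguise a Windows executable.

Added example (not the page's or Mage EDR's own code). It covers a hidden second
extension such as "filename.pdf.exe", which Explorer shows as "filename.pdf"
when known extensions are hidden, and an executable renamed to .scr or .pif,
which Windows still runs as a program. The extension sets below are this
example's assumed baseline, not a vendor rule set.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Extensions Windows dispatches to the program loader or a script host.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
# Extensions a recipient expects to be inert documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".jpeg", ".png", ".svg", ".zip"}
# Executable extensions commonly used to slip past a filter that only blocks .exe.
RENAMED_EXE_EXTS = {".scr", ".pif", ".com"}


@dataclass(frozen=True)
class Verdict:
    name: str
    true_ext: str       # the extension Windows actually acts on
    shown_as: str       # what Explorer shows with known extensions hidden
    reason: str | None  # None when nothing suspicious was found

    @property
    def suspicious(self) -> bool:
        return self.reason is not None


def split_all_exts(name: str) -> list[str]:
    """'filename.pdf.exe' -> ['.pdf', '.exe']; a dotless name gives []."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def displayed_name(name: str) -> str:
    """Approximate Explorer's default of hiding only the final known extension."""
    base = os.path.basename(name)
    root, ext = os.path.splitext(base)
    return root if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else base


def check_attachment(name: str) -> Verdict:
    """Classify one attachment name; only executable true extensions are flagged."""
    exts = split_all_exts(name)
    true_ext = exts[-1] if exts else ""
    shown = displayed_name(name)
    reason = None
    if true_ext in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reason = f"double extension: shown as {shown!r} but runs as {true_ext}"
        elif true_ext in RENAMED_EXE_EXTS:
            reason = f"{true_ext} is executed like .exe and evades plain .exe filters"
        else:
            reason = f"directly executable attachment ({true_ext})"
    return Verdict(name, true_ext, shown, reason)


def scan_attachments(names: list[str]) -> list[Verdict]:
    """Return only the suspicious verdicts, in input order."""
    return [v for v in map(check_attachment, names) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mailbox.
    sample = ["invoice.pdf", "filename.pdf.exe", "setup.scr", "photo.jpg",
              "scan_001.jpg.pif", "macro_doc.docx", "update.js"]
    for v in scan_attachments(sample):
        print(f"{v.name:20} shown as {v.shown_as!r:18} -> {v.reason}")
```

A name check like this catches only the disguises the page describes; a document with malicious macros (the "macro_doc.docx" case) still needs content inspection.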
REvil – REvil ransomware targeted and impacted CyrusOne, the largest data center provider in America, in 2019. It was also involved in the Travelex breach on New Year’s Eve 2020, where the attackers demanded a $3 million ransom. Following the retirement of GandCrab, affiliates went looking for new tools built on its source code and business model. The skills and tools used in REvil campaigns vary among affiliates.
Snake – Snake, also known as Ekans, is a ransomware that emerged in January 2020, written in Golang to infect multiple operating systems. It primarily targets healthcare organizations worldwide and launches large-scale campaigns, such as the notable one in May 2020. Snake focuses on infiltrating Industrial Control Systems (ICS), terminating specific processes to ensure uninterrupted encryption and data collection.
In its early campaigns, Snake included ICS-specific processes in its kill list, creating the perception of an ICS-targeting threat. However, the kill list can be customized for any environment. Like other recent ransomware variants, Snake attempts to exfiltrate victim data before encrypting it. Failure to meet the ransom demand within 48 hours leads to the threat of public data release.
The Ransomware as a Service (RaaS) Model
The trend of selling new ransomware families as a service to cybercriminals increased in 2019 and 2020. Ransomware families such as Maze, REvil, NetWalker, Nephilim, Project Root, and Smaug adopted the RaaS model.
Tox – Viruses
Between 2014 and 2015, Ransomware-as-a-Service (RaaS) gained momentum, especially among non-exclusive and lower-tier ransomware families. TOX was the first RaaS, but it collapsed under high demand and industry attention. Other services such as Ransom32, Nemes1s, SATAN, and Encryptor RaaS emerged, and Petya also adopted the RaaS model.
Petya started as a closed ransomware ecosystem and later became a public RaaS. Anyone could create an account and generate Petya or Mischa payloads for free. These services eventually evolved into GoldenEye.
The Ransomware “Kill Chain”
Ransomware often exhibits indicators that signal an attack and distinguish it from other forms of malware. Defenders rely on the MITRE ATT&CK framework as a standardized system to understand the elements of an attack, detect its presence, and prepare proactively by assessing their defensive capabilities. In alignment with MITRE ATT&CK, the following offers a broad overview of the typical sequence of events observed in a ransomware attack.
Initial Access – trying to get into your network.
Execution – running malicious code.
Persistence – maintaining their foothold.
Privilege Escalation – gaining higher-level permissions.
Defense Evasion – avoiding detection.
Credential Access – stealing account names and passwords.
Discovery – figuring out your environment.
Lateral Movement – moving through your environment.
Collection – gathering data of interest to their goal.
Command and Control – communicating with compromised systems to control them.
Exfiltration – stealing data.
Impact – manipulating, interrupting, or destroying your systems and data.
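As an added example (not code from the page or from Mage EDR), the following runs two detections over constructed sample events and tags each alert with its ATT&CK technique and kill-chain stage: the RDP password guessing described under “Brute Force via RDP” (Windows Event ID 4625 failures with Logon Type 10, the RemoteInteractive type used by RDP) and the Volume Shadow Copy deletion that the Ryuk, Locky, Samsam and CryptoWall entries describe (a process-creation event whose command line wipes VSS). The JSON-lines event shape, its field names and the thresholds are assumptions for this example, not a vendor schema.

```python
"""Two ransomware kill-chain detections over constructed sample events.

Added example, not code from the page or from Mage EDR. Input is JSON lines in
a simplified SIEM-export shape assumed here (ts, host, event_id, logon_type,
src_ip, user, command_line). Detection 1 covers the RDP password guessing in
"Brute Force via RDP": Windows Event ID 4625 failures with Logon Type 10 (RDP)
from one source inside a short window, ATT&CK T1110. Detection 2 covers the
shadow copy deletion the Ryuk, Locky, Samsam and CryptoWall entries describe:
a process (Event ID 4688) whose command line wipes VSS, ATT&CK T1490.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    technique: str  # ATT&CK technique id
    tactic: str     # ATT&CK tactic, i.e. the kill-chain stage
    host: str
    detail: str


FAILED_LOGON, PROCESS_CREATED, RDP_LOGON_TYPE = 4625, 4688, 10
BRUTE_FORCE_THRESHOLD = 5                   # failures from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)   # ... inside this sliding window
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE)


def parse_events(lines: str) -> list[dict]:
    """Parse JSON lines; malformed records are dropped rather than crashing."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue
    return events


def detect_rdp_brute_force(events: list[dict]) -> list[Alert]:
    """Sliding window over failed RDP logons, grouped by (host, source IP)."""
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event_id") == FAILED_LOGON and ev.get("logon_type") == RDP_LOGON_TYPE:
            failures[(ev["host"], ev["src_ip"])].append(ev["ts"])
    alerts = []
    for (host, src), times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BRUTE_FORCE_WINDOW:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= BRUTE_FORCE_THRESHOLD:
                alerts.append(Alert("T1110", "Credential Access", host,
                                    f"{end - start + 1} failed RDP logons from {src} "
                                    f"within {BRUTE_FORCE_WINDOW}"))
                break  # one alert per (host, source) pair is enough
    return alerts


def detect_shadow_copy_deletion(events: list[dict]) -> list[Alert]:
    """Match process-creation command lines that wipe VSS snapshots."""
    return [Alert("T1490", "Impact", ev["host"], f"shadow copy deletion: {ev['command_line']}")
            for ev in events
            if ev.get("event_id") == PROCESS_CREATED
            and SHADOW_DELETE.search(ev.get("command_line", ""))]


def run_detections(lines: str) -> list[Alert]:
    events = parse_events(lines)
    return detect_rdp_brute_force(events) + detect_shadow_copy_deletion(events)


# Constructed sample (documentation-range IPs): five RDP failures from one source
# in 90 seconds, one stray failure, a benign VSS listing, then two deletions.
SAMPLE_LOG = """
{"ts": "2023-05-01T02:00:01", "host": "FS01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"ts": "2023-05-01T02:00:20", "host": "FS01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"}
{"ts": "2023-05-01T02:00:45", "host": "FS01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"}
{"ts": "2023-05-01T02:01:10", "host": "FS01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"ts": "2023-05-01T02:01:30", "host": "FS01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "sysadmin"}
{"ts": "2023-05-01T02:03:00", "host": "FS01", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.9", "user": "jdoe"}
{"ts": "2023-05-01T02:10:00", "host": "FS01", "event_id": 4688, "command_line": "vssadmin list shadows"}
{"ts": "2023-05-01T02:41:12", "host": "FS01", "event_id": 4688, "command_line": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ts": "2023-05-01T02:41:13", "host": "FS01", "event_id": 4688, "command_line": "wmic shadowcopy delete"}
"""

if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOG):
        print(f"[{a.technique} {a.tactic}] {a.host}: {a.detail}")
```

The brute-force rule alerts on the fifth failure from one address inside the window and stays silent for the single stray failure; the shadow copy rule ignores the read-only listing and fires only on the two deletion commands.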
Planning for a Ransomware Incident
To prepare effectively for a ransomware incident, establish a response management process that specifically addresses ransomware. Existing response plans may not apply, because of encryption, the potential loss of critical files and services, and the complexities of data breach notification.
Recent guidance advises treating most ransomware infections as potential full data breaches, requiring compliance with breach notification regulations such as GDPR. Assess the relevant fines and incorporate them into risk management. Consider the challenges posed by permanent file loss and damage when restoring business continuity.
When planning for a ransomware incident, consider these key elements:
Incident Response Policy
To develop an effective incident response policy that addresses ransomware attacks, start with the six-step SANS incident handling process as a foundation. By considering the actions you would take in the event of an attack, you establish a structured framework for your response and lay the groundwork for your policy. The incident response policy comprises the following six steps:
• Preparation phase: Prioritize awareness and education for users, and ensure that trained staff have the tools and resources needed to respond effectively to a ransomware incident.
• Identification phase: To recognize and detect ransomware incidents, gather data and perform initial analysis to understand the strain of ransomware, attack vectors, attack groups, and their underlying motivations.
• Containment phase: To limit the damage, it is imperative to contain the infected systems quickly. Options include:
  - Shutting the system down
  - Turning off the system’s port at the switch
  - Using network access control (NAC) to isolate the system
  - Using the quarantine feature of your EDR solution
• Eradication phase: To uncover and respond to a potential wider campaign, incorporate broader forensic analysis and attribution methods. It is important to consider that the detected attack could be a pivot or diversion. Additionally, keep in mind that ransomware may not be the sole malware present on the system, but rather the most noticeable one.
• Recovery phase: How will you recover and resume normal operations? Reimaging or restoring from backups may not be effective in certain scenarios, for example if the ransomware remained dormant during the last imaging or backup cycle, or if the attackers specifically targeted and destroyed the backups. When dealing with ransomware, it is therefore crucial to plan alternative approaches for recovery and restoration.
• Post-Incident phase: After resolving the incident, what lessons can you learn to prevent its recurrence in the future? How will you document the incident? This documentation should include detailed enhancements to incident response (IR) plans, additional security controls, preventative measures or new security initiatives.
Recruitment
Teams responsible for handling ransomware incidents require specific skills, knowledge, and access to relevant system tools and technologies to effectively detect, investigate, and respond. This includes not only technical teams but also PR and media teams, as well as non-technical staff and executives who may require outsourced assistance. These teams should have connections to legal teams, regulators, and law enforcement to facilitate specific responses, such as considering the option of paying the ransom.
Better Cloud Security, Faster Innovation
Implementing a cloud defense-in-depth strategy enhances visibility, improves risk management, and shortens recovery time. Integrating complementary security platforms streamlines cloud security and accelerates innovation. Mage EDR’s Solution has partnered with industry-leading solutions to enhance visibility, detection, and defense in depth for cloud environments, enabling scalable integration.
Shift-Left
The cloud-native application protection platform (CNAPP) provides agentless scans of cloud infrastructure that reveal the contents of your environment within minutes. Combined with a comprehensive risk assessment covering network exposure, cloud security posture management (CSPM), vulnerability management, and other factors, this visibility enables security and DevOps teams to prioritize and resolve the most critical risks in their cloud before they escalate into incidents.
- Agentless visibility across cloud, VMs, containers, and serverless in minutes
- Risk assessment using graph-based modeling and visualization
- A single prioritized queue of issues based on attack path analysis
- RBAC that automatically routes issues to the right dev teams for remediation
Shield Right
The cloud workload protection platform (CWPP) provided by Mage EDR’s Solution delivers real-time detection of and response to runtime threats. The CWPP agent, built on the eBPF framework, ensures high performance with minimal overhead, offering Linux process-level visibility without the need for kernel modules. With 5 detection engines honed over 4 years of field experience, it halts runtime threats such as ransomware and zero-days in real time, safeguarding workload integrity and resilience. AI-driven analysis of workload telemetry streamlines investigation, response, and threat hunting.
- Real-time CWPP Agent with 5 Detection Engines
- Hybrid Cloud Servers, VMs, Containers, and Kubernetes
- 13+ Linux Distros, 20 years of Windows Server, 3 container runtimes
- Workload Flight Data Recorder™
Better Together
Mage EDR’s Solution provides ongoing, scalable cloud-native security for workloads. It assists customers in identifying their cloud resources and associated risks while offering protection against runtime attacks. By sharing telemetry between the CNAPP and CWPP platforms, customers gain a comprehensive understanding of risks and attacks through contextual threat enrichment and attack visualization. This approach enables more effective risk management, maximizes workload availability, and streamlines incident response processes.
- On-prem, hybrid and multicloud
- Enhanced attack path visibility across teams
- Customizable runtime response including kill and quarantine
- Forensic details for accelerated investigation and hunting
Enhanced Cloud Security, From Build Time to Runtime
- Deploy rapidly and achieve visibility across hybrid and multi-cloud environments within minutes.
- Proactively detect risks to minimize the attack surface using both static and behavioral AI in real time.
- Investigate, prioritize and remediate critical risks while leveraging EDR and XDR data for hunting and response.
All Eyes on Cloud: Why the Cloud Surface Attracts Attacks
Cloud Attacks Are Rising
Cloud environments have experienced a rapid rise, transitioning from data storage to a comprehensive computing platform that revolutionizes how businesses handle information. However, this shift has attracted threat actors who target the cloud due to its growing adoption by organizations in hybrid workspaces and cloud technologies.
The same features that make cloud services beneficial also make them appealing to threat actors. Attacks on cloud environments have surged, taking advantage of the vast amounts of sensitive data exchanged between organizations and their cloud providers. Threat actors exploit weak credentials, misconfigurations, and human errors to execute their attacks.
While security challenges haven’t deterred cloud adoption, organizations must understand their magnitude and implement effective security measures. This blog post explores why the cloud has become a prime target and outlines strategies to secure cloud environments and data.
According to Gartner, the pandemic and the rise of digital services have made the cloud a central component of new digital experiences. Global cloud revenue is expected to reach $474 billion this year, a $66 billion increase from 2021. The research firm also predicts that over 95% of new digital workloads will be deployed on cloud-native platforms, representing a 30% increase from the previous year.
To manage an expanding enterprise attack surface and mitigate risks associated with cloud services, businesses must plan beyond traditional security strategies. The following statistics highlight the growth of cloud adoption and the increasing frequency of attacks on cloud environments in recent years:
• In the last 12 months, 69% of organizations have expedited their cloud migration. Foundry (2022) predicts that the percentage of organizations with most or all of their IT infrastructure in the cloud will rise from 41% to 63% within the next 18 months.
• 49% of IT professionals reported that cloud-based attacks led to unplanned expenses.
• 80% of CISOs surveyed by PurpleSec were unable to identify instances of excessive access to data in their cloud environments.
• 79% of organizations have suffered at least one cloud-based data breach in the last 18 months. Further, 43% have reported 10 or more breaches within that same time frame (Emertic, 2021).
• 83% of cloud breaches are derived from access-related vulnerabilities (CyberTalk.org, 2021).
Understanding Cloud Risks
Using cloud services inherently exposes organizations to new security challenges, often related to unauthorized access, insider threats, and supply chain risks. To a threat actor, cloud vulnerabilities are means of gaining access to exfiltrate data from the targeted organization’s network whether by service disruptions, ransomware, or unauthorized data transfer. More sophisticated threat actors may employ lateral movement and detection evasion techniques, or account takeovers to establish and maintain a long-term foothold within the targeted network before leveraging existing services and tools found within it.
Common cloud security risks include the following:
• User Account Takeovers – Whether credentials are stolen through phishing, brute force, or malware, weak password policies often lead to compromised user accounts.
• Misconfiguration – Cloud service providers offer different tiers depending on the needs of the organization. This allows the cloud to work to scale with the organization. However, many organizations lack the security posture needed to ensure the safety of these services, resulting in security risks in the deployment stage of implementation. Misconfigured servers are a leading cause of compromise when it comes to cloud-based attacks.
• Vulnerable Public APIs – Public APIs allow trusted users to interact and operate within the cloud. If exploited, these APIs become a straightforward method for threat actors to gain access to the platform and exfiltrate sensitive data in the cloud database. Further, if the original configuration of the API harbors any vulnerabilities, this leaves threat actors with a backdoor for future exploits.
• Insider Threats – Even organizations with a healthy cyber ecosystem can fall victim to a legitimate but malicious user intent on leaking data. Malicious users often already have access to sensitive or critical data, and may also have the permissions to remove certain security protocols. The threat of malicious insiders is greatly minimized through zero-trust policies and identity and access management solutions.
• Denial-of-Service (DoS) Attacks – Designed to overload a system and bar users from accessing services, DoS attacks are especially devastating to cloud environments. When the workload increases in a cloud environment, the cloud provides extra computational power to absorb the extra load. Eventually, the cloud slows down and legitimate users lose access to their files in the cloud.
• Third-Party Vendors – It is important for organizations to assess third-party risks when using vendor services. Clouds are susceptible to supply chain attacks when threat actors infiltrate a network through unsecured third parties that work with the organization. Cyber risk is inherited when organizations choose to work with vendors whose cybersecurity posture is weaker than their own.
Defending the Cloud – Cyber Hygiene Matters
Securing the cloud begins with the basics. Cloud environments require short- and long-term security planning, implementation, and strategy, and practicing cyber hygiene is the first step of that strategy. Organizations that have processes in place for strong password requirements, multi-factor authentication, patch management, software updates, and device security can keep threat actors from grabbing the low-hanging fruit and reduce the attack surface.
Cover the Bases with Zero Trust & Segmentation
Accepting that there is no such thing as immunity from cyber attack goes a long way when building a holistic defense against threat actors who are eyeing a vulnerable cloud. Threat actors cause the most damage when they are able to move laterally through a victim’s network and escalate privileges along the way. Adopting zero trust makes life more difficult for them. The zero trust principle works by eliminating the concept of “trust by default”: each user and machine must authenticate before receiving only the specific access pre-determined for its role.
Network segmentation plays an important part in successful zero trust implementation as well. By segmenting networks into smaller subnets that each act like their own, independent network, administrators can better control and secure the flow of traffic between each one via granular rules. This approach breaks up the architecture of a network and allows administrators to pinpoint technical issues more easily and be able to improve monitoring efforts.
Develop a Cloud Operational Strategy
Clouds are, at their core, designed to help businesses scale and store data, not to provide security. For many organizations, clouds are managed by DevOps and CloudOps teams rather than the in-house security team. In siloed organizations, security measures may not be uniform across different teams and could cause discrepancies in how the cloud is protected.
Defending cloud infrastructure requires a joined-up strategy that looks at the organization’s cloud footprint with a holistic approach. Data needs to be collected and analyzed from all available sources in a way that security teams can ingest and understand.
Simplify the Challenges of Multi-Cloud Environments
Many organizations have multiple clouds deployed to optimize support for a larger data infrastructure. However, this scales up the complexity of the cloud infrastructure. Protecting multi-cloud environments means trying to find a common way to cover clouds that may each have a unique deployment, set of regulatory requirements, and policies.
A lack of uniformity here can be a big challenge for organizations, particularly if the organization does not have access to cloud security experts. Multi-cloud environments become even more complex if they are provided by different vendors. Integration between each of the cloud solutions may be difficult and result in a loss of visibility.
Dealing with these challenges involves considering the future as well as the present. Will technology investments made yesterday and today integrate with those of tomorrow? Many organizations have recognized the need to move to an XDR platform, but only an open XDR platform, one that integrates with existing solutions, analyzes their data, receives their alerts, and automatically sends responses, can effectively address the challenges of a multi-cloud environment.
Conclusion
The widespread adoption of cloud technologies continues to reshape the modern-day workforce. A significant part of the digital transformation happening globally, cloud implementation has allowed businesses to reduce costs, increase organizational agility, and improve long-term scalability. Though the migration to cloud has benefited many businesses, it has come with a variety of new attack vectors for threat actors.
To get ahead of threat actors, organizations using cloud services must fully understand how the services are being implemented and maintained. Visibility within the cloud is critical to seeing how file sharing is being done, the type of data being stored and its security, and what applications are connected.
Mage EDR’s Solution can help organizations improve their cloud security strategy through a combination of endpoint detection and response (EDR) capability, autonomous threat hunting and runtime solutions that can defeat cloud-based threats without compromising agility or availability. Learn more about Singularity™ Cloud or contact us today for a demo.