BREACH DETECTION

Nullifying Ransomware Attempts When a Breach Has Occurred

Detecting Ransomware and Other Attacks

This page is about a strategic approach to the Zero Trust principle of “Assume Breach.”

There are several locations where breaches can occur, and are likely to have occurred, despite best intentions and defenses. It does not matter how a breach occurred; all that matters is that these threats are detected and removed before they can cause an organization problems, whether by disabling systems, exfiltrating data or corrupting it.

These pages cover detection in and across a wide area network, a user system or closed network, and hybrid clouds. This order is deliberate: increasingly, systems involve cloud-based applications accessed from an organization’s locations, with the traffic traversing a service provider’s wide area network. This page, effectively a white paper, starts with the network and addresses the other areas later.

Part 1: Detecting Ransomware in the Network

1 Motivation

Ransomware as a Service is the Threat Actors’ killer app. The intention of this paper is to show how the use of MEF services significantly strengthens business protection by detecting and disabling such attacks.

2 Why it Works

Attacks and breaches can occur anywhere across the Information Ecosystems: in subscriber systems, in multiple clouds and remote user systems.

Increasingly, hybrid cloud environments mean that transactions span this ecosystem, so both the protect surface and the attack surface are distributed.

With 80+ threat types focused on penetrating defenses, and with protection relying on the correct execution of 40+ defensive actions, it is inevitable that some mitigating actions are missed and that breaches occur.

3 Introduction and Purpose

The good news is that an MEF standard service such as a SASE Service or Network as a Service implementing Zero Trust principles is ideally placed to detect the signs of breaches as they work inside the ecosystem and nullify their impact.

This page provides implementation guidance on MEF 117.1 SASE Services together with MEF 118.1 Zero Trust Framework and MEF 138 Security Functions. The actions described here specifically address the situation after defenses have been breached, in alignment with the Zero Trust principle “Assume Breach”, which has never been more relevant. That is, the focus is only on detecting the signs of such breaches by applying the strategies of the above MEF specifications. These signs are necessarily present in a successful attack, where a breach has been achieved and preventative defenses have failed.

The nature of a ransomware attack is primarily the use of “Ransomware as a Service”, effectively a for-purchase platform that delivers such attacks with limited technical knowledge required. This platform typically, but not always, delivers what is termed an Advanced Persistent Threat attack, which consists of techniques for

  1. Initial penetration to create a breach
  2. Infiltration and discovery of vulnerabilities
  3. Corrupting or exfiltrating information as described in detail below.

While there are never guarantees in cybersecurity, it is these signature techniques which, if curtailed, can prevent ransomware or severely reduce its success.

In summary: this page focuses on detection and removal of threats that are present when a Threat Actor has breached a system and is attempting to deploy techniques across a SASE Service.

4 Scope

As indicated, there are many aspects of the enterprise ecosystem that can be affected: Subscriber networks and systems, wide area network Services, OT networks and cloud infrastructures.

While the methodologies provided here could be applied to all of these, this paper addresses:

  1. The SASE Services in this document
  2. Services that deploy MEF Services such as SD-WAN
  3. IP Services that deploy MEF118.1’s Zero Trust attributes
  4. The security functions called out in MEF 138.

The increasing use of multiple and hybrid clouds makes wide area network and Internet access ever more important, and this has significantly increased the attack surface. The relevance is that attacks and breaches span these connections and are therefore detectable via connecting services such as a SASE service.

The security of end-user systems and Subscriber Networks, public and private Clouds and Internet Services is beyond the scope of this paper. Therefore, attacks listed here that are present only in the Subscriber Network are also out of scope.

5 Anatomy of Ransomware – Delivered as an Advanced Persistent Threat (APT)

As opposed to malware, which typically acts immediately, an APT is a sophisticated, often complex and sustained cyberattack, and it is today’s principal vehicle for ransomware.

To be Continued …

This approach will be fully described shortly, as it is being developed with several industry standards bodies.

These are the typical first steps of an APT attack, beginning with out-of-scope elements that are listed to give the overall picture.

5.1 Out of Scope

  1. The intruder begins with Reconnaissance, probing for vulnerabilities, targets to exploit and financial opportunities if present.
  2. Dependent upon what is found, Threat Actors will deploy the next stage, Resource Development, against the vulnerabilities, targets to exploit and financial opportunities identified.
  3. Using some of the 40+ methods (including many phishing types, identity theft, social engineering, AI-based scams, etc.), it then penetrates the Subscriber, Cloud, infrastructure or OT-based system. As indicated, this first step is out of scope and is only successful if end systems or human error cause defenses to fail. Endpoint Detection and Response (EDR) software is the first of several defenses designed to disempower APTs before they begin. These marketed solutions have limitations.
  4. Having penetrated a system, the Threat Actor establishes an undetected presence that compromises the system and creates a hard-to-detect foothold by hiding malware inside legitimate systems, applications and data files.
  5. They can also leverage file-less infiltration by abusing native tools such as PowerShell or Windows Management Instrumentation. These are known as “Living-off-the-Land” techniques; such exploits typically hide in end-user systems until activated and are therefore not detectable by end-user security software.

APT threats where breaches occur within user systems or cloud systems are addressed in a separate page.

Note: MITRE|ATT&CK lists 14 attack categories that are relevant.

5.2 In Scope

Having created a breach, the Threat Actor takes the following steps, each of which has the potential to be detected as an Indicator of Attack.

  1. The act of Discovery (MITRE TA0007)[1] is the technique used by Threat Actors to explore systems for vulnerabilities. There are 25 techniques listed by which an adversary may explore a system. Where that exploration spans the SASE service, it can be detected by applying the Zero Trust methodologies below.
  2. It may prepare for an attack by elevating its privilege level and seeking targets in the systems’ network. Then it may lie dormant, Beaconing its remote host and lying undetected in systems for a long time. This is the first sign detectable in a Zero Trust enabled network.
  3. When activated, it will invoke one or more Lateral Movement attacks to infiltrate connected systems, operating out of infiltrated applications. This is also detectable in a SASE Service or Zero Trust enabled network.
  4. To complete the attack, the next phase begins data exfiltration, damage or encryption of systems and applications, etc. The result can be anything from disruption to identity or data theft, ransomware, etc. Attempts at bulk exfiltration are also detectable, as are attempts at illicit encryption or corruption of software systems, device firmware and software.

6 Detection of Threats by Applying Zero Trust Principles

This section describes the deployment of Zero Trust to intercept Ransomware in a SASE service, a Network as a Service, SD-WAN, or as the security oversight of an Infrastructure as a Service. Other detection and removal techniques are also explained.

Figure: Detection of Threats by Applying Zero Trust Principles in SASE Services

7 Methodologies to Detect Potential Attacks

  • The methodology described in MEF 118.1 is required to be applied in order to verify that transactions are legitimate and not infiltrated by a Threat Actor. The functions described are highlighted in the above diagram. The separation of Policy Management from several Policy Enforcement Points is a key element of the strategy.
  • Subject Actors in a Zero Trust enabled system are required to be identified via an Identity Manager and Authenticated via a form of Multi-factor Authentication, Passkey, etc.
  • Authorization is required by the policies associated with that Subject Actor.
  • Access is granted in line with the Access Controls listed in MEF 118.1 section 12. These are Mandatory, Discretionary, Role-Based and Attribute-Based Access Controls.
  • Attempts to execute transactions outside the rules of these access controls are blocked, reported and logged.
  • Similarly blocked and reported are breaches of policies regarding unapproved locations, times, durations, amounts of data being transferred, or access to unauthorized target Actors, workloads, etc.
  • Policies should also apply, as appropriate, at Zero Trust enforcement points, particularly to attempts to access segmented networks.
  • Of particular importance are limitations on the use of file sharing and file transfer applications, as these are used in exfiltration of data and in Lateral Movement attacks that transport malware.
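The policy checks in the list above can be made concrete. The following Python is an added example, not MEF’s or any vendor’s code, of a policy decision function consulted by a Policy Enforcement Point (keeping policy management separate from enforcement, as the first bullet recommends): it requires MFA-backed authentication, applies a role-based check, then attribute-based checks on location, time window, data volume and target network segment, and logs every block for reporting. The data model and all sample values (the payroll-app policy, the alice and mallory subjects) are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Set, Tuple

# Hypothetical data model for the illustration; not an MEF-defined API.
@dataclass
class Subject:
    name: str
    roles: Set[str]
    mfa_verified: bool        # identity verified by MFA/passkey at the Identity Manager
    location: str             # attribute used by the attribute-based rules

@dataclass
class Policy:
    application: str
    allowed_roles: Set[str]
    allowed_locations: Set[str]
    allowed_hours: Tuple[time, time]   # inclusive start and end of the approved window
    max_bytes_per_session: int         # ceiling on data leaving in one session
    allowed_segments: Set[str]         # segmented networks the application may reach

@dataclass
class Transaction:
    subject: Subject
    application: str
    at: time
    bytes_out: int
    target_segment: str

@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)

def decide(tx: Transaction, policies: Dict[str, Policy]) -> Decision:
    """Policy decision: every check must pass, and anything unknown is denied."""
    reasons: List[str] = []
    if not tx.subject.mfa_verified:
        reasons.append("subject not authenticated with MFA")
    policy = policies.get(tx.application)
    if policy is None:
        reasons.append(f"no policy for application {tx.application!r}: default deny")
        return Decision(False, reasons)
    if not (tx.subject.roles & policy.allowed_roles):            # role-based control
        reasons.append("role not authorized for application")
    if tx.subject.location not in policy.allowed_locations:     # attribute: location
        reasons.append(f"location {tx.subject.location!r} not approved")
    start, end = policy.allowed_hours                           # attribute: time window
    if not (start <= tx.at <= end):
        reasons.append(f"access at {tx.at.isoformat()} outside approved hours")
    if tx.bytes_out > policy.max_bytes_per_session:             # data volume ceiling
        reasons.append(f"{tx.bytes_out} bytes exceeds limit {policy.max_bytes_per_session}")
    if tx.target_segment not in policy.allowed_segments:        # network segmentation
        reasons.append(f"segment {tx.target_segment!r} not reachable under policy")
    return Decision(not reasons, reasons)

def enforce(tx: Transaction, policies: Dict[str, Policy], log: List[dict]) -> bool:
    """Policy Enforcement Point: apply the decision and record every block."""
    decision = decide(tx, policies)
    if not decision.allowed:
        log.append({"subject": tx.subject.name, "application": tx.application,
                    "action": "BLOCK", "reasons": decision.reasons})
    return decision.allowed

# Constructed sample policy, subjects and transactions for the illustration.
POLICIES = {
    "payroll-app": Policy("payroll-app", {"hr"}, {"HQ", "branch-1"},
                          (time(7, 0), time(19, 0)), 50_000_000, {"hr-segment"}),
}
ALICE = Subject("alice", {"hr"}, True, "HQ")
MALLORY = Subject("mallory", {"guest"}, False, "cafe")
NORMAL_TX = Transaction(ALICE, "payroll-app", time(9, 30), 2_000_000, "hr-segment")
SUSPICIOUS_TX = Transaction(ALICE, "payroll-app", time(2, 15), 800_000_000, "finance-segment")
UNAUTH_TX = Transaction(MALLORY, "payroll-app", time(9, 0), 1_000, "hr-segment")

def sample_audit() -> List[dict]:
    """Run the three constructed transactions through the PEP; returns the block log."""
    audit: List[dict] = []
    for tx in (NORMAL_TX, SUSPICIOUS_TX, UNAUTH_TX):
        enforce(tx, POLICIES, audit)
    return audit

if __name__ == "__main__":
    for entry in sample_audit():
        print(entry)
```

The same subject with a valid role is still blocked when the transaction itself violates policy (hour, volume, segment), which is the point of continual verification rather than one-time login.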

8 Threats Detected as Indicators of Attack

The following threats, enabled by a breach, are relevant and necessary for the Threat Actor to effect ransomware in a Network Ecosystem, and their detection and prevention is the goal: Beaconing (any attempt to access a remote host is easily detected), the use of Discovery techniques, Living-off-the-Land transactions and Lateral Movement.
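The Indicators of Attack named above and in section 5.2 (Beaconing, Lateral Movement and bulk exfiltration) can be derived from the flow records that a SASE service or SD-WAN already produces. The following Python is an added example, not part of this page or of any MEF specification; the flow records, the internal address range and the thresholds are all constructed for the illustration. Beaconing is flagged by the regularity of contacts with one external host, Lateral Movement by one internal host reaching many internal peers on administrative ports, and bulk exfiltration by the volume sent to one external destination.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import List, Tuple

@dataclass(frozen=True)
class Flow:
    ts: int       # seconds since an arbitrary epoch (constructed)
    src: str
    dst: str
    dport: int
    nbytes: int   # bytes sent from src to dst

# Constructed internal address range; a real deployment would list its own segments.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def detect_beacons(flows: List[Flow], min_conns: int = 6, max_cv: float = 0.1) -> List[Tuple[str, str]]:
    """Repeated, evenly spaced contacts from an internal host to one external host.
    Regularity (low coefficient of variation of the inter-arrival time) is the
    signal, not volume: beacons are small by design."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst)].append(f.ts)
    hits = []
    for pair, stamps in sorted(by_pair.items()):
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append(pair)
    return hits

def detect_lateral_movement(flows: List[Flow], min_hosts: int = 5,
                            admin_ports=frozenset({22, 445, 3389, 5985})) -> List[str]:
    """One internal host reaching many distinct internal peers on administrative
    or file-sharing ports within the record set."""
    peers = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport in admin_ports:
            peers[f.src].add(f.dst)
    return sorted(src for src, hosts in peers.items() if len(hosts) >= min_hosts)

def detect_bulk_exfil(flows: List[Flow], threshold: int = 100_000_000) -> List[Tuple[str, str, int]]:
    """Total bytes from an internal host to a single external destination above a ceiling."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.nbytes
    return sorted((s, d, n) for (s, d), n in totals.items() if n >= threshold)

def constructed_flows() -> List[Flow]:
    """Constructed sample records (not captured traffic)."""
    flows = []
    # Beacon: 10.1.1.5 contacts 203.0.113.10 every ~300 s with tiny payloads.
    for i, jitter in enumerate([0, 2, -1, 1, 0, -2, 1, 0]):
        flows.append(Flow(1000 + 300 * i + jitter, "10.1.1.5", "203.0.113.10", 443, 512))
    # Lateral movement: the same host then touches six internal peers on SMB.
    for i in range(6):
        flows.append(Flow(4000 + 10 * i, "10.1.1.5", f"10.1.2.{20 + i}", 445, 40_000))
    # Bulk transfer: 10.1.1.7 pushes 600 MB to an external host in three sessions.
    for i in range(3):
        flows.append(Flow(5000 + 60 * i, "10.1.1.7", "198.51.100.20", 443, 200_000_000))
    # Benign browsing: irregular intervals and modest sizes, should not be flagged.
    for t in (1100, 1150, 1900, 2600, 2650, 3500, 3900):
        flows.append(Flow(t, "10.1.1.8", "203.0.113.50", 443, 30_000))
    return flows

if __name__ == "__main__":
    flows = constructed_flows()
    print("beacons:", detect_beacons(flows))
    print("lateral movement:", detect_lateral_movement(flows))
    print("bulk exfiltration:", detect_bulk_exfil(flows))
```

The benign host contacts an external site just as often as the beaconing host but at irregular intervals, so it is not flagged; the three large sessions are too few to look like a beacon but trip the volume ceiling. In a production SASE deployment the thresholds would be tuned per Subscriber and the flagged pairs fed to the Policy Enforcement Point for blocking and reporting.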

8.1 Additional Security Functions for SASE Services – addressed in MEF 117.1

Section 9.6.2.1 on Supported Application Identity and Access Management (SA-IdAM) determines whether the Subject Actor of a Session is Authenticated and, more importantly, Authorized to access a particular supported Application, and is thus an important source of Indicators of Attack. Similarly, Section 9.6.2.2, the Data Integrity Security Function, is the Security Function that examines certain supported Applications and determines whether the actions included in those Sessions are allowed or blocked based upon the SASE Policy. Living-off-the-Land attacks are likely to be detected by this function.

8.2 Additional Security functions

Although not in scope for this paper, this document, along with MEF 138, SASE functions and other solutions, calls out other security functions for the prevention of breaches; these reduce the chance of a breach that uses the SASE Service to deliver ransomware:

All eleven Security Functions listed in section 7.9 of this document SHOULD be implemented. Specifically, the Middlebox function will allow inspection of the contents of packets. These are covered in detail in MEF 138.

Other SASE functions in section 7.9, including Proxy, Cloud Access Security Broker and Remote Browser Isolation, are focused on defense rather than on the period after a breach has occurred.

SASE functions also add security prior to transit of the SASE Service ecosystem, such as Universal ZTNA (including Lateral Movement detection), SWG, etc.

Other relevant Detection and Response solutions such as NDR (Network Defense and Response Systems) should be examined to see if they add protection and avoid breaches. Endpoint Detection and Response (EDR) is deployed in Subscriber Networks and Extended Detection & Removal Software (XDR) spans both EDR and XDR.

8.3 Dependencies and Actor Collaboration

Successful implementation depends on the reliable execution of several supporting elements, in line with the Zero Trust principle of “Never Trust, Continually Verify.”

Subscriber implementation of Privileged Access and Account Management and Identity Management MUST be used to manage and limit the privilege of Users, Software and Devices. This limit is known as Least Privilege.

These are required to prevent or limit Threat Actors’ ability to impersonate processes. They SHOULD include rules regarding which applications can be run and accessed, the amount of data that can be transferred (to avoid exfiltration) and to which location, when the User is authorized to access the Application, the location of the User or Application, etc.

It may fall upon the Subscriber to provide these functions directly or in collaboration with the Service Provider. In any case, it is imperative that the Service Provider verify, and not simply trust, that these functions and the supplied software can be depended upon. This collaboration is essential to address any potential vulnerabilities or weak links.

The above also applies to any software or system used by the provider to implement the Services. This supply chain includes any third-party software such as SASE components, monitoring or auditing systems.

This process must be continually verified as part of any regression testing of updated systems.

9 Defensive Evasion

The implementation recommended in this paper is itself subject to attack and disablement. Care should be taken to ensure that the implementation of the system uses memory-safe languages and is accessible only via the same Zero Trust protective methodologies described above. MITRE ATT&CK (TA0005) lists 25 techniques used for defensive evasion.

10 Other Benefits of Deployment

Proper documentation of the implemented SASE Services will act as essential reassurance that use of the SASE service reduces risk, should other risk-mitigation measures prove unsuccessful.

11 Vigilance

Finally, continual awareness of development in attack techniques and defensive responses remains an essential part of every cybersecurity strategy.

[1] MITRE ATT&CK Discovery Techniques, https://attack.mitre.org/tactics/TA0007/ (2019)
