By Mr. Shomiron Dasgupta, CEO and Founder, DNIF
Cyber threats have been prevalent on the internet for decades now. Unfortunately, malware has been evolving more rapidly than the anti-malware software needed to combat it. The three most active cyber threat categories worldwide are currently ransomware, phishing, and endpoint attacks.
Ransomware is malicious software that encrypts data on a target system and demands a ransom in exchange for restoring access to it. The demand is typically made in Bitcoin, and the encrypted files can only be unlocked with a decryption key that the attacker holds. These attacks range from low-level nuisances to serious incidents in which several organizations have had their data locked down at once.
The ransomware “Petya”, which hit Ukraine in 2017 and cascaded to several other countries, showed the extent of damage a ransomware outbreak can cause. The attack spread through Ukrainian government systems running Microsoft Windows and shut down banks, state power utilities, ATMs, an airport and the metro system. It also took the Chernobyl radiation monitoring system offline and forced officials to check radiation levels manually. The ransomware demanded $300 in Bitcoin, which various companies allegedly paid.
Preventing ransomware begins with regularly updating and patching operating systems and applications. Regular backups of all systems on the network, kept offline or otherwise out of reach of the malware, greatly reduce the damage a successful attack can do. Remind users to be wary of suspicious files they receive, and make sure they know how to identify and report malicious emails. Lastly, make sure a reputable anti-malware solution is installed on all systems.
Security monitoring gives real-time visibility into users and their devices. Through monitoring, security teams can verify security and compliance requirements regardless of whether data is stored locally, in a database, in a virtual environment or in the cloud. Monitoring solutions also classify devices by type, owner and operating system, which makes it easier to prevent and respond to risks. Here are a few effective ways to use security monitoring against ransomware:
- Use analytics to build a connectivity map of your infrastructure so that anomalies in hosts and their connection patterns stand out.
- Use process monitoring to detect changes in process footprints (new or altered processes on a host).
- Set up file access monitoring that detects large-scale changes to files, such as a single host renaming or rewriting hundreds of files within a few minutes, and quarantine suspicious hosts immediately to stop the malware from spreading.
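As an added example (not part of the original article, and not DNIF's product code), the third technique implemented in Python: a sliding-window detector run over constructed file-access audit lines. The log format, the 60-second window, the threshold of 25 modifications and the list of "normal" extensions are assumptions to be tuned to the environment; the ratio of unfamiliar extensions helps tell an encryption run apart from a legitimate bulk job such as a backup. The detector returns the hosts to quarantine rather than isolating them itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Audit-log format assumed for this example (constructed, not a vendor format):
#   <ISO timestamp> <host> <user> <WRITE|RENAME|DELETE> <path>[ -> <new path>]
EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (WRITE|RENAME|DELETE) (.+)$")

WINDOW = timedelta(seconds=60)   # sliding window per host (assumed)
BURST_THRESHOLD = 25             # WRITE/RENAME events per window; tune to the environment
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pptx", ".pdf", ".txt"}  # extensions normal for this share


def build_sample_events():
    """Constructed sample: one user working normally, one host renaming 40 files in 20 s."""
    lines = [
        "2017-06-27T10:00:01 ws-12 alice WRITE C:\\Users\\alice\\Documents\\q2.xlsx",
        "2017-06-27T10:00:05 ws-12 alice WRITE C:\\Users\\alice\\Documents\\notes.docx",
        "2017-06-27T10:01:10 ws-12 alice WRITE C:\\Users\\alice\\Documents\\q2.xlsx",
    ]
    start = datetime(2017, 6, 27, 10, 3, 0)
    for i in range(40):
        ts = (start + timedelta(seconds=i // 2)).isoformat()  # two renames per second
        src = f"\\\\fs01\\share\\finance\\report{i}.xlsx"
        lines.append(f"{ts} ws-31 bob RENAME {src} -> {src}.locked")
    return lines


def parse_event(line):
    """Parse one audit line into a dict; RENAME lines carry both the old and the new path."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, user, action, rest = m.groups()
    if action == "RENAME" and " -> " in rest:
        src, dst = rest.split(" -> ", 1)
    else:
        src = dst = rest
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "action": action, "src": src, "dst": dst}


def extension(path):
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect_mass_change(lines):
    """Return {host: alert} for hosts whose WRITE/RENAME rate exceeds BURST_THRESHOLD per WINDOW."""
    windows = defaultdict(deque)  # host -> (timestamp, resulting extension) of recent events
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] not in ("WRITE", "RENAME"):
            continue
        q = windows[ev["host"]]
        q.append((ev["ts"], extension(ev["dst"])))
        while q and ev["ts"] - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD:
            unknown = sum(1 for _, ext in q if ext not in KNOWN_EXTENSIONS)
            prev = alerts.get(ev["host"])
            if prev is None or len(q) > prev["events_in_window"]:
                alerts[ev["host"]] = {
                    "user": ev["user"],
                    "events_in_window": len(q),
                    "unknown_extension_ratio": round(unknown / len(q), 2),
                    "first_seen": q[0][0].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for host, alert in detect_mass_change(build_sample_events()).items():
        print(f"QUARANTINE CANDIDATE {host}: {alert}")
```

The output is a list of hosts with the evidence a responder needs (who, how many files, how fast, and what fraction got an unfamiliar extension); the actual quarantine action belongs in the response workflow, not in the detector.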
Phishing attacks are hard to detect. They often look like everyday emails from known and trusted sources, but they trick users into installing malware on their devices, giving attackers access to the victims’ workstations.
These attacks are often used to steal confidential user data, such as credit card numbers and login credentials. The attacker poses as a trusted source or entity and convinces the target to click a malicious link, which typically leads either to the installation of malware or to a fake login page under the attacker’s control.
Proactively blocking malicious emails and securing email gateways reduce users’ exposure to generic, opportunistic campaigns. Many email security solutions also include features that help identify breaches and support regulatory compliance. Creating awareness among users, conducting training and running phishing simulations also reduce the effectiveness of phishing attacks.
Combining phishing awareness with training gives users an easy way to act on their knowledge and empowers them to take charge of their own security. Being able to identify affected user accounts and their credentials quickly is crucial. Supplementing user reporting with automated detection gives an organization’s security team complete end-to-end visibility: when employees report suspected phishing themselves, there is more time to take countermeasures that limit the impact.
A few anti-phishing monitoring techniques are listed below:
- Set up an effective endpoint monitoring strategy to detect maliciously spawned child processes (for example, a document viewer launching a script interpreter) that might be used to steal data; this is discussed further in the next section.
- Identify malicious files and URLs within emails by forwarding messages to a sandbox, or by looking them up with service providers that maintain databases of known malicious file hashes and URLs.
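As an added example (not part of the original article or any vendor's product), the lookup side of the second technique in Python: parse a raw message, pull out every URL and attachment hash, and check them against a blocklist. The message, the blocklisted domain and the "known bad" attachment hash are constructed stand-ins; in practice the sets would be replaced by queries to a threat-intelligence provider, and the sandbox step is not shown. The example also flags a lure the article describes, a link whose visible text is a trusted-looking URL while its target is a different host.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed stand-ins for a threat-intel lookup (not real indicators); a deployment
# would query a provider's database of known malicious URLs and file hashes instead.
SAMPLE_ATTACHMENT = b"PK\x03\x04 constructed placeholder bytes, not a real archive"
KNOWN_BAD_DOMAINS = {"examp1e-portal.test"}
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()}


def build_sample_message():
    """Constructed phishing-style message: lookalike link plus a 'known bad' attachment."""
    msg = EmailMessage()
    msg["From"] = '"IT Helpdesk" <helpdesk@example.com>'
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Password expiry notice"
    msg.set_content("Your password expires today: http://login.examp1e-portal.test/reset")
    msg.add_alternative(
        '<p>Your password expires today. <a href="http://login.examp1e-portal.test/reset">'
        "https://portal.example.com/reset</a></p>",
        subtype="html",
    )
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _on_blocklist(host):
    return host in KNOWN_BAD_DOMAINS or any(host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def analyze_message(raw):
    """Extract URLs and attachment hashes from a raw RFC 5322 message and score them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments, findings = set(), [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""   # decoded bytes, whatever the CTE
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest()})
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()      # decoded text, so wrapped/QP-encoded URLs come back whole
        urls.update(URL_RE.findall(body))
        if ctype == "text/html":
            # Visible link text that is itself a URL but points at another host is a classic lure.
            for href, text in ANCHOR_RE.findall(body):
                shown = URL_RE.findall(text)
                if shown and _host(shown[0]) != _host(href):
                    findings.append(f"link text {shown[0]} points to {href}")
    for url in sorted(urls):
        if _on_blocklist(_host(url)):
            findings.append(f"url on blocklist: {url}")
    for att in attachments:
        if att["sha256"] in KNOWN_BAD_HASHES:
            findings.append(f"attachment hash on blocklist: {att['filename']}")
    return {"urls": sorted(urls), "attachments": attachments,
            "findings": findings, "verdict": "block" if findings else "deliver"}


if __name__ == "__main__":
    for line in analyze_message(build_sample_message())["findings"]:
        print(line)
```

Hashing the decoded attachment bytes (rather than the base64 text on the wire) is what makes the hash comparable with a provider's database; the same function works for a message pulled from a gateway quarantine or forwarded by a user.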
Endpoint attacks target user systems rather than servers. These user systems are the entry points to the network and include smartphones, desktop computers, laptops and fixed-function devices. Once an endpoint is compromised, the attack can also reach shared folders, network-attached storage (NAS) and server hardware.
Endpoint security is implemented on user systems to stop them from running threats, whether internal or external, malware or non-malware (for example, a legitimate tool misused for data theft or system disruption). One way to prevent endpoint attacks is a layered endpoint security setup that combines prevention, detection, monitoring and root-cause analysis of an attack.
It is important to note that modern endpoint security differs from traditional antivirus in that it relies on behavioral and predictive analysis rather than only on reactive, signature-based detection.
Organizations should therefore deploy endpoint monitoring solutions that watch connection activity and can identify an anomaly that indicates a potential threat. Another way to combat endpoint attacks is behavioral analytics, which observes parameters such as user behavior, network behavior and the other entities that connect to an endpoint, and looks for patterns and tasks that fall outside the norm.
Other steps include removing administrative access from endpoints that do not need administrative rights for everyday applications, keeping systems up to date, and implementing stronger authentication such as multi-factor authentication.
These monitoring techniques can help to prevent endpoint attacks:
- Set up effective process profiling to identify, validate and investigate unknown processes spawned on endpoint systems.
- Analyze connections made by endpoints to identify malicious transactions between hosts.
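As an added example (not part of the original article or any vendor's product), both endpoint techniques in Python, which also covers the child-process detection mentioned in the phishing section above. Process profiling compares each process-creation event against a baseline of known images and a rule for document handlers spawning script interpreters; connection analysis compares each outbound connection against the host's baseline peers and flags workstation-to-workstation traffic on lateral-movement ports. The baselines, rule lists and telemetry are constructed assumptions; real baselines are learned per environment.

```python
from collections import defaultdict

# Baselines assumed for this example (constructed). In practice they are learned per
# environment by profiling which images run and which destinations each host normally uses.
BASELINE_IMAGES = {"explorer.exe", "svchost.exe", "winword.exe", "excel.exe", "outlook.exe",
                   "chrome.exe", "teams.exe", "powershell.exe", "cmd.exe"}
BASELINE_PEERS = {
    "ws-07": {"mail.example.com", "fs01.example.com", "proxy.example.com"},
    "ws-09": {"mail.example.com", "fs01.example.com", "proxy.example.com"},
}
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                     "chrome.exe", "msedge.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe"}
LATERAL_PORTS = {135, 445, 3389, 5985}   # RPC, SMB, RDP, WinRM
PROCESS_RULES = {"document_handler_spawned_interpreter", "unknown_process"}

# Constructed telemetry (not real events): (host, parent image, child image, command line)
PROCESS_EVENTS = [
    ("ws-07", "explorer.exe", "winword.exe", "winword.exe /n invoice.docx"),
    ("ws-07", "winword.exe", "powershell.exe", "powershell.exe -w hidden -c <placeholder>"),
    ("ws-07", "powershell.exe", "updater.exe", "updater.exe /silent"),
    ("ws-09", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("ws-09", "explorer.exe", "outlook.exe", "outlook.exe"),
]
# (host, process, destination, destination port)
CONNECTION_EVENTS = [
    ("ws-07", "powershell.exe", "cdn-updates.invalid", 443),
    ("ws-07", "updater.exe", "ws-11", 445),
    ("ws-09", "chrome.exe", "proxy.example.com", 8080),
    ("ws-09", "outlook.exe", "mail.example.com", 443),
]


def profile_processes(events):
    """Flag document handlers spawning interpreters and any image outside the baseline."""
    alerts = []
    for host, parent, child, cmdline in events:
        parent_l, child_l = parent.lower(), child.lower()
        if parent_l in DOCUMENT_HANDLERS and child_l in INTERPRETERS:
            alerts.append({"host": host, "rule": "document_handler_spawned_interpreter",
                           "detail": f"{parent} -> {child}: {cmdline}"})
        if child_l not in BASELINE_IMAGES:
            alerts.append({"host": host, "rule": "unknown_process",
                           "detail": f"{child} (parent {parent}) not in baseline; validate it"})
    return alerts


def analyze_connections(events):
    """Flag workstation-to-workstation lateral ports and interpreters reaching new peers."""
    alerts = []
    for host, process, dst, port in events:
        if dst.startswith("ws-") and port in LATERAL_PORTS:
            alerts.append({"host": host, "rule": "workstation_to_workstation",
                           "detail": f"{process} -> {dst}:{port}"})
        elif process.lower() in INTERPRETERS and dst not in BASELINE_PEERS.get(host, set()):
            alerts.append({"host": host, "rule": "interpreter_to_unknown_destination",
                           "detail": f"{process} -> {dst}:{port}"})
    return alerts


def correlate(process_alerts, connection_alerts):
    """Rank hosts: process and connection findings together -> high, one kind only -> medium."""
    rules = defaultdict(set)
    for a in process_alerts + connection_alerts:
        rules[a["host"]].add(a["rule"])
    result = {}
    for host, found in rules.items():
        both = bool(found & PROCESS_RULES) and bool(found - PROCESS_RULES)
        result[host] = {"severity": "high" if both else "medium", "rules": sorted(found)}
    return result


if __name__ == "__main__":
    ranked = correlate(profile_processes(PROCESS_EVENTS), analyze_connections(CONNECTION_EVENTS))
    for host, info in ranked.items():
        print(host, info["severity"], ", ".join(info["rules"]))
```

Correlating the two feeds is the point: a single unknown process is an investigation item, but an unknown process on the same host that also reaches a new destination and then touches another workstation over SMB is the pattern of a phishing payload moving laterally, and is what should be escalated first.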