4 Techniques for Early Ransomware Detection

It is predicted that a ransomware attack will occur every 11 seconds in 2021, with an expected average ransom cost of $84 thousand.

However, more is at stake than just your bottom line. From downtime halting operations and disrupting productivity to dealing with the fallout of stolen data, the wide-reaching impact of a successful ransomware attack can be detrimental. 

Ransomware has come a long way from its beginnings as a nuisance strain of malware. Bad actors and nation-state hackers have successfully leveraged ransomware to attack organizations of all sizes and across multiple verticals.

There is big money in ransomware, too. Cybercriminals increasingly use it to encrypt as much of a target’s network as possible, hoping to extort ransoms ranging from thousands to millions of dollars.

Stop Ransomware from Encrypting Your Network by Stopping Lateral Movement

Many are even upping the stakes with tactics like double extortion, as seen in the recent PLEASE_READ_ME incidents, where the bad actors ensured a profit by auctioning off data exfiltrated from breached MySQL servers if a ransom went unpaid.

Unfortunately, there is no known “silver bullet” solution to protect organizations today. Still, you can put a few best practices in place to reduce the impact of ransomware and other similar threats.

Why is Detecting and Preventing Lateral Movement Key?

Outdated technology and “good enough” defense strategies focused solely on perimeters and endpoints are not enough to stop today’s evolving ransomware campaigns.

A ransomware attack begins with an initial breach, often enabled by a phishing email or vulnerability in the network perimeter. From its landing point, the malware will start to move through your network and attempt to maximize damage. Typically, bad actors seek to seize control of a domain controller, compromise credentials and locate and encrypt any backups in place to prevent operators from restoring infected and frozen services. 

Because ransomware relies on lateral movement to execute a successful attack, it’s where organizations should focus their effort. Any organization that can detect and block unauthorized lateral movement early in the attack chain will be in a better position to reduce the impact of ransomware and other similar threats.

Checklist for Early Ransomware Detection

Despite the best perimeter defenses, breaches are inevitable, and if you receive a ransom note, it’s likely too late. Most of your network will already be encrypted.

Early detection is key, but it can be a challenge for many organizations. However, achieving swift detection will allow you to act fast and stop an attack early in the kill chain before it spreads within your network and impacts critical applications and services. 

To successfully spot an attack before it’s too late, you’ll need the following:    

Strong Visibility – Don’t get caught by surprise. Understanding east-west traffic activity in your network will give you insight into unauthorized lateral movement as any ransomware attempts to spread. Strong visibility will also give you an advantage when it comes to defense, allowing you to identify potential attack vectors to critical applications from your broader IT assets.

Segmentation Policies – If you’ve created informed segmentation policies, you’ve hopefully based them on the observed normal communication flows between assets in your environment. Configuring policies to alert you to anything outside the routine activity will give you an early warning of unusual activity, so you can investigate and take action if needed.

IDS System and Malware Detection Tools – These will help you detect ransomware operators’ propagation attempts, whether this means using predefined rules and signatures for known exploits or more general or automated anomaly detection.

Deception Tools – Setting up lures, honeypots or a distributed deception platform that can identify unauthorized lateral movement can also be an effective way to discover an active breach in progress with high-fidelity incidents. 
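The segmentation and IDS points above both come down to the same detection logic: learn what routine east-west traffic looks like, then alert on flows that fall outside it, and in particular on one host fanning out to many internal hosts over administrative ports, which is what ransomware propagation looks like on the wire. The following is an added example (not code from the original post or from Guardicore) that runs that logic over a constructed baseline and a constructed flow log; the host names, ports and thresholds are assumptions chosen for illustration.

```python
"""Flag lateral-movement style activity in east-west flow records.

Added example, not from the original post. Flow records are constructed
here in the shape a flow collector or segmentation agent might emit:
timestamp, source host, destination host, destination port, protocol.
Two signals are checked against a learned baseline of normal flows:
  1. a (src, dst, port) triple never seen during the baseline window, and
  2. one source reaching many distinct internal hosts on admin ports
     (SMB 445, RDP 3389, WinRM 5985/5986, SSH 22) inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PORTS = {445, 3389, 5985, 5986, 22}
FANOUT_THRESHOLD = 5                   # distinct destinations on admin ports ...
FANOUT_WINDOW = timedelta(minutes=5)   # ... within this window (assumed values)

# Constructed baseline of routine east-west flows: (src, dst, dport)
BASELINE_FLOWS = {
    ("web01", "db01", 5432),
    ("web02", "db01", 5432),
    ("app01", "db01", 5432),
    ("jump01", "web01", 22),
    ("jump01", "web02", 22),
    ("backup01", "db01", 22),
}

# Constructed flow log: "<iso-timestamp> <src> <dst> <dport> <proto>"
FLOW_LOG = """\
2021-02-10T09:00:01 web01 db01 5432 tcp
2021-02-10T09:00:05 jump01 web01 22 tcp
2021-02-10T09:01:10 web02 db01 5432 tcp
2021-02-10T09:02:00 hr-pc17 fs01 445 tcp
2021-02-10T09:02:04 hr-pc17 fs02 445 tcp
2021-02-10T09:02:07 hr-pc17 dc01 445 tcp
2021-02-10T09:02:09 hr-pc17 backup01 445 tcp
2021-02-10T09:02:12 hr-pc17 web01 3389 tcp
2021-02-10T09:02:15 hr-pc17 db01 445 tcp
2021-02-10T09:30:00 app01 db01 5432 tcp
"""


def parse_flows(text):
    """Parse the constructed log into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def detect_unknown_flows(flows, baseline=BASELINE_FLOWS):
    """Return the (src, dst, dport) triples not present in the baseline."""
    seen = set()
    unknown = []
    for _, src, dst, dport, _ in flows:
        key = (src, dst, dport)
        if key not in baseline and key not in seen:
            seen.add(key)
            unknown.append(key)
    return unknown


def detect_fanout(flows, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src: n_destinations} for sources that reach >= threshold
    distinct hosts on admin ports within `window` (sliding over each event)."""
    per_src = defaultdict(list)          # src -> [(ts, dst)] on admin ports
    for ts, src, dst, dport, _ in flows:
        if dport in ADMIN_PORTS:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - start <= window}
            if len(dsts) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(dsts))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for triple in detect_unknown_flows(flows):
        print("unknown flow:", triple)
    for src, n in detect_fanout(flows).items():
        print(f"fan-out alert: {src} reached {n} hosts on admin ports")
```

The baseline check is what a segmentation policy in alert mode gives you for free; the fan-out check is the kind of rule an IDS would carry in addition, because a single new flow is noise but six new SMB connections from one workstation in fifteen seconds is not.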

Learn More About Building a Strong Ransomware Defense Strategy

Early detection is only one piece of the puzzle in addressing ransomware, and its threat to organizations isn’t going away any time soon. Since 2018, the number of ransomware attacks has spiked by 350%, the average ransom payment amount has risen by more than 100% and downtime has increased by 200%.

The world can expect to continue experiencing a higher frequency of sophisticated attacks with even more costly ransom demands — all with the potential for downtime and data exfiltration.

Is your ransomware threat mitigation strategy comprehensive enough?

To learn more about improving your security posture against ransomware, download the E-book: ‘Ransomware Resurgence: How to Strengthen Your Defenses Beyond the Perimeter’. You’ll get actionable tips for building a defense strategy that minimizes the effectiveness of ransomware attacks and stops their spread within your network.

[Image: ransomware kill chain]

Congratulating Guardicore’s Channel Chief, John Ryan

In 2020, enterprises rapidly accelerated their digital transformation journeys, increasingly adopting cloud technologies to deal with the shift to remote work. As the complexity of these modern environments increased, so did their security and compliance risks.

Our award-winning Partner Program worked tirelessly this year to zero-in on what mattered most to our Partners, to quickly adapt to their customers’ evolved IT and security needs. Leading these efforts with great success was our Head of Channels, John Ryan. While John is never one to take credit, we thankfully have prestigious industry awards to showcase the amazing accomplishments he and his team have achieved.

Today, we’re thrilled to announce that John has been named a 2021 CRN Channel Chief! He’s recognized among the industry’s best who build, support and deliver superior partner programs and strategies.

John’s leadership has allowed the Guardicore Partner Program to enjoy unprecedented success and no one is more deserving of the honor. A few of the many highlights of Guardicore’s Partner Program over the last year include:

  • 300% YoY growth in channel revenue
  • 300% YoY growth in channel bookings
  • 1000% YoY growth in channel pipeline
  • Established a new Focus Partner Ecosystem that expanded into new verticals, offering free lab environments, technical enablement, and other marketing resources like whitepapers and webinars, resulting in 50% of FY2020 bookings

The annual Channel Chiefs list features the prominent leaders who have influenced the IT channel with cutting-edge strategies, programs and partnerships. All honorees are selected based on their dedication, industry prestige, and exceptional accomplishments as channel advocates.

According to CEO of The Channel Company Blaine Raddon, “CRN’s 2021 Channel Chiefs list includes the industry’s biggest channel evangelists, a group of individuals who work tirelessly on behalf of their partners and drive growth through the development of strong partner programs and innovative business strategies that help bring business-critical solutions to market.”

John personifies all of these attributes in his tireless commitment to Guardicore and the rapid expansion of our Partner Program. Thank you, John, for all that you do. Congratulations, Chief!

IPCDump – Guardicore’s New Open-Source Tool for Linux IPC Inspection

Debugging is probably one of the most personal disciplines in software development. Some developers enjoy the ubiquity of gdb, while others prefer working from the comfort of an IDE. Linux users often use strace or ltrace before jumping into a real debugger, and many more of us start inserting printf() into our code when a bug comes up. Habits form fast.

Check out IPCDUMP, New Open-Source Tool for Linux IPC Inspection on Github. GET IPCDUMP ON GITHUB.

That’s fine, for the most part. Development is hard enough even in your comfort zone; the distractions of a new tool – even one better-suited to the job at hand – can cause more harm than good. Debugging is particularly troublesome in this respect: it’s probably the most cognitively taxing of all development disciplines. When a system breaks down you have to hold a mental image of every layer of it at once. That’s why it’s so expensive to debug problems that our favorite tools are really not meant for.

This brings us to interprocess communication – specifically, IPC on Linux. Debugging is difficult for single-process applications; for multiprocess ones, it’s a nightmare. Typically it is a juggling act of two instances of gdb, each with some byzantine follow-fork-mode configuration which tries to track only the right PIDs. One often needs to look through strace output for all the variations of recv (recvmsg? recvmmsg? recvfrom? Is that all of them?) just to understand who is interacting with whom. To make matters worse, there are lots of different types of IPC on Linux, and they don’t have common code flows, for the most part. A Unix socket and a FIFO both transfer bytes from one end to another, but that’s pretty much all they have in common.

Modern software exacerbates many of these issues: more than before, applications are made up of distinct processes that plug in to one another in a black-box approach. So when something breaks, it can be very, very frustrating to zero in on where that happened. We had issues like these with some of our more complex systems at Guardicore, and we needed a tool to help diagnose them.

That’s why we wrote IPCDUMP. You can find it on Github: https://github.com/guardicore/IPCDump

[Image: IPCDump, a BPF-based tool for debugging IPC on Linux]

IPCDump is a simple tool to operate. Choose the IPC types and process filters you’re interested in, and you’re good to go.

As you can see here, ipcdump is for more than just debugging your own software – it’s also a good way to understand how a program you’re interested in works. Here it’s mostly catching Chrome events (Chrome is a good example of a furious multiprocess application). It’s a lot like how on Windows you’d hack around with procmon to see what process is invoking various system calls – file writes, network operations, module loading, etc. In fact, procmon was one of our main inspirations for ipcdump. For example, if we want to see how domain names are resolved on an Ubuntu machine, we can simply filter by events reaching systemd-resolve:

Pretty neat. systemd-resolved sends keepalives to systemd over the /run/systemd/notify Unix socket, and handles domain resolution requests over local port 53 (in this case, from ping). In the following example, we use ipcdump to snoop on Unix domain sockets, in this case containerd’s socket.

In one terminal, we are executing the following command in order to start docker’s hello-world container:

[Screenshot: Docker’s hello-world container]

As you can see, the container executed successfully. Now, let’s have a look at what we can see with ipcdump, by executing the following command in a separate terminal:

ipcdump -t u -x

We can see containerd’s ‘conversation’ with dockerd, as well as the parameters passed between the two processes, and we can easily identify what those parameters contain:

[Screenshot: containerd’s parameters being passed through its Unix domain socket, instrumented by ipcdump]

Under the hood

Right now, ipcdump supports the instrumentation of the following IPC mechanisms:

  • Pipes
  • FIFOs
  • Loopback TCP and UDP
  • Unix streams and datagrams
  • Pseudo Terminals (pty)
  • Signals

One of the key points for all of these is ipcdump's ability to name the processes at either end of an IPC event. While sniffing over the loopback with tcpdump is a terrific way to understand the traffic you’re seeing between any two processes, it doesn’t actually tell you who those processes are. While you can certainly check port numbers against netstat, short-lived processes will wreak havoc on your ability to map out who really sent out each packet. Short-lived processes are one of the best use-cases for ipcdump in general; a lot of the bookkeeping it does internally is for tracking their creation and destruction.

By default, ipcdump outputs just the metadata of the IPC on the system. You can also use it to dump the actual contents (so you can basically sniff the contents of, say, a Unix socket stream). The output can be either human-friendly or JSON-formatted, so you should be able to process ipcdump output pretty easily.

ipcdump is largely implemented using BPF hooks placed on kprobes and tracepoints. Each of the IPC types it supports has one or more hook points in the kernel that it observes – for example, pty_write() is a good place for pseudoterminal-based IPC, and tcp_rcv_established() is where it probes for loopback-based TCP.

ipcdump collects whatever information it can from these hook points, and then correlates it with whatever other bookkeeping it does to fill out the rest of the details (for example, associating a process name with each PID).
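The bookkeeping described in the last two paragraphs, naming the process at either end of an event even when that process is already gone, is worth seeing in isolation. The following is an added example, not ipcdump’s code: it models a process table fed by exec and exit events (the kind a kprobe or tracepoint hook would deliver) and resolves each PID in an IPC event to the name of whichever process held that PID at the event’s timestamp, so a short-lived process and a later reuse of its PID are both named correctly. The event shapes, PIDs and names are constructed for the example.

```python
"""Correlate IPC events with process names, including short-lived ones.

Added example, not ipcdump's code. It models the user-space bookkeeping
the post describes: track process creation and exit so that each PID in
an IPC event can be named even after the process has exited, and so that
a reused PID is not mis-attributed to the earlier process.
Events are constructed inline in the shape a tracer might emit.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Lifetime:
    comm: str               # process name (like the kernel's task comm)
    start: float            # exec timestamp
    end: Optional[float] = None   # exit timestamp, None while still running


class ProcessTable:
    """pid -> list of Lifetimes, oldest first, so reuse of a PID is kept."""

    def __init__(self):
        self._history = {}

    def on_exec(self, pid, comm, ts):
        self._history.setdefault(pid, []).append(Lifetime(comm, ts))

    def on_exit(self, pid, ts):
        lts = self._history.get(pid)
        if lts and lts[-1].end is None:
            lts[-1].end = ts

    def name_at(self, pid, ts):
        """Name of the process that held `pid` at time `ts`, or '?'."""
        for lt in reversed(self._history.get(pid, [])):
            if lt.start <= ts and (lt.end is None or ts <= lt.end):
                return lt.comm
        return "?"


def correlate(events):
    """Replay exec/exit/ipc events in time order; return named IPC records."""
    table = ProcessTable()
    named = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "exec":
            table.on_exec(ev["pid"], ev["comm"], ev["ts"])
        elif ev["kind"] == "exit":
            table.on_exit(ev["pid"], ev["ts"])
        elif ev["kind"] == "ipc":
            src = table.name_at(ev["src_pid"], ev["ts"])
            dst = table.name_at(ev["dst_pid"], ev["ts"])
            named.append({
                "ts": ev["ts"],
                "type": ev["type"],
                "src": f"{src}({ev['src_pid']})",
                "dst": f"{dst}({ev['dst_pid']})",
                "bytes": ev.get("bytes", 0),
            })
    return named


# Constructed events. PID 4242 is used twice: first by a short-lived `ping`
# that sends one DNS query over loopback UDP and exits, then by `sleep`,
# which later receives a signal from a shell.
EVENTS = [
    {"kind": "exec", "pid": 300,  "comm": "bash",             "ts": 0.5},
    {"kind": "exec", "pid": 811,  "comm": "systemd-resolved", "ts": 1.0},
    {"kind": "exec", "pid": 4242, "comm": "ping",             "ts": 10.0},
    {"kind": "ipc",  "type": "udp-loopback", "src_pid": 4242, "dst_pid": 811,
     "bytes": 52, "ts": 10.1},
    {"kind": "exit", "pid": 4242, "ts": 10.2},
    {"kind": "exec", "pid": 4242, "comm": "sleep",            "ts": 11.0},
    {"kind": "ipc",  "type": "signal", "src_pid": 300, "dst_pid": 4242,
     "ts": 11.5},
]


if __name__ == "__main__":
    for rec in correlate(EVENTS):
        print(f"{rec['ts']:>6} {rec['type']:<13} {rec['src']} -> {rec['dst']}")
```

Reading /proc at the moment the IPC event is processed would return nothing for the first event (ping has already exited) and the wrong name for the second if the lookup were cached by PID alone; keeping a start/end lifetime per PID is what makes both resolve.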

IPCDump – Alpha version

Guardicore Labs released an alpha version of IPCDump. As some of the points we trace in the kernel are internal APIs, the tool requires changes across versions and distributions. You may have to make adjustments and hack around our own hacks. We really appreciate code contributions to this project – everyone stands to gain by improving the ipcdump platform. Check out IPCDump’s README and TODO for more details on how to contribute.

Happy debugging!


Guardicore Wins 2020-21 Cloud Award for Security Innovation of the Year

Segmentation Solution Provider Recognized for “Future-Proofing Cloud Deployments”

Boston, Mass. and Tel Aviv, Israel – February 1, 2021 – Guardicore, the segmentation company disrupting the legacy firewall market, has been declared the winner of the Security Innovation of the Year in the international Cloud Computing Awards program, The Cloud Awards. The coveted annual program celebrates the world’s brightest and best in Cloud Computing across several categories.

“Accelerated digital transformation demands a new breed of security solution to secure complex cloud and distributed environments against sophisticated attacks,” said Pavel Gurvich, co-founder and CEO of Guardicore. “Today’s cybercriminal is focusing efforts on moving laterally between east-west traffic workloads and is evading legacy firewall protection. Being honored as the Security Innovation of the Year is a tremendous honor and validation that Guardicore is purpose-built for the security demands of the modern enterprise.”

The Guardicore Centra Security Platform is the simplest and most effective way to visualize and secure business applications in cloud and hybrid environments. The platform creates human-readable views of an organization’s complete infrastructure with intuitive workflows for segmentation policy creation. Its segmentation controls reduce the attack surface and detect and control breaches within east-west traffic, providing deep visibility into application dependencies, and enforcement of network, workload, user, device and process-level policies to isolate and segment critical applications and infrastructure.

Cloud Award judge Jason Ford says, “Absolutely brilliant alternative to legacy firewall solutions, and the judges were very impressed with a solution that future-proofs cloud deployments. This is the future of perimeter security.”

Hundreds of organizations entered the Cloud Awards, with entries coming from across the globe, covering the Americas, Australia, Europe and the Middle East. Guardicore was selected over competitors in the Security Innovation of the Year category, including Alert Logic, McAfee, VMware Inc, Tanium, Securonix, CyberArk, Thycotic and more.

To learn more about how Guardicore Centra can make visualizing and securing on-premises and cloud workloads fast and simple, visit: https://www.guardicore.com/cloud-security-platform/#section_platform

About the Cloud Awards

The Cloud Awards is an international program which recognizes and honors industry leaders, innovators and organizational transformation in cloud computing. The awards are open to large, small, established and start-up organizations from across the entire globe, with an aim to find and celebrate the pioneers who will shape the future of the Cloud as we move into 2021 and beyond. The Cloud Awards currently offers two awards programs, the Cloud Computing Awards and the Software-as-a-Service Awards.

Categories for the Cloud Computing Awards include Most Promising Start-Up, Best SaaS, and “Best in Mobile” Cloud Solution. Finalists were selected by a judging panel of international industry experts. For more information about the Cloud Awards, please visit https://www.cloud-awards.com/.

About Guardicore

Guardicore is the segmentation company disrupting the legacy firewall market. Our software-only approach is decoupled from the physical network, providing a faster alternative to firewalls. Built for the agile enterprise, Guardicore offers greater security and visibility in the cloud, data-center and endpoint. For more information, please visit www.guardicore.com or go to Twitter or LinkedIn.

Guardicore Insight: Adding Best-in-Class Osquery Visibility to Secure Your Workloads

What if you had a single solution that was able to detect non-compliant and high-risk endpoints and servers, assess their level of exposure, and then immediately secure these servers and endpoints with laser-sharp segmentation policies?

Guardicore Insight enables you to do just that. 

We are excited to announce Guardicore Insight, a powerful agent add-on, integrated into Guardicore Centra. As its name suggests, Guardicore Insight provides security teams enhanced insight into endpoints and servers across all operating systems and environments that allows it to detect non-compliant and high risk assets. Insight is able to collect current real-time context from all endpoints and servers such as OS patch levels, network connections, running processes and more.

But, unlike similar asset management solutions, Guardicore Insight doesn’t stop there. 

Security teams can then set policies and permissions to restrict access of these vulnerable assets and strengthen compliance across the organization. For example, users can be granted access only if their workstations meet the security standards of the organization; or all endpoints that access corporate resources must have up-to-date EDR installed. This level of policy granularity is impossible to achieve with traditional network firewalls. 

Additional compliance tasks that can be supported with Guardicore Insight include producing hardening status reports, policy compliance audits and other reporting needs.

Why Guardicore Insight is unique

The power of Guardicore Insight lies in its unique integration with Guardicore Centra, a software-based segmentation solution.
Powered by Osquery, Guardicore Insight allows security teams to create segmentation policies based on sophisticated queries across all endpoints and servers, assess the level of risk by visualizing network connections, and then based on the results, assign a current state policy to mitigate the risk. This ability is unmatched by any network firewall or segmentation solution in the market today.

[Image: Single solution, 3 critical capabilities | Guardicore Insight]

How Can Guardicore Insight help you secure your endpoints and servers?

Guardicore Insight detects security and compliance gaps and mitigates them using Centra’s segmentation policy. Main use cases include compliance, asset management, incident response including ransomware mitigation and more.

Eliminate security compliance gaps

As a security administrator, you want to ensure that all your assets meet the security and compliance standards of your organization. You also want the ability to set a stricter access policy for those assets that do not meet these standards. For example, you want to ensure that all assets operate in compliance with Cyber Security best practices, such as the Center for Internet Security (CIS). 

One of the CIS standards calls for preventing the use of SMBv1, the old version of the Server Message Block protocol Windows uses for file sharing on a local network, which is known to be abused in ransomware attacks. With Guardicore Insight, you can quickly detect all systems that accept SMBv1 connections and group them under a dedicated label. Once you have defined the label, you can apply policy rules to block all SMBv1 connections to these assets to reduce the attack surface, allowing your IT team the time they need to fix the violation at scale.

Guardicore Insight provides you with 3 unique capabilities no other solution provides:

Detect – Using Insight you can query all your Windows assets to identify which ones accept SMBv1 connections. Use the following osquery query:

-- The SMB1 value under LanmanServer\Parameters is 1 when the SMBv1 server is enabled and 0 when disabled
SELECT path, data
FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'
AND data = 1;

[Image: Guardicore Reveal used to gain visibility and assess risk exposure]

Assess – Using Guardicore Reveal, you can gain visibility and assess the level of risk of these assets by investigating all SMBv1 connections made to them.  

Secure  – Finally, using the label you have created, you can create a policy rule to completely block all the SMB connections to the vulnerable asset.
[Image: Policy rule to block SMBv1 connections to vulnerable assets]

Shorten the vulnerability exposure window

Security patch deployment is one of the hardest tasks for an IT organization of any size but at the same time, one of the most important ones to keep systems and applications secure against recent vulnerabilities and attacks.

When a zero-day vulnerability such as the Solarwinds vulnerability is discovered, naturally the long-term solution is to apply the hotfix, but sometimes it takes time to get the security patch or test it in your production environment. With Guardicore Insight you can provide a workaround solution and immediately limit SolarWinds servers’ communication to and from the internet using a simple Block rule.

You can use the following query to identify the vulnerable SolarWinds assets:

-- The hash table requires an explicit path; sha256 is matched against the list of known-bad hashes
SELECT *
FROM hash
WHERE path = 'C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll'
AND sha256 IN ('<known-bad SHA-256 hashes; the list is omitted in the original post>');

Reduce endpoint security risk

As a security admin you’re faced with the challenging task of ensuring that all the endpoints in your organization – often amounting to thousands – are secure. One of the ways to do it is to install an antivirus software on each of your endpoints. 

The following query may help you ensure that all your endpoints have antivirus software installed (it returns the hostname only when no security product of type Antivirus is reported as On):

SELECT hostname
FROM system_info
WHERE (SELECT count(*)
       FROM windows_security_products
       WHERE type = 'Antivirus' AND state = 'On') = 0;

What’s next

We invite you to try this new capability on your network to see the power of this feature. Please contact our Customer Success team or your Sales director for further details. 

5 Things You Didn’t Know You Could Do with Guardicore Centra

In this post we’re providing a list of useful tips that our customers love and can make working with Guardicore Centra even simpler: how to quarantine assets with one simple segmentation rule, auto-complete rule labels, integrate external threat feeds and more. 

      1. Quarantine Assets

To allow your SOC team quick quarantine capabilities, create a new label called “Quarantine” and use it to build a quarantine policy. For example, you can block all outgoing traffic from machines belonging to that label. Then, create a SIEM automation which automatically populates this label with assets when quarantine is needed.

Here’s the segmentation rule that blocks outgoing traffic from a machine in the Quarantine label:

[Image: Assess risk with Reveal]

      2. Auto-complete labels 

When manually creating segmentation rules whose source and/or destination consists of multiple intersecting labels (e.g. Product & Billing), Centra provides a quick way to work with these labels. Instead of writing full label names like Env:Production&App:Billing, you can start typing the values as Prod&Bill and Centra will auto-complete your input and suggest full label names.

[Image: label auto-complete]

      3. Select multiple objects in Guardicore Reveal

To quickly select a portion of any Reveal map (including multiple labels, assets and flows) use the “S” key to switch between the hand & selection functionality. For example, you can use this to drag and drop multiple objects to a different location, or to suggest segmentation rules for multiple flows. To use this, make sure you’re in Policy mode. More keyboard shortcuts can be found by clicking the “hand” icon on the lower right part of the Reveal Explore screen.
[Image: Reveal shortcuts]

      4. Fast forward maps: Using the Fast Forward button in Reveal can actually help you recreate the same map with the most recent data, based on an existing filter, instead of creating multiple maps.

[Image: Reveal map with 1h of data]

      5. Integrate external threat feeds: If your organization owns proprietary or 3rd-party threat feeds, these can be easily integrated into the Centra threat engine to expand the threat list. Please reach out to support@guardicore.com if you are interested in exploring this option.

For more information about Guardicore Centra visit the Guardicore Centra Product page. 

Preventing and Responding to Supply Chain Attacks with Effective Segmentation

The recent SolarWinds incident is a stark reminder that we all should re-evaluate the blind trust we put into third-party components inside our networks. 

While the SolarWinds incident is fresh in many of our minds, it’s far from the first successful supply chain attack in the annals of cybersecurity. In 2011, another incident occurred which led to the blacklisting and bankruptcy of Dutch certificate authority DigiNotar after a security breach enabled a malicious actor to issue more than 500 certificates fraudulently. 

Modern supply chain attacks are among the most intricate and effective cybersecurity threats enterprises face today – what can organizations do to improve their defenses?

Wikipedia describes this type of threat as follows, “a supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry or government sector.”

To properly assess our ability to handle an incident, like the recent SolarWinds attack, it’s important to be aware of our preventative and responsive security capabilities. Unfortunately, we know the odds of preventing complex zero-day and supply chain attacks with perimeter security alone are slim. We, instead, should also focus our attention on how far and wide attackers can reach once they breach the walls of our digital fortresses. 

Prevention Best Practices

To ensure prevention, you should leverage micro-segmentation and the Zero Trust framework in your security strategy. If we look at the SolarWinds incident as a case study, we can identify how applying these concepts to application behavior could prevent or disrupt the attack flow.

In the recent supply chain attack, the SolarWinds client was deployed across various systems inside the network (as intended) and had no restrictions on what it could access inside or outside the network, regardless of host.

Two simple actions could have potentially helped organizations:

  1. The first stage of the attack involved pulling the secondary binary from the attack server. If the SolarWinds binary had only been able to access known SolarWinds addresses instead of the ones leveraged by the malicious actors, organizations could have broken the attack chain earlier.
  2. Even if first chain prevention failed and the Sunburst malware successfully deployed the binary, it would still need to communicate with its command-and-control and run commands on the targeted network. If an organization had effective segmentation policies applied to its SolarWinds application, this activity could have been blocked or a non-compliance alert generated for security teams to investigate.
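Both actions above are the same control applied at two stages: an application-scoped egress policy that lets a monitored process reach only a known set of destinations, so that the initial download and the later command-and-control traffic are either blocked or raised as a non-compliance alert. The following is an added example, not Guardicore’s policy engine: a small evaluator with a block mode and an alert-only mode, run over constructed flows. The process names, domains and addresses are placeholders chosen for the example and are not real indicators.

```python
"""Per-application egress allowlist with block or alert-only enforcement.

Added example, not Guardicore's code. It illustrates the two actions the
post names: breaking the first stage (download of a secondary binary) and
the C2 stage by letting a monitored application reach only known
destinations. Process names, domains and flows are constructed placeholders.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    process: str            # process name the rule applies to
    allowed: tuple          # ("domain-glob", port) pairs the process may reach
    mode: str = "block"     # "block", or "alert" for a non-compliance alert only


@dataclass(frozen=True)
class Flow:
    process: str
    dst: str                # domain (or IP string) the process connects to
    port: int


def evaluate(flow, rules):
    """Return 'allow', 'block', 'alert', or 'no-rule' for one observed flow."""
    for rule in rules:
        if rule.process != flow.process:
            continue
        for dom_glob, port in rule.allowed:
            if port == flow.port and fnmatch(flow.dst.lower(), dom_glob):
                return "allow"
        return rule.mode        # first matching process rule decides
    return "no-rule"


RULES = [
    # Constructed: the monitored agent may only talk to its vendor's update domain
    Rule("vendor-agent.exe", (("*.vendor.example", 443),), mode="block"),
    # The same allowlist in alert-only mode, e.g. while learning a new app
    Rule("vendor-agent-staging.exe", (("*.vendor.example", 443),), mode="alert"),
]

FLOWS = [
    Flow("vendor-agent.exe", "downloads.vendor.example", 443),   # legitimate update
    Flow("vendor-agent.exe", "unknown-cdn.example", 443),        # unexpected destination
    Flow("vendor-agent-staging.exe", "198.51.100.7", 443),       # unexpected, alert-only
    Flow("chrome.exe", "www.example.org", 443),                  # no rule for this process
]


def decide_all(flows=FLOWS, rules=RULES):
    """Evaluate every flow; returns (process, destination, verdict) triples."""
    return [(f.process, f.dst, evaluate(f, rules)) for f in flows]


if __name__ == "__main__":
    for process, dst, verdict in decide_all():
        print(f"{verdict:<8} {process} -> {dst}")
```

The second flow is the case the post describes: the agent is deployed exactly as intended, but a destination outside its known set is denied, which breaks the chain before any payload runs. Alert-only mode is how a policy is validated against live traffic before enforcement is switched on.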

Response Best Practices

From a response perspective, it’s not only about the speed of the response to a given incident. It’s also about having the right tools to surgically stop the attack without disrupting the business and to have data in place to actually assess the breadth and depth of the attack. Dwell time can be days or months, which can mean a far deeper attack footprint than originally assumed.

In ‘simpler’ cybersecurity incidents, such as ransomware attacks, attackers may encrypt files, making their impact and presence on a network obvious. However, in more advanced scenarios, such as supply chain attacks, it may be some time before a previously unknown breach is discovered. Since time will have passed, it’s essential to have the proper tools to mitigate the attack and chronologically investigate the attacker’s actions around your network.

How can Guardicore help?

Preventing the Attack

  • Realize a Zero Trust network – When onboarding a new application or reviewing an existing one, Guardicore segmentation policies can be configured to allow only the required access to a predefined or learned list of assets, domains and ports.
  • Crown jewel protection – Reduce risk by protecting your critical assets with granular segmentation policies instead of focusing on each potential third-party application.
  • Guardicore dynamic deception technology – Guardicore’s dynamic deception technology allows organizations to detect unknown malicious behavior by simulating a live system on the network to detect lateral movement of malicious actors.
  • Guardicore Threat Intelligence Feed – Apply a built-in list of rules as protection against a curated, constantly updating list of threats.

Responding to the attack

  • Guardicore Reveal – The Reveal map is a powerful tool that allows you to filter and view specific assets (Windows, Linux) and process behavior across time. For example, you can use it to explore the past behavior of a newly discovered malicious binary.
  • Rapid policy enforcement – Apply segmentation policies on both Windows and Linux within minutes of discovering a threat opposed to days and sometimes weeks due to infrastructure and routing limitations.
  • Guardicore Insight – Proactively query each system (Windows or Linux) on your network for any property about it and respond based on the result. For example,
    • Query for specific software installed or the presence of specific files for a given path
    • Quarantine systems with forbidden or vulnerable software. 
    • Detect and block known indicators of compromise (IoC).

Want to improve your security posture against supply chain attacks? Request a demo today to learn more about effective prevention and response with Guardicore Centra.