4 Techniques for Early Ransomware Detection

It’s predicted that a ransomware attack will occur every 11 seconds in 2021, and the expected average cost of a ransom? 

$84 thousand.

However, more is at stake than just your bottom line. From downtime halting operations and disrupting productivity to dealing with the fallout of stolen data, the wide-reaching impact of a successful ransomware attack can be detrimental. 

Ransomware has come a long way from its beginnings as a nuisance strain of malware. Bad actors and nation-state hackers have successfully leveraged ransomware to attack organizations of all sizes and across multiple verticals.

There is big money in ransomware, too. Cybercriminals are increasingly leveraging it to encrypt as much of a network as possible as their targets, hoping to extort ransoms ranging from thousands to millions of dollars. 

Stop Ransomware from Encrypting Your Network by Stopping Lateral Movement

Many are even upping the stakes with tactics like double extortion, as seen in the recent PLEASE_READ_ME incidents, where the bad actors ensured a profit by auctioning-off data exfiltrated from breached MySQL servers if a ransom went unpaid.

Unfortunately, there is no known “silver bullet” solution to protect organizations today. Still, you can put a few best practices in place to reduce the impact of ransomware and other similar threats.

Why is Detecting and Preventing Lateral Movement Key?

Outdated technology and “good enough” defense strategies focused solely on perimeters and endpoints are not enough to stop today’s evolving ransomware campaigns.

A ransomware attack begins with an initial breach, often enabled by a phishing email or vulnerability in the network perimeter. From its landing point, the malware will start to move through your network and attempt to maximize damage. Typically, bad actors seek to seize control of a domain controller, compromise credentials and locate and encrypt any backups in place to prevent operators from restoring infected and frozen services. 

Because ransomware relies on lateral movement to execute a successful attack, it’s where organizations should focus their effort. Any organization that can detect and block unauthorized lateral movement early in the attack chain will be in a better position to reduce the impact of ransomware and other similar threats.

Checklist for Early Ransomware Detection

Despite the best perimeter defenses, breaches are inevitable, and if you receive a ransom note, it’s likely too late. Most of your network will already be encrypted.

Early detection is key, but it can be a challenge for many organizations. However, achieving swift detection will allow you to act fast and stop an attack early in the kill chain before it spreads within your network and impacts critical applications and services. 

To successfully spot an attack before it’s too late, you’ll need the following:    

Strong Visibility – Don’t get caught by surprise. Understanding east-west traffic activity in your network will give you insight into unauthorized lateral movement as any ransomware attempts to spread. Strong visibility will also give you an advantage when it comes to defense, allowing you to identify potential attack vectors to critical applications from your broader IT assets.

Segmentation Policies – If you’ve created informed segmentation policies, you’ve hopefully based them on the observed normal communication flows between assets in your environment. Configuring policies to alert you to anything outside the routine activity will give you an early warning of unusual activity, so you can investigate and take action if needed.

IDS System and Malware Detection Tools – These will help you detect ransomware operators’ propagation attempts, whether this means using predefined rules and signatures for known exploits or more general or automated anomaly detection.

Deception Tools – Setting up lures, honeypots or a distributed deception platform that can identify unauthorized lateral movement can also be an effective way to discover an active breach in progress with high-fidelity incidents. 

Learn More About Building a Strong Ransomware Defense Strategy

Early detection is only one piece of the puzzle in addressing ransomware, and its threat to organizations isn’t going away any time soon. Since 2018, the number of ransomware attacks spiked by 350%, the average ransom payment amount rose by more than 100% and downtime increased by 200%.

The world can expect to continue experiencing a higher frequency of sophisticated attacks with even more costly ransom demands — all with the potential for downtime and data exfiltration.

Is your ransomware threat mitigation strategy comprehensive enough?

To learn more about improving your security posture against ransomware, download the E-book: ‘Ransomware Resurgence: How to Strengthen Your Defenses Beyond the Perimeter’. You’ll get actionable tips for building a defense strategy that minimizes the effectiveness of ransomware attacks and stops their spread within your network.

DOWNLOAD THE RANSOMWARE E-BOOK

ransomware kill chain

Congratulating Guardicore’s Channel Chief, John Ryan

In 2020, enterprises rapidly accelerated their digital transformation journeys, increasingly adopting cloud technologies to deal with the shift to remote work. As the complexity of these modern environments increased, so did their security and compliance risks.

Our award-winning Partner Program worked tirelessly this year to zero-in on what mattered most to our Partners, to quickly adapt to their customers’ evolved IT and security needs. Leading these efforts with great success was our Head of Channels, John Ryan. While John is never one to take credit, we thankfully have prestigious industry awards to showcase the amazing accomplishments he and his team have achieved.

Today, we’re thrilled to announce that John has been named a 2021 CRN Channel Chief! He’s recognized among the industry’s best who build, support and deliver superior partner programs and strategies.

John’s leadership has allowed the Guardicore Partner Program to enjoy unprecedented success and no one is more deserving of the honor. A few of the many highlights of Guardicore’s Partner Program over the last year include:

  • 300% YoY growth in channel revenue
  • 300% YoY growth in channel bookings
  • 1000% YoY growth in channel pipeline
  • Established a new Focus Partner Ecosystem that expanded into new verticals, offering free lab environments, technical enablement, and other marketing resources like whitepapers and webinars, resulting in 50% of FY2020 bookings

The annual Channel Chiefs list features the prominent leaders who have influenced the IT channel with cutting-edge strategies, programs and partnerships. All honorees are selected based on their dedication, industry prestige, and exceptional accomplishments as channel advocates.

According to CEO of The Channel Company Blaine Raddon, “CRN’s 2021 Channel Chiefs list includes the industry’s biggest channel evangelists, a group of individuals who work tirelessly on behalf of their partners and drive growth through the development of strong partner programs and innovative business strategies that help bring business-critical solutions to market.”

John personifies all of these attributes in his tireless commitment to Guardicore and the rapid expansion of our Partner Program. Thank you, John, for all that you do. Congratulations, Chief!

IPCDump – Guardicore’s New Open-Source Tool for Linux IPC Inspection

Background

Debugging is probably one of the most personal disciplines in software development.  Some developers enjoy the ubiquity of gdb, while others prefer working from the comfort of an IDE. Linux users often use strace   or ltrace before jumping into a real debugger, and many more of us start inserting printf() into our code when a bug comes up. Habits form fast.

Check out IPCDUMP, New Open-Source Tool for Linux IPC Inspection on Github. GET IPCDUMP ON GITHUB.

That’s fine, for the most part. Development is hard enough even in your comfort zone; the distractions of a new tool – even one better-suited to the job at hand – can cause more harm than good. Debugging is particularly troublesome in this respect: it’s probably the most cognitively taxing of all development disciplines. When a system breaks down you have to hold a mental image of every layer of it at once. That’s why it’s so expensive to debug problems that our favorite tools are really not meant for.

Introduction

This brings us to interprocess communication – specifically, IPC on Linux. Debugging is difficult for single-process applications; for multiprocess ones, it’s a nightmare. Typically it is a juggling act of two instances of gdb , each with some byzantine follow-fork-mode configuration which tries to track only the right PIDs. One often needs to look through strace output for all the variations of recv (recvmsg? recvmmsg? recvfrom? Is that all of them?) just to understand who is interacting with whom. To make matters worse, there are lots of different types of IPC on Linux, and they don’t have common code flows, for the most part. A Unix socket and a FIFO both transfer bytes from one end to another, but that’s pretty much all they have in common.

Modern software exacerbates many of these issues: more than before, applications are made up of distinct processes that plug in to one another in a black-box approach. So when something breaks, it can be very, very frustrating to zero in on where that happened. We had issues like these with some of our more complex systems at Guardicore, and we needed a tool to help diagnose them.

That’s why we wrote IPCDUMP. You can find it on Github: https://github.com/guardicore/IPCDump

IPCDump – BPF Based tool for debugging IPC on linux

IPCDump is a simple tool to operate. Choose the IPC types and process filters you’re interested in, and you’re good to go.

As you can see here, ipcdump is for more than just debugging your own software – it’s also a good way to understand how a program you’re interested in works. Here it’s mostly catching Chrome events (Chrome is a good example of a furious multiprocess application). It’s a lot like how on Windows you’d hack around with procmon to see what process is invoking various system calls – file writes, network operations, module loading, etc, in fact, procmon was one of our main inspirations for ipcdump. For example, if we want to see how domain names are resolved on an Ubuntu machine, we can simply filter by events reaching systemd-resolve:

Pretty neat. systemd-resolved sends keepalives to systemd over the /run/systemd/notify unix socket, and handles domain resolution requests over the local port 53 (in this case, from ping). In the following example, we can see how we are using ipcdump to snoop on unix domain sockets, for example, containerd’s socket.

In one terminal, we are executing the following command in order to start docker’s hello-world container:

Docker’s hello world container

As you can see, the container executed successfully. Now, let’s have a look at what we can see with ipcdump, by executing the following command in a separate terminal:

ipcdump -t u -x

We can see containerd’s ‘conversation’ with dockerd. We can also see the parameters that are passing in between the two processes, we can easily identify what’s in these parameters:
containerd's parameters seen using IPCDump

Containerd’s parameters being passed through its unix domain socket, instrumented by ipcdump

Under the hood

Right now, ipcdump supports the instrumentation of the following IPC mechanisms:

  • Pipes
  • FIFOs
  • Loopback TCP and UDP
  • Unix streams and datagrams
  • Pseudo Terminals (pty)
  • Signals

One of the key points for all of these is ipcdump's ability to name the processes at either end of an IPC event. While sniffing over the loopback with tcpdump is a terrific way to understand the traffic you’re seeing between any two processes, it doesn’t actually tell you who those processes are. While you can certainly check port numbers against netstat, short-lived processes will wreak havoc on your ability to map out who really sent out each packet. Short-lived processes are one of the best use-cases for ipcdump in general; a lot of the bookkeeping it does internally is for tracking their creation and destruction.

By default, ipcdump outputs just the metadata of the IPC on the system. You can also use it to dump the actual contents (so you can basically sniff the contents of, say, a Unix socket stream). The output can be either human-friendly or JSON-formatted, so you should be able to process ipcdump output pretty easily.

ipcdump is largely implemented using BPF hooks placed on kprobes and tracepoints. Each of the IPC types it supports has one or more hook points in the kernel that it observes – for example, pty_write() is a good place for pseudoterminal-based IPC, and tcp_rcv_established() is where it probes for loopback-based TCP.

ipcdump collects whatever information it can from these hook points, and then correlates it with whatever other bookkeeping it does to fill out the rest of the details (for example, associating a process name with each PID).

IPCDump – Alpha version

Guardicore Labs released an alpha version of IPCDump. As some of the points we trace in the kernel are internal APIs, the tool requires changes across versions and distributions. You may have to make adjustments and hack around our own hacks. We really appreciate code contributions to this project – everyone stands to gain by improving the ipcdump platform. Check out IPCDump’s README and TODO for more details on how to contribute.

Happy debugging!

Check out IPCDUMP, New Open-Source Tool for Linux IPC Inspection on Github. GET IPCDUMP ON GITHUB.

Guardicore Wins 2020-21 Cloud Award for Security Innovation of the Year

Segmentation Solution Provider Recognized for “Future-Proofing Cloud Deployments”

Boston, Mass. and Tel Aviv, Israel – February 1, 2021 – Guardicore, the segmentation company disrupting the legacy firewall market, has been declared the winner of the Security Innovation of the Year in the international Cloud Computing Awards program, The Cloud Awards. The coveted annual program celebrates the world’s brightest and best in Cloud Computing across several categories.

“Accelerated digital transformation demands a new breed of security solution to secure complex cloud and distributed environments against sophisticated attacks,” said Pavel Gurvich, co-founder and CEO of Guardicore. “Today’s cybercriminal is focusing efforts on moving laterally between east-west traffic workloads and is evading legacy firewall protection. Being honored as the Security Innovation of the Year is a tremendous honor and validation that Guardicore is purpose-built for the security demands of the modern enterprise.”

The Guardicore Centra Security Platform is the simplest and most effective way to visualize and secure business applications in cloud and hybrid environments. The platform creates human-readable views of an organization’s complete infrastructure with intuitive workflows for segmentation policy creation. Its segmentation controls reduce the attack surface and detect and control breaches within east-west traffic, providing deep visibility into application dependencies, and enforcement of network, workload, user, device and process-level policies to isolate and segment critical applications and infrastructure.

Cloud Award judge Jason Ford says, “Absolutely brilliant alternative to legacy firewall solutions, and the judges were very impressed with a solution that future-proofs cloud deployments. This is the future of perimeter security.”

Hundreds of organizations entered the Cloud Awards, with entries coming from across the globe, covering the Americas, Australia, Europe and the Middle East. Guardicore was selected over competitors in the Security Innovation of the Year category, including Alert Logic, McAfee, VMware Inc, Tanium, Securonix, CyberArk, Thycotic and more.

To learn more about how Guardicore Centra can make visualizing and securing on-premises and cloud workloads fast and simple, visit: https://www.guardicore.com/cloud-security-platform/#section_platform

About the Cloud Awards

The Cloud Awards is an international program which recognizes and honors industry leaders, innovators and organizational transformation in cloud computing. The awards are open to large, small, established and start-up organizations from across the entire globe, with an aim to find and celebrate the pioneers who will shape the future of the Cloud as we move into 2021 and beyond. The Cloud Awards currently offers two awards programs, the Cloud Computing Awards and the Software-as-a-Service Awards.

Categories for the Cloud Computing Awards include Most Promising Start-Up, Best SaaS, and “Best in Mobile” Cloud Solution. Finalists were selected by a judging panel of international industry experts. For more information about the Cloud Awards, please visit https://www.cloud-awards.com/.

About Guardicore

Guardicore is the segmentation company disrupting the legacy firewall market. Our software-only approach is decoupled from the physical network, providing a faster alternative to firewalls. Built for the agile enterprise, Guardicore offers greater security and visibility in the cloud, data-center and endpoint. For more information, please visit www.guardicore.com or go to Twitter or LinkedIn.