Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Monday, 6 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Canary in the ransomware mine

by The Gurus
May 9, 2016
in This Week's Gurus
Share on FacebookShare on Twitter

Canary in the ransomware mine
Gunter Ollmann, CSO, Vectra Networks
Ransomware is clearly the scourge of 2016. Every week there is a new and notable enterprise-level outbreak of this insidious class of malware – crippling and extorting an ever widening array of organisations.
For a threat that is overwhelmingly not targeted, it seems to be hitting large and small businesses with great success.
The malware infection can come through the front door of a failed “defense-in-depth” strategy or the side door of a mobile device latched to the corporate network on a Monday morning.
Regardless, many security teams and network administrators are scurrying to halt the rapid encryption of documents accessible through networked shares.
There are several new technologies available to organisations to detect the presence of ransomware within the network and alert security staff to an outbreak (which is just one example of the things the Vectra product does). But it is often a considerably more difficult task to automatically halt an outbreak mid-stream.
I’m often asked what is the “best” way of mitigating this threat – i.e. how can an organisation stop ransomware from shutting down their business in the cheapest and most robust way?
The quickest “no-frills” way of mitigating the network encryption piece of ransomware is actually pretty simple and follows the canary-in-a-coal-mine principle.
Ransomware attempts to enumerate and encrypt files over network shares within the enterprise. A simple protection method is to ensure that every computer has a couple of monitored mounted shares.
If a user or computer attempts to write to or delete a file on those shares, the victim user’s access credentials are immediately suspended. And if the organisation is using some form of network access control (NAC), the host computer is similarly and immediately disconnected from the network.
Since the current generation of ransomware tends to sequentially step through mounted shares in alphabetical or reverse-alphabetical order, ensuring that the first and last mounted shares – such as A: or D: drive, and Z: or Y: drive – are monitored canary shares is likely good enough.
Ensuring that the canary shares have a large number of disposable files can be useful too, as the ransomware will take time to cycle through encrypting these files. This provides a period of time in which credential and network access revocation information can be propagated to the rest of the network.
This technique is similar to what I’ve used in the past to deal with spam-sending malware and automated credential brute-forcing attacks. By adding user accounts that appear as the first and last positions in a user directory – such as Active Directory and email contacts – and monitoring any use of those names, it is possible to rapidly and automatically detect and mitigate the threat.
For example, if anyone attempts to email the fictitious first name in the address book, the mail server automatically blocks all email send requests from the user until the IT team has investigated.
The use of ransomware canary file shares, like canary accounts in Active Directory and email, can be a cheap and effective mitigation approach to threats. Sometimes the simplest methods can be the most effective.
..//
About Gunter Ollmann
Gunter has almost three decades of experience in information security, working as an industry luminary in an array of cyber security consultancy and research roles. Gunter has been focused exclusively on security since 2000; initially diving head-first in to the world of attack-based consulting (penetration testing, ethical hacking, social engineering, etc). In addition to penetration testing and Web security analysis, for several years Gunter has been deeply involved in researching critical security topics and has lead advanced security research teams focused on threat identification and mitigation.

FacebookTweetLinkedIn
ShareTweetShare
Previous Post

Keeping the world’s lights on: The urgent need to secure critical infrastructure from cyber threat

Next Post

What were some of the phishing campaigns seen in the first quarter?

Recent News

safe

Will Emphasising App Security Lead to More App Installs?

February 6, 2023
Phone with app store open

$400,000 Fine for Stalkerware App Developer

February 6, 2023
london-skyline-canary-wharf

Ransomware attack halts London trading

February 3, 2023
Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

February 2, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information