By Nicolas Stricher, Advanced Technology Specialist, EMEA at McAfee
In 2021 ransomware attacks have been dominant among the bigger cyber security stories. Hence, I was not surprized to see that McAfee’s June 2021 Threat report is primarily focused on this topic.
This report provides a large range of statistics using the McAfee data lake behind MVISION Insights, including the Top MITRE ATT&CK Techniques. In this report I highlight the following MITRE techniques:
- Spear phishing links (Initial Access)
- Exploit public-facing applications (Initial Access)
- Windows Command Shell (Execution)
- User execution (Execution)
- Process Injection (Privilege escalation)
- Credentials from Web Browsers (Credential Access)
- Exfiltration to Cloud Storage (Exfiltration)
I also want to highlight one obvious technique which remains common across all ransomware attacks at the end of the attack lifecycle:
8. Data encrypted for impact (Impact)
Traditional defences based on anti-malware signatures and web protection against known malicious domains and IP addresses can be insufficient to protect against these techniques. Therefore, for the rest of this article, I want to cover a few recent McAfee innovations which can make a big difference in the fight against ransomware.
Unified Cloud Edge with Remote Browser Isolation
The following three ransomware techniques are linked to web access:
- Spear phishing links
- User execution
- Exfiltration to Cloud Storage
Moreover, most ransomware attacks require some form of access to a command-and-control server to be fully operational.
McAfee Remote Browser Isolation (RBI) ensures no malicious web content ever even reaches enterprise endpoints’ web browsers by isolating all browsing activity to unknown and risky websites into a remote virtual environment. With spear phishing links, RBI works best when running the mail client in the web browser. The user systems cannot be compromised if web code or files cannot run on them, making RBI the most powerful form of web threat protection available. RBI is included in most McAfee United Cloud Edge (UCE) licenses at no additional cost.
McAfee Client Proxy (MCP) controls all web traffic, including ransomware web traffic initiated without a web browser by tools like MEGAsync and Rclone. MCP is part of McAfee United Cloud Edge (UCE).
Protection Against Fileless Attacks
The following ransomware techniques are linked to fileless attacks:
- Windows Command Shell (Execution)
- Process Injection (Privilege escalation)
- User Execution (Execution)
Many ransomware attacks also use PowerShell.
McAfee provides a large range of technologies which protect against fileless attack methods, including McAfee ENS (Endpoint Security) Exploit prevention and McAfee ENS 10.7 Adaptive Threat Protection (ATP). Here are few examples of Exploit Prevention and ATP rules:
- Exploit 6113-6114-6115-6121 Fileless threat: self-injection
- Exploit 6116-6117-6122: Mimikatz suspicious activity
- ATP 316: Prevent PDF readers from starting cmd.exe
- ATP 502: Prevent new services from being created via sc.exe or powershell.exe
Regarding the use on Mimikatz in the example above, the new McAfee ENS 10.7 ATP Credential Theft Protection is designed to cease attacks against Windows LSASS so that you do not need to rely on the detection of Mimikatz.
ENS 10.7 ATP is now included in most McAfee Endpoint Security licenses at no additional cost.
Proactive Monitoring and Hunting with MVISION EDR
To prevent initial access, you also need to reduce the risks linked to the following technique:
- Exploit public facing applications (Initial Access)
For example, RDP (Windows Remote Desktop Protocol) is a common initial access used by ransomware attacks. You may have a policy that already prohibits or restricts RDP but how do you know it is enforced on every endpoint?
With MVISION EDR (Endpoint Detection and Response) you can perform a real time search across all managed systems to see what is happening right now.
MVISION EDR maintains a history of network connections inbound and outbound from the client. Performing an historical search for network traffic could identify systems that actively communicated on port 3389 to unauthorized addresses, potentially detecting attempts at exploitation.
MVISION EDR also enables proactive monitoring by a security analyst. The Monitoring Dashboard helps the analyst in the SOC quickly triage suspicious behavior.
Actionable Threat Intelligence
With MVISION Insights you do not need to wait for the latest McAfee Threat Report to be informed on the latest ransomware campaigns and threat profiles. With MVISION Insights you can easily meet the following use cases:
- Proactively assess your organization’s exposure to ransomware and prescribe how to reduce the attack surface:
- Detect whether you have been hit by a known ransomware campaign
- Run a Cyber Threat Intelligence program despite a lack of time and expertise
- Prioritize threat hunting using the most relevant indicators
These use cases are covered in the webinar How to fight Ransomware with the latest McAfee innovations.
Regarding the following technique from the McAfee June 2021 Threat Report:
- Credentials from Web Browsers (Credential Access)
Rollback of Ransomware Encryption
Now we are left with the last technique in the attack lifecycle:
- Data encrypted for impact (Impact)
McAfee ENS 10.7 Adaptive Threat Protection (ATP) provides dynamic application containment of suspicious processes and enhanced remediation with an automatic rollback of the ransomware encryption.
You can see how files impacted by ransomware can be restored through Enhanced Remediation
Additional McAfee Protection Against Ransomware
Last year McAfee released additional capabilities from McAfee Endpoint Security (ENS), Endpoint Detection and Response (EDR) and the Management Console (ePO) against ransomware including:
- ENS Exploit prevention
- ENS Firewall
- ENS Web control
- ENS Self protection
- ENS Story Graph
- ePO Protection workspace
- Additional EDR use cases against ransomware
Discussion about this post