Sunday, July 25, 2021
Fighting New Ransomware Techniques with McAfee’s Latest Innovations

By Nicolas Stricher, Advanced Technology Specialist, EMEA at McAfee

In 2021 ransomware attacks have been dominant among the bigger cyber security stories. Hence, I was not surprised to see that McAfee’s June 2021 Threat Report is primarily focused on this topic.

This report provides a large range of statistics drawn from the McAfee data lake behind MVISION Insights, including the Top MITRE ATT&CK Techniques. From this report I highlight the following MITRE techniques:

  1. Spear phishing links (Initial Access)
  2. Exploit public-facing applications (Initial Access)
  3. Windows Command Shell (Execution)
  4. User execution (Execution)
  5. Process Injection (Privilege escalation)
  6. Credentials from Web Browsers (Credential Access)
  7. Exfiltration to Cloud Storage (Exfiltration)

I also want to highlight one obvious technique which remains common across all ransomware attacks at the end of the attack lifecycle:

  8. Data encrypted for impact (Impact)

Traditional defences based on anti-malware signatures and web protection against known malicious domains and IP addresses can be insufficient to protect against these techniques. Therefore, for the rest of this article, I want to cover a few recent McAfee innovations which can make a big difference in the fight against ransomware.

Unified Cloud Edge with Remote Browser Isolation

The following three ransomware techniques are linked to web access:

  • Spear phishing links
  • User execution
  • Exfiltration to Cloud Storage

Moreover, most ransomware attacks require some form of access to a command-and-control server to be fully operational.

McAfee Remote Browser Isolation (RBI) ensures that malicious web content never reaches enterprise endpoints’ web browsers by isolating all browsing activity to unknown and risky websites in a remote virtual environment. Against spear phishing links, RBI works best when the mail client runs in the web browser. User systems cannot be compromised if web code or files cannot run on them, which makes RBI the most powerful form of web threat protection available. RBI is included in most McAfee Unified Cloud Edge (UCE) licenses at no additional cost.

FIGURE 1. CONCEPT OF REMOTE BROWSER ISOLATION

McAfee Client Proxy (MCP) controls all web traffic, including ransomware web traffic initiated without a web browser by tools like MEGAsync and Rclone. MCP is part of McAfee Unified Cloud Edge (UCE).

Protection Against Fileless Attacks

The following ransomware techniques are linked to fileless attacks:

  • Windows Command Shell (Execution)
  • Process Injection (Privilege escalation)
  • User Execution (Execution)

Many ransomware attacks also use PowerShell.

FIGURE 2. EXAMPLE OF AN ATTACK KILL CHAIN WITH FILELESS

McAfee provides a large range of technologies which protect against fileless attack methods, including McAfee ENS (Endpoint Security) Exploit Prevention and McAfee ENS 10.7 Adaptive Threat Protection (ATP). Here are a few examples of Exploit Prevention and ATP rules:

  • Exploit 6113-6114-6115-6121 Fileless threat: self-injection
  • Exploit 6116-6117-6122: Mimikatz suspicious activity
  • ATP 316: Prevent PDF readers from starting cmd.exe
  • ATP 502: Prevent new services from being created via sc.exe or powershell.exe

Regarding the use of Mimikatz in the example above, the new McAfee ENS 10.7 ATP Credential Theft Protection is designed to stop attacks against Windows LSASS, so that you do not need to rely on the detection of Mimikatz itself.
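To make the two ATP rules quoted above concrete, here is an added example (not McAfee code, and not how ENS implements these rules) that checks process-creation events against parent/child rules in the spirit of ATP 316 (a PDF reader starting cmd.exe) and ATP 502 (a new service created via sc.exe or powershell.exe). The event fields, the list of PDF reader executables, the command-line patterns and the sample events are all assumptions constructed for this illustration.

```python
"""Added example (not McAfee code): checking process-creation events
against parent/child rules in the spirit of ATP 316 and ATP 502.
The event fields, the PDF reader list and the match logic are
assumptions made for this illustration."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent executable
    image: str          # full path of the executable being launched
    command_line: str   # command line of the new process

# Assumed set of PDF reader executables (constructed for the example).
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}

# Command-line shapes that create a new Windows service.
SC_CREATE = re.compile(r"\bsc(\.exe)?\s+create\b", re.IGNORECASE)
PS_NEW_SERVICE = re.compile(r"\bNew-Service\b", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def rule_316(ev: ProcessEvent) -> bool:
    """PDF reader spawning cmd.exe (mirrors 'Prevent PDF readers from starting cmd.exe')."""
    return basename(ev.parent_image) in PDF_READERS and basename(ev.image) == "cmd.exe"

def rule_502(ev: ProcessEvent) -> bool:
    """Service creation through sc.exe or PowerShell (mirrors ATP 502)."""
    image = basename(ev.image)
    if image == "sc.exe":
        return SC_CREATE.search(ev.command_line) is not None
    if image in {"powershell.exe", "pwsh.exe"}:
        return PS_NEW_SERVICE.search(ev.command_line) is not None
    return False

RULES = {"ATP 316": rule_316, "ATP 502": rule_502}

def evaluate(events):
    """Return (event index, [matched rule ids]) for every event that hits a rule."""
    hits = []
    for index, ev in enumerate(events):
        matched = [rule_id for rule_id, check in RULES.items() if check(ev)]
        if matched:
            hits.append((index, matched))
    return hits

# Constructed sample events; paths, service names and command lines are made up.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo opened-from-pdf"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"WINWORD.EXE /n report.docx"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\sc.exe",
                 r"sc create ExampleSvc binPath= C:\Temp\agent.exe start= auto"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\sc.exe",
                 r"sc query ExampleSvc"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -Command New-Service -Name ExampleSvc -BinaryPathName C:\Temp\agent.exe"),
    ProcessEvent(r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
                 r"C:\Program Files\Adobe\Acrobat Reader\AcroCEF\AcroCEF.exe",
                 r"AcroCEF.exe --type=renderer"),
]

if __name__ == "__main__":
    for index, matched in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[index]
        print(f"event {index}: {', '.join(matched)} <- {basename(ev.parent_image)} -> {ev.command_line}")
```

The point of the benign events (Word launched from Explorer, `sc query`, the reader's own renderer child) is that a rule keyed on the parent/child pair plus the command-line verb fires on the service creation and on the shell spawned from a document, while leaving ordinary activity alone; that is the same trade-off a product rule has to make.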

ENS 10.7 ATP is now included in most McAfee Endpoint Security licenses at no additional cost.

Proactive Monitoring and Hunting with MVISION EDR

To prevent initial access, you also need to reduce the risks linked to the following technique:

  • Exploit public-facing applications (Initial Access)

For example, RDP (Windows Remote Desktop Protocol) is a common initial access vector used in ransomware attacks. You may have a policy that already prohibits or restricts RDP, but how do you know it is enforced on every endpoint?

With MVISION EDR (Endpoint Detection and Response) you can perform a real time search across all managed systems to see what is happening right now.

MVISION EDR maintains a history of network connections inbound to and outbound from the client. Performing a historical search for network traffic can identify systems that actively communicated on port 3389 with unauthorized addresses, potentially detecting attempts at exploitation.
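The historical search described above, as an added example that is not MVISION EDR's query language or output: a small hunt over endpoint connection records that flags RDP (TCP/3389) connections whose peer lies outside the addresses a policy allows, and summarises the offending endpoints. The record layout, the management subnet used as the allowlist and the sample connections are assumptions constructed for this illustration (the peer addresses come from the IPv4 documentation ranges).

```python
"""Added example (not MVISION EDR code): a historical search over
endpoint network-connection records that flags RDP (TCP/3389)
connections whose peer is outside the addresses allowed by policy.
Record layout, the management subnet and the sample data are
assumptions constructed for this illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

RDP_PORT = 3389

# Assumed policy: RDP is only permitted to and from the management jump hosts.
ALLOWED_RDP_PEERS = [ip_network("10.10.5.0/24")]   # constructed subnet

@dataclass(frozen=True)
class Connection:
    timestamp: str
    hostname: str       # monitored endpoint that recorded the connection
    direction: str      # "inbound" or "outbound" relative to that endpoint
    local_port: int
    remote_ip: str
    remote_port: int

def service_port(c: Connection) -> int:
    """Port of the service being reached: remote for outbound, local for inbound."""
    return c.remote_port if c.direction == "outbound" else c.local_port

def is_rdp(c: Connection) -> bool:
    return service_port(c) == RDP_PORT

def peer_allowed(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_RDP_PEERS)

def find_unauthorized_rdp(conns: List[Connection]) -> List[Connection]:
    """RDP connections whose peer address is not covered by the allowlist."""
    return [c for c in conns if is_rdp(c) and not peer_allowed(c.remote_ip)]

def summarize_by_host(conns: List[Connection]) -> Dict[str, dict]:
    """Per endpoint: number of unauthorized RDP connections, distinct peers, directions."""
    summary: Dict[str, dict] = {}
    for c in find_unauthorized_rdp(conns):
        entry = summary.setdefault(c.hostname, {"count": 0, "peers": set(), "directions": set()})
        entry["count"] += 1
        entry["peers"].add(c.remote_ip)
        entry["directions"].add(c.direction)
    return summary

# Constructed records; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, used here so that no real address is named.
SAMPLE_CONNECTIONS = [
    Connection("2021-07-20T08:01:00Z", "WS-0042", "inbound", 3389, "10.10.5.20", 51234),
    Connection("2021-07-20T22:14:00Z", "WS-0042", "inbound", 3389, "198.51.100.77", 40011),
    Connection("2021-07-21T03:30:00Z", "SRV-FILE01", "outbound", 49812, "192.0.2.9", 3389),
    Connection("2021-07-21T09:00:00Z", "WS-0042", "outbound", 49900, "203.0.113.5", 443),
    Connection("2021-07-21T10:05:00Z", "WS-0107", "inbound", 3389, "10.10.5.21", 50001),
    Connection("2021-07-21T11:00:00Z", "WS-0107", "inbound", 445, "198.51.100.77", 40500),
]

if __name__ == "__main__":
    for host, entry in summarize_by_host(SAMPLE_CONNECTIONS).items():
        print(f"{host}: {entry['count']} unauthorized RDP connection(s) "
              f"with {sorted(entry['peers'])} ({', '.join(sorted(entry['directions']))})")
```

Two details matter for a real hunt and are reflected here: the service port depends on direction (an outbound record carries 3389 as the remote port, an inbound one as the local port), and an allowlist expressed as networks rather than individual addresses lets the same check cover a whole management subnet. Inbound RDP from an unexpected peer points at the exposed-service problem the article raises; outbound RDP from a server that should never initiate it is the lateral-movement side of the same question.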

MVISION EDR also enables proactive monitoring by a security analyst. The Monitoring Dashboard helps the analyst in the SOC quickly triage suspicious behavior.

Actionable Threat Intelligence

With MVISION Insights you do not need to wait for the latest McAfee Threat Report to be informed on the latest ransomware campaigns and threat profiles. With MVISION Insights you can easily meet the following use cases:

  • Proactively assess your organization’s exposure to ransomware and prescribe how to reduce the attack surface
  • Detect whether you have been hit by a known ransomware campaign
  • Run a Cyber Threat Intelligence program despite a lack of time and expertise
  • Prioritize threat hunting using the most relevant indicators

These use cases are covered in the webinar How to fight Ransomware with the latest McAfee innovations.

Regarding the following technique from the McAfee June 2021 Threat Report:

  • Credentials from Web Browsers (Credential Access)

Rollback of Ransomware Encryption

Now we are left with the last technique in the attack lifecycle:

  • Data encrypted for impact (Impact)

McAfee ENS 10.7 Adaptive Threat Protection (ATP) provides dynamic application containment of suspicious processes and enhanced remediation with an automatic rollback of the ransomware encryption.

You can see how files impacted by ransomware can be restored through Enhanced Remediation.

Additional McAfee Protection Against Ransomware

Last year McAfee released additional capabilities in McAfee Endpoint Security (ENS), Endpoint Detection and Response (EDR) and the Management Console (ePO) against ransomware, including:

  • ENS Exploit prevention
  • ENS Firewall
  • ENS Web control
  • ENS Self protection
  • ENS Story Graph
  • ePO Protection workspace
  • Additional EDR use cases against ransomware
