
Overcoming the Chaos, Concern and Fear of Ransomware with Seceon aiXDR

Seceon aiXDR monitors file access; in particular, recursive access to directories is treated as suspicious activity: a Threat Indicator is generated and the number of instances (recursive activity) is counted. Seceon aiXDR's FIM (file integrity monitoring) capabilities also come in handy. Call Us: 1 (978)-923-0040





Presentation Transcript


  1. Overcoming the Chaos, Concern and Fear of Ransomware with Seceon aiXDR

Demand for ransom in exchange for something valuable, captured forcefully, is an age-old vice that found its parallel in the digital world several years ago. Cyber criminals have resorted to extortion, preying on individuals and organizations (enterprises, businesses, institutions) by encrypting files on personal computers, workstations, tablets and mobile devices. In order to salvage the situation, the helpless user is coerced to

  2. pay up a ransom, in return for the recovery key. While the ransom could vary from a couple of hundred dollars to thousands, depending on the perceived value of the data and asset, there is also a high probability that parts of the data (personal, confidential or business oriented) may be sold on the dark web if the demand remains unfulfilled by the stipulated deadline.

Welcome to the dark world of old and new ransomware: from WannaCry, Ryuk, Petya and Maze to Darkside, REvil and Epsilon Red. While attack techniques and tactics vary, perpetrators are mostly elusive, as with any complicated crime scenario, and cyber sleuths have negligible success at reversing the situation. That leaves us with only a few options:
a.) Self-awareness to avoid any trap
b.) Software-based early detection
c.) Rapid response to minimize damage or eliminate the threat.

Most ransomware attacks originate from an email phishing campaign or a drive-by download (accessing a blacklisted site or a hijacked site). Seceon aiXDR quickly swings into action, correlating logs from the email server with endpoint activities, identifying access to blacklisted sites (using gathered Threat Intelligence) and applying behavioral patterns to find traces of unusual or suspicious processes spawned on the endpoint. The picture below depicts attack stages that are commonly seen.

  3. Let us consider the attack scenario that unfolded at Colonial Pipeline, with business servers being critically impacted by Darkside ransomware. Does aiXDR, the XDR solution from Seceon, stand up to the challenges posed by tactical maneuvers from Darkside? Here is what we've learned about Darkside's modus operandi:

1. Scours information from the victim's computer: OS type, version, username, hostname, disks, language etc. Any computer with an Eastern European or Russian language setting was left unaffected.

2. Selectively chooses which files to encrypt, based on directories, file names and extensions. This is intended to save time and keep the system in working condition so that contact information related to ransom payment can be conveyed.

Seceon aiXDR monitors file access; in particular, recursive access to directories is treated as suspicious activity: a Threat Indicator is generated and the number of instances (recursive activity) is counted. Seceon aiXDR's FIM (file integrity monitoring) capabilities also come in handy.

  4. 3. For anonymity, the attacker instructs that the designated website (for payment arrangement) be accessed using the TOR browser.

Using NetFlow/J-Flow/IPFIX data, the destination IP addresses of the endpoint's connections can still be extracted when the TOR browser is used. Note that these are the addresses of Tor entry relays, not of the payment site itself, so the practical check is to match flow destinations against published Tor relay lists and flag Tor usage from a host that has no business using it.

4. Critical strings are obfuscated using XOR encryption to avoid detection. Also, the main configuration is wrapped in base64 (an encoding, not encryption, but enough to defeat naive string scanning).

Seceon aiXDR can decrypt XOR-encrypted strings to identify the type of activity. Also, any process associated with base64 encoding or any other encryption/decryption method (e.g. OpenSSL) is identified by aiXDR and flagged as a Threat Indicator.

5. Dynamically calls WinAPI functions by hashed and encrypted names instead of referring to the import table of APIs, to avoid detection and revelation of purpose.

A process that resolves WinAPI calls this way presents with an unknown hash and gets picked up by aiXDR's Machine Learning algorithm.

6. Pulls up a list of Shadow Copy backups and gets rid of them, so the user can't restore files.

It is quite common behavior for ransomware to abuse the Windows program vssadmin.exe, which manipulates volume shadow copies of a filesystem. Seceon's aiXDR instantly catches this attempt, generally as a combination of the command line "vssadmin delete shadows" and the WMI command "wmic shadowcopy delete". This malicious behavior and threat indicator is considered very risky and the alert is elevated to severity level "Major" or "Critical". Note that vssadmin requires "Administrator" privilege to execute and is

  5. commonly used by other ransomware families like Ryuk and WannaCry to wreak havoc. Hence, privilege escalation by the malware is also detected by aiXDR as a serious Threat Indicator.

7. Tries to disable various backup solutions.

Seceon aiXDR detects any attempt to disable a service on the host/endpoint and creates a Threat Indicator.

8. Uses both symmetric and asymmetric key encryption, so that an intercepted public key cannot by itself be used for restoring access to data.

As noted earlier, any process associated with encryption or decryption is promptly discerned by aiXDR and tagged as potentially suspicious, subject to other evidence.

In summary, an advanced XDR solution like Seceon aiXDR relies on a comprehensive set of information streaming in from the network, events, endpoints (EDR), threat intelligence and vulnerability scans to assign appropriate threat indicators. The AI engine correlates these indicators and applies behavioral aspects to conclude that a "Ransomware" attack is in progress, while immediately escalating alert severity to "critical/major" with a high degree of confidence. In fact, aiXDR goes a step further by empowering the Security Analyst to take rapid action through auto-remediation or semi-automated remediation built into the solution. The affected endpoint/host can be isolated from the network, or specific processes can be eliminated promptly, to block further damage.

• To learn more about Seceon aiXDR, check out these resources:
• End-to-end Cybersecurity with aiXDR
• Seceon aiXDR Datasheet
• Customer Stories
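Item 4 above says the critical strings are XOR-obfuscated and the configuration is base64-wrapped. The following is an added example (not Seceon's code and not Darkside's format) of what "decrypting" such strings involves for an analyst: base64-decode the blob, brute-force the single-byte XOR key by scoring how printable each candidate plaintext is, and parse the result. The sample blob is constructed here with an assumed key of 0x5A and an assumed key=value;... layout; a known plaintext prefix is used to break ties, because several keys can yield fully printable output.

```python
"""
Recovering XOR-obfuscated strings and a base64-wrapped configuration.

Added example, not Seceon's or Darkside's code. The blob below is constructed
for this demonstration: a configuration-like string XORed with one key byte
(0x5A, an assumption) and then base64-encoded. Only single-byte keys are
brute-forced here; multi-byte keys need a longer search.
"""
import base64
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; real text scores near 1.0."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def recover_single_byte_key(blob: bytes, known_prefix: bytes = b"") -> int:
    """Try all 256 single-byte keys. If a known plaintext prefix is supplied,
    only candidates producing it are considered; otherwise the most printable
    candidate wins (which can tie for short or benign-looking blobs)."""
    best_key, best_score = 0, -1.0
    for k in range(256):
        pt = xor_bytes(blob, bytes([k]))
        if known_prefix and not pt.startswith(known_prefix):
            continue
        s = printable_score(pt)
        if s > best_score:
            best_key, best_score = k, s
    return best_key


def decode_config(b64_blob: str, known_prefix: bytes = b"") -> tuple:
    """base64-decode, recover the XOR key, and parse assumed key=value;... pairs."""
    raw = base64.b64decode(b64_blob)
    key = recover_single_byte_key(raw, known_prefix)
    pt = xor_bytes(raw, bytes([key])).decode("ascii", errors="replace")
    cfg = {}
    for item in pt.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            cfg[k.strip()] = v.strip()
    return key, cfg


# Constructed sample, built the way a hypothetical packer would build it.
SAMPLE_CONFIG = b"skip_ext=.exe,.dll,.sys;skip_dir=Windows,Program Files;tor=example.onion"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = base64.b64encode(xor_bytes(SAMPLE_CONFIG, bytes([SAMPLE_KEY]))).decode()

if __name__ == "__main__":
    key, cfg = decode_config(SAMPLE_BLOB, known_prefix=b"skip_")
    print(f"recovered key 0x{key:02x}: {cfg}")
```

The known-prefix check is the practical trick: obfuscated configuration strings usually start with a field name the analyst already saw in a previous sample, and that one constraint collapses the 256-way search to a single candidate.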
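Items 2, 4, 6, 7 and 8 above each describe a behavior and the Threat Indicator raised for it, and the summary describes correlating those indicators into a "ransomware in progress" conclusion. The block below is an added example of that detection logic written as plain rules over constructed endpoint events; it is not Seceon aiXDR's engine. The event schema (Sysmon-like process-creation and file-access records), the directory-count threshold, the service name and the severity labels are assumptions for the demonstration.

```python
"""
Behavioral detection of the Darkside-style indicators listed above, run over
constructed endpoint events. Added example, not Seceon aiXDR's engine. The
event schema, thresholds and service names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed severity ladder; the page names "Major" and "Critical" as the top levels.
MINOR, MAJOR, CRITICAL = "Minor", "Major", "Critical"

# Item 6: shadow-copy deletion in the two forms the page names (vssadmin and wmic).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]
# Item 7: stopping or disabling a service (backup agents are the usual target).
SERVICE_DISABLE = [
    re.compile(r"\b(sc|net)(\.exe)?\s+stop\b", re.I),
    re.compile(r"\bsc(\.exe)?\s+config\b.*\bstart=\s*disabled\b", re.I),
]
# Items 4 and 8: command-line use of encoding/encryption tooling.
CRYPTO_TOOLS = re.compile(r"\b(openssl|certutil)(\.exe)?\b", re.I)
# Item 2: recursive traversal, modelled as distinct directories touched by one process.
RECURSIVE_DIR_THRESHOLD = 5  # assumption


@dataclass
class Indicator:
    host: str
    pid: int
    name: str
    severity: str
    evidence: str


@dataclass
class Verdict:
    indicators: list = field(default_factory=list)
    ransomware_hosts: set = field(default_factory=set)


def process_indicators(ev: dict) -> list:
    """Map one process-creation event to zero or more Threat Indicators."""
    out, cmd = [], ev["cmdline"]
    if any(p.search(cmd) for p in SHADOW_DELETE):
        # vssadmin needs Administrator; an elevated caller means it actually ran.
        sev = CRITICAL if ev.get("elevated") else MAJOR
        out.append(Indicator(ev["host"], ev["pid"], "shadow_copy_deletion", sev, cmd))
    if any(p.search(cmd) for p in SERVICE_DISABLE):
        out.append(Indicator(ev["host"], ev["pid"], "service_disable", MAJOR, cmd))
    if CRYPTO_TOOLS.search(cmd):
        out.append(Indicator(ev["host"], ev["pid"], "encoding_or_crypto_tool", MINOR, cmd))
    return out


def analyze(events: list) -> Verdict:
    """Per-event rules first, then per-host correlation: mass directory traversal
    together with a backup-destruction indicator is concluded to be ransomware."""
    v, dirs_per_proc = Verdict(), defaultdict(set)
    for ev in events:
        if ev["type"] == "process":
            v.indicators.extend(process_indicators(ev))
        elif ev["type"] == "file":
            dirs_per_proc[(ev["host"], ev["pid"])].add(ev["path"].rsplit("\\", 1)[0].lower())
    for (host, pid), dirs in dirs_per_proc.items():
        if len(dirs) >= RECURSIVE_DIR_THRESHOLD:
            v.indicators.append(Indicator(host, pid, "recursive_file_access", MAJOR,
                                          f"{len(dirs)} distinct directories"))
    by_host = defaultdict(set)
    for ind in v.indicators:
        by_host[ind.host].add(ind.name)
    for host, names in by_host.items():
        if "recursive_file_access" in names and names & {"shadow_copy_deletion", "service_disable"}:
            v.ransomware_hosts.add(host)
    return v


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-17", "pid": 4120, "elevated": True,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "ws-17", "pid": 4121, "elevated": True,
     "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "host": "ws-17", "pid": 4122, "elevated": True,
     "cmdline": "sc config BackupAgentSvc start= disabled"},  # service name assumed
    {"type": "process", "host": "ws-02", "pid": 900, "elevated": False,
     "cmdline": "certutil -decode payload.b64 payload.bin"},
] + [
    {"type": "file", "host": "ws-17", "pid": 4100,
     "path": f"C:\\Users\\alice\\Documents\\{d}\\report{i}.docx"}
    for i, d in enumerate(["2019", "2020", "2021", "2022", "Legal", "HR"])
]

if __name__ == "__main__":
    verdict = analyze(SAMPLE_EVENTS)
    for ind in verdict.indicators:
        print(f"{ind.host} pid={ind.pid} {ind.severity:8} {ind.name}: {ind.evidence}")
    print("ransomware in progress on:", sorted(verdict.ransomware_hosts))
```

Two design points carry over to a real deployment: the shadow-copy rule is severity-gated on the caller's token (the page notes vssadmin requires Administrator, so an elevated caller is the stronger signal), and the ransomware verdict is only reached on the host where both traversal and backup destruction are seen, which keeps a lone certutil invocation on ws-02 at "Minor" rather than paging anyone.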

  6. Santanu (Shaan) Bagchi, Director, Pre-Sales Solutions, Seceon Inc.
https://www.linkedin.com/in/shaanbagchi/

Santanu (Shaan) Bagchi has 20+ years of experience in the software industry, leading through Product Management, Pre-Sales/Solutions Architecture, Consulting and Product Marketing roles for product vendors, MSSPs and system integrators in North America. As someone who has expertise in multiple tracks of cyber security (advanced SIEM, Data Loss Prevention, Endpoint Security, Vulnerability Management, Threat Intelligence and Identity and Access Management), he brings a versatile perspective to product innovation and customer-centric solutions. Before joining Seceon, he worked as Practice Director (Cybersecurity and Risk Services) for Wipro. Previously, he held Product Management positions at Secureworks (MSSP), Novell (Virtualization and IaaS), Digital Guardian (DLP) and Hitachi Data Systems (Cloud Storage-aaS). Shaan received an MBA degree from Babson College (Wellesley, MA) and a Bachelor of Engineering from IIEST (formerly Bengal Engineering College, India).

  7. Contact Us
Address: 238 Littleton Road, Suite #206, Westford, MA 01886, USA
Phone Number: +1 (978)-923-0040
Email Id: sales@seceon.com, info@seceon.com
Website: https://www.seceon.com/
Twitter: https://twitter.com/Seceon_Inc
