USING MITRE SHIELD TO DEFEND AGAINST RANSOMWARE
INTRODUCTION
Ransomware is an ever-evolving crime where malicious actors encrypt data and then demand ransom in exchange
for decryption. Traditional ransomware spreads through several methods, often through malicious emails,
removable storage drives, or infected links. Recent ransomware attacks, dubbed Ransomware 2.0, employ
advanced methods or have a human controller directing their activities. As a result, such attacks spend much
more time conducting discovery to identify business-critical assets for encryption. Because of their importance,
the organization is more likely to pay to recover these assets than endpoint systems. Additionally, these attackers
often exfiltrate data and threaten to release it to induce ransom payment, often demanding a second ransom to
prevent the release of the information.
MITRE Shield, a free, publicly available knowledge base that captures and organizes data from active defense and adversary engagements, can help organizations take proactive steps to defend their networks and assets. MITRE Shield outlines tactics and techniques fundamental to building an active defense strategy, which can go a long way in protecting against ransomware attacks.
Deception technology has long been renowned for its ability to create an active defense. However, unlike other
deception solutions, the Attivo Networks ThreatDefend® platform provides extensive attack prevention and
detection capabilities covering many decoy techniques and other methods. Moreover, the ThreatDefend platform
covers more MITRE Shield tactics than any other comparable solution. This paper discusses how using an Active
Defense strategy with the ThreatDefend platform provides an innovative and efficient approach to combating
ransomware. Offering enhanced protection to traditional security stack controls like Endpoint Platform Protection
(EPP) or Endpoint Detection and Response (EDR), the solution efficiently adds protection against credential
misuse, privilege escalation, and lateral movement tactics.
THE RANSOMWARE PROBLEM
Traditional ransomware infects any asset on the network indiscriminately, encrypting as many systems as possible to maximize payouts. First, the ransomware infects the host and then looks for documents, spreadsheets, pictures, or other files and data to encrypt. Once it finishes encrypting the local files and folders, it often looks for network shares mapped to the endpoint and encrypts any files it can access, thus affecting a more significant number of people. It may also look for attached storage devices like USB flash drives to infect as another propagation method. Once it completes this activity, it displays a ransom message on the screen with contact information and the monetary or bitcoin amount for the unlock code.
Whitepaper ANWP070921 www.attivonetworks.com © 2021 Attivo Networks. All rights reserved.
Modern ransomware attackers have recognized that they can demand more substantial amounts by targeting and directing their attacks at critical systems that support the business production chain (DCs, ERPs, file and database servers, OT environments, POS, etc.). As a result, they have adopted advanced tactics to steal credentials, move laterally, elevate privileges, identify targets, and collect data.
According to a Sophos survey, 51% of surveyed organizations in 2020 fell victim to a ransomware attack. In 2021,
ransomware hits a company once every eleven seconds. The Unit 42 threat intelligence team at Palo Alto Networks
published a 2021 report revealing that the average ransom paid for organizations increased from $115,123 in 2019
to $312,493 in 2020, a 171% year-over-year increase. Additionally, the highest ransom paid by an organization tripled
from 2019 to 2020, from $5 million to $15 million. In one particular incident, the ransom demand reached the $65
million mark.
The consequences don’t stop with bitcoin payments alone. In 2020, the average downtime cost totaled $283,000.
The average cost to recover from a ransomware attack was $1,450,000 for companies that paid the ransom, while
those that didn’t pay spent only $730,000 to recover from the attack. Data indicate that most ransomware victims
pay. Additionally, many businesses that chose to pay ransoms also suffered a second ransomware attack. Frequently,
there are also double extortion attacks, where the ransomware attackers steal data and threaten to release it unless
they get the original ransom demand or additional monies.
Clearly, ransomware is a problem that won’t go away anytime soon, and the best way to address it is by preventing
the incident from ever occurring. Fortunately, there are new tools and frameworks that help security teams
understand their security gaps and the ways to address them.
MITRE ATT&CK AND SHIELD
ATT&CK for Enterprise is an adversary model and framework for describing an adversary’s actions to compromise and
operate within an enterprise network. In addition, it expands the knowledge of network defenders, prioritizing network
defense by detailing the tactics, techniques, and procedures (TTPs) cyber threats use to gain access and execute
their objectives while operating inside a network. As a result, organizations can use the model to characterize and
describe post-compromise adversary behavior better.
ATT&CK for Enterprise incorporates details from multiple operating system platforms commonly found within enterprise networks, including Microsoft Windows, macOS, and Linux. ATT&CK provides a matrix for each of these systems, with a separate one for mobile systems, cloud, and ICS. The framework and higher-level categories may also apply to other platforms and environments.
MITRE launched a knowledge base named Shield, available at https://shield.mitre.org, that captures capabilities surrounding Active Defense and adversary engagements. The first publication of this knowledge base is in the form of a matrix listing capabilities for Active Defense. Shield complements the MITRE ATT&CK knowledge base (Adversarial Tactics, Techniques, and Common Knowledge), a highly regarded tool in the Threat Intelligence Community for modeling cybersecurity threats. From a defender’s perspective, the ATT&CK matrix provides a data model of how one should protect their enterprise against cybersecurity threats. Meanwhile, the Shield matrix provides the capabilities a defender must build for an Active Defense and adversary engagement in a post-breach situation.
MITRE uses the US Department of Defense definition for Active Defense as “The employment of limited offensive
action and counterattacks to deny a contested area or position to the enemy.” The Shield matrix lists capabilities that
help an enterprise change an attack engagement from a defensive play to an offensive play. These capabilities range
from basic cyber defensive capabilities to cyber deception and adversary engagement operations.
THE ATTIVO NETWORKS THREATDEFEND PLATFORM
The Attivo Networks ThreatDefend® platform has garnered recognition as the most comprehensive in-network attack prevention and detection solution, which easily scales to protect on-premises, cloud, remote worksites, and specialty environments such as IoT, SCADA, POS, SWIFT, infrastructure, and telecommunications. It effectively detects threats from virtually all attack vectors early in the attack cycle, captures forensic data to create company-centric threat intelligence, and leverages partner integrations to automate response. Additionally, the platform uses concealment technology and machine learning to automatically learn the environment and craft misdirections, lures, and mirror-match decoys for the highest authenticity and engagement believability.
The Attivo Networks ThreatDefend® platform provides a customer-proven solution to prevent identity-based privilege
escalation and detect attacker lateral movement. The platform’s visibility programs deliver insight into credential
and attack path exposures and Active Directory Domain, user, and device-level exposures for organizations seeking
increased security based on least privilege access. Additionally, the ThreatDefend platform’s concealment technology
derails attackers as they can no longer find or access the data, files, AD objects, and credentials they seek.
Additionally, the solution’s decoys obfuscate the attack surface, collect forensic data, automatically analyze attack data, and automate incident response through its 30 native integrations. The platform provides the most comprehensive in-network detection solution, deploying a detection fabric that scales to on-premises, cloud, remote worksites, and specialty environments such as IoT, SCADA, POS, SWIFT, and network infrastructure.
The ThreatDefend Platform modular components include the ADAssessor solution, which identifies AD exposures and alerts on attacks targeting it. The Endpoint Detection Net (EDN) suite consists of the ThreatStrike® credential lures endpoint module, ThreatPath® for attack path visibility, ADSecure for Active Directory defense, the DataCloak function to hide and deny access to data, and the Deflect function to redirect malicious connection attempts to decoys for engagement. The Attivo BOTsink® deception servers provide decoys, gather attacker threat intelligence, and automate incident response with their orchestration playbooks. The ThreatDirect deception forwarders support remote and segmented networks. Attivo Central Managers are available as management consoles.
The ThreatDefend platform offers support across 11 of the 12 tactics within the MITRE ATT&CK Matrix, especially in
the categories of Credential Access, Discovery, Lateral Movement, and Collection. Modern ransomware uses these
tactics extensively.
The ThreatDefend platform offers the highest number of capabilities that can cover the MITRE Shield matrix. The
platform capabilities range from simple deception strategies to a layered prevention strategy.
SHIELD AND RANSOMWARE
Attivo Networks identified and mapped MITRE ATT&CK tactics and techniques common to modern ransomware. It
then mapped the corresponding MITRE Shield tactics that addressed these and the Attivo solutions that enabled
them. The table below outlines how the ThreatDefend platform addresses ransomware through MITRE Shield.
The table columns are: Ransomware Technique, ATT&CK Tactic, ATT&CK Technique, Shield Technique, Active Defense Techniques, How Attivo Helps, and Attivo Products. Each row is given below as a labeled entry.

Ransomware technique: Exploit public-facing RDP servers
ATT&CK tactic: Initial Access
ATT&CK technique: T1133 - External Remote Services
Shield technique: DTE0017 - Decoy System
Active defense techniques: 1. Defenders can get alerted if their public-facing applications/servers are at risk. 2. Defenders can learn the tools and techniques ransomware operators employ to build security controls for detection and prevention against them.
How Attivo helps: The BOTsink server offers several deception campaigns deployable to a DMZ or externally facing networks that provide high interaction decoys that capture every activity and related intelligence. Additionally, it allows a defender to deploy systems hosting native services (RDP, SSH) and popular enterprise services like VPN and Citrix.
Attivo products: BOTsink server
Ransomware technique: Exploit public-facing applications
ATT&CK tactic: Initial Access
ATT&CK technique: T1190 - Exploit Public-Facing Application
Shield technique: DTE0017 - Decoy System; DTE0013 - Decoy Diversity
Active defense techniques: 1. Defenders can get alerted if their public-facing applications/servers are at risk. 2. Defenders can learn the tools and techniques ransomware operators employ to build security controls for detection and prevention against them.
How Attivo helps: The BOTsink server offers several deception campaigns deployable to a DMZ or externally facing networks. Attivo provides decoys of over 30 well-known web applications out of the box and provides a generic way to build decoys for custom web applications to push to a decoy. The customization capability allows a defender to change the network footprint for every decoy.
Attivo products: BOTsink server

Ransomware technique: Infected USB drive
ATT&CK tactic: Initial Access
ATT&CK technique: T1200 - Hardware Additions
Shield technique: DTE0022 - Isolation
Active defense techniques: Defenders can plug in any new hardware device to an isolated environment and monitor the behavior before plugging it onto an enterprise computer or network.
How Attivo helps: The EDN suite offers multiple capabilities that help track all behaviors (endpoint and network) for a process. Additionally, the ADSecure solution monitors key APIs and console commands to understand the intent of a process. At the same time, the EDN Deflect function provides an easy way to achieve network isolation with complete visibility into what attackers are attempting.
Attivo products: EDN suite; ADSecure

Ransomware technique: Execute attack scripts (such as PowerShell, Windows Cmd Shell, Visual Basic, or JavaScript/JScript)
ATT&CK tactic: Execution
ATT&CK technique: T1059 - Command and Scripting Interpreter
Shield technique: DTE0036 - Software Manipulation; DTE0034 - System Activity Monitoring
Active defense techniques: Defenders can manipulate the output of such scripts and commands to their benefit. For example, they can use it to prevent attacks on critical resources, force an attacker to reveal more TTPs, or monitor the ransomware to understand its behavior and prepare an adequate response.
How Attivo helps: The ADSecure solution can monitor scripts as they execute. It can alter the results of typical recon commands to influence an attacker’s next choice of actions. It can also hide critical assets from such recon attempts to ensure the ransomware doesn’t propagate to them.
Attivo products: EDN suite; ADSecure
Ransomware technique: Exploit native OS application programming interfaces (APIs)
ATT&CK tactic: Execution
ATT&CK technique: T1106 - Native API
Shield technique: DTE0036 - Software Manipulation; DTE0003 - API Monitoring
Active defense techniques: Defenders can observe attacker behavior, influence subsequent actions, and learn the attack techniques they use. In addition, they can intercept commands (system calls or OS native commands) and alter the results of such commands to direct an adversary in a specific direction.
How Attivo helps: The ADSecure solution allows a defender to alter the results of several recon commands attackers use to determine the next hop for the attack. It employs several interception techniques at multiple layers to ensure the deception stays authentic for an attacker. Additionally, the EDN Deflect function can forward all outbound traffic to the decoy environment, so no matter where the attackers attempt to go, they only talk to the decoys.
Attivo products: EDN suite; ADSecure

Ransomware technique: Employ weaponized email attachments, malicious links, files, or images
ATT&CK tactic: Execution
ATT&CK technique: T1204 - User Execution
Shield technique: DTE0018 - Detonate Malware
Active defense techniques: Defenders can execute ransomware on a decoy system to examine its behaviors or potentially engage with the attacker to obtain further intelligence. There is an opportunity for a defender to study the attacker and collect first-hand observations about their behaviors and tools.
How Attivo helps: The BOTsink server decoys capture attacker behaviors and tools. These decoy systems execute malware under controlled conditions and provide deep forensic data for investigation, gaining detailed insights for each activity. The BOTsink server also helps to study attacker behaviors or engage with the adversary to obtain further intelligence. Additionally, the BOTsink server includes a malware sandbox to detonate and understand ransomware.
Attivo products: BOTsink server

Ransomware technique: Create additional accounts on the local system or within a domain
ATT&CK tactic: Persistence
ATT&CK technique: T1136 - Create Account
Shield technique: DTE0033 - Standard Operating Procedure
Active defense techniques: Defenders must monitor newly created accounts, privileges, and groups and take remedial actions for any activity outside of Standard Operating Procedures.
How Attivo helps: The EDN solution generates alerts for newly created accounts that are in privileged groups (local or domain) or have critical privileges. The Attivo ThreatPath solution monitors such groups and permissions and can raise alerts when a new one gets created.
Attivo products: EDN suite
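The T1136 entry above calls for monitoring newly created accounts and privileged group membership against a Standard Operating Procedure. As an added example (not from the whitepaper and not Attivo’s code), the following script replays constructed Windows Security-style account events in time order and alerts on a brand-new account landing in a privileged group, and on account or group changes made outside an assumed SOP allowlist and change window. The event shapes, group names, account names and SOP values are all assumptions.

```python
"""Alerting on newly created accounts that land in privileged groups, and on
account changes made outside the Standard Operating Procedure (added example;
not Attivo code).

Input: constructed records shaped like Windows Security events, reduced to
the fields the check needs. Event IDs used: 4720 (user account created),
4728 (member added to a global security group) and 4732 (member added to a
local security group). The SOP is modelled as an allowlist of approved
provisioning accounts plus an approved change window; both are assumptions.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Administrators",
}

# Constructed SOP: only this service account provisions accounts, and only
# during the approved change window.
SOP = {
    "approved_creators": {"svc_provisioning"},
    "window": (datetime(2021, 7, 9, 20, 0), datetime(2021, 7, 9, 22, 0)),
}

# Constructed sample events (deliberately not in time order).
SAMPLE_EVENTS = [
    {"time": "2021-07-09T20:15:00", "id": 4720, "subject": "svc_provisioning",
     "target": "newhire01"},
    {"time": "2021-07-09T20:15:05", "id": 4728, "subject": "svc_provisioning",
     "target": "newhire01", "group": "Domain Users"},
    {"time": "2021-07-09T23:41:00", "id": 4720, "subject": "jsmith",
     "target": "backup_svc2"},
    {"time": "2021-07-09T23:41:30", "id": 4728, "subject": "jsmith",
     "target": "backup_svc2", "group": "Domain Admins"},
    {"time": "2021-07-09T20:30:00", "id": 4732, "subject": "svc_provisioning",
     "target": "helpdesk07", "group": "Administrators"},
    {"time": "2021-07-09T23:50:00", "id": 4732, "subject": "jsmith",
     "target": "jsmith", "group": "Administrators"},
]

GROUP_ADD_EVENTS = {4728, 4732}


def within_sop(subject, when, sop=SOP):
    """True if the change was made by an approved account inside the window."""
    start, end = sop["window"]
    return subject in sop["approved_creators"] and start <= when <= end


def evaluate(events=SAMPLE_EVENTS, sop=SOP, new_account_age=timedelta(hours=24)):
    """Replay events in time order and return (alert, target, detail) tuples."""
    created = {}   # account -> creation time, learned from 4720 events
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        when = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            created[e["target"]] = when
            if not within_sop(e["subject"], when, sop):
                alerts.append(("account_created_outside_sop",
                               e["target"], e["subject"]))
        elif e["id"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS:
            # Accounts never seen being created get an "infinitely old" age.
            age = when - created.get(e["target"], datetime.min)
            if age <= new_account_age:
                # A brand-new account gaining privilege is the highest-value
                # signal regardless of who performed the change.
                alerts.append(("new_account_in_privileged_group",
                               e["target"], e["group"]))
            elif not within_sop(e["subject"], when, sop):
                alerts.append(("privileged_group_change_outside_sop",
                               e["target"], e["group"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate():
        print(alert)
```

On the constructed sample the provisioning account’s in-window work produces nothing, while the out-of-window account creation, its promotion to Domain Admins thirty seconds later, and the self-addition to the local Administrators group each raise a separate alert.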
Ransomware technique: Scheduling tasks to execute programs at system startups or on a scheduled basis for persistence
ATT&CK tactic: Persistence
ATT&CK technique: T1053 - Scheduled Task
Shield technique: DTE0001 - Admin Access; DTE0017 - Decoy System; DTE0034 - System Activity Monitoring
Active defense techniques: An active defense strategy allows defenders to capture all ransomware activities and provides deep forensic data for investigation. Decoy systems can examine ransomware behavior when compromised and observe how they perform a specific task.
How Attivo helps: The BOTsink server offers several deception campaigns deployable to a DMZ or externally facing networks. Attivo provides decoys of over 30 well-known web applications out of the box and provides a generic way to build decoys for custom web applications to push to a decoy. The customization capability allows a defender to change the network footprint for every decoy.
Attivo products: BOTsink server; EDN suite; ADSecure

Ransomware technique: Steal and abuse credentials with varying privileges during initial access to bypass access controls or establish persistence
ATT&CK tactic: Persistence; Privilege Escalation; Defense Evasion
ATT&CK technique: T1078 - Valid Accounts
Shield technique: DTE0010 - Decoy Account; DTE0012 - Decoy Credentials; DTE0008 - Burn-In
Active defense techniques: Create deceptive user accounts for attackers to target. In an adversary engagement scenario, deploy decoy credentials across various locations to increase the chances of an attacker finding and using them.
How Attivo helps: The EDN ThreatStrike solution deploys decoy credentials as lures for relevant applications in production systems and redirects attackers to decoy systems for engagement. Additionally, it provides visibility into exposed user accounts and identifies any such exposures that attackers can steal.
Attivo products: EDN suite

Ransomware technique: Gain initial foothold via RDP, obtain valid credentials, or collect password hashes for offline cracking
ATT&CK tactic: Credential Access
ATT&CK technique: T1110 - Brute Force
Shield technique: DTE0034 - System Activity Monitoring
Active defense techniques: Monitor logs for attempts to authenticate. Defenders can detect attacks like password spray and credential stuffing by monitoring the event logs for authentication attempts.
How Attivo helps: The EDN solution deploys decoy credentials on endpoints. The BOTsink server identifies brute force attempts and the use of any decoy credentials. It can also monitor these credentials by integrating with SIEM solutions to detect their use in any successful or failed attempts.
Attivo products: BOTsink server; EDN suite

Ransomware technique: Acquire credentials from web browsers or Windows Credential Manager
ATT&CK tactic: Credential Access
ATT&CK technique: T1555 - Credentials from Password Stores
Shield technique: DTE0012 - Decoy Credentials
Active defense techniques: A defender can create deceptive credentials across various locations to increase the chances of an attacker finding and using them.
How Attivo helps: The EDN solution deploys decoy credentials as lures for relevant applications in production systems and redirects attackers to decoy systems for engagement.
Attivo products: EDN suite
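The T1110 entry above describes detecting brute force, password spray and credential stuffing by monitoring authentication logs, and the surrounding entries describe alerting on any use of a planted decoy credential. The following is an added example, not from the whitepaper and not Attivo’s code: sliding-window detection logic run over constructed authentication events, with decoy-account use treated as an alert on its own regardless of outcome. The event fields, thresholds, addresses and decoy account names are assumptions.

```python
"""Authentication-log detection for brute force, password spray and decoy
credential use (added example; not Attivo or MITRE code).

Events are constructed records shaped like a SIEM-normalised logon event:
(timestamp, user, source IP, target host, success). Three detections:
  * brute force    - one source fails repeatedly against one account
  * password spray - one source fails against many distinct accounts
  * decoy use      - any attempt with a planted decoy account, success or
                     failure, since no legitimate user ever logs in with it
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

AuthEvent = namedtuple("AuthEvent", "time user src_ip host success")

# Decoy (honeytoken) account names planted on endpoints; constructed values.
DECOY_ACCOUNTS = {"svc_backup_adm", "fileshare_admin"}

# Constructed sample events covering all three patterns plus normal activity.
SAMPLE_EVENTS = [
    # brute force: one source hammers one account, then gets in
    ("2021-07-09T10:00:01", "jsmith", "10.0.5.23", "RDP-GW01", False),
    ("2021-07-09T10:00:03", "jsmith", "10.0.5.23", "RDP-GW01", False),
    ("2021-07-09T10:00:05", "jsmith", "10.0.5.23", "RDP-GW01", False),
    ("2021-07-09T10:00:07", "jsmith", "10.0.5.23", "RDP-GW01", False),
    ("2021-07-09T10:00:09", "jsmith", "10.0.5.23", "RDP-GW01", False),
    ("2021-07-09T10:00:11", "jsmith", "10.0.5.23", "RDP-GW01", True),
    # password spray: one source, a single failure against each of many accounts
    ("2021-07-09T10:05:00", "adavis", "10.0.9.77", "RDP-GW01", False),
    ("2021-07-09T10:05:02", "bkhan", "10.0.9.77", "RDP-GW01", False),
    ("2021-07-09T10:05:04", "clee", "10.0.9.77", "RDP-GW01", False),
    ("2021-07-09T10:05:06", "dortiz", "10.0.9.77", "RDP-GW01", False),
    # decoy credential use: one successful logon with a planted account
    ("2021-07-09T10:07:00", "svc_backup_adm", "10.0.9.77", "FS01", True),
    # normal activity: a user mistypes a password once
    ("2021-07-09T10:08:00", "mbrown", "10.0.3.10", "FS01", False),
    ("2021-07-09T10:08:30", "mbrown", "10.0.3.10", "FS01", True),
]


def parse_events(raw):
    """Turn the raw tuples into AuthEvent records with datetime timestamps."""
    return [AuthEvent(datetime.fromisoformat(t), u, s, h, ok)
            for t, u, s, h, ok in raw]


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """(user, src_ip) pairs with at least `threshold` failures inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[(e.user, e.src_ip)].append(e.time)
    return sorted(k for k, t in failures.items()
                  if _max_in_window(t, window) >= threshold)


def detect_password_spray(events, min_accounts=4, window=timedelta(minutes=10)):
    """Source IPs that failed against >= min_accounts distinct users in `window`."""
    per_src = defaultdict(list)
    for e in events:
        if not e.success:
            per_src[e.src_ip].append((e.time, e.user))
    sprayers = []
    for src, items in per_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({u for _, u in items[start:end + 1]}) >= min_accounts:
                sprayers.append(src)
                break
    return sorted(sprayers)


def detect_decoy_use(events, decoys=DECOY_ACCOUNTS):
    """Every attempt with a decoy account is an alert, successful or not."""
    return [(e.user, e.src_ip, e.host, e.success)
            for e in events if e.user in decoys]


def analyze(raw=SAMPLE_EVENTS):
    """Run all three detections and return their hits by name."""
    events = parse_events(raw)
    return {
        "brute_force": detect_brute_force(events),
        "password_spray": detect_password_spray(events),
        "decoy_use": detect_decoy_use(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(f"{kind}: {hits}")
```

The two volume detections key on different dimensions (one account from one source versus many accounts from one source), which is why a spray at one failure per account slips past a brute-force threshold but not the distinct-account count; the decoy check needs no threshold at all, and note that the same source that sprayed also touched the decoy account.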
Ransomware technique: Harvest credentials by capturing GUI input or use fake login windows
ATT&CK tactic: Credential Access
ATT&CK technique: T1056 - Input Capture
Shield technique: DTE0011 - Decoy Content
Active defense techniques: A defender can feed decoy data to an adversary using a key-logger or other tool to shape the encounter.
How Attivo helps: The EDN solution intercepts several commands from post-exploitation tools to manipulate and interlace the results with decoy data. An adversary trying to follow through on such decoy data will engage with decoys and get detected.
Attivo products: EDN suite

Ransomware technique: Use credential dumping techniques to obtain credential hashes or clear text passwords from the OS and software
ATT&CK tactic: Credential Access
ATT&CK technique: T1003 - OS Credential Dumping
Shield technique: DTE0012 - Decoy Credentials
Active defense techniques: A defender can create deceptive credentials across various locations to increase the chances of an attacker finding and using them.
How Attivo helps: The EDN solution deploys decoy credentials as lures for relevant applications in production systems and redirects attackers to decoys for engagement.
Attivo products: EDN suite

Ransomware technique: Abuse valid Kerberos ticket-granting tickets (TGT) and obtained ticket-granting service (TGS) tickets, which are vulnerable to brute force attacks and expose plaintext credentials
ATT&CK tactic: Credential Access
ATT&CK technique: T1558 - Steal or Forge Kerberos Tickets
Shield technique: DTE0025 - Network Diversity; DTE0032 - Security Controls
Active defense techniques: An active defense strategy projects several high-interaction network decoys like switches, routers, printers, and server decoys like Windows Active Directory Domain Controllers for subsequent Lateral Movement activities.
How Attivo helps: The BOTsink server projects several high-interaction network decoys like switches, routers, printers, and server decoys like Windows Active Directory Domain Controllers. Additionally, the EDN solution deploys deceptive credentials, including hashes, access tokens, and Kerberos tickets. The solution also helps to detect attackers using decoy tickets and redirects them to decoy systems for engagement.
Attivo products: BOTsink server; EDN suite

Ransomware technique: Extract credentials stored insecurely or misplaced on a system, including plaintext files and in the Windows registry
ATT&CK tactic: Credential Access
ATT&CK technique: T1552 - Unsecured Credentials
Shield technique: DTE0012 - Decoy Credentials
Active defense techniques: A defender can create deceptive credentials across various locations to increase the chances of an attacker finding and using them.
How Attivo helps: The EDN solution deploys decoy credentials as lures for relevant applications in production systems and redirects attackers to decoy systems for engagement.
Attivo products: EDN suite
Ransomware technique: Obtain credentials with varying levels of privileges during initial access for continued access to remote systems and services, such as VPNs, Outlook Web Access, and remote desktop
ATT&CK tactic: Discovery
ATT&CK technique: T1078 - Account Discovery
Shield technique: DTE0036 - Software Manipulation; DTE0010 - Decoy Account; DTE0013 - Decoy Diversity
Active defense techniques: 1. Defenders can host a decoy system with different OS and software configurations that look authentic. 2. Defenders can feed or redirect requests for credentials with false data to redirect attackers to a decoy system. 3. Defenders can detect ransomware activity early in the cycle and raise relevant alerts with information on the tools and techniques it uses.
How Attivo helps: The BOTsink server deploys decoy systems with varying operating systems and software configurations. Additionally, the EDN solution deploys decoy credentials on production endpoints. The solution detects attackers trying to use deceptive credentials and redirects them to decoy systems for engagement.
Attivo products: BOTsink server; EDN suite

Ransomware technique: Find group and permission settings
ATT&CK tactic: Discovery
ATT&CK technique: T1069 - Permission Groups Discovery
Shield technique: DTE0036 - Software Manipulation
Active defense techniques: Defenders can manipulate a system’s software to alter the results of an attacker enumerating permission group information.
How Attivo helps: The ADSecure solution defends essential Active Directory objects such as user and system accounts, privileged group members, domain controllers, and service principal names from malicious data gathering activities. The solution also covers Local Administrator group members to protect against privilege escalation.
Attivo products: EDN suite; ADSecure

Ransomware technique: Use remote system discovery techniques to collect IP address, hostname, or other logical identifiers for lateral movement
ATT&CK tactic: Discovery
ATT&CK technique: T1018 - Remote System Discovery
Shield technique: DTE0036 - Software Manipulation; DTE0011 - Decoy Content
Active defense techniques: 1. Defenders can alter the output from system discovery techniques that attackers use to direct them to a decoy system. 2. Defenders can create breadcrumbs to influence attackers to engage with decoy systems.
How Attivo helps: The ADSecure solution alters the output of attacker discovery techniques. Additionally, the EDN solution deploys deceptive credentials on endpoints to lure the attacker toward decoy systems.
Attivo products: EDN suite; ADSecure
Ransomware technique: Use Domain Trust discovery techniques to enumerate domain trusts and move laterally in Windows multi-domain/forest environments
ATT&CK tactic: Discovery
ATT&CK technique: T1482 - Domain Trust Discovery
Shield technique: DTE0014 - Decoy Network; DTE0012 - Decoy Credentials
Active defense techniques: Defenders can create a decoy network that contains easily discoverable systems that are appealing to an adversary. In addition, they can embed deceptive credentials across an array of locations to increase the chances of an attacker finding and using them.
How Attivo helps: The BOTsink server can create a mesh of endpoints that can appear to be part of a domain. It also allows a defender to build a one-way trust to the decoy AD. Additionally, the EDN solution deploys decoy credentials as lures for relevant applications in production systems and redirects attackers to decoy systems for engagement.
Attivo products: BOTsink server; EDN suite

Ransomware technique: Use port scan techniques to discover services running on remote hosts, including vulnerable systems, to carry out remote software exploitation
ATT&CK tactic: Discovery
ATT&CK technique: T1046 - Network Service Scanning
Shield technique: DTE0036 - Software Manipulation; DTE0017 - Decoy System
Active defense techniques: 1. Defenders can alter the output from system discovery techniques to direct attackers to a decoy system. 2. Defenders can implement a decoy system running a remote service (such as telnet, SSH, and VNC) and see if an attacker attempts to log in to the service.
How Attivo helps: The BOTsink server supports deploying network decoys across multiple remote and branch locations. Additionally, the EDN Deflect function monitors attacker discovery techniques as they scan for ports and services to exploit on remote endpoints.
Attivo products: BOTsink server; EDN suite

Ransomware technique: Enumerate files and directories on compromised endpoints to collect valuable information within a file system
ATT&CK tactic: Discovery
ATT&CK technique: T1083 - File and Directory Discovery
Shield technique: DTE0011 - Decoy Content
Active defense techniques: Defenders can deploy deceptive content to see if an adversary attempts to manipulate data on the system or connected storage devices. They can also seed decoy network shares to see if an attacker uses them for payload delivery or lateral movement.
How Attivo helps: The EDN solution deploys lures on production machines in the form of deceptive credentials and network shares. In addition, the EDN DataCloak function enables organizations to hide files, folders, and network or cloud mapped shares and restrict access from untrusted processes.
Attivo products: EDN suite
Ransomware technique: Collect valuable information from shared network drives and folders and identify potential targets of interest for lateral movement
ATT&CK tactic: Discovery
ATT&CK technique: T1135 - Network Share Discovery
Shield technique: DTE0011 - Decoy Content; DTE0013 - Decoy Diversity
Active defense techniques: Defenders can deploy deceptive content to see if an adversary attempts to manipulate data on the system or connected storage devices. They can also seed decoy network shares to see if an attacker uses them for payload delivery or lateral movement.
How Attivo helps: The EDN solution deploys lures on production machines in the form of deceptive credentials and network shares. In addition, the EDN DataCloak function enables organizations to hide files, folders, and network or cloud mapped shares and restrict access from untrusted processes.
Attivo products: EDN suite

Ransomware technique: Use system service discovery techniques to collect information about registered services
ATT&CK tactic: Discovery
ATT&CK technique: T1007 - System Service Discovery
Shield technique: DTE0003 - API Monitoring
Active defense techniques: Defenders can monitor and analyze operating system function calls for detection and alerting. They can also manipulate the command to display services an adversary would expect to see on a system or show them unexpected services.
How Attivo helps: The ADSecure solution monitors all console and PowerShell commands. In addition, it detects and alerts on attempts to collect information such as system services.
Attivo products: BOTsink server; EDN suite

Ransomware technique: Exploit remote services and gain unauthorized access to internal systems
ATT&CK tactic: Lateral Movement
ATT&CK technique: T1210 - Exploitation of Remote Services
Shield technique: DTE0004 - Application Diversity; DTE0036 - Software Manipulation
Active defense techniques: Defenders can deploy several application decoys that mimic production-grade services and appear attractive to an attacker. Defenders can also use software manipulation to intercept commands adversaries execute and change the resulting output to detect and protect production services.
How Attivo helps: The BOTsink server offers decoys for over 70 different kinds of services and applications. These completely customizable decoys mimic production services and applications. The ADSecure solution offers a unique capability to detect the attack and misdirect malicious activity by hiding and denying access to sensitive or critical data while giving the attacker fake data that redirects them to decoys for engagement.
Attivo products: BOTsink server; EDN suite; ADSecure
Ransomware technique: Use scripts or file-sharing capabilities to transfer tools or other files between systems in a compromised environment, such as over SMB, Windows Admin Shares, or Remote Desktop Protocol
ATT&CK tactic: Lateral Movement
ATT&CK technique: T1570 - Lateral Tool Transfer
Shield technique: DTE0027 - Network Monitoring; DTE0026 - Network Manipulation
Active defense techniques: 1. Defenders can monitor network traffic for anomalies that eventually result in transferring tools or scripts. 2. Defenders can alter the network configuration to disrupt attackers trying to transfer tools.
How Attivo helps: The EDN solution deploys decoy network shares on endpoints mapping to decoy servers, detecting attackers attempting to transfer tools or scripts to these locations. Additionally, the EDN solution detects attackers enumerating network shares and prevents access to them.
Attivo products: EDN suite

Ransomware technique: Use valid domain credentials to log into a remote service using remote access protocols such as telnet, SSH, and VNC
ATT&CK tactic: Lateral Movement
ATT&CK technique: T1021 - Remote Services
Shield technique: DTE0027 - Network Monitoring; DTE0017 - Decoy System
Active defense techniques: 1. Defenders can implement network monitoring and alert on abnormal traffic patterns, significant or unexpected data transfers, and other activities that may reveal an attacker’s presence. 2. Defenders can implement a decoy system running a remote service (such as telnet, SSH, and VNC) and see if the adversary attempts to log in to the service.
How Attivo helps: The EDN Deflect function monitors the traffic on endpoints and can direct a suspicious connection to the decoy environment. The BOTsink server can deploy systems hosting native services (RDP, SSH) and popular enterprise services like VPN and Citrix. The EDN solution distributes SSH keys and credentials to these decoy servers.
Attivo products: BOTsink server; EDN suite

Ransomware technique: Use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, to move laterally within an environment
ATT&CK tactic: Lateral Movement
ATT&CK technique: T1550 - Use Alternate Authentication Material
Shield technique: DTE0007 - Behavioral Analytics
Active defense techniques: Defenders can look for anomalies in where an account is authenticating and what it is authenticating with to detect potentially malicious intent.
How Attivo helps: The ADSecure solution monitors and alerts on attempts to harvest authentication materials like password hashes, Kerberos tickets, and application tokens. The solution can alert defenders to these attempts in real time, allowing them to craft a policy to mitigate such attacks.
Attivo products: EDN suite; ADSecure
Ransomware technique: Compress and encrypt collected data for exfiltration
ATT&CK tactic: Collection
ATT&CK technique: T1560 - Archive Collected Data
Shield technique: DTE0036 - Software Manipulation
Active defense techniques: Defenders can alter the APIs to expose data that the system is archiving, encoding, or encrypting. Such a capability can also take actions like hiding the data or corrupting it to make it unusable.
How Attivo helps: The EDN suite DataCloak function protects against activities attempting to access sensitive or critical data. The suite monitors several APIs used to enumerate and collect data. It can hide data and deny access to it to protect against threat actors attempting to compromise it.
Attivo products: EDN suite

Ransomware technique: Find files of interest and sensitive data from the local file systems or databases before exfiltration
ATT&CK tactic: Collection
ATT&CK technique: T1005 - Data from Local System
Shield technique: DTE0030 - Pocket Litter
Active defense techniques: Defenders can place decoy data on systems that include documents, registry entries, log history, browsing history, connection history, and other user data. When attackers access these data elements, defenders can detect the attack early and alert on data exfiltration.
How Attivo helps: The BOTsink server supports deploying decoy documents on endpoints that detect and alert when attackers exfiltrate them. In addition, the EDN solution can hide and deny access to sensitive data on the local system.
Attivo products: BOTsink server; EDN suite

Ransomware technique: Collect sensitive data from remote systems via network shared drives before exfiltration
ATT&CK tactic: Collection
ATT&CK technique: T1039 - Data from Network Shared Drive
Shield technique: DTE0030 - Pocket Litter
Active defense techniques: Defenders can host decoy systems that appear as legitimate file systems and network file shares and that can detect attacks early and alert on data exfiltration. These can detect ransomware collecting data from a monitored decoy share or system.
How Attivo helps: The BOTsink server deploys decoys that can host open network file shares or anonymous FTP servers. The EDN suite can also map these fake file servers as hidden shares on endpoints. As a result, ransomware attempting to collect data from them leads to early detection.
Attivo products: BOTsink server; EDN suite

Ransomware technique: Leverage legitimate tools for redundant remote access to compromised networks
ATT&CK tactic: Command and Control
ATT&CK technique: T1219 - Remote Access Software
Shield technique: DTE0017 - Decoy System
Active defense techniques: Defenders can install remote access tools on decoy systems across the network to see if the adversary uses these tools for command and control.
How Attivo helps: The BOTsink server proxies internet access from the decoy environment. Defenders can watch the interactions between decoys and the C2 servers. This capability provides the intelligence to build an effective response and protect customers.
Attivo products: BOTsink server

Ransomware technique: Encrypt files or data on the victim's local and remote drives, then extract monetary compensation from the targeted organization in exchange for decryption
ATT&CK tactic: Impact
ATT&CK technique: T1486 - Data Encrypted for Impact
Shield techniques: DTE0034 - System Activity Monitoring; DTE0005 - Backup and Recovery
Active defense techniques: Defenders can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption. They can back up data regularly and store the backups offline from the system. If an adversary destroys or alters data, the defender could selectively restore data from backup to see how the adversary reacts.
How Attivo helps: The EDN suite has two specific offerings that can help prevent or decrease the impact of ransomware attacks: 1. It monitors and alerts on behavioral anomalies at the endpoints. These abnormal behaviors could be techniques like collection, evasion, or impact. 2. It also offers the capability to take backups of sensitive data automatically within the endpoints.
Attivo products: EDN suite

CONCLUSION
As long as cybercriminals can make money, ransomware will remain a problem for the foreseeable future.
Organizations may feel that having sufficient backups can help recover from ransomware infections, though this is
not a foolproof strategy. It is far better to prevent the compromise in the first place than deal with ransom payments,
disruption of business, and the costs to restore services. While perimeter security solutions can catch commodity
malware, advanced ransomware attacks repeatedly demonstrate that they can evade these defenses to infiltrate
and infect an internal system. Catching these attackers early as they use advanced tactics to move laterally, encrypt
critical systems, and compromise data is paramount in limiting the damage they can cause.
ABOUT ATTIVO NETWORKS®
Attivo Networks®, the leader in identity detection and response, delivers a superior defense for preventing privilege
escalation and lateral movement threat activity. Customers worldwide rely on the ThreatDefend® Platform for
unprecedented visibility into risks, attack surface reduction, and attack detection. The portfolio provides patented
innovative defenses at critical points of attack, including at endpoints, in Active Directory, and cloud environments.
Data concealment technology hides critical AD objects, data, and credentials, eliminating attacker theft and misuse,
particularly useful in a Zero Trust architecture. Bait and misdirection efficiently steer attackers away from production
assets, and deception decoys obfuscate the attack surface to derail attacks. Forensic data, automated attack
analysis, and automation with third-party integrations serve to speed threat detection and streamline incident
response. ThreatDefend capabilities tightly align to the MITRE ATT&CK Framework and deception and denial are now
integral parts of NIST Special Publications and MITRE Shield active defense strategies. Attivo has 150+ awards for
technology innovation and leadership. www.attivonetworks.com
© 2021 Attivo Networks. All rights reserved. ANWP070921