In many organizations, endpoints see virtually constant change. Users access, download, and utilize applications, data, drivers, files, toolbars, widgets, etc., introducing both new security threats and undocumented changes in systems and processes. For better or for worse, all of these activities leave their mark on the endpoint.
HEAT has engaged in endpoint security at a pivotal time in IT history. In the past two years, security and IT teams have gained a renewed understanding of the importance of protecting the endpoint as part of the overall security program. In a 2015 EMA study, “Data-Driven Security Reloaded,” IT and security professionals ranked endpoint security solutions among the best value for their programs based on total cost of ownership. Endpoint security moved from 9th place in the 2014 report to tying for second place in the 2015 report. The reason for this renewed attention is simple: the endpoint is where all of the action happens. Malware lands, attackers launch, lateral movement originates and terminates on the endpoint, and that is where data is accessed.
One of the rising threats in the endpoint landscape is ransomware. The Federal Bureau of Investigation said it had received 992 complaints related to CryptoWall ransomware, only one of several variants, between April 2014 and June 2015 with losses totaling $18 million. The agency warned that companies may not be able to get their data back following an infection without paying a ransom.
This intriguing and potentially devastating branch of malware is generally delivered through a malicious attachment, but it can also arrive through a drive-by download or a malicious link. Once delivered, if it succeeds in evading antivirus, it uses asymmetric (public key) encryption to encrypt any files the user has access to, working through the local disk and then on to any network-attached drives. The public key is used to encrypt the data, while the private key is sent to the attacker over a command and control channel and all traces of it are wiped from the system. At some point the malware displays a screen stating that the data has been encrypted and that the user must pay a ransom (extortion fee) to retrieve the private key, and thus the encrypted data. The only other alternative is to wipe and reimage the machine and restore the data files from any backups that were not encrypted.
As I mentioned earlier, ransomware has to get past the antivirus. This may not sound difficult, but at roughly quarterly intervals ransomware authors and distributors launch new campaigns using one or more code obfuscation techniques. These range from simple tactics, such as modifying file names and attributes or making small code changes that alter the cryptographic hash (fingerprint), to slightly more involved approaches, such as repacking the code or altering the base encoding, to more advanced techniques, such as encrypting portions of the code and using process hijacking/piggybacking. Each of these can bypass traditional signature-based antivirus protections. At the trailing edge of a ransomware campaign, a signature-based antivirus will detect and stop the malware because the new variant has been documented; catching the redeployed variants at the leading edge of a campaign, however, requires more than a signature-based approach. This means IT and security professionals need to look to other, more advanced protections to keep their data safe from emerging threats.
There are a number of strategies that security organizations can use to defend their systems against ransomware and other advanced malware. One of them is application control/whitelisting. With this defensive strategy, administrators and system owners can easily identify the applications authorized to run in their environment and enforce a comprehensive policy that allows only those applications to execute. Thus, unauthorized applications such as malware are stopped before any unauthorized changes can be made. Simply put, if it is not on the list, it does not get to run. This approach has been very successful against ransomware because it does not allow the malware application to unpack, encrypt, or communicate with the command and control server.
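The contrast between the two defenses described above, as an added illustration that is not part of the original post or of any HEAT product: a signature-based antivirus is modelled as a denylist of known-bad file hashes, application control as an allowlist of known-good hashes, and the "small code change" at the start of a new campaign as a single appended byte. The file contents and names are constructed stand-ins, not real binaries.

```python
import hashlib

# Constructed stand-ins for executable files (byte strings, not real binaries).
AUTHORIZED_APPS = {
    "notepad.exe": b"MZ\x90\x00 notepad sample bytes (constructed)",
    "excel.exe": b"MZ\x90\x00 excel sample bytes (constructed)",
}
DOCUMENTED_MALWARE = b"MZ\x90\x00 ransomware sample bytes (constructed)"


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file contents: the cryptographic hash a signature keys on."""
    return hashlib.sha256(data).hexdigest()


# Signature-based antivirus: a denylist of fingerprints of documented samples.
AV_SIGNATURES = {fingerprint(DOCUMENTED_MALWARE)}
# Application control: an allowlist of fingerprints of authorized applications.
ALLOWLIST = {fingerprint(blob) for blob in AUTHORIZED_APPS.values()}


def av_allows_execution(sample: bytes) -> bool:
    """Default-allow: run anything that does not match a known-bad signature."""
    return fingerprint(sample) not in AV_SIGNATURES


def appcontrol_allows_execution(sample: bytes) -> bool:
    """Default-deny: run only what matches a known-good fingerprint."""
    return fingerprint(sample) in ALLOWLIST


def small_code_change(sample: bytes) -> bytes:
    """Stand-in for the 'small code change' of a new campaign wave: one
    appended padding byte is enough to change the cryptographic hash."""
    return sample + b"\x00"


def verdicts(sample: bytes) -> dict:
    """Both models' execution decisions for one sample, keyed by defense name."""
    return {
        "signature_av": av_allows_execution(sample),
        "application_control": appcontrol_allows_execution(sample),
    }


if __name__ == "__main__":
    print("documented sample:", verdicts(DOCUMENTED_MALWARE))
    print("repacked variant: ", verdicts(small_code_change(DOCUMENTED_MALWARE)))
    # Caveat: a hash-only allowlist also blocks a legitimately patched app until
    # the policy is updated, which is why flexible application identification matters.
    print("patched notepad:  ", verdicts(small_code_change(AUTHORIZED_APPS["notepad.exe"])))
```

The repacked variant slips past the denylist but is still refused by the allowlist; the patched legitimate application shows the operational cost of a hash-only allowlist.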
As you look for advanced endpoint defenses, remember that “advanced” application control can overcome traditional challenges associated with standalone, point application-control products by providing innovative features that add policy-based control, flexible application identification and authorization, and overall ease of use. These kinds of advanced protections will continue to be critical defensive capabilities in the fight against malware and zero-day attacks.