Security Flowchart

Malware and ransomware attacks are growing by over 300 percent per year. Hackers are also getting more proficient at evading existing protection systems by employing polymorphic attacks. Pervasive networks and the rapid growth of IoT devices mean that there are many more possible attachment and attack points available for exploitation. The average 2017 loss to a successful attack, considering business disruption, emergency consulting and assistance fees and ransoms paid, was $3.8 million.

This is an older but still viable way to insert ransomware and other malware into a networked PC. The malware can be inserted into a picture or a PDF, and is activated when the picture or document is opened from the thumb drive.

This is the classic trick to insert malware into a network: offer a link to a file that contains malware or ransomware that automatically inserts itself on the user PC. Or offer a link pasted to a supposedly legitimate website – recent example of a successful exploit:

Your Adobe reader is out of date; click this link to update it.

This is the newest type of exploit, where external hackers probe public-facing servers, websites, and network routers for security violations. When they find vulnerabilities and it’s from one of their target markets they’ll use that new hole to access other network resources and plant ransomware and other malware. Internal hackers find ways to access restricted resources like servers, by connecting to a networked printer port.

Once a hacker or hacker program has found its way onto the internal network by bypassing the firewall as an email attachment or on a thumb drive, or has attached to a public-facing website, or has attached directly to an internal network, it does lateral reconnaissance to find vulnerable and exploitable resources.

Reconnaissance is used to discover and appropriate user credentials so that protected systems can be accessed. This can allow a hacker to pose as a user of an online banking application to transfer an account balance to some other account; looting the account. It can also allow a hacker to access customer files and financial information.

Hackers that have gained access will attempt to install ransomware on as many critical devices as possible. This installed software will wait for a command from an external computer to detonate on a device; locking it up and displaying a ransom demand. Newer versions of ransomware are designed to remain dormant until they are also on all viable backups, which makes the ‘destroy and rebuild from backup’ strategy no longer effective.

Hackers work to install control software on workstations that allow them to do part-time work for the hacker, under the control of a remote device. Hackers use these controlled devices to participate in Distributed Denial of Service, or DDoS attacks on some other organization, or to send out SPAM or to distribute more malware by sending out phishing messages.

This has fallen out of fashion, but is still possible (most hackers now intend financial gain, rather than disruption). External attacks from other, less protected organizations are possible (see the section on Bot Network Recruitment and Deployment) can disrupt target networks. Internal attacks from local devices are also possible.

We have created a new system using several well-established and Common Criteria-approved security products, working together as an integrated whole.  This system installs on any network quickly, and the three year total cost of even the larger system is less than one-thirtieth the cost of the average attack.  The system has advantages: 

• It works automatically to disconnect and mitigate threats as they happen
• It doesn’t rely on signatures to find and deal with malware but relies on activity, which is harder to evade
• It integrates with most existing networks and firewalls to improve protections
• You don’t have to be a security expert to run it
• It only sends you alerts when actual attacks are discovered and handled, instead of bombarding you the usual large volume of security alerts

The system creates a protected space where users can send suspect emails, and it then automatically opens the attachments or clicks on the embedded links, to make sure that the contents are safe. If the links and attachments contain malicious content, it rebuilds its local image, destroying the launched or opened malware. It notifies both the security team and the customer of what it finds: safe to open or not. This frees the IT staff from having to respond to user requests to look at emails, and the quick and automatic review makes users more liable to request email checks before opening suspicious emails.

The system creates a set of vulnerable servers, workstations or controllers that look like exploitable resources to any hacker doing reconnaissance. These instances can be configured to look like public-facing servers, internal servers, SCADA controllers, PC-based controllers, infusion pumps, monitors, or regular workstations. When the hacker engages with one of these fake instances the system traps the hacker into a relationship and learns its IP address, an IP address that the hacker is sending information to or receiving external control from, what kind of exploit it is, and what signatures it presents.

The system then communicates with the network switches and wireless access points, automatically telling them to disconnect and quarantine the hacker device. The system also links back to the serving Active Directory, RADIUS, TACACS or custom databases, correlates the IP address with the machine or user name, and gives those names to security; removing another manual step from a response. The system can also compare a device connecting to a restricted VLAN (example: a printer VLAN) with a list of authorized devices and disconnect and quarantine it. This disconnection also automatically blocks the lateral spread of malware on the internal network; limiting the number of devices that can be infected from a single compromised machine.

If the hacker device is on an external network the system sends a message to the firewall telling it to block that IP address; terminating the connection. This not only disconnects a hacker from the network, it also blocks any subsequent entry attempts. Most hackers doing reconnaissance will simply move on and exploit some other organization. The firewall can also block the external IP address of control machines, which means that if other malware from the same system remains on the network its connection for control or for sending data out of the network will be blocked.

The system learns the destination (relay) address of any external device that is scanning for receiving sensitive (credit card, Social Security Number, account) information and tells the firewall to block it. This means that malware designed to take sensitive or valuable information from the network and relay it to an outside destination is blocked.

A piece of software installed on critical servers and workstations can automatically redirect ransomware to one of the set of fake servers or workstations installed on the system, where it safely detonates there. The system then sends an alert to security, telling them the IP address and the name of the infected server or workstation. The server or workstation with ransomware continues to run for a while, allowing people to get to it and ‘rescue’ the data. This offers a defense against ransomware that has successfully penetrated the network and is already installed on a critical machine.

The system creates a protected site on one of the fake servers or workstations where the malware is analyzed and the signature of the malware is sent to the firewall for blocking, so that no local workstation or other networked device can originate an external attack. The system also then quarantines the infected workstation. This prevents the spread of the malware in yet another way.

A piece of software installed on servers and workstations can automatically run and continually assess the paths an attacker might use to compromise the system. This software creates a detailed topographical map of the resources, all possible network connections between them, and discovers all devices susceptible to compromise by outdated or incomplete passwords. It highlights vulnerabilities on the system caused by misconfigured systems and misused or orphaned credentials. Double-clicking on the device needing remediation can automatically pass alerts to workflow and incident management systems like ServiceNow and Jira.

The system is designed to feed directed alerts to external systems.  This can be as simple as sending an email to security staff when some real attack happens, or it can be an automatic remediation task generated by the vulnerability analysis component to a trouble ticketing system.  All system components can send alerts to a SIEM system; the difference between these alerts and the usual alerts received by a SIEM system is that they indicate actual attacks and not spurious background noise.

The individual components of system also send information between themselves; for example, the deception component telling the quarantine component to take action to exclude a local device or telling the firewall to block an external device.