As the attack methods and strategies of our cyber adversaries continue to expand, organizations must stay ahead of those threats most likely to affect individual networks and connected resources. According to Fortinet’s most recent global Threat Landscape Report, not only are cybercriminals using new attack methods (even for older attacks), but they are also using new strategies to obscure their presence and evade detection.
This includes expending resources on reconnaissance to deliver targeted attacks better, and new evasion techniques to ensure their objectives aren’t interrupted. These few examples show how cybercriminals are leveraging speed, the expanding attack surface, and the complexity of today’s threat landscape to find and exploit weaknesses in today’s networks.
As a result, organizations must tie their integrated security strategy with relentlessly staying on top of emerging attacks. This enables them to prioritize the implementation of specific defenses as well as reinforce essential cybersecurity fundamentals.
The Evolution of Ransomware
Ransomware is a perfect example of the evolution of an ongoing threat. Just as ransomware looked like it was about to be replaced with cryptomining, it has returned with a vengeance. The first evidence was a rash of highly targeted attacks that occurred earlier in the year. LockerGoga, for example, used deep reconnaissance to identify prime targets and effectively evade security solutions already in place.
And, RobinHood (or RobbinHood), and similar ransomware variants such as Ryuk, have expanded on this strategy by actively targeting specific municipalities across the US. These new tools have expanded the usual functionality of ransomware. RobbinHood is also able to disable Windows services that prevent data encryption and the ability of systems to disconnect from shared drives, ensuring maximum exposure to malicious data encryption.
Ryuk uses advanced evasion tactics, including destroying its encryption key and deleting shadow copies on an infected system, to ensure that defenders are unaware of its presence until after it is too late. And just recently, a ransomware called Sodinokibi (aka Sodin) has surfaced that exploits a recently announced critical vulnerability that enables arbitrary remote code execution. The impact of this exploit could be severe because this vulnerability allows a system to become infected without the victim doing anything to trigger it.
The Rise of Anti-Analysis Strategies
Another critical area that security teams need to stay on top of is the growing number of new techniques being developed to avoid detection. During the last quarter, several new evasion and anti-detection strategies have been introduced.
For example, AndroMut is a downloader that rose into prominence last quarter. It is notorious for downloading malware such as the FlawedAmmyy RAT. However, it’s real claim to notoriety is that it includes not only sandbox detection, which is becoming rather common but also an emulator verification tool.
This tool checks to ensure that the malware is running in a live environment rather than in an emulator, shutting down if it detects that it is being run in a non-production environment so that security analysts can not see it. In addition, at least two other downloaders – a new tool named Brushaloader and a new version of JasperLoader – were also detected last quarter that employ similarly advanced evasion mechanisms, including location verification capabilities and sleep timers for delayed execution.
This growing use of anti-analysis and evasion tactics pose a severe challenge to enterprise organizations and underscores the need for multilayered defenses that go beyond traditional signature and behavioral-based threat detection.
Why Just Monitoring General Trends can be Misleading
The challenge is that anyone simply monitoring general ransomware trends could easily assume that it was in decline and take their eye off the ball. That’s because, in spite of recent high profile attacks, the quantity of ransomware detections has been dropping for some time, even during Q2. But part of the reason is that general opportunistic ransomware attacks are being replaced with very targeted exploits.
These combine reconnaissance with the careful disabling of security tools and services and advanced evasion techniques. And the results can be devastating. Likewise, only prioritizing those attacks that show up on the radar of general threat reports may not prepare you to discover and respond to threats that are specifically designed to avoid being detected.
Securing Today’s Networks Starts with Threat Intelligence and Integration
To effectively manage and mitigate the cyber risks organizations face today, it is essential that today’s security leaders monitor threat intelligence from a variety of sources, and then prioritize those risks that map to their unique network environment.
But that approach needs to be coupled with a security strategy designed to see and stop, or at the least, strategically limit the impact of an attack coming from an unexpected quarter. That starts with an integrated security approach that incorporates every security element deployed anywhere across the distributed network into a single security fabric.
That strategy then needs to be augmented with intent-based segmentation, consistent and relentless best security practices, and automation combined with machine learning. AI is also increasingly essential as it can take over tedious tasks such as patching, as well as find and respond to threats at digital speeds.
Any security strategy that does not include all of these essential elements will be unable to achieve the degree of visibility and control that today’s networks require. This, in turn, will unnecessarily expose the network to the efforts of today’s determined cybercriminal organizations.