With the advent of COVID19, the Cyberthreat Landscape has certainly changed, and unfortunately, it has been for the worse. Obviously, things were bad before it really hit, but now, things have gotten even crazier. It is only now that we are starting to get some grasp as to what the Cyber impacts have been, and what we have learned from them.
We are only yet at the tip of the iceberg of understanding all of this, but yet, there is much more to come as we finish out the year and start to roll into 2021 (can’t believe that I am actually talking about the new year already).
But there is one common denominator with all of this. And that is, the existing threat vectors will be there. They have been around for a long time, but what is different this time is the variants, or subsets of these will be coming out that are much more covert and stealthier to detect.
Heck, these new variants have become so sinister that they can even bypass the traditional antivirus and antimalware software packages that are available these days.
One such example of this is what is known as Ransomware. Yes, I have written about this before, and it is a term that is for the most part well heard of as a threat. But what really is it? Here is a technical definition of it:
“Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again. This class of malware is a criminal moneymaking scheme that can be installed through deceptive links in an email message, instant message or website. It has the ability to lock a computer screen or encrypt important, predetermined files with a password.”
So long story short, this is a kind of Malware that enters into your device, totally locks up the screen, and encrypts all of your files. The only way to gain access back to your device is to literally pay a ransom fee to the Cyberattacker usually via a virtual currency, and in theory, they are supposed to send you the decryption algorithms by which you can gain access to your files once again.
But things have evolved to the point now that there are telltale signs if you are actually going to become a victim of a Ransomware attack. Here is what to keep your eye out for:
*Keep track of your Active Directory log files:
This is also known as “AD” and is actually now available an accessible directly through Microsoft Azure. This is a tool in which you can create and keep track of all of your end user profiles, as well as all of their rights, privileges, and permissions that have been assigned to them. So, it is no wonder that AD is now becoming a favored target, especially with the WFH scenario. So in this regard, keep your eye on your log files, especially for those with failed login attempts. This is a strong clue that something could be coming down your way and fast.
*Keep monitoring your WynSysLog files:
In this regard, use the information and data that is presented here for any anomalous behavior that could be leading to credence that a brute force attack could be happening in your company. This is a threat variant in which the Cyberattacker throws everything they have (and yes, including the kitchen sink) at your lines of defense in order to gain access to the passwords that are currently being used. Also, be on the sharp lookout for any weird file copying behavior making use of such extensions as .bat, .zip, and .txt. Also make sure that wbadmin.exe is being used legitimately, as this is the command line tool that is used to create backups on Windows based systems.
*Watch for rogue internal network activity:
In this regard, you will want to centrally collect all of the logs and files that are outputted by all of your network security devices, which typically include the routers, firewalls, and the network intrusion devices. A great way to do this via a Security Incident and Event Manager (also known as a “SIEM”) software package. Everything can be tracked fairly quickly through just one view or dashboard, which will make looking for malicious activity in your network much easier to do. Also, it is very important that you keep a keen eye out for any unusual domains that could filter through your internal network that have never been seen or used before.
*Monitor VPN activity:
With the remote workforce now a reality for quite some time to come, the use of Virtual Private Networks (also known as “VPNs”) has become heavily used and is not starting to show its signs of pure strain and breakdowns. They were designed to work at certain network throughput levels, not the levels that we are seeing today. Because of this, the Cyberattacker is now penetrating through these particular vulnerabilities, in order gain access to the either or even both the home and corporate networks. So in this regard, you need to keep track of unusual time stamp activities (that fall typically outside your normal business hours) as well as the points of origin of these time stamps.
*Keep track of external network activity:
This is just as important as monitoring your internal network activity. In this instance, you want to keep track of any odd sounding DNS web requests that are made, especially those that are being redirected to what is known as a “TOR” based browser. This is a specialized tool that has been especially created to access the Dark Web in a more safe and secure manner.
*Make sure that your network security devices are working:
This is of course a no brainer, but when a Ransomware attack is looming, one of the typical signs is that your devices will be either redirected to conduct some sort of activity that it was not authorized to do, or they get shut down completely for unknown reasons. This is a strong clue that the Cyberattacker has broken through your lines of defenses, and that is something is going to transpire soon, which needs quick action to be taken.
My Thoughts On This
Well, there you have it, some top tips that you can use to sort of tell ahead of time if you are going to possibly become a victim of a Cyberattack. Obviously, everybody is at risk, but if you take heed of some of these warning signs, then hopefully that risk will become mitigated to some degree.
Probably two of the best ways to combat a Ransomware attack is to create backups constantly and create what are known as Virtual Machines (“VMs”) and Virtual Desktops (“VDs”) in the Cloud, such as using the AWS or Microsoft Azure. That way, you have an offsite place in which you can store your backups, and you also have other devices that you and your employees can use while you discard the ones that have been infected by a Ransomware attack, and find new devices to use.
In other words, if you are impacted, just throw out the infected devices, and start with new ones. That is why data backup is so crucial, especially in these cases.
So, this begs the question: Should you ever pay the Cyberattacker the ransom that they are demanding? I have my views on this, and there other people who have different opinions. But this is a topic for a future blog, so stay tuned!!!