In 2021 ransomware attacks have been dominant among the bigger cyber security stories. Hence, I was not surprised to see that McAfee’s June 2021 Threat report is primarily focused on this topic.
This report provides a large range of statistics using the McAfee data lake behind MVISION Insights, including the Top MITRE ATT&CK Techniques. From that report I highlight the following MITRE techniques:
- Spear phishing links (Initial Access)
- Exploit public-facing applications (Initial Access)
- Windows Command Shell (Execution)
- User execution (Execution)
- Process Injection (Privilege escalation)
- Credentials from Web Browsers (Credential Access)
- Exfiltration to Cloud Storage (Exfiltration)
I also want to highlight one obvious technique which remains common across all ransomware attacks at the end of the attack lifecycle:
- Data encrypted for impact (Impact)
Traditional defences based on anti-malware signatures and web protection against known malicious domains and IP addresses can be insufficient to protect against these techniques. Therefore, for the rest of this article, I want to cover a few recent McAfee innovations which can make a big difference in the fight against ransomware.
Unified Cloud Edge with Remote Browser Isolation
The following three ransomware techniques are linked to web access:
- Spear phishing links
- User execution
- Exfiltration to Cloud Storage
Moreover, most ransomware attacks require some form of access to a command-and-control server to be fully operational.
McAfee Remote Browser Isolation (RBI) ensures that no malicious web content ever reaches the web browsers on enterprise endpoints by isolating all browsing activity to unknown and risky websites in a remote virtual environment. Against spear phishing links, RBI works best when the mail client runs in the web browser. User systems cannot be compromised if web code or files cannot run on them, which makes RBI the most powerful form of web threat protection available. RBI is included in most McAfee Unified Cloud Edge (UCE) licenses at no additional cost.
Figure 1. Concept of Remote Browser Isolation
McAfee Client Proxy (MCP) controls all web traffic, including ransomware web traffic initiated without a web browser by tools like MEGAsync and Rclone. MCP is part of McAfee Unified Cloud Edge (UCE).
Protection Against Fileless Attacks
The following ransomware techniques are linked to fileless attacks:
- Windows Command Shell (Execution)
- Process Injection (Privilege escalation)
- User Execution (Execution)
Many ransomware attacks also use PowerShell.
Figure 2. Example of an attack kill chain with fileless
McAfee provides a large range of technologies which protect against fileless attack methods, including McAfee ENS (Endpoint Security) Exploit Prevention and McAfee ENS 10.7 Adaptive Threat Protection (ATP). Here are a few examples of Exploit Prevention and ATP rules:
- Exploit 6113-6114-6115-6121 Fileless threat: self-injection
- Exploit 6116-6117-6122: Mimikatz suspicious activity
- ATP 316: Prevent PDF readers from starting cmd.exe
- ATP 502: Prevent new services from being created via sc.exe or powershell.exe
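To make the two ATP rules above concrete, here is an added example (not McAfee code, and not how ENS implements these rules) of the matching logic they express: a small rule engine that evaluates constructed process-creation events against a parent/child rule for PDF readers starting cmd.exe and a command-line rule for service creation through sc.exe or powershell.exe. The event format, the list of PDF reader image names and the command-line markers are assumptions made for the example.

```python
"""Toy process-event rule matcher modelled on the ATP rules listed in the article.
Constructed example; the event fields and rule details are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # image name of the parent process
    image: str          # image name of the newly created process
    command_line: str


@dataclass(frozen=True)
class Rule:
    rule_id: int
    description: str
    images: FrozenSet[str]                     # process image names the rule watches
    parents: Optional[FrozenSet[str]] = None   # restrict to these parents (None = any parent)
    cmdline_markers: Tuple[str, ...] = ()      # any of these substrings must appear (empty = no check)

    def matches(self, ev: ProcessEvent) -> bool:
        if ev.image.lower() not in self.images:
            return False
        if self.parents is not None and ev.parent_image.lower() not in self.parents:
            return False
        if self.cmdline_markers:
            cl = ev.command_line.lower()
            return any(marker in cl for marker in self.cmdline_markers)
        return True


# Rule 316: a PDF reader spawning cmd.exe (PDF reader names are an assumption).
# Rule 502: service creation via sc.exe or powershell.exe (markers are an assumption).
RULES = [
    Rule(316, "PDF reader starting cmd.exe",
         images=frozenset({"cmd.exe"}),
         parents=frozenset({"acrord32.exe", "acrobat.exe", "foxitreader.exe"})),
    Rule(502, "New service created via sc.exe or powershell.exe",
         images=frozenset({"sc.exe", "powershell.exe"}),
         cmdline_markers=("create", "new-service")),
]


def evaluate(events: List[ProcessEvent], rules=RULES) -> List[Tuple[str, int]]:
    """Return (host, rule_id) for every event that matches a rule."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                hits.append((ev.host, rule.rule_id))
    return hits


# Constructed sample events: two that should match, three benign ones.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "AcroRd32.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("ws01", "explorer.exe", "cmd.exe", "cmd.exe"),
    ProcessEvent("srv02", "cmd.exe", "sc.exe", 'sc.exe create updsvc binPath= "C:\\Users\\Public\\upd.exe"'),
    ProcessEvent("srv02", "cmd.exe", "sc.exe", "sc.exe query TermService"),
    ProcessEvent("ws03", "winword.exe", "powershell.exe",
                 'powershell.exe -Command "New-Service -Name updsvc -BinaryPathName C:\\Users\\Public\\upd.exe"'),
]

if __name__ == "__main__":
    for host, rule_id in evaluate(SAMPLE_EVENTS):
        print(f"{host}: rule {rule_id} matched")
```

Rule 316 is purely a parent/child relationship, so the second event (cmd.exe launched from Explorer) does not fire; rule 502 keys on the command line, so `sc.exe query` is ignored while `sc.exe create` and `New-Service` are flagged.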
Regarding the use of Mimikatz in the example above, the new McAfee ENS 10.7 ATP Credential Theft Protection is designed to stop attacks against Windows LSASS so that you do not need to rely on the detection of Mimikatz.
Figure 3. Example of Exploit Prevention rules related to Mimikatz
ENS 10.7 ATP is now included in most McAfee Endpoint Security licenses at no additional cost.
Proactive Monitoring and Hunting with MVISION EDR
To prevent initial access, you also need to reduce the risks linked to the following technique:
- Exploit public-facing applications (Initial Access)
For example, RDP (Windows Remote Desktop Protocol) is a common initial access vector in ransomware attacks. You may already have a policy that prohibits or restricts RDP, but how do you know it is enforced on every endpoint?
With MVISION EDR (Endpoint Detection and Response) you can perform a real time search across all managed systems to see what is happening right now.
Figure 4. MVISION EDR Real-time Search to verify if RDP is enabled or disabled on a system
Figure 5. MVISION EDR Real-time Search to identify systems with active connections on RDP
MVISION EDR maintains a history of inbound and outbound network connections from the client. Performing a historical search for network traffic can identify systems that actively communicated on port 3389 with unauthorized addresses, potentially detecting exploitation attempts.
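As an added example (not McAfee code, and independent of the EDR query language), the following script runs the three checks described above offline over constructed data: which systems have RDP enabled according to the Terminal Server registry setting, which systems have RDP policy disabled yet still show inbound port 3389 connections (the "is the policy enforced?" question), and which port 3389 connections involve addresses outside an authorized range. The record format, host names, addresses and the authorized jump-host subnet are assumptions made for the example.

```python
"""Offline RDP exposure checks modelled on the EDR real-time and historical
searches the article describes. Constructed example; all data is made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

RDP_PORT = 3389

# Assumption: only the admin jump-host subnet may source or receive RDP.
AUTHORIZED_RDP_NETWORKS = [ip_network("10.10.50.0/24")]


@dataclass(frozen=True)
class ConnectionRecord:
    host: str
    direction: str       # "inbound" or "outbound"
    local_port: int
    remote_port: int
    remote_address: str
    timestamp: str


# Constructed inventory of the per-host 'fDenyTSConnections' value under
# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server (1 = RDP disabled, 0 = enabled).
RDP_POLICY_STATE: Dict[str, int] = {"ws01": 1, "ws02": 0, "srv02": 0}

# Constructed connection history, in the shape an EDR historical search might return.
SAMPLE_CONNECTIONS = [
    ConnectionRecord("ws01", "inbound", 3389, 51022, "10.10.50.7", "2021-06-01T08:02:11Z"),
    ConnectionRecord("ws02", "inbound", 3389, 51101, "10.10.50.7", "2021-06-01T09:15:40Z"),
    ConnectionRecord("ws02", "inbound", 3389, 40133, "203.0.113.45", "2021-06-01T23:41:03Z"),
    ConnectionRecord("srv02", "outbound", 49812, 3389, "192.168.7.30", "2021-06-02T01:07:55Z"),
    ConnectionRecord("ws01", "outbound", 52210, 443, "203.0.113.10", "2021-06-02T07:30:00Z"),
]


def hosts_with_rdp_enabled(policy_state: Dict[str, int]) -> List[str]:
    """Real-time-search equivalent: hosts whose registry value says RDP is enabled."""
    return sorted(host for host, deny in policy_state.items() if deny == 0)


def is_rdp_record(rec: ConnectionRecord) -> bool:
    """A connection is RDP if the listening side's port is 3389."""
    port = rec.local_port if rec.direction == "inbound" else rec.remote_port
    return port == RDP_PORT


def is_authorized(address: str) -> bool:
    ip = ip_address(address)
    return any(ip in net for net in AUTHORIZED_RDP_NETWORKS)


def unauthorized_rdp_connections(records: List[ConnectionRecord]) -> List[ConnectionRecord]:
    """Historical-search equivalent: RDP traffic with an address outside the allowed range."""
    return [r for r in records if is_rdp_record(r) and not is_authorized(r.remote_address)]


def policy_violations(policy_state: Dict[str, int], records: List[ConnectionRecord]) -> List[str]:
    """Hosts where policy says RDP is disabled but inbound RDP connections were still seen."""
    seen_inbound = {r.host for r in records if r.direction == "inbound" and is_rdp_record(r)}
    return sorted(h for h in seen_inbound if policy_state.get(h) == 1)


if __name__ == "__main__":
    print("RDP enabled on:", hosts_with_rdp_enabled(RDP_POLICY_STATE))
    print("Policy not enforced on:", policy_violations(RDP_POLICY_STATE, SAMPLE_CONNECTIONS))
    for r in unauthorized_rdp_connections(SAMPLE_CONNECTIONS):
        print(f"{r.host} {r.direction} RDP with unauthorized {r.remote_address} at {r.timestamp}")
```

The outbound case matters as much as the inbound one: a server initiating RDP to another internal host outside the jump-host range is exactly the lateral movement pattern a historical search is meant to surface, and the policy-violation check answers the enforcement question by comparing what the policy says with what the network history shows.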
MVISION EDR also enables proactive monitoring by a security analyst. The Monitoring Dashboard helps the analyst in the SOC quickly triage suspicious behavior.
For more EDR use cases related to ransomware see this blog article.
Actionable Threat Intelligence
With MVISION Insights you do not need to wait for the latest McAfee Threat Report to be informed on the latest ransomware campaigns and threat profiles. With MVISION Insights you can easily meet the following use cases:
- Proactively assess your organization’s exposure to ransomware and prescribe how to reduce the attack surface
- Detect whether you have been hit by a known ransomware campaign
- Run a Cyber Threat Intelligence program despite a lack of time and expertise
- Prioritize threat hunting using the most relevant indicators
These use cases are covered in the webinar How to fight Ransomware with the latest McAfee innovations.
Regarding the following technique from the McAfee June 2021 Threat Report:
Credentials from Web Browsers (Credential Access)
MVISION Insights can display the detections in your environment as well as prevalence statistics.
Figure 6. Prevalence statistics from MVISION Insights on the LAZAGNE tool
MVISION Insights is included in several Endpoint Security licenses.
Rollback of Ransomware Encryption
Now we are left with the last technique in the attack lifecycle:
- Data encrypted for impact (Impact)
McAfee ENS 10.7 Adaptive Threat Protection (ATP) provides dynamic application containment of suspicious processes and enhanced remediation with an automatic rollback of the ransomware encryption.
Figure 7. Configuration of Rollback remediation in ENS 10.7
You can see how files impacted by ransomware can be restored through Enhanced Remediation in this video. For more best practices on tuning Dynamic Application Containment rules, check the knowledge base article here.
Additional McAfee Protection Against Ransomware
Last year McAfee released this blog article covering additional capabilities from McAfee Endpoint Security (ENS), Endpoint Detection and Response (EDR) and the Management Console (ePO) against ransomware including:
- ENS Exploit prevention
- ENS Firewall
- ENS Web control
- ENS Self protection
- ENS Story Graph
- ePO Protection workspace
- Additional EDR use cases against ransomware
Summary
To increase your protection against ransomware you might already be entitled to:
- ENS 10.7 Adaptive Threat Protection
- Unified Cloud Edge with Remote Browser Isolation and McAfee Client Proxy
- MVISION Insights
- MVISION EDR
If you are, you should start using them as soon as possible, and if you are not, contact us.