Attackers are going to do their best to breach you. And if they invest enough time and technology, they will probably succeed. Put enough obstacles in their path, however, and as you wear down their resources, you have a very good chance of stopping them. Today, defense-in-depth is viewed as a reliable and proven way to prevent ransomware.

Yet while the practice of defense-in-depth is recognized by agencies like CISA, many, if not most, organizations get the practice of building defensive layers against ransomware wrong. When you’re a target for threats that get past your firewalls, antivirus (AV) solutions, endpoint detection and response (EDR) platforms, etc., another layer of controls that work on the same principle of threat detection and response will do little to stop them.

Complex and evasive threats continue to evolve. Consider a Cobalt Strike beacon that loads into device memory at runtime, an evasive malware strain with polymorphic signatures, an exploit targeting a zero-day or the next big supply chain threat. These and other advanced threats won’t show up on telemetry-based controls or respect their signature libraries or behavior analysis. To stop them, you need to build redundancy and resiliency into your ransomware defensive posture.

Also called failure protection by NIST, redundancy is the security boost you get when you deploy multiple protection mechanisms in your environment that operate on different principles. When you have redundancy, you gain resiliency (i.e., the ability to withstand and recover from repeated attacks).

To achieve redundancy against modern ransomware threats, you need another control layer in your environment—one that defeats ransomware through a novel defensive method. Emerging technology like Automated Moving Target Defense (AMTD) can close this gap and prevent ransomware attacks at multiple phases, from early infiltration to safeguarding critical systems when ransomware attempts to execute.

Ransomware Threat Evolution

“Ransomware is a threat to national security, public safety, and economic prosperity.” The National Cybersecurity Strategy‘s description of ransomware risk is a nod to the new reality of ransomware—one of the most dangerous risks our world faces, cyber or not.

For individual organizations, betting on reaction and recovery against this risk is a failing strategy. Attacks now target backups, and it’s also no longer sustainable to rely on insurance: a recent report noted a 100% increase in insurance premiums.

Ransomware has existed for over 30 years. But what’s changed over the last few years is potential profits—as profits soar, malware developers and operators have dramatically upped their game, refining techniques to help malware successfully evade defense mechanisms.

Take the 2021 Health Service Executive Conti attack as an example. This ransomware attack on Ireland’s national healthcare system compromised over 80,000 endpoints and effectively shut down healthcare services in an entire country. The attack succeeded for several reasons, but a core one was that Conti could evade the AV and similar security solutions on the HSE’s endpoints.

Conti used fileless techniques to move laterally from endpoints to servers without raising any alarms. It could also load malicious encryption code (DLLs) into device memory and execute the ransomware there, at runtime, in a space that AVs and similar solutions cannot scan.

More ransomware attacks are using this memory compromise method alongside other evasive techniques. From hijacking legitimate tools to relying on scripts that only load from memory during a device operation, threat actors are increasingly looking at security control weak spots and targeting their efforts toward them.

Ransomware Defense with AMTD

Automated Moving Target Defense (AMTD) is an emerging technology that morphs runtime memory environments. AMTD changes an application’s attack surface by deterministically moving attackable assets (such as hashed memory passwords) into unexpected places. It then leaves skeletons of the original assets to trap threats and isolate executables.

AMTD builds depth into ransomware defense and adds assurance by reducing exposure to known MITRE ATT&CK ransomware tactics, including initial access, persistence, privilege escalation, defense evasion, lateral movement, and impact.

This happens through four added layers of protection:

  1. Data encryption and destruction protection — Most ransomware attacks succeed in encrypting data. However, when AMTD is installed on an endpoint or server, the system resources targeted by malicious code are not where its creator expects them to be. Instead, what looks like system resources are decoys. Code that attempts encryption against a decoy is automatically terminated and captured for forensic analysis, while the actual system resource remains protected, thereby denying encryption.
  2. System recovery tamper protection — According to Acronis, leading ransomware groups, such as LockBit and ALPHV, have evolved to target backups directly, necessitating robust defenses to prevent successful attacks. Specifically, ransomware attacks target the system shadow copies that backups rely on. AMTD blocks access to shadow copies by ending any unauthorized process that tries to access them.
  3. Credential theft protection — Credential dumping is one of the most common MITRE ATT&CK techniques in the wild. Almost all ransomware attackers will try to access passwords stored in browsers, RDP clients, SAM hashes, etc. AMTD deterministically hides the location of these credentials and stops threats from finding them.
  4. Runtime memory protection — Research from Webroot found that 94 percent of attacks are now polymorphic. Many execute in memory during runtime instead of on a device disk. AMTD protects runtime by morphing (randomizing) runtime memory to create an unpredictable attack surface. It moves application memory, APIs, and other system resources while leaving decoy traps in their place. With the adoption of generative AI this will only increase moving forward, as threat actors will have the resources to adapt malware at an unprecedented pace.
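Layers 2 and 3 above describe behaviours (shadow-copy tampering and SAM credential dumping) that a defender can also watch for in process-creation telemetry as a complementary, detection-side control. The following is an added example, not Morphisec's code and not part of the original post: a minimal classifier run over a handful of constructed process events. The event field names, the `BackupAgent` path used as an authorized shadow-copy manager, and the sample events themselves are all assumptions made for illustration.

```python
"""Added example (not Morphisec's code): flag process events that match the
shadow-copy tampering and SAM-hive dumping behaviours described above.
Field names are assumptions loosely modelled on Sysmon/4688 process-creation
fields; they do not follow any specific product's schema."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the executable that started
    command_line: str
    parent_image: str   # full path of the parent process


# Command-line indicators of backup / shadow-copy tampering (ATT&CK T1490).
SHADOW_COPY_PATTERNS = (
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
)

# Command-line indicators of offline SAM/SECURITY/SYSTEM hive copies
# (credential dumping, ATT&CK T1003.002).
CREDENTIAL_PATTERNS = (
    re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I),
)

# Hypothetical allow-list: parents permitted to manage shadow copies. A real
# deployment would key this on signer/hash rather than path alone; the point
# here is that "unauthorized" must be defined, or backup jobs become noise.
AUTHORIZED_SHADOW_MANAGERS = frozenset({
    r"c:\program files\backupagent\agent.exe",   # assumed backup product path
})


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of finding labels that apply to one event."""
    findings: list[str] = []
    if any(p.search(ev.command_line) for p in SHADOW_COPY_PATTERNS):
        # Shadow-copy deletion is legitimate when driven by the backup agent.
        if ev.parent_image.lower() not in AUTHORIZED_SHADOW_MANAGERS:
            findings.append("shadow-copy-tampering")
    if any(p.search(ev.command_line) for p in CREDENTIAL_PATTERNS):
        findings.append("sam-hive-dump")
    return findings


def scan(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """Run classify() over a batch and return (host, image, finding) triples."""
    return [(ev.host, ev.image, f) for ev in events for f in classify(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("ws-01", r"corp\alice", r"C:\Windows\notepad.exe",
              "notepad.exe report.txt", r"C:\Windows\explorer.exe"),
    ProcEvent("ws-01", r"corp\alice", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv-backup", r"nt authority\system",
              r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /for=C: /oldest",
              r"C:\Program Files\BackupAgent\agent.exe"),
    ProcEvent("ws-02", r"corp\bob", r"C:\Windows\System32\reg.exe",
              r"reg.exe save HKLM\SAM C:\Users\Public\sam.hiv",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for host, image, finding in scan(SAMPLE_EVENTS):
        print(f"{host}: {finding} via {image}")
```

The third sample event is the one to note: the same shadow-copy deletion that is flagged on a workstation is allowed when the backup agent is the parent, which is the "unauthorized process" distinction the layer list relies on and the source of the false-positive problem the OT post below warns about.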

Coming off a year in which ransomware attacks reached record levels, it’s safe to assume attackers will continue their assault through 2024. For businesses, it’s time to go on the offensive and your best bet is to double down on ransomware assurance with defense-in-depth and AMTD.

Brad LaPorte, Chief Marketing Officer at Morphisec and former Gartner Analyst

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of its time.

The post How to stop ransomware for good — and add the missing layer to ransomware resiliency appeared first on Cybersecurity Insiders.

[By Oren Dvoskin, Director of Product Marketing at Morphisec]

The global cybersecurity market continues to soar, and for good reason: cybercriminals are becoming increasingly sophisticated and effective. In fact, it’s safe to say that the sophistication of today’s criminals is far outpacing the evolution of the defenses they are attacking.

A great example of this mismatch is the explosion of malware executing modern battlefield attacks. These attacks first started emerging in the mid-2010s, but it wasn’t until recent years that there has been a surge in activity—recent Aqua Nautilus research shows there’s been a 1,400% increase in modern-battlefield attacks in 2023. That’s a staggering figure, and when you consider that most security teams rely on detection-based solutions to detect and mitigate these attacks, there’s good reason for concern.

Detection-Based Solutions Come Up Short

Endpoint protection platforms (EPP), endpoint detection and response (EDR/XDR), and antivirus (AV) are effective when malware relies on executables. That’s because executables leave behind evidence, such as attack patterns and signatures, that helps teams identify them. But today, with attack chains increasingly targeting device memory during runtime, the signatures to detect or behavior patterns to analyze are no longer there. This leaves traditional defenders with limited visibility. It’s true that evidence of these threats can surface over time, but by then, it’s usually too late for defenders to do anything.

Going Inside Modern Cyber Battlefield Attacks

For those less familiar with modern cyber battlefield attacks, they can be installed with or without associated files, and their preferred area of operation lies in a very specific window: the time between an end user starting an application and closing it. Attackers target this space because what occurs in device memory during an application’s runtime is mostly invisible to defenders.

To understand this invisibility, consider how a security solution might try to scan an application while it’s in use. It would need to scan device memory multiple times during the application’s lifetime while listening to the correct triggering operations and finding malicious patterns to catch an attack in progress. That might not sound too daunting but try scaling this to an organization with 1,000 or more employees.

A typical application’s runtime environment could have 4GB of virtual memory. To scan this volume of data effectively AND frequently would slow the application down to the point where it was unusable. Consider how that would impact an organization’s productivity or bottom line.

This leaves us with memory scanners that examine specific memory regions at specific times with specific parameters. At the end of the day, teams might gain insight, but it would be limited to three to four percent of application memory. I say might because modern battlefield threats often leverage obfuscation techniques that make them more difficult to detect. Now, the challenge of finding a single needle in a single haystack grows to finding a single needle in 100 haystacks.

And I haven’t even touched on the fact that these attacks also sidestep or tamper with the hooks most solutions use to spot attacks in progress. This allows attackers to linger undetected for extended periods—a remote access trojan (RAT), infostealer, or loader using application memory stays in a network for an average of around 11 days. For advanced threats like RATs and infostealers, this figure is closer to 45 days.

Modern Battlefield’s Many Faces

The modern cyber battlefield comprises more than a single type of threat — it’s a feature of attack chains that leads to a wide range of outcomes. For example, ransomware is not necessarily associated with memory runtime attacks. But to deploy ransomware, threat actors usually must infiltrate networks and escalate privileges. These processes tend to happen in memory at runtime.

These threats also don’t just target memory processes on Windows servers and devices. They target Linux. For example, a malicious version of Cobalt Strike was created by threat actors specifically for use against Linux servers. In industries like finance, where Linux is used to power virtualization platforms and networking servers, there’s been a violent surge in attacks. Attacks often compromise business-critical servers in-memory to set the stage for information theft and data encryption.

Stopping the Modern Cyber Battlefield Madness

From businesses to government entities and everything in between, the key is to begin focusing on stopping threats against application memory during runtime. It’s no good focusing exclusively on detection. That’s because the modern cyber battlefield and fileless malware are essentially invisible, and traditional security techniques, which build a castle wall around protected assets and rely on detecting malicious activity, won’t do you any good.

One proven answer is Defense-in-Depth, which features a security layer that prevents memory compromise from occurring in the first place. One technology option is Automated Moving Target Defense (AMTD). What makes AMTD so effective is that it creates a dynamic attack surface that even advanced threats cannot penetrate. This is because AMTD morphs application memory, APIs, and other operating system resources during runtime. It does this while applications are in use, with no impact on performance.

Think of this from a home security perspective. To keep the burglars out, AMTD continuously moves the doors to a house (front, back, basement — you name it) while simultaneously leaving fake doors behind in their place. These fake doors are what trap the malware for forensic analysis. In the event a burglar finds an actual door, it won’t be there when they come back. As a result, they cannot reuse an attack on the same endpoint or any other endpoint.

Now, rather than detecting attacks after they’ve happened, AMTD technology does what detection-based solutions cannot: it proactively blocks attacks without the need for any signatures or recognizable behaviors and, in doing so, makes Modern Battlefield attacks ancient history.

Oren T. Dvoskin, Product Marketing Director, Morphisec

Oren T. Dvoskin is Product Marketing Director at Morphisec, delivering endpoint protection powered by Automated Moving Target Defense. Before joining Morphisec, Oren was VP of OT & Industrial Cybersecurity marketing at OPSWAT, overseeing the company’s portfolio of OT and ICS security solutions. Previously, Oren held marketing and business leadership positions in cybersecurity, healthcare, and medical devices, with a prior extensive career in software R&D. Dvoskin holds an MBA from the Technion – Israel Institute of Technology, an undergraduate degree in computer science, and graduated from the Israeli Defense Forces MAMRAM programming course.

The post Shining a Light on Modern Cyber Battlefield Attacks appeared first on Cybersecurity Insiders.

By Jayakumar (Jay) Kurup, Global Sales Engineering Director at Morphisec

Securing operational technology (OT) creates unique challenges.

Zero tolerance of downtime in factories, ports, banks, treatment plants, and other OT environments means that standard security practices like patch management or deploying protective solutions onto endpoints can be almost impossible to uphold.

Sometimes this is due to cultural reasons (management’s fear of even the slightest chance of disruption); other times, it is technological. OT systems often come as closed systems with firmware and software installed by a supplier.

Despite these challenges, securing OT environments is still something that needs to happen. So, what do you do with an inherently vulnerable system that you don’t want to touch? You try to air-gap it. Great in theory. In practice, however, air-gapping an OT system or firewalling its protected network is only the beginning of hardening its overall security.

OT Attacks Are on the Rise

Whether for geopolitical purposes or to collect a ransom, disrupting or threatening the performance of OT systems can be a huge win for threat actors. This has always been the case, but with OT cyberattacks rising by 87% last year, the threat level to OT is higher than ever.

Since the kinetic conflict between Russia and Ukraine began, a cyber war has been fought in parallel. The result has been a global wave of OT attacks compromising companies like Rosent, Nordex, the UK postal service, and more.

Threat actors are also finding more ways to compromise OT environments.

Only a minority of infrastructural attack chains are the kind of “pure” OT compromises we famously saw in 2010 with Stuxnet, the 2018 Shamoon attacks on Saudi Aramco and more recently with the 2020 EKANS ransomware attacks against Honda and Enel. Instead, attacks can come from various vectors, including insiders, the business networks that connect to protected networks and OT assets, and downstream supply chain compromise, e.g., “Chinese Spy Cranes.”

These different vectors are all a threat to OT systems because fully air-gapping an OT system is impossible. Industrial control systems (ICS) need to connect to corporate TCP/IP networks periodically, and when they do, they can end up plugged into the wider network, exposing the system to potential vulnerabilities and risks.

Ransomware or malware that disrupts the flow of data into a system, severs connections between endpoints (as we saw in the Nordex attack), or exfiltrates proprietary information can shut down operations too.

The rise of remote access capabilities and business connectivity also means that OT networks are plugging into IT environments more than ever. Even in the most secure networks, blind spots and security gaps will emerge. OT users need point solutions to plug these gaps in a way that complements their legacy systems and security technology.

What OT Security Controls Need to Do

No single layer of security can be relied on to protect OT systems, and layering security (aka “defense in depth”) is critical. However, defense in depth isn’t possible without effective security controls. This is where many OT security programs struggle. Security solutions must overcome three serious challenges to stop threats in and around unconventional, resource-constrained, and reliability-focused OT systems.

First, anything deployed on an OT or OT-adjacent system needs to avoid the problem of false positive alerts. In OT environments, processes cannot be shut down because of false positives.

Second, protection must happen efficiently when deployed on resource-constrained devices, over low-bandwidth links, and within complex network topologies. In OT environments, solutions reliant on downloading updates (which can inadvertently expose assets) create risks.

Third, and most importantly, any OT security solution needs to stop advanced threats from propagating from the IT (business) network to the IT/OT DMZ and into the OT (operational) network. This is critical because these environments are targets for some of the world’s most well-resourced APTs, who can and will use zero days, fileless worms, trojans, and customized ransomware and malware to attack valuable targets.

Outside of OT environments, scanning-based solutions such as endpoint detection and response (EDR) platforms are being used to protect IT endpoints. In OT environments, however, they are not suitable solutions and will often heavily underperform. This is important since EPPs and EDRs rely on continual telemetry for signature and behavioral pattern updates and threat feeds. As a result, EDRs cannot operate properly in an air-gapped situation.

As these solutions scan for malware hooks, they use up scarce computing resources. Most EDRs are also incompatible with the diverse range of legacy OS, hardware, and applications that exist in a typical OT environment, and they create many false positives, none of which bodes well for their longevity in any sensitive site.

Most importantly, the biggest issue with using EDRs to protect OT-adjacent systems and networks is that they fail to detect fileless and evasive attacks reliably. Many threats don’t create the recognizable signatures EDR looks for. Advanced threats (such as Cobalt Strike) also operate in unscannable environments like device memory during runtime.

The same applies to solutions that use similar technology in other parts of the IT environment, such as NDRs deployed to analyze network traffic.

Protecting OT Environments with AMTD

Automated Moving Target Defense (AMTD) is a super lightweight, preventative solution that can be deployed in and around OT systems to shut down attack pathways.

AMTD is fundamentally suitable for OT environments because it stops threats without needing to detect them. It also does not require an internet connection, up-to-date telemetry, or modern OS versions.

Able to stop zero days, fileless, and evasive attacks, AMTD randomly morphs the runtime memory environment to create an unpredictable attack surface and leaves decoy traps where the targets were.

OT threats don’t follow standard playbooks. They are often unknown and dynamic, and, with the firewalls around OT systems dissolving, they come from more places. This is what a changing threat landscape looks like. As always, the best response is to double down on prevention. AMTD is a proven solution for preventing the worst threats OT security teams will ever experience.

The post How to Protect Operational Technology (OT) from Cyber Threats appeared first on Cybersecurity Insiders.