Security Bull recently released the Application Guide for Ransomware Attack Protection Technology (2024 Edition), in which NSFOCUS was selected as one of the top 10 representative vendors in the field of ransomware attack protection technology for 2024, in recognition of its sustained work on ransomware attack protection.
As digital China advances, the application value of public, enterprise and personal data keeps rising, and attacks on networks, information and data emerge one after another, posing a serious threat to cyberspace security. With the number of ransomware attacks up 73% in 2023 and total ransom payments exceeding $1.1 billion, ransomware has become one of the most costly forms of cybercrime.
A comprehensive solution for ransomware attack protection
NSFOCUS's "Comprehensive Ransomware Attack Protection Solution" has been recognized by the industry for scientific, reasonable and effective ransomware attack protection. It forms an all-weather, all-round, full-scenario scheme of comprehensive monitoring and collection, adaptive collaborative analysis, automated orchestration and response, and whole-process management collaboration. In particular, the solution proposes three modules, pre-event risk investigation, in-process emergency response and post-event threat removal, and nine core capabilities, which have been unanimously recognized by industry experts and service customers.
* Comprehensive ransomware attack protection solution
1. Pre-event risk screening
Core capability 1: Rapid warning of ransomware attacks
Looking at the problem from the attacker's perspective, attend to the phases before, during and after the attack, so that ransomware can be anticipated and detected early and the probability of risk minimized.
Ransom threat intelligence services
Real-time and accurate risk warnings for customers, covering everything the ransomware intelligence platform can observe.
Extortion Attack Techniques (Blues) intelligence subscription service
Provide tactical and technical intelligence on ransomware groups active in the field, give tactical and technical guidance to the customer's blue army, help customers improve their offensive and defensive drill capabilities, enable customers to complete threat simulation and verification more effectively, and assist in prioritizing risks and threats.
Core capability 2: Special assessment of ransomware protection
Perimeter Protection Assessment
Focus on inspecting the bidirectional security defense strategy at the network perimeter; security devices commonly evaluated in perimeter scenarios currently include NF, WAF, IPS, etc.
Intranet penetration assessment
Computer A on the customer's internal network simulates an attack on computer B, i.e. an east-west network simulation attack; the intranet assessment scenario currently mainly evaluates the detection capability of security products including UTS, IDS, bypass IPS, WAF, etc.
Endpoint hardening assessment
An automated BAS appliance simulates an attack on an endpoint device to check whether endpoint security software can defend against and detect malware and behavior-based attacks. Endpoint security products such as EDR and EPP are currently the main subjects of evaluation in endpoint scenarios.
Ransom attack simulation assessment
Built-in common ransomware attack use cases and scenarios support simulated verification of domain name resolution, dropping ransomware to disk, ransomware execution and simulated execution.
Core capability 3: Regular ransomware attack drills
Use drills in place of training and training to promote prevention, helping to build anti-ransomware security.
Scenario design
The drill plan specifies the type, purpose, and description of the drill scenario.
Drill organization
Drill teams (attack teams, emergency response teams, detection and operation and maintenance personnel, business departments, regulators, and security enterprises).
Drill process
Clarify the participants and sort out the handling process in combination with the security plan.
Drill preparation
The drill involves preparing assets, drill tools (protection software, attack tools, etc.) and the drill environment.
Drill scenarios
Before the incident, occurrence of the ransomware incident, emergency investigation, fault recovery, drill reporting, and summary and improvement.
2. Emergency response during the event
Core capability 4: Emergency response to ransomware attacks
For ransomware attacks that have already occurred, carry out emergency response and handling as soon as possible and provide emergency response services, including:
Initial response phase
Ransomware Confirmation - Notification to Senior Management - Notification to Legal Team - Initiation of Cybersecurity Incident Emergency Response.
Containment phase
Identify Affected Hosts - Isolate Affected Hosts - Reset Affected Hosts.
Analysis phase
Conduct comprehensive analysis by preserving evidence, identifying ransomware family information, and identifying attack vectors & infection vectors.
Remedial action phase
Add threat indicators to the management platform, run antivirus and antimalware scans, remediate known vulnerabilities, and eradicate ransomware.
Recovery phase
Restore the infected host to a healthy state and restore data and policy configurations from backups.
Finally, conduct a review of the incident.
Core capability 5: Ransomware isolation and blocking
Endpoint attacks are one of the most important parts of ransomware attacks. The NSFOCUS Unified Endpoint Security Management System (UES) relies on NSFOCUS's self-developed endpoint abnormal behavior analysis engine and efficient, accurate threat intelligence data to effectively detect known and unknown threat scenarios such as APT attacks, ransomware, cryptomining, bots and worms, and zero-day vulnerabilities, and provides rapid response measures to block the spread of threats, delivering real-time and effective protection on the device side and preventing the spread of ransomware.
Step1 - "Open the Door"
Attackers compromise hosts and set up SSH backdoors to maintain persistent access. UES applies its network threat model to detect host security from the network-security perspective. Brute-force detection is currently supported: mainstream cracking methods over SSH, RDP, SMB, etc. can be monitored and discovered, and successful cracking is distinguished from ongoing cracking attempts. It also provides persistent backdoor detection to detect and effectively block shell behaviors initiated by attackers.
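To show what distinguishing successful from ongoing cracking looks like in practice, here is an added example (not NSFOCUS code and not part of the original article) that classifies SSH password-guessing sources from constructed sshd log lines; the failure threshold and the log format are assumptions.

```python
import re
from collections import defaultdict

# Outcome, user and source address of an sshd authentication result line.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

# Constructed sample log lines (not from the original page): one source that
# succeeds after repeated failures, one still failing, one normal key login.
SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:02 host1 sshd[2202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:04 host1 sshd[2204]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:05 host1 sshd[2205]: Accepted password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:01:01 host1 sshd[2301]: Failed password for backup from 198.51.100.9 port 50001 ssh2
Mar  3 10:01:02 host1 sshd[2302]: Failed password for backup from 198.51.100.9 port 50002 ssh2
Mar  3 10:01:03 host1 sshd[2303]: Failed password for oracle from 198.51.100.9 port 50003 ssh2
Mar  3 10:01:04 host1 sshd[2304]: Failed password for oracle from 198.51.100.9 port 50004 ssh2
Mar  3 10:02:00 host1 sshd[2400]: Accepted publickey for alice from 192.0.2.10 port 60001 ssh2
"""

def classify_sources(log_text, threshold=4):
    """Return {source_ip: verdict} for sources that behave like password guessers.
    'continuous cracking': at least `threshold` failures and no success so far.
    'successful cracking': a login accepted from a source that had already
    failed `threshold` or more times, i.e. the guessing worked.
    """
    failures = defaultdict(int)
    verdicts = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an authentication outcome line
        outcome, _user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            verdicts[src] = "successful cracking"
    for src, count in failures.items():
        if count >= threshold and src not in verdicts:
            verdicts[src] = "continuous cracking"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(src, verdict)
```

A source flagged as "successful cracking" is the one that needs immediate containment, since the attacker now holds working credentials rather than merely trying them.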
Step2 - "Anchor Alignment"
Run PowerShell commands to perform an asset scan and identify attack targets. UES has a malicious sample detection function that currently supports detection of malicious programs, phishing programs, hacking tools, PowerShell scripts, webshells and mining programs.
Step3 - "Poison"
Leverage command-and-control and remote monitoring and management software to push files to compromised hosts. The UES ransomware protection model accurately identifies the characteristics and families of known ransomware, and uses host behavior analysis plus dynamic trapping as active defense against unknown ransomware: bait files are deployed, and a malicious program that encrypts the bait files is judged to be exhibiting ransomware behavior.
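As an added example of the bait-file idea (not the UES implementation and not code from the original article), the following deploys decoy files, records their hashes, and reports decoys that were overwritten, renamed or deleted; the decoy names, the scratch directory and the way the tampering is mimicked are assumptions.

```python
import hashlib
import os
import tempfile

# Names chosen to sort to the ends of a directory listing, where an encryptor
# walking the tree reaches them early. Constructed for this example.
DECOY_NAMES = ("0000_accounts.xlsx", "zzz_passwords.docx")

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def deploy_decoys(directory):
    """Write bait files no legitimate process should touch; return {path: sha256}."""
    manifest = {}
    for name in DECOY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(("DECOY %s - do not edit\n" % name).encode() * 4)
        manifest[path] = _sha256(path)
    return manifest

def check_decoys(manifest):
    """Return [(path, reason)] for each decoy that no longer matches the manifest."""
    alerts = []
    for path, digest in manifest.items():
        if not os.path.exists(path):
            # Encryptors commonly write <name>.<new ext> and remove the original.
            stem = os.path.basename(path)
            renamed = [n for n in os.listdir(os.path.dirname(path)) if n.startswith(stem)]
            alerts.append((path, "renamed to " + renamed[0] if renamed else "deleted"))
        elif _sha256(path) != digest:
            alerts.append((path, "content modified"))
    return alerts

def demo():
    """Deploy decoys in a scratch directory, mimic an encryptor's effect, re-check."""
    with tempfile.TemporaryDirectory() as d:
        manifest = deploy_decoys(d)
        assert check_decoys(manifest) == []      # untouched decoys raise no alert
        first, second = sorted(manifest)
        with open(first, "wb") as f:
            f.write(os.urandom(64))              # in-place overwrite with random bytes
        os.replace(second, second + ".locked")   # extension appended, original gone
        return sorted(reason for _, reason in check_decoys(manifest))

if __name__ == "__main__":
    print(demo())  # ['content modified', 'renamed to zzz_passwords.docx.locked']
```

In a real deployment the check would run continuously (or on filesystem events) and the alert would carry the process that touched the decoy, which is the signal the text describes for unknown ransomware.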
Step4 - "Usurpation"
Disable and uninstall security solutions, and escalate privileges from web browsers and local security system services. UES detects abnormal host behavior, identifying malicious operations from the characteristics a malicious program generates while running, such as the current process name, process command line, parent process and registry behavior.
Step5 - "Infection"
Lateral movement, data exfiltration and ransomware deployment lead to the compromise of other hosts and of the corporate intranet. Based on the zero-trust concept, an intelligent adaptive algorithm model determines the micro-segmentation policy, and the host's inbound and outbound traffic is controlled and audited, reducing data leakage from endpoints and effectively preventing the east-west spread of attacks.
Core capability 6: Continuous monitoring of ransomware viruses
Based on machine learning and security event analysis models, it analyzes reported security data in real time, predicts the security risks and major risks present in the network and presents them visually, helping customers identify ransomware attacks and take measures in a timely manner. Threat events, at-risk endpoints, attack chains, assets and other statistics are displayed in multiple dimensions to facilitate day-to-day management by administrators.
3. Eliminate threats after the fact
Core capability 7: Data recovery to eliminate the impact
Data encryption is a common practice for protecting data security, and four encryption modes are provided to support various application scenarios.
Forced encryption: Encryption policies are set based on rules relating processes and file types, enforcing encryption and protection for all files; the encryption and decryption process is transparent to the user.
Intelligent encryption: Identification rules are formulated based on file type, file attributes, file size and file content, and combined with encryption technology to accurately protect important data.
Mixed plaintext and ciphertext: Provided that core data stays encrypted throughout its lifecycle (opening, editing, saving, etc. remain in the encrypted state), general data may be stored in plaintext (creation, editing, saving, etc. remain in plaintext).
On-demand encryption: Designated personnel can be authorized to encrypt data that needs to be encrypted, combining data security with flexible application.
Alongside encryption, it provides local, remote and multi-version backup capabilities, and identifies and prevents files encrypted by ransomware from overwriting normal file backups. In the face of double extortion there is no fear of data leakage, and data can be restored quickly to eliminate the impact of data extortion.
Core capability 8: Ransomware attack source tracing and forensics
On the endpoint side, the event activity trail is comprehensively recorded, and the host, malicious process, parent/child processes of the process file, process run time, detailed path, security attributes, network access relationships and mutual call relationships are analyzed from multiple angles. The compromised host is quickly located and the course of the event reconstructed, forming a complete chain of evidence and building a complete threat scenario for three-dimensional presentation.
Core capability 9: Initiate a ransomware insurance claim
With the concept of risk sharing, we have cooperated with insurance companies to launch innovative data extortion insurance. Through a complete process of insurance procurement, claims and full-lifecycle service, real-time and effective protection against ransomware attacks is ensured.
Procurement process
1) Sell "Insurance + Risk Management + Service" solutions.
2) Provide a graded protection evaluation report.
3) Provide risk assessment services.
4) Output quantitative risk data.
5) Confirm the premium and sign the policy.
Insurance process
Underwriting stage - underwriting stage - claims stage.
Service process
It includes pre-event identification and reduction, in-event monitoring and discovery, and post-event response and compensation.