What’s Your Ransomware Reaction Plan?

Ransomware is nothing new, but like Distributed Denial of Service (DDoS) attacks, over time it has evolved in its prevalence, sophistication and impact. New techniques in social engineering and new methods of compromise are creating vectors that attackers can leverage quite effectively. The damage can also be quite extensive, with three major impacts:

  • Encryption of corporate and/or personal data:

    Typically these are important documents and data on the resident system, and then on other systems after cross infection.

  • Encryption of secondary and tertiary data:

    As the infection spreads to other systems, these are often servers and backup resources.

  • Disclosure/Destruction (or threat of) prior to or during restoration attempts:

    If there is an attempt to circumvent the ransom, data is destroyed or disclosed to the public.

Additionally, the variety and rate of evolution of ransomware have significantly increased. This makes it more difficult for traditional malware detection mechanisms to detect and react in time (much like the flu virus that constantly morphs its outer proteins to avoid detection by the immune system). Let’s take a look at some of the major categories of ransomware:

  • CryptoLocker/Cryptowall:

    These two are similar in code base with Cryptowall evolving out of CryptoLocker. During the first six months of 2014, Cryptowall earned an estimated $1 million.

  • CTB-Locker:

    This code, discovered in 2014, distinguished itself by the use of TOR-based (dark web) server control and automated bitcoin methods.

  • TorrentLocker:

    An evolution of CryptoLocker.

  • Locker:

    Began to spread in 2016 using mass distribution channels.

  • TeslaCrypt:

    In 2015, this ransomware encrypted various types of files, including those belonging to online games. It’s very difficult to remediate.

This is a very limited list. Each category has spawned several offshoots, producing a rich jungle of variants of each code type. The actual list would go on for pages.

Non-file-based attacks are also becoming more prevalent. First discovered in 2014, these work by directly manipulating the system registry and memory to place malware in a way that traditional file-based anti-virus methods can hardly detect. This approach sacrifices resiliency for stealth: the code does not survive a reboot, but it doesn’t have to.

Once access is gained, the damage is done. Typically the covert encryption of data occurs very quickly after the code takes up residence, but encryption is not the only method. Sometimes data may be extracted and held for ransom. The data might be email threads, web histories, internal corporate documents, etc. There may also be a C2 channel for infiltration or exfiltration. So the problem of ransomware is indeed multidimensional: it has multiple methods and can impact corporations as well as individuals.

So the question is, “What can be done?” I call attention back to my Advanced Persistent Threat blog series. The use of micro-segmentation in a well thought out manner is the first key approach. While some users may be affected, it is important to realize that the propagation must be contained. Above all, important critical data should be separated from the compromised end point by several degrees. At a high level this means a good, solid white-listed security demarcation between micro-segments, together with threat detection intelligence at these demarcations to pick out any anomalies in traversing traffic.

But we can’t ignore the human dimension. We are the weakest link in the chain. I hate to bang on the users again—but, after all, I’m a user as well, right? We all are. Do individuals in our organizations understand what the proper security policy is? Do our organizations have a policy for ransomware and more importantly do we have a reaction plan?

Avaya has been working with various security partners to evolve SDN Fx into a true open ecosystem for secure network communications. By utilizing stealth network topologies, hyper-segmentation and elasticity, many of the hurdles to a secure infrastructure can be eased. It also makes it much more difficult for malicious code and C2 channels to propagate and become established. This is particularly true if the micro-segmentation design is well aligned with well-designed security demarcations. This powerful combination can result in the service chaining of individual communities of interest into defined and coordinated security inspection points. We will talk about this in my next blog where I explore the importance of visibility to a proper security practice. Until then, stay secure!

Related Articles:

APTs Part 4: How Do You Detect an Advanced Persistent Threat in Your Network?

Here in part four of my APT series, we’re looking at how to detect Advanced Persistent Threats in your network. The key is to know what to look for and how to spot it.

Look for patterns of behavior that are unusual from a historical standpoint. Some things to look for are unusual patterns of session activity. Port scanning and the use of discovery methods should be monitored as well. Look for unusual TCP connections, particularly lateral or outbound encrypted connections.

Remember that there is a theory to all types of intrusion. An attacker needs to compromise the perimeter. Unless the attacker is very lucky, they will not be where they need or want to be. This means that a series of lateral and northbound moves will be required to establish a foothold. In order for any information to leave your organization there has to be an outbound exfiltration channel. This is another area where APTs have to diverge from the normal behavior of a user.

Here’s what to look for:

  • Logon Activity:

    Logons to new or unusual systems can be a flag. New or unusual session types are also a flag to watch for, particularly outbound encrypted sessions or unusual time of day or location. Watch for jumps in activity or velocity.

  • Program execution:

    Look for new or unusual program executions at unusual times of the day or from unusual locations. Execution of the program from a privileged account status rather than a normal user account should also be alarming.

  • File access:

    Look for unusually high volume access to file servers or unusual file access patterns. Also be sure to monitor cloud-based sharing uploads as these are a very good way to hide in the flurry of other activity.

  • Network activity:

    New IP addresses or secondary addresses can be a flag. Unusual DNS queries should be looked into, particularly those with a bad or no reputation. Look for the correlation between the above points and new or unusual network connection activity. Many C2 channels are established in this fashion.

  • Database access:

    Most users do not have access to the database directly. But also look for manipulated application calls performing sensitive table access, modifications or deletions. Be sure to lock down the database environment by disabling many of the added options that most modern databases provide. An application proxy service should be implemented to prevent direct access in a general fashion.


The goal is to arrive at a risk score based on the aggregate of the above. This involves the session serialization of hosts as they access resources. The problem with us as humans is this: if we’re barraged with tons of data and forced to pick out the significant data ourselves, we are woefully inefficient. First of all, we have a propensity for missing certain data sets. How often have you heard the saying, “Another set of eyes”? Never manually analyze data alone; always have another set of eyes go over it.
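A minimal version of that aggregate risk score, as an added example that is not Avaya's code or part of the original post: each event from the categories above is compared against a per-host baseline and weighted, and a burst of logons within one hour adds a velocity flag. The host name, baseline, reputation feed, thresholds and weights are all constructed assumptions.

```python
"""Aggregate per-host risk score from the indicator categories listed above.
Added example, not Avaya's code; baseline, reputation feed, events and
weights are constructed assumptions."""
from collections import defaultdict

# Constructed baseline of normal behaviour for one host.
BASELINE = {"ws-042": {"systems": {"fileserv1", "mail"}, "hours": range(8, 19),
                       "files_per_hour": 40, "programs": {"outlook.exe"}}}
BAD_DOMAINS = {"update-check.example-bad.test"}  # constructed reputation feed
LOGONS_PER_HOUR_LIMIT = 3                          # velocity threshold (assumed)

# Constructed events: (host, hour_of_day, category, detail).
EVENTS = [
    ("ws-042", 10, "logon", "fileserv1"),            # normal
    ("ws-042", 2, "logon", "dbserv1"),               # new system, off hours
    ("ws-042", 2, "logon", "fileserv1"),
    ("ws-042", 2, "logon", "mail"),                  # three logons in one hour
    ("ws-042", 2, "exec", "admin:psexec.exe"),       # privileged, unknown program
    ("ws-042", 2, "file", "900"),                    # far above hourly baseline
    ("ws-042", 3, "dns", "update-check.example-bad.test"),
    ("ws-042", 3, "db", "direct:SELECT * FROM customers"),
]

def score_event(hour, cat, detail, base):
    """Return (reason, points) pairs for one event against the host baseline."""
    hits = []
    if cat == "logon":
        if detail not in base["systems"]:
            hits.append(("logon to new system", 2))
        if hour not in base["hours"]:
            hits.append(("off-hours logon", 2))
    elif cat == "exec":
        account, program = detail.split(":", 1)
        if account == "admin":
            hits.append(("execution from privileged account", 3))
        if program not in base["programs"]:
            hits.append(("unknown program", 2))
    elif cat == "file" and int(detail) > 5 * base["files_per_hour"]:
        hits.append(("file access volume spike", 3))
    elif cat == "dns" and detail in BAD_DOMAINS:
        hits.append(("bad-reputation domain", 4))
    elif cat == "db" and detail.startswith("direct:"):
        hits.append(("direct database access", 4))
    return hits

def risk_scores(events, baseline):
    """Sum points per host; a burst of logons in one hour adds a velocity flag."""
    scores, reasons, logons = defaultdict(int), defaultdict(list), defaultdict(int)
    for host, hour, cat, detail in events:
        for why, pts in score_event(hour, cat, detail, baseline[host]):
            scores[host] += pts
            reasons[host].append(why)
        if cat == "logon":
            logons[(host, hour)] += 1
            if logons[(host, hour)] == LOGONS_PER_HOUR_LIMIT:
                scores[host] += 2
                reasons[host].append("logon velocity jump")
    return dict(scores), dict(reasons)
```

The returned reasons list is what a second set of eyes should review; the numeric score only ranks which hosts to look at first.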


At Avaya we’ve developed a shortest path bridging networking fabric we refer to as SDN Fx™ Architecture that is based on three basic self-complementary security principles:

  • Hyper-segmentation: This is a new term that we’ve coined to indicate the primary differences between this new approach and traditional network micro-segmentation. First, hyper-segments are extremely dynamic and lend themselves well to automation and dynamic service chaining, as is often required with software-defined networks. Second, they are not based on IP routing and therefore do not require traditional route policies or access control lists to constrict access to the micro-segment. These two traits create a service that is well suited for security automation.
  • Stealth: Due to the fact that SDN Fx is not based on IP, it is dark from an IP discovery perspective. Many of the topological aspects of the network, which are of key importance to APTs, simply cannot be discovered by traditional port scanning and discovery techniques. So the hyper-segment holds the user or intruder in a narrow and dark community that has little or no communications capability with the outside world, except through well-defined security analytic inspection points.
  • Elasticity: Because we are not dependent on IP routing to establish service paths, we can extend or retract certain secure hyper-segments based on authentication and proper authorization. Just as easily, however, SDN Fx can retract a hyper-segment, perhaps based on an alert from security analytics that something is amiss with the suspect system. There may even be the desire to redirect them into honeypot environments, where a whole network can be replicated in SDN Fx for little or no cost from a networking perspective.

In the End

Hardly a day goes by without hearing about a data breach somewhere in the world. To combat these breaches, it’s imperative to understand how APTs work and how you can detect them. Remember—prevention is ideal, but detection is a must!

With this blog series, I hope I’ve helped you see how to limit the impact of APTs on your enterprise. If you missed a blog post, here’s the whole series:

APTs Part 1: Protection Against Advanced Persistent Threats to Your Data

APTs Part 2: How the Advanced Persistent Threat Works

APTs Part 3: Prevention is Ideal, But Detection is a Must

APTs Part 4: How Do You Detect an Advanced Persistent Threat in Your Network?

APTs Part 3: Prevention is Ideal, But Detection is a Must

In my last blog I spoke about the first steps in the kill chain. Now that the Advanced Persistent Threat (APT) has gained residence, it’s time to get to work. To refresh your memory, here’s our illustration of a kill chain:


In this step there is some method established for the final phase, which is either data exfiltration or complete command and control (C2). Note that execution is a process that will have a multitude of methods ranging from complete encryption (ransomware) to simple probes or port and keyboard mappers to gain further intelligence.

Exfiltration and C2

Exfiltration and Command & Control (C2) go hand in hand. C2 is required for exfiltration. It turns out that both require a common trait: two-way outbound traffic. At this point, if the APT wants to pull data out of the target it must establish outbound communication. This is sometimes referred to as a call back. These channels are covert. They are typically encrypted and mixed within the profile of normal data.

Remember, while there are well known ports assigned (to which we all should comply), an individual with even limited skills can generate a payload with counterfeit port mappings. DNS, ICMP and SMTP are three common protocols for this type of behavior. It’s key to look for anomalies in behavior at these levels. The APT needs systems to communicate in order for the tools to work for them. This means that they need to leave some sort of footprint as they look to establish outbound channels. (We will come back to this in my next blog.)
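One way to look for those anomalies at the port and protocol level, as an added example that is not from the original post: constructed outbound flow records are checked for a protocol that does not match its port (the counterfeit port mapping described above), encoded-looking DNS labels, SMTP from hosts that are not mail relays, and oversized ICMP. The port table, relay list, flow lines and thresholds are all assumptions.

```python
"""Flag outbound flows whose behaviour does not match the port they use,
plus DNS, ICMP and SMTP anomalies. Added example, not Avaya's code; the
flow lines, the port table and the thresholds are constructed assumptions."""
import math
from collections import Counter

# Protocol we expect to see on each well-known port (constructed subset).
EXPECTED = {53: "dns", 25: "smtp", 443: "tls", 80: "http"}
MAIL_RELAYS = {"10.0.0.25"}          # hosts allowed to speak SMTP outbound
MAX_ICMP_PAYLOAD = 64                # bytes; larger pings are unusual (assumed)
MAX_LABEL_ENTROPY = 3.5              # bits/char; above this looks encoded

# Constructed flow records: src dst dport detected_proto bytes_out detail
FLOWS = """\
10.0.1.5 8.8.8.8 53 dns 70 intranet.example.test
10.0.1.5 198.51.100.7 53 tls 5120 -
10.0.1.5 198.51.100.7 53 dns 180 a9f3kz02qx7v4mwb.c2.example-bad.test
10.0.1.5 198.51.100.9 25 smtp 2048 -
10.0.0.25 203.0.113.4 25 smtp 2048 -
10.0.1.5 198.51.100.9 0 icmp 1400 -
10.0.1.5 93.184.216.34 443 tls 900 -
""".strip().splitlines()

def entropy(s):
    """Shannon entropy in bits per character of a string."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def check_flow(line):
    """Return the list of anomaly labels for one constructed flow line."""
    src, dst, dport, proto, nbytes, detail = line.split()
    dport, nbytes, issues = int(dport), int(nbytes), []
    if dport in EXPECTED and EXPECTED[dport] != proto:
        issues.append(f"{proto} on port {dport} (expected {EXPECTED[dport]})")
    if proto == "dns":
        label = detail.split(".")[0]
        if len(label) > 12 and entropy(label) > MAX_LABEL_ENTROPY:
            issues.append("high-entropy DNS label")
    if proto == "smtp" and src not in MAIL_RELAYS:
        issues.append("SMTP from non-relay host")
    if proto == "icmp" and nbytes > MAX_ICMP_PAYLOAD:
        issues.append("oversized ICMP payload")
    return issues

def suspicious_flows(lines):
    """Map each anomalous flow line to its anomaly labels."""
    return {line: check_flow(line) for line in lines if check_flow(line)}
```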

Remember, unlike the typical traditional threat, which you probably are well prepared for, the APT will look to establish a permanent outbound set of channels. These may jump sessions, port behaviors, or even whole transit nodes if the APT is deep enough into your network. If the APT has compromised a series of systems, it has a choice in how to establish outbound behaviors. Below is a representation of established exfiltration channels.


The larger the footprint the APT has, the better it can adjust and randomize its outbound behaviors, which makes it more difficult to tease out. So catching the APT early is of key importance. Otherwise it’s very much like trying to stamp out a fire that’s quickly growing out of control.

The Overall Pattern

Due to its advanced and persistent nature (hence the APT name) the threat cannot be absolutely eliminated. To do so would make systems totally isolated. And while this might be desired to a certain level for certain systems, we have to expose ourselves to the external Internet if we wish to have any public presence. The intent of the APT is long-term residence and preferably total stealth. The figure below shows a different way to view these decision trees.


The goal is to establish a network of pivot points that can allow for better exposure of the target. The series of decision trees all fall inward toward the target; this will be the footprint of its web within the target. It is always looking to expand and extend, but not at the cost of losing secrecy. Its major strength lies in its invisibility.

So the concept of a linear flow to the attack has to go out the window. Again, this is the key to persistence. It is very cyclic in the way it evolves over time. The OODA loop comes to mind. Typically taught to military pilots and quick response forces, the OODA loop stands for Orient, Observe, Decide, Access. The logic that the APT uses is very similar. This is because it is raw constructive logic. Note how everything revolves around that center set of goals. If you are starting to see a strategy of mitigation then my hat’s off to you. If not, then I have a clue for you … It’s all about the data!

Now that we have uncovered the methods of the APT it should be obvious that they are extremely difficult to catch. Their whole goal is to remain under the surface even during and after an attack. They want to be able to come back. In short, if an APT has targeted you it’s unlikely that you will prevent compromises from it. They will get in if they work long enough. The question is: How far can they get and how much damage can they do before they’re detected? I will close with a new security motto that we all should memorize. “Prevention is an ideal, BUT detection is an absolute MUST!” In my next blog we’ll talk about detection and the methods that you can incorporate into your security practice to limit your exposure, containing any compromises that are bound to occur over time.


APTs Part 2: How the Advanced Persistent Threat Works

In my last blog I introduced the concept of Advanced Persistent Threats (APT) and provided some background on what these groups are about. APTs want to be invisible in your network. They want to become residents and remain for the long term. Given this, it is of key importance to detect their presence. But before we can do that, we need to look at the methods that APTs use to compromise network security and remain hidden within the flurry of day-to-day data. This will be the focus of this second blog: how do APTs go about their nefarious activities?

So What are the Methods?

Copious amounts of research exist on the methods that APTs will use. Due to the fact that this is largely driven by humans, the range can be wide and dynamic. Basically it all boils down to extending the traditional kill chain. This concept was first devised by Lockheed Martin to footprint a typical cyber-attack. This is shown in the illustration below.


The concept of infiltration needs to occur in a certain fashion. An attacker can’t just willy-nilly their way into a network. Depending on the type of technology, the chain might be rather long. As an example, an open core network will be much easier to compromise than an implementation with strong hyper-segmentation. The complexity of the two differs by many degrees.


In the past, this was treated lightly at best by security solutions. Even now, with heightened interest in this area from security solutions, it tends to be the main extended avenue of knowledge acquisition. The reason for this is that much of this intelligence gathering can take place off line. There is no need to inject probes or pivots at this point. Instead the method is to gain as much intelligence about the targets as possible. This may go on for months or even years, and it continues as the next steps occur. Note how I say “targets.” This means that the target network, when analyzed, will result in a series of potential target systems. APTs are more interested in the users or edge devices. These devices are typically more mobile, with a wider range of access media types. Additionally they have you or me at the interface. We are gullible—and we also can make rash decisions.


Once the attacker feels that there is enough to move forward, the next step is to try to establish a beachhead in the target.

The end user is typically the target. No one is immune. In the past a phishing attempt was easier to see. This has changed recently in that many of these attempts are now launched from a disguised email or other correspondence carrying an urgent request. There are also methods to create watering holes, which are basically infiltrations of websites that are known to be popular with or required by the target. Cross-site scripting is a very common set of methods to make this jump. In the past this would have been felt immediately. Now you might not feel anything at all. But APTs are now inside your network. They’re wreaking no damage, yet. They remain invisible.


If APTs are successful in their exploitation, you won’t know it. It’s a scary point to note that most APT infiltrations are only pointed out after the fact to the target by a third party such as a service provider or law enforcement. This is concerning. It means that both the infiltration and exploitation capabilities of the APT are extremely high.

How is this accomplished? The reality is that each phase in the chain will yield information and the need to make decisions as to the next best steps in the attack. The truth is that this is the next step in the tree. As shown in the figure below, there are multiple possible exploits and further infiltrations that could be leveraged off of the initial vector. It is in reality a series of decisions that will take the intruder closer and closer to its target.

(Figure: Advanced Persistent Threat)

What the APT finds will dictate how it moves its strategy forward and how it will adapt and optimize over time. It will morph to your environment in a very specific and targeted way. While many may think that initial exploitation is it, it’s really not. The exploitation phase is used to further implant into the network.

Join me in my next blog where we’ll look at the final steps in the kill chain and how they’re used by APTs.