Way back in 2018, cyber threats were prevalent, but those were simple attacks that penetrated the data center and randomly encrypted data, holding it hostage. If you paid the ransom, it was hit or miss whether the unlock keys delivered by the criminals would, in fact, unlock your data. These were attacks by unorganized, unsophisticated rogue cyber thugs.
By Jim McGann, Vice President Marketing & Business Development, Index Engines
Fast forward to 2020, amid a global pandemic, these cyber thugs have transformed into cyber opportunists. They have invested in technology and resources that make them smarter and their attacks far more sophisticated. Let’s review some of their latest tactics:
- Cyberattack as a Service (CAaaS): Cyber organizations now run as global enterprises. They offer a service where you can call them and they will plan and execute an attack based on your request and share in the revenue. They have help desks and financing to make it easy to monetize the attack on the organization of your choice. Disgruntled students, employees, or customers can now attack any size organization without any technical expertise.
- New Approaches: Cybercriminals are deploying new and intelligent approaches that easily circumvent real-time security solutions to penetrate the data center. The Ragnar Locker ransomware deploys virtual machines to dodge security and bypass most common security scanners, deploying its payload only once inside the data center. WastedLocker evades traditional security products that scan files on disk by hiding in cache memory. Once real-time security and behavioral analytics solutions are updated to protect against these new approaches, the cybercriminals will move on and continue to find new successful methods of attack.
- Data Breaches: Cyberthreats are now becoming data breaches. Cybercriminals have quickly realized they can make money by holding data ransom, but even more money by finding sensitive data and extracting it from the data center and threatening to publish it to the world. What used to be an internal attack that could potentially be hidden from the public now has become a global data breach that severely impacts the company’s reputation with customers.
The ransomware market has transitioned this year from a bunch of independent cybercriminals to sophisticated technology organizations that are smarter and more profitable than their predecessors. These organizations have invested in technology and expanded their activity ensuring that every organization can expect to face an attack regardless of the security defenses they have deployed.
The Last Line of Defense
With cybercriminals circumventing real-time protection and behavioral analytics, what can you do? The answer is to continue to strengthen your existing security solutions, assuming they will protect you from the bulk of the threats. Beyond real-time security, you should also continually validate the integrity of your data to ensure it is protected and reliable and has not already been corrupted by ransomware.
Some technology providers approach validating data integrity by looking at file metadata; others look at event logs or user behavior for unusual activity, and others rely on signature-based tools to check for suspicious files. But will those approaches be effective? Cybercriminals have many sophisticated approaches that will hide their tracks and circumvent these common security approaches. In fact, many of these approaches do not observe enough evidence of an attack and make “guesses” as to signs of corruption. This approach is fraught with false positives and even worse false negatives that miss hidden types of data corruption.
We know that cyberattacks corrupt data in a number of predictable ways. The most common approach is encryption. Encryption can mean many things. Encrypting a file – this is common. But more sophisticated approaches will encrypt content inside a file and avoid impacting the metadata, which is much harder to detect. Another approach will encrypt the content inside a database page. Again, this is difficult to detect, especially if you’re only analyzing metadata.
Another ransomware approach is corrupting data. The most common method is changing or appending the extension of a file with .lol or .encrypted. This is easy to detect. However, more sophisticated approaches use known valid extensions to corrupt a file, such as .fun, which is a known extension for an obscure application. If you are just inspecting metadata a .fun file would be detected as a valid file extension and not set off any alarms.
When cybercriminals see their simple approaches failing, they will go deeper inside files and databases to execute data corruption. They will hide their tracks and make it more difficult to detect their activity, especially if you rely on metadata-only analytics.
Content-Based Analytics and Data Integrity
The only confident approach to checking data’s integrity is through the use of full-content-based analytics. These analytics look inside every file and database for signs of corruption. This approach will not only find the more sophisticated signs of corruption mentioned above but will also provide a high level of confidence that data has integrity and is clean from tampering, allowing for informed and streamlined recovery in the event of an attack.
Content-based analytics that look inside every file are a technology challenge. Some vendors accept that this is difficult or impossible, based on their architecture, and will simply examine file metadata, stating that this approach is “good enough.” This has its flaws, as previously discussed, and more importantly, when cybercriminals see that these types of attacks on metadata are detected, they will go deeper to hide their tracks inside the content. Basing your cyber analytics on metadata only will hurt you in the long run.
Another compromised approach is using content-based analytics on only a small subset of the data. One vendor looks for signs of metadata corruption in a first analytics pass and then sends only those corrupt files for more comprehensive content-based analytics. But again, when cybercriminals detect that the metadata analytics are uncovering their tracks, they will go deeper and utilize more extensive content-based approaches. This renders the two-step approach (metadata followed by content analytics) useless.
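To make the difference between the two passes concrete, the following is an added example (not code from Index Engines or any product named above). It runs a metadata-only check and a content check over constructed sample files that mirror the cases described earlier: a crude rename to .encrypted, a file whose name and header are intact but whose body has been encrypted in place, and an encrypted file hiding behind a valid-looking .fun extension. The extension allow-list, magic bytes and entropy threshold are assumptions for illustration; a production scanner would parse each format rather than rely on entropy alone.

```python
import math
import random
from collections import Counter
from pathlib import PurePosixPath

# Constructed assumptions for this example, not any product's real rules:
KNOWN_EXTENSIONS = {".pdf", ".docx", ".txt", ".fun"}   # .fun: obscure but "valid"
RANSOM_EXTENSIONS = {".lol", ".encrypted"}             # obvious renames from the article
FORMAT_MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}
COMPRESSED = {".docx"}          # ZIP-based: legitimately high entropy, needs a parser
ENTROPY_THRESHOLD = 7.5         # assumed; plain text ~4-5 bits/byte, ciphertext ~8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or random content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def metadata_check(name: str) -> bool:
    """Metadata-only pass: True if the file looks corrupted by its name alone."""
    ext = PurePosixPath(name).suffix.lower()
    return ext in RANSOM_EXTENSIONS or ext not in KNOWN_EXTENSIONS

def content_check(name: str, data: bytes) -> bool:
    """Content pass: True if the bytes inside do not match what the name claims."""
    ext = PurePosixPath(name).suffix.lower()
    magic = FORMAT_MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return True                      # header overwritten
    if ext not in COMPRESSED and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return True                      # body encrypted in place, name/header intact
    return False

def build_samples() -> dict:
    """Constructed sample files standing in for a scanned share."""
    rng = random.Random(1)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for encrypted data
    clean_pdf = b"%PDF-1.4\n" + b"1 0 obj\n<< /Type /Catalog >>\nendobj\n" * 40 + b"%%EOF\n"
    return {
        "report.pdf": clean_pdf,                      # untouched
        "report.pdf.encrypted": ciphertext,           # crude rename: metadata catches it
        "quarterly.pdf": b"%PDF-1.4\n" + ciphertext,  # header kept, content encrypted
        "notes.fun": ciphertext,                      # valid-looking extension, encrypted body
    }

def scan(samples: dict) -> dict:
    """Return {name: (metadata_flagged, content_flagged)} for each sample."""
    return {n: (metadata_check(n), content_check(n, d)) for n, d in samples.items()}

if __name__ == "__main__":
    for name, (meta, content) in scan(build_samples()).items():
        print(f"{name:22} metadata={'FLAG' if meta else 'ok'}  content={'FLAG' if content else 'ok'}")
```

Only the crude rename is caught by the metadata pass; the two in-content cases pass metadata inspection and are flagged only when the bytes themselves are examined.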
Find a Cybersecurity Product that Works Smarter, Not Harder
Metadata-based analytics can only provide up to an 88% level of confidence that corruption exists, and when cybercriminals go deeper into the corruption of content, this level of confidence will plummet. Checking the integrity of files through full-content analytics provides a 99.5% level of confidence that data has not been corrupted by malware. If corruption is detected, the solution should have the ability to report on the last good version of files for rapid recovery and minimized disruption.
Enterprises need a solution that inspects both the metadata and content inside every file and database at scale to validate the integrity of files and databases efficiently. By implementing a solution with full-content analytics using a single-pass approach, organizations will have confidence in their data’s integrity while minimizing false positives and negatives.
As cybercriminals get smarter and more organized, it is critical that organizations deploy more advanced and diverse approaches that will help thwart these attacks. Without a new layer of defense that checks the integrity of data using content-based analytics, organizations will continue to be vulnerable.
The obvious choice, and the best choice, is to ensure that critical data assets have integrity. The only way to achieve this is with a data analytics product that offers full-content analysis rather than just scanning metadata. Knowing what was attacked, who was impacted, where the source of the attack occurred and when it happened is the only way to quickly recover and minimize business interruption. Without this, you will be at the mercy of ever-increasing and sophisticated cyberthreats.
About the Author
Jim McGann has extensive experience with eDiscovery and Information Management in the Fortune 2000 sector. Before joining Index Engines in 2004, he worked for leading software firms, including Information Builders and the French-based engineering software provider Dassault Systemes. He is a frequent writer and speaker on the topics of big data, backup tape remediation, electronic discovery, and records management.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.