Deceptions Everywhere

Insights on threat and cyber risk trends, use cases for deception technology and strategies for combatting targeted attacks

3 Facts About MITRE Shield and Targeted Ransomware

You’ve probably heard me write or speak about ransomware a lot more recently, and for good reason. Targeted, APT-like ransomware attacks against large healthcare organizations and other enterprises have been all over the news. 

Recently, I had the opportunity to present a webinar along with MITRE that focused on MITRE Shield, the concept of Active Defense, and how we can use some of these proactive techniques against ransomware attackers. Below, I’ll look at 3 key facts for security teams to understand when planning your active defense strategy against ransomware threats. 

Moving from passive to active defense


First, a bit of background about Shield. I was thrilled to be joined during the webinar by Christina Fowler, Chief Cyber Intel Strategist at MITRE and MITRE Shield Team Member. 

MITRE Shield is a recently released knowledge base of common defense techniques and tactics that can help IT security teams mature their capabilities and establish an Active Defense posture. MITRE Shield looks at the defender side of active defense concepts, while MITRE ATT&CK catalogs adversary behavior and is widely used throughout the cybersecurity industry.

Christina mentioned that Shield is intended to “get people to think about moving away from a passive defensive stance to a more active defensive stance,” and to “counter current attacks, learn more about that adversary, and better prepare for future attacks.”

<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Christine Fowler from <a href="https://twitter.com/MITREcorp?ref_src=twsrc%5Etfw">@MITREcorp</a> provided a great intro to <a href="https://twitter.com/hashtag/mitreshield?src=hash&amp;ref_src=twsrc%5Etfw">#mitreshield</a> on today&#39;s webinar. By moving organizations from a passive to <a href="https://twitter.com/hashtag/activedefense?src=hash&amp;ref_src=twsrc%5Etfw">#activedefense</a> stance, they can impose costs on their adversaries and reduce the value of their attacks!</p>&mdash; Illusive Networks (@illusivenw) <a href="https://twitter.com/illusivenw/status/1329463505091760136?ref_src=twsrc%5Etfw">November 19, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
I think that the release of Shield is a monumental moment for cybersecurity. As attackers have become more sophisticated and their methods continue to evolve, existing security tools simply haven’t been enough to stop or even detect some of these attacks. As we’ve seen from so many attacks this year, attackers are successfully penetrating network perimeter defenses, and are too often undetected by anomaly-based detection methods. Security teams need to mature beyond just passive defense capabilities and think outside the box. And ransomware is a major example of this.

Ransomware and APTs - a deadly combination 


The threat coming from the types of ransomware attacks that are taking place today needs to be clearly understood, so I want to share 3 facts to focus on.  

Fact #1 - Advanced Ransomware Threats are NOT like the old “spray and pray” attacks 

Traditional ransomware attacks, often called “Spray and Pray,” act as quickly as possible on the beachhead system on which the attacker lands. Ransomware hits the machine, immediately encrypts the local system, and reaches out across the network to encrypt any other system it can gain access to.    

Yet the new type of ransomware attacks that we’re seeing in the past 6 months are undeniably different. Often carried out by nation-state actors or criminal enterprises, they combine ransomware encryption techniques with Advanced Persistent Threat (APT) methods. Unlike the old attacks, once attackers have established a beachhead, they don’t release the payload right away. The attacker moves laterally from endpoint to endpoint across the network, attempting to identify Crown Jewel systems and moving very surgically. Only once he/she has found the most critical assets in the environment do they release the ransomware on it.   

<blockquote class="twitter-tweet"><p lang="en" dir="ltr">A new wave of Advanced Ranswomware Threats have become apparent in the last 6 months, taking their time to identify critical assets. More importantly, seeking out back-up and recovery systems for intentional attacks. <a href="https://twitter.com/WadeLance1?ref_src=twsrc%5Etfw">@WadeLance1</a> highlights Illusive&#39;s capabilities in this area.</p>&mdash; Illusive Networks (@illusivenw) <a href="https://twitter.com/illusivenw/status/1329468228070993927?ref_src=twsrc%5Etfw">November 19, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
Fact #2 - Ransomware attackers exploit risky credentials and connectivity but you can use that against them 

How do attackers move laterally? Most often through living off the land (LoTL) techniques. These include leveraging existing privileged credentials and tools already on the machine in order to learn more about the connectivity between other hosts on the network, eventually landing on an attractive target to release the payload. 

These vulnerable data that attackers might exploit include (but aren’t limited to):
  • Usernames and passwords that are inadvertently captured in browser history
  • Domain admin and other privileged credentials which can be retained in system memory after a remote support session
  • Access data stored in applications to enable software updates or other maintenance
An active defense can be used to trap and paralyze attackers and prevent them from succeeding. How? Though a two-faceted approach:
  • Actively reducing the attack surface - through constant attack pathway discovery and elimination
  • Deception-powered threat detection - deceptively redirect ransomware attackers away from production hosts and detect lateral movement early in the campaign before the ransomware is deployed
Our Attack Surface Manager covers the first bullet point above by automating discovery and clean-up of credential violations, allows drill-down inspection of pathways to critical assets, and provides risk insights that inform intelligent decision-making to reduce attacker mobility.

And deception...well, that is our bread and butter. Illusive is able to plant deceptive data in real environments (note - this is very different from a honeypot approach) that - as soon as the attacker interacts with one of them - they are caught. Deception completely tips the scales against the actor, making it virtually impossible for them to escape undetected and carry out their attack. 

<blockquote class="twitter-tweet"><p lang="en" dir="ltr">How do we support <a href="https://twitter.com/hashtag/activedefense?src=hash&amp;ref_src=twsrc%5Etfw">#activedefense</a>? By reducing the <a href="https://twitter.com/hashtag/attacksurface?src=hash&amp;ref_src=twsrc%5Etfw">#attacksurface</a> to remove low-hanging fruit, and then confuse and paralyze attackers in a deceptive environment, diverting them away from production hosts. <a href="https://twitter.com/MITREcorp?ref_src=twsrc%5Etfw">@MITREcorp</a> speaks with <a href="https://twitter.com/WadeLance1?ref_src=twsrc%5Etfw">@WadeLance1</a> in today&#39;s webinar.</p>&mdash; Illusive Networks (@illusivenw) <a href="https://twitter.com/illusivenw/status/1329470356193677316?ref_src=twsrc%5Etfw">November 19, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
Which MITRE Shield techniques work well here? Some examples include:
  • Decoy Content - data used to tell a story to an adversary 
  • Decoy Credentials - putting deceptive credentials in a wide range of locations to significantly increase chances of engagement with an attacker 
  • Decoy Systems - Good for threat intelligence to monitor attacker behavior 
Fact #3 - Security automation against ransomware attackers creates manual work for the attacker

As part of the shift of using MITRE Shield techniques to go from a reactive to an active defense, security automation needs to also be active. 

I want to stress that we at Illusive are big fans of automation. But let’s not confuse traditional security automation with an active defense. A lot of automated tools are reactive. These tools are responding to something that has already happened in our environment. 

Deception really changes the game, as we are now being proactive in setting traps for the attacker. Without deception, everything the attacker sees in the environment is real. They are learning about our security capabilities and deficiencies as well as the structure and layout of our network during every interaction. With deception, most of what the attacker is “learning” about our environment isn’t real - we are literally wasting their time and effort. 

For so long, attackers have been using automation to create manual work for the security team - a fight which security teams will never win. But the opposite can happen thanks to a deception-powered approach. You can use automation to create manual work for attackers.   

Advantage - security team. 

Learn more about MITRE Shield and stopping ransomware attackers


Watch the full webcast at any time, Stop Advanced Ransomware Now: MITRE Shield’s Active Defense and Illusive Lateral Movement Prevention

Also, make sure to check out our Decision Point Brief, Illusive and MITRE Shield Enabling ‘Active Defense’ With Distributed Deception, in which Illusive capabilities are mapped to MITRE Shield along with a brief description of how the Illusive Platform helps you address a given technique.