Urgences 24 sur 7 – (888) 287-5858   Connexion au Portail TitanSupport    Contactez-nous      Blogue

Adversary versus target; all organizations participate in this daily cat-and-mouse. Organizations initially fought this battle on the technology front. Miss something? Find another new technology to address the gap. Over time, technology delivered interesting intel, but malicious activity still slipped through. Organizations then went on the hunt to find the “right” person with the “right” skill. And this cycle continues unabated – tech, people, tech, people, tech, people, etc.

Are things better? Undeniably. Can they be better still? Without question. But as long as the tech/people cycle continues, most organizations will never reach their cybersecurity goals because the goal will always be just out of reach by one person or one technology. To illustrate this, we’ll use the recent Exorcist 2.0 ransomware.

The Exorcist ransomware first appeared earlier in 2020. While not unheard of, it was still fascinating to find such a quick iteration to Exorcist 2.0 within only a couple of months. Quickly iterating malware tactics is commonplace for adversaries as it allows them to stay ahead of technique-based cybersecurity solutions. Think of traditional antivirus and its signature-based detections. Signatures are, in essence, a collection of tactics and techniques. Use a new technique, and it’s easy to bypass traditional antivirus. Next-Generation Antivirus attempts to address this limitation by adding automated analysis and correlation (i.e., machine learning) but, in reality, is only marginally more effective than traditional antivirus.

Now consider a behavior-based approach. Rather than relying on a relatively binary decision (is it known to be good or bad?), a behavior-based approach looks at the full sequence of events. Adversaries frequently change tactics, but the goal behind the tactics are universal – compromise an endpoint, move laterally, steal credentials, etc. So, when the GoSecure Active Response Center (ARC) saw familiar, yet slightly different, behaviors in late September, they knew something was up.

Running setup_install.exe is not, in itself, unusual, although the file name is suspicious. And a setup file creating several temp files is standard. But when the temp files start copying data from the installed browser’s directory into random text files, the game is afoot. Keep in mind, however, that none of this activity (so far) is known malicious. It has taken a behavior-based approach, combined with human review, to generate a level of suspicion. Even at this early stage, the GoSecure ARC is on high alert.

Screen Shot 1
High alert becomes well-founded when, almost immediately, outbound traffic to a highly suspicious IP address is detected. The return communication instructs the “setup” process to perform many actions using standard operating system files like cmd.exe. Here again, not entirely unusual but, based on the previous suspicious activity, the GoSecure threat hunters keep a close eye on all activity associated with the original EXE.

What follows are many actions not entirely unrelated to safe installer activities (delete temp files, install new files, create processes, etc.). But analyzed very closely, as the GoSecure ARC does every day, these actions are increasingly suspicious (create file oewvcabkhaw.exe, create a new process using this file, create more suspiciously named files such as poawhepvtl.exe). The coup de grâce comes when a malicious shortcut link, SmartClock.lnk, is added to the user’s startup folder. This shortcut links to a file that is activated using a Registry RunOnce entry, which is, subsequently, deleted.

Screen Shot 2
It was GoSecure’s combination of behavior-based technology and human review that allowed us to detect and mitigate this malicious activity. There was no way for traditional solutions to define the action as malicious as none of these tactics had been observed in just this way prior. And it took GoSecure Threat Hunters to identify suspicious activity, correlate all behaviors, and accurately classify the full sequence of events as malicious. Neither technology nor people, by themselves, could have resulted in the correct classification – it took the synergy between the two to stop this latest ransomware attack. It’s not technology OR people. Protecting your organization from today’s advanced attacks requires technology AND people, but…the right technology and the right people. And very few organizations have the resources to provide both.

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR)

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR) Fondation

Gestion des vulnérabilités en tant que service GoSecure TitanMC (VMaaS)

Surveillance des événements liés aux informations de sécurité gérée GoSecure TitanMC (SIEM gérée)

Défense du périmètre gérée GoSecure TitanMC (pare-feu)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Passerelle de messagerie sécurisée GoSecure TitanMC (SEG)

Modélisateur de menaces GoSecure TitanMC

Identity GoSecure TitanMC

Plateforme GoSecure TitanMC

Services de sécurité professionnels de GoSecure

Services de réponse aux incidents

Évaluation de la maturité de la sécurité

Services de confidentialité

Services PCI DSS

Services de piratage éthique

Opérations de sécurité

MicrosoftLogo

GoSecure MXDR pour Microsoft

Visibilité et réponse complètes au sein de votre environnement de sécurité Microsoft

CAS D'UTILISATION

Cyberrisques

Mesures de sécurité basées sur les risques

Sociétés de financement par capitaux propres

Prendre des décisions éclairées

Sécurité des données sensibles

Protéger les informations sensibles

Conformité en matière de cybersécurité

Respecter les obligations réglementaires

Cyberassurance

Une stratégie précieuse de gestion des risques

Rançongiciels

Combattre les rançongiciels grâce à une sécurité innovante

Attaques de type « zero-day »

Arrêter les exploits de type « zero-day » grâce à une protection avancée

Consolider, évoluer et prospérer

Prenez de l'avance et gagnez la course avec la Plateforme GoSecure TitanMC.

24/7 MXDR

Détection et réponse sur les terminaux GoSecure TitanMC (EDR)

Antivirus de nouvelle génération GoSecure TitanMC (NGAV)

Surveillance des événements liés aux informations de sécurité GoSecure TitanMC (SIEM)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Intelligence GoSecure TitanMC

Notre SOC

Défense proactive, 24h/24, 7j/7

À PROPOS DE GOSECURE

GoSecure est un leader et un innovateur reconnu en matière de cybersécurité, pionnier de l'intégration de la détection des menaces au niveau des terminaux, du réseau et des courriels en un seul service de détection et réponse gérées et étendues (MXDR). Depuis plus de 20 ans, GoSecure aide ses clients à mieux comprendre leurs failles en matière de sécurité et à améliorer leurs risques organisationnels ainsi que leur maturité en matière de sécurité grâce aux solutions MXDR et aux services professionnels fournis par l'une des équipes les plus fiables et les plus compétentes de l'industrie.

CALENDRIER D’ÉVÉNEMENTS

No upcoming events.

DERNIER COMMUNIQUÉ DE PRESSE

AVIS DE SÉCURITÉ

Urgences 24 sur 7 – (888) 287-5858