The Central Texas IT Guy

Web Development Austin, SEO Austin, Austin Search Engine Marketing, Internet Marketing Austin, Web Design Austin, Roundrock Web Design, IT Support Central Texas, Social Media Central Texas

Simple Guide To Threat Detection & Response

By

On November 25, 2020

In Security

What Is Threat Detection & Response (TDR)?

Threat detection & response is an application of big data analytics, where data analysis is conducted across large and disparate data sets to find anomalies, their threat level and response actions required to tackle these anomalies. TDR facilitates security professionals to detect and neutralize attacks before they can cause a breach.

What Is The Need For TDR?

Following are some reasons that emphasize on the requirement of TDR:

  • The large amount of data has made it difficult for cyber security teams to investigate and act on cyber attacks across widespread networks and operating environments in an effective and efficient manner.
  • The cyber threats have become more evolved and stealthier. They implement advanced evasion techniques such as making use of native OS tools. These techniques enable them to infect the systems without alerting the cyber security team.
  • Cyber attacks are directed by human operators, who are efficient in testing and adapting different pathways, if encountered by an obstacle. Thus, once inside the network, they are highly efficient in surpassing security systems.

In these circumstances, TDR helps in forming strong line of defense in layered next-generation security system.

  • The analysts and threat detectors uncover the attacks by looking for suspicious events, anomalies and patterns in regular activity. These anomalies are then tested to see if they involve malicious agents.
  • The human insight is coupled with AI technologies such as AI-guided detection. This makes it easier to analyze a large amount of data in a short period and efficient manner.
  • The TDR system does not only find the hidden threats, but also works towards finding a response to neutralize it.

What Is TDR Framework?

The TDR framework consists of four pillars:

  • Observe: What do you see in the raw data?
  • Orient: What is the context or how does it map against existing attack TTPs (tactics, techniques and protocols)?
  • Decide: Is it malicious, suspicious or benign?
  • Act: Mitigate, neutralize and re-enter the analysis loop

What Are The Components Of TDR?

TDR has five core components:

  • Prevention: Effective prevention requires the knowledge about the location of critical data and computational resources over the network. It involves effective and regular configuration of technology and access controls. Maintaining efficient prevention techniques reduces the number of security alerts generated on a daily basis.
  • Collecting Security Events, Alerts And Detections: Security data may be collected and reviewed by adopting any of these methods; Event-centric, Threat-centric, or Hybrid.
  • Prioritizing Signals That Matter: Once the events are detected, it is important to prioritize them to find actual threats. Apply well-managed security filters to separate security incidents from event logs.
  • Investigation: After isolating the key signals, measure them against industry frameworks and models for further investigation. The aim of the investigation is to check if the signal is indicative of an actual attack and where does it fall in the attack sequence.
  • Action: This involves identifying and implementing relevant response for containing the threats.

For more information on threat detection & response, contact Centex Technologies at (254) 213 – 4740.

What Is CryptoWall Ransomware?

By

On November 23, 2020

In Security

A ransomware is a type of malware that encrypts user files on victim computer or network. The attacker then demands a ransom from the victim in exchange for the decryption key. CryptoWall is a family of such file-encrypting ransomware. It first appeared in early 2014 and has numerous variants including Cryptorbit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. The early variants used RSA public key for file encryption, however, the new versions use AES key for file encryption. The AES key is further encrypted using a public key. This makes it impossible to get the actual key needed to decrypt the files.

Mode Of Infection:

Traditionally, CryptoWall ransomware was distributed via exploit kits. But, now spam emails are also used to infect the victims. The spam email contains RAR attachment that includes a CHM file. When the victim opens the CHM file, it downloads ‘CryptoWall binary’ to the system and copies itself into the %temp% folder.

CHM file – Compiled HTML or CHM file is an interactive html file that is compressed inside a CHM container and may hold other files such as JavaScript, images, etc. inside it.

Execution:

  • The Cryptowall binary downloaded on the system is compressed or encoded. Useless instructions and anti-emulation tricks are deliberately inserted in the coding to break AV engine protection.
  • On execution, it launches a new instance of explorer.exe process.
  • In the next step, the ransomware injects its unpacked CrytoWall binary and executes the injected code.
  • The original process automatically exits itself after launching the injected explorer process.
  • The files are encrypted and the ransomware deletes the volume shadow files using ‘vssadmin.exe’ tool. This makes sure that the encrypted files may not be recovered.
  • The CryptoWall binary is copied to various locations such as %appdata%, %startup%, %rootdrive%, etc. The copies are added to the auto start key to help them stay persistent even after the infected system is rebooted.
  • A new svchost.exe process is launched with user privilege and malicious binary code is injected into it.
  • The ransomware connects to I2P proxies to find live command and control server.
  • The server replies with unique encryption key generated specifically for the target system. The key starts the file encryption thread and drops ransom notes in all directories.
  • Finally, it launches Internet Explorer to display ransom notes and the hollowed svchost process kills itself.

Protection:

  • Keep antivirus up-to-date
  • Back up the files
  • Apply windows update regularly
  • Avoid clicking random emails
  • Disable remote desktop connections
  • Block binaries running from %appdata% and %temp% paths

For more information on Cryptowall ransomware, contact Centex Technologies at (254) 213 – 4740.

 

Common Malware Entry Points

By

On November 20, 2020

In Security

View Full Image

Understanding The Concept Of Ransomware As A Service

By

On October 30, 2020

In Security

Ransomware is a type of malware that extorts money from the target victim by infecting and taking control of the victim’s systems or secured documents stored in the system. Ransomware attacks either locks the computer from normal use or encrypts the documents using a key available with the attacker only.  ‘Ransomware as a Service’ is a kind of ‘Software as a Service’ provided by tech vendor. RaaS can also be defined as a ransomware infrastructure that is rented to hackers on dark web. It is an easy platform for novice hackers (with zero to low knowledge of coding malware) to access ransomware attacks and implant these ransomwares on victim’s machines for claiming extortion money.

How Does RaaS Function?

Here is a simple map of events to explain the functioning of RaaS model:

  • A deceitful vendor offers a tool containing Ransomware on Dark web
  • The package contains all the software and related files needed for a successful ransomware attack
  • Hackers and malicious actors purchase this tool package
  • They use the tools for attacking a victim’s system or network to get hold of computer files and information
  • Depending upon the type of ransomware, it may either lock or encrypt the files
  • The hackers now demand financial ransom in exchange of returning data access to the victim

Similar to other ‘Software as a Service’ models, RaaS involves user services such as provision of desktop, infrastructure, ERP, customer relationship management or other digital services. The buyers of RaaS have the option to order up the capability of the ransomware for launching a more severe attack.

Some important points to note include:

  • RaaS users take deliberate steps to conceal their identity and take deliberate steps to make their actions hard to track. A common practice is to demand payments in digital currency as it is comparatively difficult to trace.
  • Once the victim makes the ransom payment, it is not guaranteed that the hacker will provide the decryption key to the victim. Also, making the ransom payment does not ensure that the hacker will not leak any files or documents.

What Measures Can Be Taken To Combat RaaS Attacks?

Organizations need to take following measures to secure themselves against RaaS attacks:

  • Employees are the most vulnerable entry point but they may be used as first line of defense, if properly educated. Regularly educate them on the latest ransomware attacks and cyber security practices they should employ.
  • Secure the system and network by continuously auditing for any vulnerability. Also, regularly update the cyber security tools for latest versions.
  • Maintain a backup of all the files at a location from where they can be easily retrieved. This helps the business to keep functioning even if the systems are attacked.

For more information on understanding the concept of ‘Ransomware as a Service’, contact Centex Technologies at (254) 213 – 4740.

Tips To Reduce Cyber Crime In Inbound Call Centers

By

On October 28, 2020

In Security

Business security is one of the prime priorities for every business and as the number of cyber attacks is on a rise, the cyber security practices have become a necessity. Cyber criminals tend to find weak entry spots for targeting a business. Due to the nature of operations, inbound call centers act as an easy target for cyber criminals. The inbound call centers receive customer calls and acquire customer information to answer their queries. If hackers breech the inbound call system, they can get hold of consumer’s personal information.

Thus, businesses need to be vigilant and take proper steps to secure consumer information. Here are some tips to reduce cyber crime in inbound call centers:

  • Regularly Audit The Environment: Audits are generally overlooked, but regularly auditing the network environment of the call center can help in detecting any intrusion at an early stage. Audits can also help businesses in detecting any vulnerability in the system. A simpler way is to automate the network audit using a remote monitoring and management system (RMM). Also, businesses should consider password audit for all the staff in the inbound call center. This helps in tracking the users with weak or outdated password.
  • Strengthen The Authentication Process: Passwords alone may not be sufficient for proper authentication of users. So, inbound call centers should strengthen the system by incorporating multi-factor authentication.  Also, it is important to backup the authentication data with either a knowledge based, possession based, or inherence based requirement such as having a physical key or smartphone for receiving one-time password.
  • Boost Weak Security Through Automation: A great approach to ensure security of the systems is to automate the security process. A common example is to automate password generation such that the users themselves don’t know their passwords until the time of login. This eliminates the risk of knowingly or unknowingly leak of passwords by the users. This can be achieved by using software such as Password Management System or privileged Identity Management.
  • Secure The Endpoints: Endpoints are highly vulnerable because cyber criminals attack these endpoints to create holes in the network security perimeter. Inbound call centers can use advanced endpoint detection solutions to improve system’s ability to defend itself.

For more information on tips to secure network in inbound call centers, contact Centex Technologies at (254) 213 – 4740.

© Copyright 2022 The Centex IT Guy. Developed by Centex Technologies
Entries (RSS) and Comments (RSS)