- 5 July 2017
- by Rebecca Vlassakidis
Using network monitoring tools to identify ransomware attacks in real-time
Being prepared to deal with the next security breach
More than 200,000 computers in more than 150 countries around the world were infected by the ransomware attack "WannaCry" in May 2017. The size of this attack and the speed at which it spread make it clear that organizations need to do more to be prepared for the next security breach. Recording the history of network activity helps to analyze and mitigate security breaches and provides solid evidence of whether data has been stolen.
The ransomware attacks "WannaCry" and "Petya/NotPetya" infected Windows systems that had not been kept up to date: WannaCry propagates using EternalBlue, an exploit of Windows' Server Message Block (SMB) protocol. Like other modern ransomware, it finds and encrypts a range of data files, then displays a "ransom note" informing the user and demanding a payment in bitcoin. The problem is that many companies did not know the full extent of the breach for some time and were unsure whether data had been exfiltrated or which data had been affected. So, how can organizations quickly analyse any kind of security breach without suffering downtime?
Network monitoring tools: how to tell what data was stolen or affected
If there is a security breach, it invariably occurs across the network. Most enterprises use many different security tools, but often these tools are not integrated. This makes it very difficult to get a single, authoritative view of what's happening on the network. These tools, such as firewalls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), provide point-in-time alerts based on the activity they see on the network. However, the transient nature of network traffic means that you don't get a second chance to examine that traffic, unless you record it. With a recorded history of the traffic on your network, you can always go back in time to see exactly what happened, even if your security tools missed the threat the first time around.
Network history can be recorded using continuous packet capture. This provides a complete and detailed history of network activity that offers a single source of truth for investigating security alerts and breaches. Rob Earley, Senior Sales Engineer at Endace: "Having a detailed recording of an event means that an organization can quickly and accurately assess exactly what happened, what was lost and how to remediate the vulnerabilities that led to the breach."
Capturing and recording network traffic unlocks the power of detection tools
Endace’s network history recording can be integrated with security and network monitoring tools such as firewalls, IDS, IPS etc. This allows security investigations to be streamlined and automated. When an alert is detected, analysts can click to jump directly to the related packet history for analysis. Or, using the API, related network history can be automatically retrieved and attached to the alert so that an analyst can review it. In the case of the ransomware attacks, many organizations could have reduced their downtime if they had access to an accurate recording of network traffic. Once the ransomware was detected, analysts could have quickly reviewed the related network history to see how the ransomware was being spread and prevented other machines on the network from being infected.
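The spread reconstruction described above, as an added example that is not Endace's own code or API: constructed flow records stand in for the packets an analyst pulls from the capture store around an alert, and the field names, the 120-second window and the fan-out threshold are assumptions.

```python
# Added example (not Endace code): reconstruct how ransomware spread using the
# recorded network history an analyst pivots to from an IDS alert. Constructed
# flow records stand in for retrieved packets; field names are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float     # capture timestamp, seconds
    src: str
    dst: str
    dport: int
    syn: bool     # True for a new TCP connection attempt

# Constructed traffic: 10.0.0.5 trips the alert and sweeps TCP/445 (SMB) across
# the subnet; one host it reached (.18) then starts sweeping as well.
CAPTURE = [
    Flow(1010.0, "10.0.0.5", "10.0.0.17", 445, True),
    Flow(1010.2, "10.0.0.5", "10.0.0.18", 445, True),
    Flow(1010.4, "10.0.0.5", "10.0.0.19", 445, True),
    Flow(1010.6, "10.0.0.5", "10.0.0.20", 445, True),
    Flow(1011.0, "10.0.0.18", "10.0.0.21", 445, True),  # second hop
    Flow(1011.3, "10.0.0.18", "10.0.0.22", 445, True),
    Flow(1011.6, "10.0.0.18", "10.0.0.23", 445, True),
    Flow(1012.0, "10.0.0.19", "10.0.0.2", 445, True),   # one file-server session, benign
    Flow(1500.0, "10.0.0.5", "10.0.0.30", 445, True),   # outside the review window
]

def smb_targets(capture, host, start_ts, window=120.0):
    """Peers that `host` tried to open SMB sessions to within `window` seconds of
    start_ts, mapped to the first attempt time so the next hop can be followed."""
    first_seen = {}
    for f in capture:
        if f.src == host and f.dport == 445 and f.syn and start_ts <= f.ts <= start_ts + window:
            first_seen.setdefault(f.dst, f.ts)
    return first_seen

def propagation_map(capture, first_host, alert_ts, window=120.0, threshold=3):
    """Follow SMB fan-out hop by hop from the alerted host. A host counts as a
    spreader only if it contacted >= threshold distinct SMB peers (worm-like sweep)."""
    spread, queue, visited = {}, [(first_host, alert_ts)], {first_host}
    while queue:
        host, since = queue.pop(0)
        targets = smb_targets(capture, host, since, window)
        if len(targets) < threshold:
            continue                      # e.g. ordinary file-server access
        spread[host] = sorted(targets)
        new = {d: t for d, t in targets.items() if d not in visited}
        visited.update(new)
        queue.extend(new.items())
    return spread
```

The result lists each spreading host with the machines it reached, which is the information needed to isolate them before the next hop.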
Without access to network traffic, the alternative is to attempt to reconstruct events by assembling evidence from a wide variety of other sources such as system and application logs and authentication systems. Rob Earley: “Having an accurate record of network activity enables SecOps teams to quickly and accurately reconstruct events even when an attack is sophisticated and well camouflaged.”
Be better prepared to deal with security breaches and learn why recording network history really helps enterprises to respond effectively. Register here to read the whitepaper "Network History – The missing piece in the cybersecurity puzzle".
Whitepaper: "Network History – The missing piece in the cybersecurity puzzle"
1. Wikipedia: WannaCry ransomware attack, https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Image source: Fotolia © swillklitch