Confident Endpoint Visibility Responds to Modern Data Protection Problems

Consumer tech adoption has outpaced tech evolution in business for more than ten years. SaaS and cloud solutions, new apps and devices are at the disposal of empowered workers, making it very easy for employees to get what they need to work anywhere or—despite policies forbidding it—take career-making IP as they exit one company for the next. Legacy backup can neither unlock nor disarm these threats.

At the same time, data has become the new currency: cyber-crime syndicates have boomed with new variations on stealing or disabling data, particularly spear phishing and ransomware targeted at employees. As for breach, the headlines say it’s not a matter of if. It’s when. Legacy backup, long rejected by workers, simply cannot address these threats.

Finally, encrypted data moving through the network has made the intelligence it houses opaque—even to its stewards. A CISO recently shared with us that more than 75% of his network traffic is encrypted, making it nearly impossible to identify the threats facing his organization.

While it’s safe to say encryption is a must, it also means the focus of security must shift to the endpoints to mitigate risk and regain control.

Modern endpoint backup sees what you can’t
Modern endpoint backup gives IT and InfoSec the ability to see, monitor movement of and recover data housed on every employee device.

It neutralizes the threat of ransomware by making up-to-the-minute data recovery simple and fast. It decreases the cost of litigation by leveraging a complete dataset for legal holds, and it supports rapid response and remediation of breach via data attribution—with or without the device. From a productivity perspective, modern endpoint backup makes everyday challenges like data migration a lighter lift for IT and end users.

In response to modern data security problems, more than 39,000 businesses—including ten of the most recognized brands in the world, the 7 of the top 10 technology brands, and 7 of the 8 Ivy League schools—have adopted Code42 to regain visibility and mitigate risk.

In 2008, Code42 launched its enterprise endpoint backup software—knowing it was time for backup to catch up. Now approaching its sixth-generation platform, Code42 provides visibility of all the data through a single console and the real-time recovery and security tools the enterprise needs to be more resilient, more accountable, and more defensible.

Modern endpoint backup imparts the right to “Be Certain” in the face of modern data protection and security problems. We invite you to find out how.

Joe Payne, President and CEO, Code42

[Cloud Security Alliance Blog]

Extending AutoFocus Threat Intelligence With New Tag Types

In previous posts we have discussed how AutoFocus accelerates the analysis, hunting, and incident response workflows by providing full context for threat events seen on your network, as well as high-level visibility into how targeted a threat is against you or your industry peers.

This visibility into the threat landscape enables teams to move away from chasing alerts, instead prioritizing response activities for the most critical threats, and proactively implementing new defensive measures. The real power of AutoFocus is its ability to not only consolidate billions of indicators from WildFire customers around the globe, but more importantly to provide a platform for deriving intelligence and context around those indicators through crowd-sourced tags. AutoFocus customers can develop their own private tags for internal company use, or they can choose to share them publicly for the benefit of all AutoFocus users. And of course, all AutoFocus customers benefit from the expertise of Unit 42, our threat intelligence team, which is constantly monitoring the front lines and dark recesses of the web to identify new malware families and attack campaigns, publish research, and develop new tags.

Previously, AutoFocus tags were targeted in two areas:

  • Malware Family tags, based on any combination of behavioral and atomic characteristics of a malware family. These are highly durable, and allow security teams to detect and gain context on new variants and other tweaks the malware authors make to avoid detection.
  • Campaign tags, which provide a way to “bucketize” atomic indicators such as hashes and domains related to a threat campaign or Unit 42 report, providing responders with the additional context to know that an alert is not just bad but related to a known adversary or campaign. These Campaign tags can also be used proactively to implement defenses in advance of an actual attack on your company or industry.

AutoFocus is constantly evolving, and with the release of the 1.0.7 version of AutoFocus today, we have further enhanced our ability to provide context into events and facilitate speedy educated response. AutoFocus tags can now differentiate between tag classes, such as Malware Family and Campaigns (See Figure 1), which helps responders know immediately if an tagged event is based on internal intelligence or from Unit 42 researchers.

In this release of AutoFocus, Unit 42 researchers have also added an additional class of tag, Malicious Behavior, to provide additional insight into the capabilities or intent of a piece of malware. Even if a malware sample is unique enough that an existing Malware Family tag has not been developed, it very likely will match an existing Malicious Behavior tag that provides the responder immediate insight into what a piece of malware is trying to do. Additionally, because the Malicious Behavior tags are behavior-based, they can even apply to benign samples that may exhibit some questionable behavior, thus warranting further research.

Figure 1 Malicious Behavior and Malware Family tags represented in AutoFocus.

To showcase the power and flexibility of the Malicious Behavior tags, we have selected a range of new Malicious Behavior tags to help you visualize the wide range of capabilities this new tag class provides.

Since malware normally has to communicate to an external server for command and control or to download additional malware, it frequently takes steps to lower the security posture of the affected system by modifying the Windows Firewall settings or even disabling it altogether. This tag detects a wide variety of mechanisms malware can utilize to modify the firewall, including the legitimate command line utilities and changes to the system registry.

A common goal of Android malware is to intercept, read, or delete SMS messages from an infected device. Not only are there privacy and data theft implications, but also this tactic can be used to prevent detection or hide ongoing activity. (Note that this behavior does not include sending SMS messages, which is a different tag.)

There are a wide variety of malware families that attempt to steal digital currency such as Bitcoin, and often this capability is bundled with other common malware families that may normally lack that “feature”. This tag highlights the common approaches taken to access or steal the most prevalent digital currencies.

PowerShell is a powerful command-line shell with an associated scripting language, commonly used for administrative activities and automation. Of course our adversaries also leverage this tool to perform a wide range of nefarious activities. One capability that PowerShell provides is the ability to query the system to identify installed Antivirus software, which obviously is useful information for avoiding detection, taking steps to disable AV, or otherwise gaining insight into the system or environment for reconnaissance purposes.

Malicious software is often injected into legitimate running processes on affected systems to make identification and recovery of the malware more difficult. There are a wide variety of mechanisms for injecting code, and more often than not this is indicative of malicious activity that warrants further investigation.

Browser Helper Objects (BHO) were designed by Microsoft to provide a way to add third-party extensions to Internet Explorer to enhance functionality, but BHO have also been leveraged for malicious intent. The addition of a BHO to a system could be a legitimate activity, or it could be more nefarious such as an adware toolbar or even malware designed to hijack or intercept internet browsing.

One of the primary goals of Advanced threat actors is credential theft, and normally this starts with the local system credentials which are then used to attempt to spread laterally across the network. Legitimate software should rarely, if ever, attempt to access the local SAM database.

Microsoft Windows has security measures to prompt the user before executing files downloaded from the internet, and malware often tries to avoid this prompt, which would alert the user that something malicious was potentially happening and help prevent it. Unfortunately there are system changes that malware can implement to prevent the “Open File – Security Warning” dialog box from appearing.

The Volume Snapshot Service, also known as Shadow Copy, is a backup and recovery technology in Windows that can be used to restore a system to a previously “known good” state after a system crash or faulty software installation. Shadow copies can also be used to restore from malware infections, so malware, especially ransomware, will often attempt to delete these backups to prevent the user from being able to restore his or her system.

Attackers and malware authors often want to get a quick snapshot of a compromised system, or even a more complete local network recon, which is then uploaded to the command and control server. Usually this reconnaissance is performed with a variety of common built-in Windows commands, which while commonly used by Administrators are rarely executed by benign software.

Hopefully this introduction into Malicious Behavior tags gave you some insight into the power of this capability and its ability to provide as much context as possible to responders immediately. The goal of AutoFocus is to empower security teams to protect their organizations from unique and targeted attacks, and the use of real-time, full-context insight into the events happening not only on their network but across the Palo Alto Networks customer base is the first step in that process.

[Palo Alto Networks Research Center]

English
Exit mobile version