This article was written and contributed by our partner, ExtraHop. 

During the initial intrusion stage of a ransomware incident, attackers have the advantage. They get to choose how, when, and where they attack an organization. They act stealthily and cautiously as they wait for the right moment to strike.

However, once attackers have achieved initial access to their target's network and entered the post-initial compromise stage of the attack, their control over the environment weakens. They must loop through attack TTPs and move laterally in order to maximize their impact and ensure the largest possible payout. But these activities are noisy, and this is where attackers are most susceptible to being caught, if you know how to look for them. Yet this post-compromise stage is frequently overlooked by defenders.

Instead of watching for key events in a ransomware attack campaign that take place post-compromise, such as command and control (C2) beaconing, network enumeration, lateral movement, and domain escalation, security teams and their defenses continue to focus on the bookends of an attack: initial intrusion and data exfiltration. Perimeter-based prevention strategies have repeatedly proven fallible against social engineering and phishing attacks, zero-day attacks, exploitation of software vulnerabilities, attacks on unsecured cloud assets and vulnerable mobile devices, and good old-fashioned brute force. The alternative? Deploy visibility, detection, and response measures inside the network you want to protect.

Network Visibility and Detection Enable Proactive Ransomware Defense

The time between initial intrusion and ransomware deployment is crucial for defenders. This increasingly small time interval provides defenders with the most opportunities to detect and disrupt attacks before threat actors can achieve their objectives. Why? Because threat actors, as stealthy as they try to be, have to communicate over the very corporate network they're trying to compromise. Any transaction or activity remotely executed by the attackers must, by definition, be visible on the network. Ransomware attacks require at least five actions, all of which are visible from network telemetry. These five actions include:

  1. Movement and reconnaissance internal to the defender's network to locate and identify the defender's critical data artifacts for exfiltration and encryption;
  2. Establishment of an exfiltration path;
  3. Creation of a remote control framework, either through an independent C2 node with escalated privileges or through acquisition of an identity that provides escalated privileges;
  4. Replication, transmission, and exfiltration of the defender's critical data out of the defender's environment; and
  5. Command to execute, followed by execution of encryption routines to remotely encrypt the defender's critical data.

In each of these actions, the network plays an essential role in threat detection because it is where the attacker must operate: it is where the attacker establishes C2 communication, expands access, and escalates privileges. Thus the network alone can observe and identify the ground truth of what attackers are doing. And unlike logs and endpoint detection and response (EDR) agents, the network can't be evaded or disabled. A passive, out-of-band monitoring solution that receives its copy of traffic through taps or port spanning/mirroring has no in-path component for an attacker to reach, so it cannot be tampered with or switched off the way a host-based agent or log forwarder can.

Many early midgame attacker behaviors, such as C2 beaconing, discovery, lateral movement, privilege escalation, and domain escalation, are best detected on the network. I would argue that the only solution that can detect those actions and TTP categories is a network-based solution. Without full network visibility, organizations would need to combine server syslogs or event logs with analysis of processes on endpoints to detect those activities.
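C2 beaconing is the clearest of these midgame behaviors to illustrate from network telemetry alone: an implant that sleeps for a fixed interval and then calls home produces connections whose inter-arrival times are far more regular than any human-driven traffic. The following is an added example, not code from this article or from ExtraHop; it works over constructed flow records (timestamp, source, destination, destination port) that are not real traffic, and it assumes flow data of that shape is available from a tap or span feed. It scores each source/destination/port triple by the coefficient of variation of its connection gaps and reports the ones that look machine-timed.

```python
"""Detect periodic C2 beaconing from flow records by inter-arrival regularity."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows, not real traffic: (epoch seconds, src, dst, dst_port).
# 10.0.0.5 contacts 203.0.113.9:443 roughly every 60 s with +/-1 s jitter,
# the way an implant with a fixed sleep interval would.
# 10.0.0.7 contacts 198.51.100.20:443 at irregular, human-driven intervals.
FLOWS = []
T0 = 1_700_000_000
for i in range(12):
    FLOWS.append((T0 + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.9", 443))
t = T0
for gap in (0, 3, 41, 7, 120, 2, 9, 300, 5, 1, 55, 13):
    t += gap
    FLOWS.append((t, "10.0.0.7", "198.51.100.20", 443))


def interarrival_stats(flows, min_count=8):
    """Group flows by (src, dst, port); for each pair with at least min_count
    connections return the mean gap and the coefficient of variation
    (stdev / mean). A fixed-interval beacon has a CV near 0 even with jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    stats = {}
    for key, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        stats[key] = {"count": len(times), "mean_gap": avg, "cv": pstdev(gaps) / avg}
    return stats


def find_beacons(flows, max_cv=0.2, min_count=8):
    """Return the (src, dst, port) pairs whose timing regularity is below max_cv."""
    return sorted(key for key, s in interarrival_stats(flows, min_count).items()
                  if s["cv"] <= max_cv)


if __name__ == "__main__":
    for key, s in interarrival_stats(FLOWS).items():
        print(key, f"count={s['count']} mean_gap={s['mean_gap']:.1f}s cv={s['cv']:.2f}")
    print("beacon candidates:", find_beacons(FLOWS))
```

The thresholds (eight connections, CV at or below 0.2) are assumptions chosen for the constructed sample; production tooling tunes them per environment and pairs timing regularity with other network-visible signals, such as a destination no other host talks to or near-constant request sizes, to keep legitimate polling clients (update checks, monitoring agents) out of the alert queue.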

Later midgame ransomware activities, including data staging and data exfiltration, are also best detected on the network. Every MITRE ATT&CK Framework tactic associated with the midgame encompasses techniques that are only visible via network monitoring and analysis. Because most of these activities only take place in the East-West corridor, internal to the enterprise network, they can't be detected by next-gen firewalls, which only monitor North-South traffic. And on-premises, network-oriented perimeter solutions are unable to defend cloud assets in a hybrid, virtual, or private cloud. In addition, because most TTPs are behavior-based, signature-based security tools such as IDS, IPS, and antivirus cannot observe the attacker's actions. Meanwhile, EDR tools only provide visibility into processes on endpoints, and thus, can only detect the behaviors originating from endpoints protected and monitored by an EDR agent.

Observing attacker behavior on the network requires the ability to monitor and analyze raw network traffic feeds, including packets, in real time. It is vital to understand and be able to observe three elements of network traffic:

  • Protocols – Some protocols in a defender's environment, such as HL7 and ICCP, are industry specific; knowing which protocols belong there makes atypical protocols introduced by attackers stand out. This includes protocols frequently used by ransomware actors, such as RDP.
  • Traffic volume – The sheer volume of network traffic can be an indicator of an attack, especially if the high volume occurs at an unusual time.
  • Volume and protocols combined – Trends in both volume and protocol use can indicate a gradual deployment of capabilities by ransomware actors in the defender's business environment.
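The three elements above reduce to comparing current traffic against what each host normally does. The following is an added example, not code from this article or from ExtraHop, working over constructed flow records in a simple "time,src,dst,port,bytes" form that stands in for whatever flow export the monitoring platform produces. It builds a per-host baseline (ports used, hours of activity, largest single transfer) from two ordinary days and then flags observed flows for a protocol the host has never used (a first RDP connection), activity at an hour the host is normally quiet, and a transfer far larger than anything in the baseline.

```python
"""Baseline deviation checks over flow records: a protocol the host has never
used, activity at an hour the host is normally quiet, and an outsized transfer."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow records, not real traffic: "iso_time,src,dst,dst_port,bytes".
# BASELINE covers two ordinary working days for workstation 10.0.0.5.
BASELINE = """\
2024-03-04T09:05:00Z,10.0.0.5,10.0.1.10,445,120000
2024-03-04T10:15:00Z,10.0.0.5,10.0.1.10,445,90000
2024-03-04T11:00:00Z,10.0.0.5,10.0.1.20,443,30000
2024-03-05T09:40:00Z,10.0.0.5,10.0.1.10,445,110000
2024-03-05T14:20:00Z,10.0.0.5,10.0.1.20,443,25000
2024-03-05T15:00:00Z,10.0.0.5,10.0.1.20,443,40000
"""
# OBSERVED is the period under review: one normal flow, a first-ever RDP
# connection at 02:10, and a large 03:00 transfer to a host it normally talks to.
OBSERVED = """\
2024-03-06T10:30:00Z,10.0.0.5,10.0.1.10,445,100000
2024-03-06T02:10:00Z,10.0.0.5,10.0.1.30,3389,15000
2024-03-06T03:00:00Z,10.0.0.5,10.0.1.20,443,900000
"""


def parse(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({"time": ts, "hour": when.hour, "src": src, "dst": dst,
                     "port": int(port), "bytes": int(nbytes)})
    return rows


def build_baseline(rows):
    """Per source host: ports used, hours with any activity, largest single flow."""
    ports, hours, max_bytes = defaultdict(set), defaultdict(set), defaultdict(int)
    for r in rows:
        ports[r["src"]].add(r["port"])
        hours[r["src"]].add(r["hour"])
        max_bytes[r["src"]] = max(max_bytes[r["src"]], r["bytes"])
    return {"ports": ports, "hours": hours, "max_bytes": max_bytes}


def detect(baseline_rows, observed_rows, volume_factor=3):
    """Return [(row, reasons)] for observed flows that deviate from the baseline."""
    b = build_baseline(baseline_rows)
    alerts = []
    for r in observed_rows:
        reasons = []
        if r["port"] not in b["ports"].get(r["src"], set()):
            reasons.append("new_protocol")     # e.g. first RDP (3389) from this host
        if r["hour"] not in b["hours"].get(r["src"], set()):
            reasons.append("off_hours")        # activity at an hour never seen before
        if r["bytes"] > volume_factor * b["max_bytes"].get(r["src"], 0):
            reasons.append("high_volume")      # far larger than any baseline flow
        if reasons:
            alerts.append((r, reasons))
    return alerts


if __name__ == "__main__":
    for row, reasons in detect(parse(BASELINE), parse(OBSERVED)):
        print(row["time"], row["src"], "->", f"{row['dst']}:{row['port']}", reasons)
```

A host absent from the baseline trips every check, which is deliberate: a machine with no history is itself worth a look. The two-day baseline and the factor of three are assumptions for the constructed data; a real baseline spans enough weeks to learn weekly rhythms, and the combined volume-plus-protocol trend the third bullet describes is what this check becomes when it is run over successive windows rather than a single snapshot.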

Decryption Matters

Defense against ransomware actors also requires the ability to decrypt encrypted network traffic (SSL, TLS 1.3, Kerberos, NTLM, MSRPC, LDAP, WINRM, SMBv3), for two reasons. One, in most environments as much as 70% of an organization's network traffic is encrypted. Two, since many ransomware actors use custom or atypical encryption to obfuscate their activity, defenders must be able both to see inside traffic that should be encrypted and to identify encryption where none is expected.
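The second reason, spotting encryption where none is expected, can be checked without any key material: ciphertext (and compressed data) has close to the maximum 8 bits of entropy per byte, while protocol text such as an HTTP request sits far lower. The following is an added example, not code from this article or from ExtraHop. The port-to-protocol expectation table, the entropy threshold, and both payloads are constructed assumptions; the pseudo-random blob stands in for ciphertext and was not captured from any network.

```python
"""Flag unexpected encryption: high-entropy payloads on ports expected to carry plaintext."""
import math
import random
from collections import Counter

# Assumed expectation for this example (constructed): these ports should carry
# readable protocol text in this environment.
PLAINTEXT_PORTS = {80: "HTTP", 25: "SMTP", 21: "FTP"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def unexpected_encryption(port: int, payload: bytes, threshold: float = 7.0,
                          min_len: int = 256) -> bool:
    """True when a plaintext-expected port carries a payload that looks encrypted.
    Short payloads are skipped because entropy estimates on them are unreliable."""
    if port not in PLAINTEXT_PORTS or len(payload) < min_len:
        return False
    return shannon_entropy(payload) >= threshold


# Constructed samples: an ordinary HTTP request and a deterministic pseudo-random
# blob standing in for ciphertext. Neither was captured from a real network.
HTTP_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
                b"User-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml\r\n"
                b"Accept-Language: en-US\r\nConnection: keep-alive\r\n\r\n") * 3
CIPHERTEXT_LIKE = random.Random(7).randbytes(2048)


if __name__ == "__main__":
    for port, payload in ((80, HTTP_REQUEST), (80, CIPHERTEXT_LIKE), (443, CIPHERTEXT_LIKE)):
        print(port, f"entropy={shannon_entropy(payload):.2f}",
              "UNEXPECTED" if unexpected_encryption(port, payload) else "ok")
```

Entropy alone cannot tell ciphertext from a gzip-compressed body or an image, so this is a triage signal for the plaintext side of the problem; for the protocols the paragraph lists, where encryption is expected, only actual decryption exposes what is inside.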

The ability to decrypt encrypted protocols like Kerberos, MSRPC, WINRM, and SMBv3 is essential to detecting PowerShell remoting, living off the land techniques, and lateral movement—activities that have been repeatedly documented in ransomware and other attacks. Only network visibility enables a full awareness of both the use and misuse of encryption in the defender's environment.

It's important to note that modern methods of decryption don't decrypt any packets on the wire, so they preserve end-to-end encryption. They also don't rely on "man-in-the-middle" or "break-and-inspect" approaches, so they don't degrade network performance.

Granular, packet-level data and decryption capabilities are also essential to incident response and forensic investigation, as only full packets can tell incident responders exactly how a ransomware attack took place.
