Responding to Events that Indicate Ransomware, Insider Threats, and other Egregious Attacks

By Aidan Simister, 10.26.2017, Ransomware


Dial in on malicious modifications

Devastating threats, such as Ransomware and Malicious Insiders, are knocking at your door. Global ransomware damage costs will exceed $5 billion in 2017, up from $325 million in 2015, says the Ransomware Damage Report from Cybersecurity Ventures. Sixty-two percent of insider threats involve employees profiting from sensitive company data, says “Understanding Insider Threats” from Gartner. Increasing cyberattacks are forcing organizations like yours to find solutions that stop these and other threats and return systems to their prior state in a cost-effective manner.

Contrary to widespread assumption, neither native auditing nor Security Information and Event Management (SIEM) software efficiently addresses security incidents. Native auditing cannot notify you of system changes and cyber attacks in progress. SIEM software is costly, bringing unforeseen management and support expenses in addition to a considerable price tag. Security teams that implement SIEM to expose cyberattacks find the systems excessive, demanding too much time to configure. SIEM installations inundate organizations with so many alerts and false positives that they cannot keep up.

As a result, security teams cannot answer simple questions about the source, timing, and purpose of critical alterations to Microsoft products like Active Directory, Group Policies, or SQL Servers. LepideAuditor sifts the raw information that systems create, unites connected events in a single change record, and displays it in a human-readable format. Using LepideAuditor, you can detect indicators of compromise and significant threats such as Ransomware, Malicious Insiders, and other harsh attacks and revert systems to normal.

Diagnose system inconsistencies

LepideAuditor lets you diagnose system events and changes across premier tools such as Microsoft’s Active Directory, Group Policy, SQL Server, Exchange Server, SharePoint Server, File Servers, and Office 365. LepideAuditor creates a change record for each unauthorized adjustment to your environment, including relevant events, leaving confusing raw data noise out of view. The Lepide dashboard continually updates security teams, displaying new unwarranted system modifications.

Lepide’s change records pinpoint who accessed, deleted, or modified files and configurations together with the associated timestamp and system location. Lepide shows you the file or configuration values before and after the incident so you can revert to the previous, known-good configurations.

Identifying Ransomware

A Ransomware attack would appear in the LepideAuditor dashboard as a series of high-volume file modifications because the malware is encrypting many files in rapid succession. You can set a threshold where X number of file changes in Y minutes triggers an action.

Available actions include email alerts, notices via live feed, and alerts via the LepideAuditor mobile app. You can also execute a script using a standard scripting format such as Visual Basic or PowerShell. You can trigger a script to shut down the affected file server or disable the compromised user account.
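The "X changes in Y minutes" threshold described above is a sliding-window rate check keyed on the account and file server doing the writing. The following is an added illustration of that check, not LepideAuditor code: it runs over a constructed list of file-change records (timestamp, user, server, path), raises one alert per (user, server) pair whose change count reaches the threshold inside any window, and attaches the two response actions the text mentions as a plan for a responder script to carry out. The record layout, the function names and the response labels are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-change records (a stand-in for auditor change
# records; not real product output). Fields: time, user, server, path.
SAMPLE_EVENTS = [
    # A user editing a few files over half an hour: normal activity.
    ("2017-10-26 09:00:00", "CORP\\alice", "FS01", "\\\\FS01\\finance\\q3.xlsx"),
    ("2017-10-26 09:12:00", "CORP\\alice", "FS01", "\\\\FS01\\finance\\q3.xlsx"),
    ("2017-10-26 09:25:00", "CORP\\alice", "FS01", "\\\\FS01\\finance\\notes.txt"),
] + [
    # Twelve distinct files rewritten within 33 seconds under one account:
    # the burst pattern that encryption of a share produces.
    ("2017-10-26 10:30:%02d" % (i * 3), "CORP\\bob", "FS01", "\\\\FS01\\hr\\file%02d.docx" % i)
    for i in range(12)
]

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_time(text):
    return datetime.strptime(text, TIME_FORMAT)


def detect_bursts(events, threshold, window_minutes):
    """Return one alert per (user, server) whose change count reaches
    `threshold` inside any sliding window of `window_minutes`.

    Events may arrive unordered; they are sorted by timestamp first so the
    window logic sees them in time order.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (user, server) -> timestamps still inside the window
    alerted = set()              # keys already reported, so each burst alerts once
    alerts = []
    for ts_text, user, server, path in sorted(events, key=lambda e: e[0]):
        ts = parse_time(ts_text)
        key = (user, server)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": user,
                "server": server,
                "count": len(q),
                "window_start": q[0].strftime(TIME_FORMAT),
                "window_end": ts.strftime(TIME_FORMAT),
                # Response plan for a follow-up script (labels are assumed names;
                # the text describes disabling the account or shutting the server down).
                "response": ["disable_user_account", "shut_down_file_server"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS, threshold=10, window_minutes=1):
        print("ALERT: %(count)d changes by %(user)s on %(server)s between "
              "%(window_start)s and %(window_end)s -> %(response)s" % alert)
```

With a threshold of 10 changes in 1 minute the normal user never trips the check, while the burst account is reported as soon as its tenth change lands in the window. Tune the pair against the real write rate of each share: too low a threshold alerts on backup jobs and bulk copies, too high lets a slow encryptor finish before the first alert.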

Unmasking Malicious Insiders

You can isolate insider threats by monitoring environmental reports together with additive and subtractive filtering. Let us say you have a user who should only access certain folders and systems, such as the file notes folder on a file server. You can exclude that activity from LepideAuditor alerts, and alert on user modifications to Active Directory instead. Unauthorized changes to Active Directory are potentially the acts of a malicious insider. You can revert these changes via scripts as they happen.

In another example, an administrator account modifies a security group in Active Directory in an environment with hundreds of domain controllers. There are two problematic events here. First, the administrator adds a user to a security group; then they add the security group to the memberOf attribute of the user object in Active Directory.

LepideAuditor can disclose the affected domain controller, the administrator’s location during the modification, the security group event, the Active Directory event, and the state of the systems before and after the change. With this information, you know the source of the modification and where and how to revert it.

While modifications by a single user could be a malicious insider, you could have an APT attack on your hands if many accounts are making these kinds of changes in ways that only an automated system could orchestrate.
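The three ideas in this section, subtractive filtering of a user's expected activity, additive alerting on Active Directory changes, and the distinction between one account and many accounts making the same kind of change in a short span, can be expressed as small rules over change records. The following is an added example, not LepideAuditor code, run over constructed records (time, user, source, operation, target). The expected-activity table, the rule set, the operation names and the function names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed change records (stand-ins for auditor output, not real data).
# Fields: time, user, source, operation, target.
SAMPLE_RECORDS = [
    # carol works in the notes folder: expected, should not alert.
    ("2017-10-26 11:00:00", "CORP\\carol", "FileServer", "modify", "\\\\FS01\\notes\\meeting.txt"),
    ("2017-10-26 11:05:00", "CORP\\carol", "FileServer", "create", "\\\\FS01\\notes\\todo.txt"),
    # carol changing group membership in Active Directory is outside her role.
    ("2017-10-26 11:20:00", "CORP\\carol", "ActiveDirectory", "group_member_add", "CN=Domain Admins"),
    # Four different accounts altering group membership within 30 seconds:
    # the pattern the text attributes to an automated actor rather than one insider.
    ("2017-10-26 13:00:00", "CORP\\svc-a", "ActiveDirectory", "group_member_add", "CN=Finance-Admins"),
    ("2017-10-26 13:00:10", "CORP\\svc-b", "ActiveDirectory", "group_member_add", "CN=HR-Admins"),
    ("2017-10-26 13:00:20", "CORP\\svc-c", "ActiveDirectory", "group_member_add", "CN=IT-Admins"),
    ("2017-10-26 13:00:30", "CORP\\svc-d", "ActiveDirectory", "group_member_add", "CN=Ops-Admins"),
]

# Subtractive filter: per user, the (source, target prefix) pairs that are part
# of the user's job. Matching records are dropped before any alerting.
EXPECTED_ACTIVITY = {
    "CORP\\carol": [("FileServer", "\\\\FS01\\notes\\")],
}

# Additive filter: (source, operation) pairs that always warrant an alert.
ALERT_RULES = {
    ("ActiveDirectory", "group_member_add"),
    ("ActiveDirectory", "group_member_remove"),
}


def is_expected(record, expected=EXPECTED_ACTIVITY):
    _, user, source, _, target = record
    return any(source == src and target.startswith(prefix)
               for src, prefix in expected.get(user, []))


def filter_records(records, expected=EXPECTED_ACTIVITY):
    """Subtractive step: remove activity the user is allowed to perform."""
    return [r for r in records if not is_expected(r, expected)]


def insider_alerts(records, expected=EXPECTED_ACTIVITY, rules=ALERT_RULES):
    """Additive step: every remaining record that matches an alert rule,
    returned as (user, time, operation, target) so the responder knows who,
    when, what and where."""
    return [(r[1], r[0], r[3], r[4])
            for r in filter_records(records, expected)
            if (r[2], r[3]) in rules]


def automated_pattern(records, min_accounts, window_minutes, rules=ALERT_RULES):
    """Return the sorted accounts that took part in any window of
    `window_minutes` in which at least `min_accounts` distinct accounts made
    rule-matching changes. An empty list means the changes look like the work
    of individual users rather than an orchestrated run."""
    window = timedelta(minutes=window_minutes)
    hits = sorted((datetime.strptime(r[0], TIME_FORMAT), r[1])
                  for r in records if (r[2], r[3]) in rules)
    flagged = set()
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        accounts = {user for _, user in hits[start:end + 1]}
        if len(accounts) >= min_accounts:
            flagged.update(accounts)
    return sorted(flagged)


if __name__ == "__main__":
    for user, when, op, target in insider_alerts(SAMPLE_RECORDS):
        print("AD change outside role: %s %s %s %s" % (when, user, op, target))
    print("accounts in an orchestrated burst:", automated_pattern(SAMPLE_RECORDS, 3, 5))
```

The two filters work in sequence: the subtractive table keeps a user's normal file activity out of the alert stream, and the additive rule set makes any Active Directory membership change by that user visible. The final function separates the single-account case (one insider, one alert) from the many-account case (several accounts acting within seconds of each other), which the text flags as a sign of automation rather than a person at a keyboard.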

Detecting other threats

Whenever you can identify system modifications and intersect those with known behaviors of specific threats, you can gain visibility into attacks as they happen and act to mitigate the onslaught.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.