Attivo Networks has added new capabilities to its endpoint detection net (EDN), which are designed to increase protection against the next generation of ransomware.
The capabilities aim to improve file protection against ‘human-operated' ransomware, also known as ransomware 2.0 – which is more advanced and complex than standard ransomware. It is designed to bypass traditional security controls and often do not encrypt data on the first networks that they compromise. Instead, they seek to conduct network discovery, move laterally, identify high-value assets, and use Active Directory to explore a network. A ransom demand takes place only after the attackers have the highest-value assets to hold to ransom.
Attivo Networks created ransomware protection capabilities by hiding key locations, such as cloud storage, mapped shared networks, production files, removable disks, and selected files or folders. This means the ransomware operates within a decoy environment, thus limiting the potential for full network compromise – including an organisation's most valuable assets.
“Advanced human-controlled ransomware can evade endpoint security controls and after initial compromise, move laterally to cause maximum damage, do data exfiltration and encrypt data,” comments Attivo Networks senior vice president of engineering, Srikant Vissamsetti.
According to a 2019 Attivo Networks Top Threat Detection Trends Survey, 66% of respondents indicated that ransomware remained a top security concern.
Attivo Networks states that traditional security controls only prevent the initial compromise of a system, leaving it exposed when advanced attacks bypass a system's security and quietly work to elevate their attack.
“Combatting sophisticated ransomware requires a new approach with new methods of disrupting these attackers. Attivo is now offering a comprehensive and unique solution that is shifting power back to the defenders. These innovative capabilities not only prevent successful attacks but will also quickly and efficiently derail any attacker attempting to move undetected through the on-premises or cloud networks.
There are five primary techniques that the Attivo Networks EDN ThreatDefend platform provides to reduce the risk and prevent the spread of a ransomware attack.
These work collectively to stop infections and detect in-network threats and other activities criminals would employ to escalate their attack. It:
- Prevents attackers from seeing or exploiting production files, folders, removable disks, network shares, and cloud storage
- Detects attempted exploitation and encryption of decoy file shares (when used in conjunction with BOTsink deception servers)
- Slows an attack by distracting it with high-interaction deception techniques
- Detects credential theft and attempted enumeration of local administrator accounts and Active Directory for privilege escalation
- Provides native integrations that deliver automated isolation and reduce response time.