This is one of many articles in the Empowering Modern Security Operations Center (SOC) blog series. In this article we discuss ransomware alongside other emerging cybersecurity threats, and how to detect and prevent malware using VMware Carbon Black Cloud next-generation antivirus (NGAV), Endpoint Detection and Response (EDR), and the Audit & Remediation vulnerability solution.
In early 2020, when the global pandemic began, companies faced the unprecedented challenge of moving their workforces to remote work almost overnight. The world became significantly more connected and, as a result, more exposed digitally.
COVID-19 forced cybersecurity professionals to reorder their priorities and focus on supporting remote work securely. Bring-your-own-device (BYOD) became the norm, meaning employees now connect to corporate servers and data from personal computers and devices the organization does not manage. This has significantly expanded the attack surface and threat landscape and requires new methods of protection: threat detection and response solutions need advanced, next-generation capabilities to address the risks introduced by remote work during the pandemic.
In computer security, a vulnerability is a flaw or weakness that allows an attacker to reduce a system's information assurance. A vulnerability is exploitable only when three elements are present: a weakness in the system, attacker access to that weakness, and an attacker capability (a tool or technique) to exploit it.
An endpoint is a physical computer or virtual machine that connects to the corporate network to reach corporate servers and data. For more than a decade, corporations have relied on traditional antivirus to secure endpoints, but those solutions can no longer protect endpoints from modern, highly sophisticated attacks.
As remote work increases, vulnerability management becomes paramount to ensuring that company assets are not accessed from vulnerable endpoints.
Endpoint vulnerability management has traditionally been split between the operating system and the applications installed on it. Operating system examples are Windows, Linux and macOS; application examples are Microsoft Word, Google Chrome and Adobe Reader.
According to the OWASP Vulnerability Management Guide (OVMG), a unified platform that covers both operating system and application vulnerabilities is needed to provide a complete picture of the threat posed to an endpoint at any given time.
Remote work and bring-your-own-device have broadened the set of endpoints that reach corporate resources. Ransomware is the top endpoint security threat, compounded by a lack of visibility and by identity and access management gaps. The FBI defines ransomware as a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for renewed access.
VMware Carbon Black Enterprise EDR is an advanced threat hunting and incident response solution delivering continuous visibility for security operations centers (SOCs) and incident response (IR) teams. VMware Carbon Black's efficacy strategy is built around the adversary lifecycle. In a ransomware intrusion, for example, the adversary typically works toward dumping credentials and escalating privileges, and each of those steps is an opportunity to detect and stop the attack before files are encrypted.
Know your endpoints
In a vulnerability management lifecycle, the important steps are: Discover, Prioritize Assets, Assess, Report, Remediate, Verify.
The VMware Carbon Black sensor inventories the endpoint's operating system (for example Windows 7 or 10, Windows Server 2016 or 2019) and its installed applications for vulnerabilities, regardless of where the device is located. The gathered vulnerability information is reported to Carbon Black Cloud (CBC) for reporting and analysis.
The Carbon Black Cloud console is a unified platform to manage alerts, configure prevention policies, and investigate alerts that need further analysis. It also provides a context-aware list of the vulnerabilities present on endpoints across the organization.
Figure 1: Carbon Black Cloud Console | Vulnerabilities screen, view by endpoints
In figure 1, the Carbon Black Cloud (CBC) console view is set to show all endpoints. It provides complete visibility into the operating system (Windows 7 or 10, Windows Server 2016 or 2019) and installed-application vulnerabilities on each endpoint, which is one way to prioritize patching efforts for high-value endpoints.
Figure 2: Carbon Black Cloud Console | Vulnerabilities screen, view by vulnerabilities
If you have limited staff and need to address critical vulnerabilities first, the VMware Carbon Black Cloud (CBC) console lets you view the vulnerabilities; sort and filter by endpoint, risk score, or vulnerability (CVE) to identify the key issues; and export the results in a format you can tailor for change management approvals or IT operations reporting.
In figure 2, the view is set to sort by vulnerability, so you can see the operating system and installed-application risk per vulnerability and the endpoints affected. When a new CVE is published, its CVSS base score is a fixed number: it describes the severity of the flaw in the abstract, not whether it is being exploited in the wild or how important the affected asset is in your environment. A critical piece of the prioritization puzzle is the context needed to understand the true level of risk a vulnerability poses to your organization. Kenna Security's Risk Score, which you can find within VMware Carbon Black Cloud, ingests and processes billions of data points from internal and external sources, including more than 18 threat and exploit intelligence feeds, and applies data science techniques such as predictive modeling and machine learning to deliver a risk score for every vulnerability.
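To make the prioritization point concrete, the following is an added example (not VMware or Kenna code) that rolls up a per-endpoint vulnerability export into a patch list ordered by a context-adjusted risk rather than by raw CVSS. The CSV column names, the sample rows, the placeholder CVE identifiers and the scoring weights are all assumptions made for illustration; the Kenna Risk Score itself is proprietary and is not reproduced here. The example shows how a CVSS 7.8 flaw with a known exploit on a critical server can and should outrank a CVSS 9.8 flaw with no known exploit.

```python
"""Prioritize a vulnerability export by risk context, not CVSS alone.

Added example, not vendor code. It assumes a CSV export with the columns
shown in SAMPLE_EXPORT; the column names, sample rows, placeholder CVE
identifiers and scoring weights are illustrative assumptions.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export (not real CBC data): one row per (endpoint, CVE).
# The CVE identifiers are placeholders, not real CVE entries.
SAMPLE_EXPORT = """\
endpoint,os,product,cve,cvss,exploit_in_wild,asset_tier
fin-srv-01,Windows Server 2019,Adobe Reader,CVE-0000-0002,7.8,yes,critical
fin-srv-01,Windows Server 2019,Windows,CVE-0000-0001,9.8,no,critical
hr-laptop-07,Windows 10,Google Chrome,CVE-0000-0002,7.8,yes,standard
hr-laptop-07,Windows 10,Windows,CVE-0000-0003,5.3,no,standard
dev-vm-12,Windows 10,Windows,CVE-0000-0001,9.8,no,low
"""

# Illustrative weights (an assumption, not Kenna's model): a flaw with a
# public exploit in use is treated as far riskier than its base score implies,
# and the same flaw matters more on a business-critical asset.
EXPLOIT_MULTIPLIER = {True: 2.0, False: 1.0}
TIER_WEIGHT = {"critical": 1.5, "standard": 1.0, "low": 0.6}


@dataclass(frozen=True)
class Finding:
    endpoint: str
    os: str
    product: str
    cve: str
    cvss: float
    exploit_in_wild: bool
    asset_tier: str


def parse_export(text: str) -> list[Finding]:
    """Parse the CSV export, rejecting out-of-range CVSS values instead of guessing."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        cvss = float(row["cvss"])
        if not 0.0 <= cvss <= 10.0:
            raise ValueError(f"CVSS out of range for {row['cve']}: {cvss}")
        findings.append(Finding(
            endpoint=row["endpoint"], os=row["os"], product=row["product"],
            cve=row["cve"], cvss=cvss,
            exploit_in_wild=row["exploit_in_wild"].strip().lower() == "yes",
            asset_tier=row["asset_tier"].strip().lower(),
        ))
    return findings


def risk_score(f: Finding) -> float:
    """Context-adjusted risk for one finding on one endpoint (illustrative formula)."""
    score = f.cvss * EXPLOIT_MULTIPLIER[f.exploit_in_wild]
    score *= TIER_WEIGHT.get(f.asset_tier, 1.0)  # unknown tier: no adjustment
    return round(score, 1)


def prioritize(findings: list[Finding]) -> list[dict]:
    """Roll findings up per CVE: highest adjusted risk first, then most endpoints."""
    by_cve: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_cve[f.cve].append(f)
    rows = []
    for cve, group in by_cve.items():
        rows.append({
            "cve": cve,
            "cvss": max(f.cvss for f in group),
            "risk": max(risk_score(f) for f in group),
            "endpoints": sorted({f.endpoint for f in group}),
            "products": sorted({f.product for f in group}),
        })
    rows.sort(key=lambda r: (-r["risk"], -len(r["endpoints"]), r["cve"]))
    return rows


def cvss_only_order(findings: list[Finding]) -> list[str]:
    """The ordering the static base score alone would give, for comparison."""
    best: dict[str, float] = {}
    for f in findings:
        best[f.cve] = max(best.get(f.cve, 0.0), f.cvss)
    return sorted(best, key=lambda c: (-best[c], c))


if __name__ == "__main__":
    findings = parse_export(SAMPLE_EXPORT)
    print("CVSS-only order:", cvss_only_order(findings))
    for r in prioritize(findings):
        print(f"{r['cve']}  cvss={r['cvss']}  risk={r['risk']}  "
              f"endpoints={len(r['endpoints'])}  products={','.join(r['products'])}")
```

On the constructed data, CVSS alone puts the 9.8 Windows flaw first, while the adjusted list puts the exploited 7.8 flaw in Adobe Reader and Chrome at the top because it is being exploited and sits on a critical server. Rolling up by CVE also gives the affected-endpoint count per issue, which is the number a change ticket usually needs.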
Ransomware prevention by VMware Carbon Black Cloud (CBC)
The following screenshots show how the VMware Carbon Black solution stops a ransomware attack.
The most common initial access technique for ransomware is a phishing email. The term "phishing" is a play on "fishing": criminals dangle a fake lure (a legitimate-looking email, website, or ad) hoping users will bite by opening an attachment or clicking a link in the phishing email.
Figure 3: Phishing email with a ransomware attachment
If a user opens the attachment in a phishing email, VMware Carbon Black Cloud prevention policies block the attack and keep the endpoint safe, based on the policies configured in the Carbon Black Cloud (CBC) console.
Figure 4: Notification about the blocked ransomware attack
The user is notified by a pop-up (figure 4) that they opened a ransomware file from a phishing email. The threat is blocked automatically by Carbon Black Cloud (CBC) to keep the endpoint secure, and no further action is required from the user. A policy can be configured to suppress this notification for end users.
In the next blog, we will discuss alerts shown in the Carbon Black Cloud console when ransomware is prevented and how to leverage that data for threat hunting.