Which antivirus solution protects best against ransomware? - None! And yet: no one needs to be encrypted!
by Svenja Koch
The question of a suitable endpoint protection solution to avert damage from current threats is understandable and is often and regularly asked by security managers. My intuitive answer as a penetration tester would be "none" and as a strategic IT security consultant "it's complicated". In fact, however, one could equally ask: "Which smoke detector helps best against fire accelerants?"
Attempting a simple answer to both questions can mostly be considered unserious - while the questioning reveals that the concrete processes (arson) and effective areas of protective measures (smoke detection) are often unknown or taken out of context.
In short, there can be no right answers to wrong questions that go beyond pure marketing. Therefore, in the following sections, I show the basics for the right questions - and even give a few answers.
How does an attack really work?
Attacks, as in the case of ransomware campaigns, are almost never automated, but involve significant amounts of manual attack activity. Typical attack tactics and techniques are documented in the MITRE ATT&CK project (https://attack.mitre.org). These attack activities can be further grouped into individual iterative phases, which are often represented in so-called kill-chain or attack-chain models:
These phases, represented in the figure by three loops, are summarised in a simplified way: Intrusion, Propagation and Endgame.
Usually, not a "single malware" is used, but different malware tools and existing mechanisms of the attacked environment itself are used in combination during the course of the attack.
The entire attack chain often extends over several days to weeks and, in individual cases, months. Financially motivated actors also work in an increasingly professionalised manner and in a division of labour, whereby different persons or even entire groups are responsible for the implementation of individual sub-areas. The observed attacks are thus very effective due to specialisation in individual attack phases or tactics and at the same time have a large broad effect due to parallelisation of campaigns on several victim organisations.
The exemplary characteristics of the individual attack phases are as follows:
Intrusion (duration seconds to minutes, partially automated).
- The intrusion is prepared by e.g. a phishing campaign, which is intended to entice one or more users to execute malicious code (social engineering, initial access).
- User executes malicious code (Execution).
- The malicious code may try to anchor itself in the system in order to survive a restart (persistence) or automatically loads further malicious software.
- The malware (C2 implant) establishes a communication channel to the outside and, if necessary, transmits data such as user name, domain, authorisations, Windows version and AV products. This communication channel is periodically used to retrieve new tasks from the attacker server (Command & Control, C2).
- The system is thus under the control of the attacker and initially serves as a bridgehead into the environment.
Propagation (duration days to weeks, mainly manual)
- From the attacker's point of view, the first step is to take stock of the environment (discovery). For this purpose, additional attack tools are often downloaded (as a file, e.g. AdFind, or directly in memory, e.g. via Powershell and .NET assemblies), but the system's on-board tools are also used (e.g. net user, WMI, cmd.exe).
- If administrative authorisations can be obtained (privilege escalation), plaintext access data or hashes are already read out on the "bridgehead system" (credential access, e.g. via Mimikatz).
- This is followed by targeted propagation (lateral movement, e.g. via RDP, PSexec, WinRM). "On the way", further access data is collected iteratively from users who grant access to further systems or resources with higher authorisations: Lateral Movement à Privilege Escalation à Credential Access à Repeat.
- Additional strategic systems are infected with C2 implants to secure alternative access paths into the environment.
- As soon as the attacker has extended control to the desired access privileges (access, e.g. domain administrator privileges), the propagation phase is completed.
Endgame (duration hours to several years, manual activities, periodic activities if necessary)
- The attacker now has all the necessary access and is sufficiently familiar with the environment (administration practices, protective measures, location of mission-relevant resources/data).
- In the case of long-term access, "maintenance" activities may take place: Regular retrieval of user access data and monitoring of detection mechanisms and processes (e.g. logging, admin email traffic).
- At a convenient time for the attacker, the implementation of the actual mission objectives takes place: Collecting and leaking trade secrets or other sensitive information (collection, exfiltration).
- Covert manipulation or targeted sabotage (target manipulation).
- Combination in the form of blackmail through encryption and additional publication of leaked data. In several cases, the deactivation of countermeasures (such as endpoint protection) was observed immediately before the final roll-out of the encryption malware in order to achieve the greatest possible effect.
- Use of access as a door opener to covertly compromise or harm third parties, e.g. partner companies or customers (supply chain attack).
Resale of access to highest bidders (especially geopolitical actors such as intelligence agencies).
The most important point: activities such as encryption or ransomware execution are mostly at the end of a typical attack chain within the endgame phase. At this point, the attacker has in most cases already been in the environment for weeks or months and has it under complete control.
This fact also means:
The attack activities were not detected beforehand, i.e. existing detection and defence mechanisms such as antivirus were ineffective as a result against all attack activities that had already been successfully carried out - including the takeover of the entire Windows domain and the unnoticed leaking of business-critical data in the amount of terabytes.
Should the endpoint protection solution still pose a potential problem for the attackers, e.g. to identify any encryption, it can be easily deactivated thanks to DA permissions.
Including other protection mechanisms.
On all Windows devices.
Virus scanners usually find viruses, don't they? No, they don't!
Why did the AV solution actually fail before? I would probably need a separate blog post for this, but the short version is: From pentesting and red-teaming experience I can say that most AV/EDR solutions can be circumvented with simple to moderate effort and the providers also only boil with water. This is not only a finding in the pentester community - others are increasingly coming to the same conclusion: https://www.mdpi.com/2624-800X/1/3/21
If one also considers the end-game phase of the attack chain, it is obvious that endpoint protection is hardly relevant at this point. Or - to come back to the comparison made at the beginning and take it completely ad absurdum: Which smoke detector is best able to extinguish a fire when the entire house is on fire and someone has taken out the battery?
How do I protect myself effectively against ransomware?
In contrast to the title of this post, this is a much better question - it is not just about "ransomware/extortion", but any form of business-critical consequential damage caused by attacks. The above does not mean that endpoint protection is completely useless, but that the benefits of such an endpoint protection solution should be seen in the context of a comprehensive security strategy. This also includes classifying the effective ranges and limits of such a solution. Based on IR, pentesting and red-teaming experience, it must not be assumed that an endpoint protection system could reproducibly detect or even prevent real attacks. Instead, it should be seen exclusively as an additional detection mechanism, which as a further security component can in some cases identify and possibly hinder individual attack artefacts - which ideally provides the impetus to forensically examine the affected system and determine the previously concealed "successful" attack activities.
The security of an environment is fundamentally based on the areas of protection, detection and recovery. It is important to note that these areas are interdependent in an ascending order:
- General prevention, hardening and resilience
- Reduction of attack surfaces through e.g. patching, hardening and whitelisting approaches
- Limitation of harmful effects through e.g. network segmentation and authorisation architecture
- Regularly tested backups
- Equally validated disaster recovery strategy
- Proactive testing and controls, e.g. penetration testing, red teaming, phishing simulations, vulnerability scans
- Guidelines and processes for compliance with basic security standards
- Define responsibilities, emergency communication techniques, coordination and decision-making, and processes to declare a security incident.
- Testing and practising emergency measures
- Monitoring of network communication, IDS/IPS, proxy filtering
- Search for attack artefacts independent of cause (threat hunting)
- Capture relevant logs over a sufficient period of time (e.g. security logs, Powershell transcripts, AV)
- Placing traps for early detection (e.g. Canary tokens, honeypots)
- Endpoint protection/AV/EDR
- Event centralisation and its continuous evaluation
- Continuous development of detection capability for new threats
- Already before security incidents: DFIR contact persons, retainer contracts, provision of necessary hard & software, training of personnel, prepared checklists.
- Incident response: implementation of containment measures as early as possible, isolation, preservation of evidence
- Forensic evaluation of the seized material to iteratively identify further damage and initiate necessary containment and evidence preservation measures
- Continuous situation assessment, prioritisation and crisis communication
- Implementation of disaster recovery
- Lessons Learned
Deficiencies in the protection area make detection difficult due to excessive background noise and insufficiently limit the damage effect. Inefficient detection increases damage and recovery costs in the event of an incident, as detection takes place much later - sometimes with effects on business processes that threaten the existence of the company. This is exacerbated above all by the fact that there is often no effective detection and therefore an already long-standing compromise is only uncovered through information from third parties (or encryption). Resulting ineffective recovery activities lead to protracted reconnaissance and repair processes with further accompanying failures, which in some cases cannot be solved economically and threaten the continued existence. From this overload situation it often follows that incident handling is only carried out until the basic working capacity is restored, while the security incident is not finally dealt with and no significant structural improvement can occur. Instead, a continued unsafe practice leads again to significant safety incidents in the future.
No one needs to be encrypted!
In my personal experience and the resulting subjective assessment, all cases of encryption and extortion (or generally business-critical effects of IT attacks) could have been avoided, provided that appropriate organisational and technical measures had been taken in advance with corresponding awareness, moderate effort and a suitable budget - it would have been more than worth it, because the consequential costs of the damage clearly exceed the necessary investments in prevention.
The expectation of being able to exclude certain types of security incidents by choosing a certain endpoint security solution does not fit the reality of IT - apart from marketing slides - but is equally symptomatic of cybersecurity practice in practice. In comparison, however, no one would think of reducing a fire protection concept to just smoke detectors - it is rather a complex of conceptual planning, prevention of causes, isolation into fire compartments, various detection mechanisms, provision and implementation of countermeasures, communication, effective alerting, professional help or even signage, escape routes and much more.
The goal should therefore be to be proactively prepared for an emergency and to develop an awareness of how such scenarios work - also from an attack perspective. It is helpful to accept the occurrence of security incidents as inevitable in order to create the necessary focus: Because the framework conditions for the emergency can then not only be positively influenced by prior measures, but rather actively shaped: Throwing attackers out again on day 1 with empty hands, briefly replacing the defective lock and getting back to the normal daily routine is definitely a realistic perspective - as long as you want to create the conditions for this.