Thwart Ransomware with Modern Endpoint Protection, Detection and Response

By David Finger | May 28, 2021

Ransomware may enter many different ways, but ultimately must compromise the endpoint devices on which data lives. And the consequences go well beyond the financial loss of paying a ransom. Loss of data, downtime of operations, damage to brand and reputation—even if a ransom is paid—are typical results. And while high-profile ransomware attacks target our supply chains and critical infrastructures, the vast majority of attacks happen below the news cycle, impacting businesses just like yours every single day.

Traditionally, organizations relied heavily on a layered defense because most of their workforce was tucked behind enterprise-grade security systems from network to email to server to endpoint. But that all changed in March of 2020 when networks were inverted, and the majority of workers inside the perimeter were suddenly on the outside. Perhaps sensing (or even monetizing) the opportunity, ransomware activity increased sevenfold just during the second half of 2020. 

Given the rapidly increasing volume and sophistication of ransomware attacks, it’s generally accepted that being the target of an attack is just a matter of time, targeting every industry and every size organization around the globe. 

Stopping Ransomware Requires More than Training End-users

Helping workers recognize malicious emails and detect phishing attacks is a critical component of any ransomware defensive strategy. But only one user needs to open a malicious attachment to expose your entire organization to an attack that can shut down your business for days and cost you thousands—or millions—of dollars. Not only that, we are seeing ransomware like DearCry exploiting vulnerabilities to install without end user activity at all. 

But the good news is, you may not be able to avoid becoming a target, but you don’t have to let ransomware succeed. With proper preparation and technology, ransomware attacks can be stopped. 

A comprehensive security strategy applying people, processes and security controls at each stage of the kill chain is recommended. Further, organizations are encouraged to keep, protect and test backups and copies of essential systems off-network. Chains of command, response teams and communication process should be identified, and recovery strategies planned and drilled.

But since these attacks must ultimately land on the endpoint device, the arguably most important technology to prevent ransomware damage is advanced endpoint security that delivers comprehensive prevention, detection, and response functions in real-time. It starts with a new approach—built on behavioral analysis rather than matching to known threat intelligence—to cover increasingly exposed endpoint devices old and new. And it’s been proven very effective, stopping previously unknown components related to the Solarwinds compromiseHafnium exploit and even Darkside ransomware campaign from day 1.

Replacing Your Traditional Endpoint Security

The purpose of a traditional endpoint protection platform (EPP) is to stop threats before they can install on your devices and start to run. Huge lists of signatures, often updated daily, are used to detect and block known threats. But what about unknown threats? What about new attacks designed to evade detections? Cybercriminals own or access the same antivirus and similar endpoint security solutions you do, and they tweak their attacks until the defensive signature no longers detects them. And then, you have to hope that an updated signature gets to you—and gets installed—before the malware does.

The purpose of modern endpoint security- combining EPP + EDR, on the other hand, is to not only block as many attacks as possible but also continue inspecting to detect threats that may have been installed and even started to run on a device in your network. Further they speed response to incidents and minimize their impact, providing your team with critical information regarding how the attack was initiated, which parts of your network have been compromised, what it is currently doing, and what steps to take to remove the attack.

Ideally, a modern endpoint securitysolution detects potentially malicious processes and defuses them in real-time by automatically blocking the potential malicious action. Pausing abnormal behavior buys time for the technology to automatically run an analysis, determine if unexpected behavior is malicious, and then remediate the attack, including stopping ransomware encryption and preventing lateral movement, credential theft, and data exfiltration. And if the behavior is not malicious, systems are released, and things return to normal. And all of this can usually happen faster than an end-user can notice.

The best solution includes both behavior-based EPP and EDR. And ideally, they should be integrated into one solution for unified protection. We know that at some point, advanced threats will inevitably get through a prevention layer, which is why EDR is so essential. 

What to Look for with Endpoint Security

The most critical feature of any modern endpoint security solution with EDR is its ability to automatically provide containment and remediation. These actions include investigating suspicious activities, terminating processes, removing malicious or infected files, eliminating persistency, notifying users, opening tickets, and more. With a combined, behavior-based EPP/EDR solution in place, endpoints can be secured in real-time, both pre-and post-infection, incident response procedures can be standardized, and security and operations resources can be optimized. It’s also essential for the solution to restore encrypted files in real-time across Windows, Mac, and Linux systems new and old. 

A Unified, Behavior-based Automated Approach is Key

As the threat landscape continues to become more sophisticated, a real-time approach that can detect, investigate and respond to threats- based on behavior rather than known threat intelligence- in real-time is critical to address the onslaught of advanced threats and ensure high availability, even during a ransomware attack. As the recent MITRE ATT&CK Evaluations showed, behavior-based detection and response is readily available but most all protection remains dependent on static analysis and known threat intelligence. For organizations looking to move from a reactive to proactive security model, it is essential that they step up to a modern endpoint security approach founded on analyzing dynamic behavior analysis.