Welcome to reality
Ever since I started working in IT Security more than 10 years ago, I wondered, what helps defend against malware the best?
This simple question does not stand on its own, as there are several follow-up questions to that:
- How is malware defined? Are we focusing solely on Viruses and Trojans, or do we also include Adware and others?
- What malware types are currently spread across the globe? What died of old age and what is brand new?
- How does malware operate? Is file-less malware a short-lived trend or is it here to stay?
- What needs to be done to adequately defend against malware? What capabilities are needed?
- What defenses are already in place? Are they configured correctly?
This blog will guide you through my research and thought process around these questions and how you can enable yourself to answer these for your own organization!
A quick glance into the past
As mentioned above, the central question “what helps best?” has followed me throughout the years, but my methods to be able to answer this question have evolved. The first interaction I had with IT Security was more than 10 years ago, where I had to manually deploy new Anti-Virus software from a USB-key to around 100 devices. The settings were configured by a colleague in our IT-Team, and my job was to help remove infections when they came up, usually by going through the various folders or registry keys and cleaning up the remains. The most common malware was Adware, and the good-ol obnoxious hotbars which were added to the browser. I remember one colleague calling into IT saying “my internet has become so small, I can barely even read 5 lines of text” which we later translated into “I had 6 hotbars installed on my Internet Explorer so there was nearly no space left for the content to be displayed”.
Exemplary picture of the “internet” getting smaller.
Jump ahead a couple of years, I started working with McAfee ePolicy Orchestrator to manage and deploy Anti-Malware from a central place automatically, and not just for our own IT, but I was allowed to implement McAfee ePO into our customers’ environments. This greatly expanded my view into what happens in the world of malware and I started using the central reporting tool to figure out where all these threats were coming from:
Also, I was able to understand how the different McAfee tools helped me in detecting and blocking these threats:
But this only showed the viewpoint of one customer and I had to manually overlay them to figure out what defense mechanism worked best. Additionally, I couldn’t see what was missed by the defense mechanisms, either due to configuration, missing signatures, or disabled modules. So, these reports gave me a good viewpoint into the customers I managed, but not the complete picture. I needed a different perspective, perhaps from other customers, other tools, or even other geo-locations.
Let us jump further ahead in my personal IT security timeline to about June 2020:
How a new McAfee solution changed my perception, all while becoming a constant pun
As you could see above, I spent quite a lot of time optimizing setups and configurations to assist customers in increasing their endpoint security. As time progressed, it became clear that solely using Endpoint Protection, especially only based on signatures, was not state of the art. Protection needs to be a combination of security controls rather than the obnoxious silver bullet that is well overplayed in cybersecurity. And still, the best product or solution set doesn’t help if you don’t know what you are looking for (Questions 1 and 2), how to prepare (Question 4) or if you misconfigured the product, e.g. by including all subfolders of “C:\” as an exclusion for On-Access-Scanning (Question 5).
Then McAfee released MVISION Insights this summer and it clicked in my head:
- I can never use the word “insights” anymore as everyone would think I use it as a pun
- MVISION Insights presented me with verified data of current campaigns running around in the wild
- MVISION Insights also aligns the description of threats to the MITRE ATT&CK® Framework, making them comparable
- From the ATT&CK® Framework I could also link from the threat to defensive capabilities
With this data available it was possible to create a heatmap not just by geo-location or by the very high number of new threats every day, hour or even minute, but by how specific types of campaigns are operating out in the wild. To start assessing the data, I took 60 ransomware campaigns dating between January and June 2020, pulled out all the MITRE ATT&CK® techniques that had been used and displayed them on a heatmap:
Amber/orange: used the most; green: used in only 1 or 2 campaigns
Reality Check 1: Does this mapping look accurate?
For me it does, and here is why:
- Initial Access comes from either having already access to a system or by sending out spear phishing attachments
- Execution uses various techniques from CLI, to PowerShell and WMI
- Files and network shares are being discovered so the ransomware knows what to encrypt
- Command and control techniques need to be in place to communicate with the ransomware service provider
- Files are encrypted on impact, which is kind of a no-brainer, but on the other hand it confirms what we intuitively feel ransomware is doing, and it is underlined by the work of the threat researchers and the resulting data
Next, we need to understand what can be done to detect and ideally block ransomware in its tracks. For this I summarized key malware defense capabilities and mapped them to the tactics being used most:
| MITRE Tactic | Security Capability | Example McAfee solution features |
|---|---|---|
| Execution | Attack surface reduction | ENS Access Protection and Exploit Prevention, MVISION Insights recommendations |
| | Multi-layered detection | ENS Exploit Prevention, MVISION Insights telemetry, MVISION EDR Tracing, ATD file analysis |
| | Multi-layered protection | ENS On-Access-Scanning using Signatures, GTI, Machine-Learning and more |
| | Rule & Risk-based analytics | MVISION EDR tracing |
| | Containment | ENS Dynamic Application Containment |
| Persistence | Attack surface reduction | ENS Access Protection or Exploit Prevention, MVISION Insights recommendations |
| | Multi-layered detection | ENS Exploit Prevention, MVISION Insights telemetry, MVISION EDR Tracing, ATD file analysis |
| | Sandboxing and threat analysis | ATD file analysis |
| | Rule & Risk-based analytics | MVISION EDR tracing |
| | Containment | ENS Dynamic Application Containment |
| Defense Evasion | Attack surface reduction | ENS Access Protection and Exploit Prevention, MVISION Insights recommendations |
| | Multi-layered detection | ENS Exploit Prevention, MVISION Insights telemetry, MVISION EDR Tracing, ATD file analysis |
| | Sandboxing and threat analysis | ATD file analysis |
| | Rule & Risk-based analytics | MVISION EDR tracing |
| | Containment | ENS Dynamic Application Containment |
| Discovery | Attack surface reduction | ENS Access Protection and Exploit Prevention |
| | Multi-layered detection | ENS Exploit Prevention, MVISION EDR Tracing, ATD file analysis |
| | Sandboxing and threat analysis | ATD file analysis |
| | Rule & Risk-based analytics | MVISION EDR tracing |
| Command & Control | Attack surface reduction | MVISION Insights recommendations |
| | Multi-layered detection | ENS Firewall IP Reputation, MVISION Insights telemetry, MVISION EDR Tracing, ATD file analysis |
| | Multi-layered protection | ENS Firewall |
| | Rule & Risk-based analytics | MVISION EDR tracing |
| | Containment | ENS Firewall and Dynamic Application Containment |
| Impact | Multi-layered detection | MVISION EDR tracing, ATD file analysis |
| | Rule & Risk-based analytics | MVISION EDR tracing |
| | Containment | ENS Dynamic Application Containment |
| | Advanced remediation | ENS Advanced Rollback |
A description of the McAfee Solutions is provided below.
Now this allowed me to map the solutions from the McAfee portfolio to each capability, and with that indirectly to the MITRE tactics. But I did not want to end here, as different tools might take a different role in the defensive architecture. For example, MVISION Insights can give you details around your current configuration and automatically overlays it with the current threat campaigns in the wild, giving you the ability to proactively prepare and harden your systems. Another example would be using McAfee Endpoint Security (ENS) to block all unsigned PowerShell scripts, effectively reducing the risk of being hit by a file-less malware based on this technology to nearly 0%. On the other end of the scale, solutions like MVISION EDR will give you great visibility of actions that have occurred, but this happens after the fact, so there is a high chance that you will have some cleaning up to do. This brings me to the topic of “improving protection before moving into detection” but this is for another blog post.
Coming back to the mapping shown above, let us quickly do…
Reality Check 2: Does this mapping feel accurate too?
For me it does, and here is why:
- Execution, persistence, and defense evasion are tactics where a lot of capabilities are present, because there are many mature security controls that govern what is executed and in what context, and defense evasion techniques in particular are well suited to detection and protection.
- Discovery has no real protection capability mapped to it, as tools might give you indicators that something suspicious is happening, but blocking every potential file discovery activity would have a very large operational impact. However, you can use sandboxing or other techniques to assess what the ransomware is doing and use the result of this analysis to stop ongoing malicious processes.
- Impact has a similar story, as you cannot block any process that encrypts a file, as there are many legitimate reasons to do so and hundreds of ways to accomplish this task. But again, you can monitor these actions well and with the right technology in place, even roll back the damage that has been done.
Now with all this data at hand we can come to the final step and bring it all together in one simple graph.
One graph to bind them…
Before we jump into our conclusion, here is a quick summary of the actions I have taken:
- Gather data from 60 ransomware campaigns
- Pull out the MITRE ATT&CK techniques being used
- Map the necessary security capabilities to these techniques
- Bucketize the capabilities depending on where they are in the threat defense lifecycle
- Map McAfee solutions to the capabilities and apply a weight to the score
- Calculate the score for each solution
- Create graph for the ransomware detection & protection score for our most common endpoint bundles and design the best fitting security architecture
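The steps above, worked through on constructed data as an added example (this is not the post's own scoring model or any McAfee code): it builds the technique heatmap from the earlier section, rolls technique counts up to tactics, applies the tactic-to-capability table, and scores hypothetical bundles. The capability weights, bundle contents and sample campaigns are assumptions; the ATT&CK IDs are real.

```python
from collections import Counter
# Constructed sample campaigns (not the 60 real ones behind the post's heatmap), with ATT&CK IDs used.
CAMPAIGNS = {
    "campaign-A": {"T1566.001", "T1059.001", "T1083", "T1135", "T1071.001", "T1486"},
    "campaign-B": {"T1078", "T1059.003", "T1083", "T1071.001", "T1486"},
    "campaign-C": {"T1566.001", "T1047", "T1083", "T1135", "T1562.001", "T1486"},
    "campaign-D": {"T1566.001", "T1059.001", "T1547.001", "T1083", "T1486"},
}
# Technique -> tactic (real ATT&CK IDs; only the tactic relevant here is kept).
TACTIC = {"T1566.001": "Initial Access", "T1078": "Initial Access",
          "T1059.001": "Execution", "T1059.003": "Execution", "T1047": "Execution",
          "T1547.001": "Persistence", "T1562.001": "Defense Evasion",
          "T1083": "Discovery", "T1135": "Discovery",
          "T1071.001": "Command & Control", "T1486": "Impact"}
# Tactic -> capabilities, following the post's table (Initial Access is not in it).
ASR, MLD, MLP, SBX = ("Attack surface reduction", "Multi-layered detection",
                      "Multi-layered protection", "Sandboxing and threat analysis")
RRA, CON, REM = "Rule & Risk-based analytics", "Containment", "Advanced remediation"
CAPABILITIES = {
    "Execution": {ASR, MLD, MLP, RRA, CON},
    "Persistence": {ASR, MLD, SBX, RRA, CON},
    "Defense Evasion": {ASR, MLD, SBX, RRA, CON},
    "Discovery": {ASR, MLD, SBX, RRA},
    "Command & Control": {ASR, MLD, MLP, RRA, CON},
    "Impact": {MLD, RRA, CON, REM},
}
# Lifecycle-bucket weight per capability (assumed: protecting before execution counts most).
WEIGHT = {ASR: 3, MLP: 3, CON: 2, SBX: 2, REM: 2, MLD: 1, RRA: 1}
# Hypothetical bundles and the capabilities they cover (assumed, not real licensing).
BUNDLES = {
    "epp": {ASR, MLD, MLP},
    "epp+edr": {ASR, MLD, MLP, RRA, CON},
    "epp+edr+sandbox": {ASR, MLD, MLP, RRA, CON, SBX, REM},
}

def technique_heatmap(campaigns):
    """Step 2: number of campaigns using each technique (the heatmap data)."""
    return Counter(t for techs in campaigns.values() for t in techs)

def tactic_pressure(campaigns):
    """Sum the technique counts per tactic: how much each tactic matters."""
    pressure = Counter()
    for tech, n in technique_heatmap(campaigns).items():
        pressure[TACTIC[tech]] += n
    return pressure

def bundle_score(bundle, campaigns):
    """Steps 3-6: weighted capability coverage, as % of the maximum achievable."""
    pressure, achieved, maximum = tactic_pressure(campaigns), 0, 0
    for tactic, caps in CAPABILITIES.items():
        for cap in caps:
            maximum += pressure[tactic] * WEIGHT[cap]
            if cap in BUNDLES[bundle]:
                achieved += pressure[tactic] * WEIGHT[cap]
    return round(100 * achieved / maximum, 1)
```

With these assumptions the three bundles score 54.2, 83.3 and 100.0, reproducing the left-to-right rise the post describes; swapping in your own weights and capability inventory gives the score for your environment.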
So, without further ado and with a short drumroll I want to present to you the McAfee security architecture that best defends against current malware campaigns:
For reference, here is a quick breakdown of the components that make up the architecture above:
MVISION ePO is the SaaS-based version of our famous security management solution, which makes it possible to manage a heterogeneous set of systems, policies, and events from a central place. Even though I have mentioned the SaaS-based version here, the same is true for our ePO on-premises software as well.
MVISION Insights is a key data source that helps organizations understand what campaigns and threats are trending. This is based on research from our Advanced Threat Research (ATR) team who use our telemetry data inside our Global Threat Intelligence (GTI) big-data platform to enhance the details that are provided.
MVISION Endpoint Detection & Response (EDR) is present in multiple boxes here, as it is a sensor on one side, which sits on the endpoint and collects data, and it is also a cloud service which receives, stores and analyses the data.
EPP is our Endpoint Protection Platform, which contains multiple items working in conjunction. First there is McAfee Endpoint Security (ENS) that is sitting on the device itself and has multiple detection and protection capabilities. For me, the McAfee Threat Intelligence Exchange (TIE) server is always a critical piece to McAfee’s Endpoint Protection Platform and has evolved from a standalone feature to an integrated building block inside ePO and is therefore not shown in the graphic above.
McAfee Advanced Threat Defense (ATD) extends the capabilities of both EPP and EDR, as it can run suspicious files in a separated environment and shares the information gathered with the other components of the McAfee architecture and even 3rd-party tools. It also goes the other way around as ATD allows other security controls to forward files for analysis in our sandbox, but this might be a topic for another blog post.
All the items listed above can be acquired by licensing our MVISION Premium suite in combination with McAfee ATD.
Based on the components and the mapping to the capabilities, I was also able to create a graph based on our most common device security bundles and their respective malware defense score:
In the graph above you can see four of our most sold bundles, ranging from the basic MVISION Standard, up to MVISION Premium in combination with McAfee Advanced Threat Defense (ATD). The line shows the ransomware detection & protection score, steadily rising as you go from left to right. Interestingly, the cost per point, i.e. how many dollars you need to spend to get one point, is much lower when buying the largest option in comparison to the smaller ones. As the absolute cost depends on too many variables, I have omitted an example here. Contact your local sales representative to gather an estimated calculation for your environment.
So, have I come to this conclusion by accident? Let us find out in the last installment of the reality check:
Reality Check 3: Is this security architecture well suited for today’s threats?
For me it is, and here is why:
- It all starts with the technology on the endpoint. A good Endpoint Protection Platform can not only prevent attacks and harden the system, but it can also protect against threats when they are written to disk or are executed, and then start malicious activities. But what is commonly overlooked: A good endpoint solution can also bring in a lot of visibility, making it the foundation of every good incident response practice.
- ATD plays a huge role in the overall architecture as you can see from the increase in points between MVISION Premium and MVISION Premium + ATD in the graph above. It allows the endpoint to have another opinion, which is not limited in time and resources to come to a conclusion, and it has no scan exceptions applied when checking a file. As this is integrated into the protection, it helps block threats before spreading and it certainly provides tremendous details around the malware that was discovered.
- MVISION Insights also plays a huge role in both preventative actions, so that you can harden your machines before you are hit, but also in detecting things that might have slipped through the cracks or where new indicators have emerged only after a certain time period.
- MVISION EDR has less impact on the scoring, as it is a pure detection technology. However, it also has a similar advantage as our McAfee ATD, as the client only forwards the data, and the heavy lifting is done somewhere else. It also goes back around, as EDR can pull in data from other tools shown above, like ENS, TIE or ATD just to name a few.
- MVISION ePO must be present in any McAfee architecture, as it is the heart and soul for every operational task. From managing policies, rollouts, client-tasks, reporting and much more, it plays a critical role and has for more than two decades now.
And the answer is not 42
While writing up my thoughts into the blog post, I was reminded of the “Hitchhiker's Guide to the Galaxy”, as my journey in cybersecurity started out with the search for the answer to everything. But over the years it evolved into the multiple questions I posed at the start of the article:
- How is malware defined? Are we focusing solely on Viruses and Trojans, or do we also include Adware and others?
- What malware types are currently spread across the globe? What died of old age and what is brand new?
- How does malware operate? Is file-less malware a short-lived trend or is it here to stay?
- What needs to be done to adequately defend against malware? What capabilities are needed?
- What defenses are already in place? Are they configured correctly?
And certainly, the answers to these questions are a moving target. Not only do the tools and techniques by the adversaries evolve, so do all the capabilities on the defensive side.
I welcome you to take the information provided by my research and apply it to your own security architecture:
- Do you have the right capabilities to protect against the techniques used by current ransomware campaigns?
- Is detection already a key part of your environment and how does it help to improve your protection?
- Have you recently tested your defenses against a common threat campaign?
- Are you sharing detections within your architecture from one security tool to the other?
- What score would your environment reach?
Thank you for reading this blog post and following my train of thought. I would love to hear back from you, on how you assess yourself, what could be the next focus area for my research or if you want to apply the scoring mechanism on your environment! So please find me on LinkedIn or Twitter, write me a short message or just say “Hi!”.
I also must send out a big “THANK YOU!” to all my colleagues at McAfee helping out during my research: Mo Cashman, Christian Heinrichs, John Fokker, Arnab Roy, James Halls and all the others!