Anomali Threat Day: Using the CTI Lifecycle and XDR to Combat Ransomware, Presented by Anomali

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
- Up is Stephen, who will share the realities of ransomware in the world today.
Stephen, welcome, and thank you for participating today.
- Thank you.
Austin, can you hear me? OK.
- I can.
- All right, so, to start with here, my name is Stephen.
I'm the senior security engineer that supports Austin in the field and a couple of others.
My security background is largely in threat intelligence, authentication, and data theft.
- Fantastic.
Well, again, thank you for joining.
We'll jump right into it.
So I guess the big topic today is ransomware.
In your view, as somebody that deals with CTI and seeing this day in day out, what would you say the current state of ransom world is in-- the state of ransomware-- I can't talk today, ransomware in the world today.
- Alarming.
Here are some quick statistics, and I pulled this interesting quote talking about how ransomware attackers are, by definition, liars, thieves, extortionists, members of a global criminal enterprise, and they take extreme technological measures to conceal any trace of their identity and location.
That was from John Reed Stark, security consultant and chief of the Securities and Exchange Commission Office of Internet Enforcement.
So someone who has dealt with this issue a lot.
And I pulled that to highlight the fact that, in many ways, ransomware is modern organized crime in a cybersecurity framework.
And some important stats here: to date, there's been 130% year-over-year growth in ransomware attacks globally.
And that's just as reported by SonicWall.
They tracked something like over 1,700 attempts per customer to date, and that is 130% year-over-year growth, and the year is not finished.
That statistic came from late September.
This is largely happening because of the rise of ransomware as a service.
And a great example of that is DarkSide ransomware, which is all over the place.
It is software as a service for criminals.
Just like you subscribe to any cybersecurity product on the marketplace, threat actors are subscribing to DarkSide on a service basis.
They're purchasing it from manufacturers to attack people in the wild.
And DarkSide is a great example of this.
Ransomware is beginning to exhibit very worm-like behaviors.
Some other great examples of that are Ryuk, which allows for reinfection and worm-like behaviors, which really highlights the need for proper cyber threat intelligence.
If it's a repeat behavior, it's important to be able to track that repeat behavior.
Another great example of that is Mount Locker, which is becoming more and more prevalent in the wild, and it infects through Windows Active Directory APIs.
It's been in the news quite a bit lately and functions much the same way, worm-like.
And a rise in Triple Extortion is becoming alarming for a lot of organizations.
And Triple Extortion refers to, rather than historical ransomware, which is just "we encrypted all your stuff, now pay us," ransomware like Avaddon, which encrypts, exfiltrates, and threatens denial of service if you don't pay the ransom.
And overall, worldwide, a little over 50% of ransomware attacks occur just in the US.
It's a heavy focal point for the world, and approximately 50% of those attacks in the US are specifically in the public sector.
And about a quarter of those are specifically at the municipality level, city governments.
- OK, wow.
That's quite a bit.
So, how would you say, or how is ransomware impactful specifically to the state and local governments, the higher Ed, even the K-12, as well as tribal?
- I would say it's just as impactful to those organizations, but it is more prevalent in those sectors because, whether this is a fair assessment or not, there's at least a perceived view of being behind the technological curve because of tight budgets in governments and municipalities.
And it's not always the case, but that perception leads to a large number of attacks because they're seen as low-hanging fruit.
And municipalities and governments tend to have access to large scale volumes of data with private information, health information, financial information.
So they're lucrative targets.
And it is interesting because the trend in ransomware lately has been that the actual ransom demands are dropping in terms of overall dollar value, which seems to indicate that a lot of the ransomware attacks against governments are motivated more by malicious disruption and less by financial gain.
And I think that has a lot of ties to political and social activism, because the main crisis, I think, for governments when they're attacked by ransomware is not so much the dollar value that they get hit with, which was huge, costing government entities over $18 billion in 2020 alone, but the erosion of public trust when they can't rely on critical services like power, water, billing, et cetera, because government systems are under attack.
- It's quite a bit.
So the topic today that you brought to the table is cyber threat intelligence, specifically the CTI lifecycle.
Go ahead and, if you would, describe the CTI lifecycle today.
- So, the CTI lifecycle is very useful in this world.
It's two things.
It's a maturity ladder that you can start at the bottom and work your way up to toward a responsive, mature cyber threat intelligence program.
And it also describes the information flow in an ideal cyber threat intelligence program.
So this is a build-out slide.
We're going to go through a piece by piece here.
You start with a level one, planning and direction, where you define your intelligence requirements.
What information do I need to gather to fit my security goals and strategies? And these are things like hypothesis generation, tracking adversary types like ransomware actors like DarkSide or Mount Locker, or any of these other ones.
Identification of your critical assets that could be targeted by a ransomware attack.
We move up the ladder to collection.
How do we actually get that data that we've defined in our intelligence requirements? Do we need to track assets internally? What information sources do we actually collect? How do we get them? Who do we buy from? That sort of thing.
We move up the ladder to processing.
What do we do with the data? This is where we start manipulating it into shapes and formats that suit those security goals.
So curating threat data, documenting, making sure that the data we have subscribed to remains reliable and relevant.
And that's especially important these days when threats come fast and furious, and they change very frequently.
We move further up the ladder to analysis.
What do we do with this data? We track historical relevant data.
We tag for future use.
We associate it with actors, campaigns, events, et cetera.
Enrich, repeat, and then we disseminate it.
This is where we get actual concrete value out of all of this work that we've done so far, by taking all of this processed data and all of this analysis and putting it into point products that can take an action and actually prevent us from being attacked in the future, or stop immediate attacks that are occurring now that we may not have been aware of previously.
And that's where I'm talking about maybe writing reports or integrating intelligence with point products like a firewall or SIEM or a SOAR, et cetera, to actually take an action.
- All right.
Well, thanks for sharing that.
Now, let's put this into practice.
How would a state or local government use the CTI lifecycle to combat specifically ransomware? And what specific security tools actually enable this approach?
- So that's a really good question.
A good place to start, especially since we're talking about a threat intelligence lifecycle, is a toolset like an intelligence platform that allows you to aggregate large quantities of data because this process does involve very large quantities of data.
And to use that efficiently, you need a tool that allows you to take that huge data set and work with it on a level playing field.
When you have overlapping feeds, and you have huge, huge, huge swaths of data to deduplicate, you need to normalize, you need to be able to manipulate that data.
So an intelligence platform is a great place to start.
SIEMs and SOARs are very important in this process, too, because the SIEM, for many organizations, is going to be part of the toolset that allows you to do this analysis and the processing of the data.
For many organizations, that's where the intelligence that you curate is correlated with the real-world events that you see via telemetry inside of your environment.
So firewall logs, IPS, IDS logs, that sort of data.
And a SOAR can be intrinsic in this process because that's one of the many tools that you'll use in the dissemination process to actually create an action plan or a playbook, or "this event happened, do this thing about it."
- OK, it sounds like you're leaning into the XDR space or Extended Detection Response.
Well, before I even ask it, talk to me about XDR.
How would you define XDR?
- So XDR is a fun thing to talk about because it is not very well defined in the marketplace so far, because it's a very new idea.
So Gartner describes XDR as a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.
And that is a big mouthful of word salad that I sort of disagree with a little bit from having lived in this space for a while now.
And the main area where I kind of disagree with Gartner's approach is that I don't see it as a single tool, so much as a framework that you approach your security strategies with.
And it equates very nicely to the CTI lifecycle.
I'm going to switch over to another screen here.
But keep this in mind as we look at this next one because here's an example of-- we call it intelligence in action, but this is XDR in a nutshell.
And it fits with that CTI lifecycle very well, where you collect data, you aggregate it in a toolset, you define strategies.
That's the detection, the collection, and you output that information, that work that you did, and deploy it to products like a SIEM or like a SOAR or firewall, or big data platforms, or endpoint detection systems.
And that is the response part of it.
So, if we go back one to the CTI lifecycle here, detection, response.
And to me, that is kind of the platonic ideal of what XDR is meant to be.
Not a tool, but a framework, more of a strategy, more of an approach to data-driven cyber threat intelligence and security in general.
- Is there anything that you would do specifically to combat ransomware in this situation?
- Yes.
So I'm going to close this.
I'm going to show my favorite example here.
Does that come in through clear? Everybody see that?
- Looks good.
- So this is an example that I put together that shows how I can take all of my data feeds that I have access to.
And again, going back to that collection plan, the detection part of this process.
I have curated data sets that have well-vetted ransomware threat information in them.
And I've created this dashboard that helps me track, over a time period, in this case 30 days, the DarkSide ransomware family of attacks, so I can see the last 30 days, some trend analysis, indicators specific to the DarkSide ransomware, DarkSide-supplying actors.
This is an interesting use case here because, again, DarkSide is a ransomware as a service.
So it's not just DarkSide.
It is several people using DarkSide as a tool.
And then breaking this information down by things like different indicator types or country of origin.
Again, we're seeing a huge spike in the US as compared to the rest of the world, and then some trend analysis about confidence levels of those indicators.
So very high, very dangerous severity down to medium-high severity stuff.
And then where it gets very useful for me from more of the analyst side of the house is links to all of these threat bulletins, these contextualized reports that explain behaviors and help me understand how DarkSide affects industries and organizations in the real world.
And this is all great from an informational perspective.
But then, looking back at XDR and the intelligence lifecycle, I can approach the response side of this by taking all of this information that I've curated and collated via tagging and integrations and things like that to dump it into a SOAR where an action occurs, or into a firewall, which can create dynamic blocklists and automate a lot of this process.
So this is one great example of how I can take a data-driven approach to ransomware, specifically in a cyber threat intelligence world.
- So, is there a good example maybe that you could point to? Is there where you've seen this in action?
- Yes, actually.
Two come to mind.
The Texas Department of Information Response.
They have done a fantastic job with ransomware.
In 2020, Texas led the US in terms of ransomware attacks against government entities, particularly municipalities; something like 15% of all the ransomware attacks against governments in the US were in Texas.
However, because of the efforts of Texas' DIR, not a single municipality paid the ransom.
They orchestrated a coordinated effort at the federal and state level to combat ransomware, and it was very, very effective.
So it's a great example of somebody doing it correctly.
And then another great example.
You'll actually hear from later today is the state of Oklahoma, as they have adopted the CTI lifecycle and XDR at a state level by creating an information-sharing platform to enrich all of the state organizations.
And I'm not going to talk any more about it.
I don't want to steal any of their thunder, but it's a great example of how to do this correctly.
- OK, well, thank you.