This limits the malware to the decoy environment, reducing the risk of a successful data compromise.
Traditional endpoint protection or endpoint detection and response products work by signature matching or behavioural anomaly detection, which are open to evasion by human attackers.
According to Attivo, such human-operated "Ransomware 2.0" attacks start with APT-style tactics designed to bypass traditional security controls and gain an initial foothold. From there, the attacker conducts network discovery, probes Active Directory, moves laterally, and identifies high-value assets to target, either by encrypting critical data or by taking control of other assets.
According to recent Mandiant threat intelligence research, in 75% of cases at least three days passed between the first evidence of malicious activity and ransomware deployment.
EDN, within the Attivo Networks ThreatDefend platform, obscures production files, folders, removable disks, network shares, and cloud storage from attackers; detects attempted exploitation and encryption of decoy file shares (when used in conjunction with BOTsink deception servers); slows attackers by distracting them with high-interaction deception techniques; detects credential theft and attempted enumeration of local administrator accounts and Active Directory for privilege escalation; and provides native integrations that deliver automated isolation and reduce response time.
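The decoy-share detection described above rests on a simple idea: plant files an attacker has no legitimate reason to touch, and treat any change to them as a high-confidence signal. The script below is an added illustration of that idea and is not Attivo's EDN code; it plants low-entropy decoy documents under a directory you choose, records a baseline hash for each, and on re-check reports files that went missing (deleted or renamed, as happens when ransomware appends an extension), were modified, or were replaced with high-entropy content that looks encrypted. The file names, the filler text and the 7.0 bits/byte entropy threshold are constructed assumptions for the example.

```python
"""Decoy ("canary") file monitor for detecting ransomware activity on a share.

Added example, not Attivo's EDN code. Plants decoy files, baselines them,
and raises an alert when one is removed, modified, or overwritten with
high-entropy (encrypted-looking) data.
"""
from __future__ import annotations

import hashlib
import math
import os
import tempfile
from pathlib import Path

# Assumed threshold: plaintext office documents sit well below 7 bits/byte,
# while encrypted or compressed data approaches 8.0.
ENTROPY_THRESHOLD = 7.0

# Constructed low-entropy filler that looks like an ordinary document.
DECOY_TEXT = b"Quarterly budget draft - confidential - do not distribute\n" * 64

# Constructed decoy names chosen to look attractive to an intruder.
DECOY_NAMES = ["budget.xlsx", "passwords.txt", "payroll.docx"]


def shannon_entropy(data: bytes) -> float:
    """Return bits of entropy per byte for the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plant_decoys(root: str | os.PathLike, names=DECOY_NAMES) -> dict[str, str]:
    """Write decoy files under root and return a baseline {path: sha256}."""
    root_path = Path(root)
    root_path.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in names:
        p = root_path / name
        p.write_bytes(DECOY_TEXT)
        baseline[str(p)] = sha256_bytes(DECOY_TEXT)
    return baseline


def check_decoys(baseline: dict[str, str]) -> list[dict]:
    """Compare every decoy against its baseline hash and return alert records."""
    alerts = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if not p.exists():
            # Deleted, or renamed (e.g. with an appended extension): nobody
            # should be touching a decoy, so absence alone is an alert.
            alerts.append({"path": path_str, "event": "missing"})
            continue
        data = p.read_bytes()
        if sha256_bytes(data) != expected:
            ent = shannon_entropy(data)
            event = "encrypted" if ent >= ENTROPY_THRESHOLD else "modified"
            alerts.append({"path": path_str, "event": event, "entropy": round(ent, 2)})
    return alerts


def simulate_tampering() -> list[str]:
    """Plant decoys in a temp dir, tamper with each in a different way, and
    return the sorted list of detected event types. Used for a self-check."""
    root = Path(tempfile.mkdtemp())
    baseline = plant_decoys(root)
    assert check_decoys(baseline) == []  # clean baseline produces no alerts
    # Overwrite with random bytes: stands in for an encrypted file body.
    (root / "budget.xlsx").write_bytes(os.urandom(4096))
    # Rename with an appended extension, as many ransomware families do.
    (root / "passwords.txt").rename(root / "passwords.txt.locked")
    # Plain edit that keeps the content low-entropy.
    (root / "payroll.docx").write_bytes(DECOY_TEXT + b"edited\n")
    return sorted(a["event"] for a in check_decoys(baseline))


if __name__ == "__main__":
    print(simulate_tampering())  # expect ['encrypted', 'missing', 'modified']
```

In a real deployment the baseline would be stored outside the monitored share and the check run on a short interval or from a file-system event hook; the interesting design choice is that the decoys generate no false positives from normal work, because legitimate users never open them, so each alert is worth an automated response such as isolating the host that holds the share open.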
“Advanced human-controlled ransomware can evade endpoint security controls and after initial compromise, move laterally to cause maximum damage, do data exfiltration and encrypt data,” said Attivo Networks senior vice-president of engineering Srikant Vissamsetti.
“This advanced protection by the Attivo EDN solution disrupts ransomware’s ability to move laterally and prevents unauthorised access to data by concealing production files, folders, removable disks, network shares, and cloud storage.”
EDN's ransomware protection capabilities are available immediately.