Tick … Tick … Boom

What happens when tens of thousands of back doors have been opened? Priceless data and corporate IP stolen, espionage, but by far the most prevalent threat will be ransomware. Strap in tight – the $50M Acer ransomware attack is just the beginning.

What do you do when threat actors are already deep inside the network?

Between the SolarWinds attack and MS Exchange server hack, countless organizations across nearly every industry have been laid bare, and it’s the Wild West for ransomware operations right now. REvil, Black Kingdom, Clop, Conti, Evil Corp – the gang’s all here.

Ransomware is so dangerous because it is instantly weaponized. It does not require any form of reconnaissance, any form of lateral movement, or privilege escalation. It blows up on impact and the damage is done. Threat actors don’t have to know where they are in your environment or understand what’s of value. They simply encrypt everything, and it’s irreversible.

Ransomware is most damaging when it moves laterally from desktops to servers, which are online 24/7/365. The opportunity for devastating loss is much higher on servers than on endpoints because they house all the critical applications and data necessary to keep an organization operational. On the server workload, malicious code that executes undetected during runtime can bring the entire system down.

Many companies are accustomed to extensive cyberattacks and have an enhanced cybersecurity infrastructure to safeguard information integrity and business continuity. But the threat actors behind the SolarWinds attack and MS Exchange server hack both leveraged remote code execution techniques that security tools were unable to detect.

There’s a big gaping hole in cybersecurity; it’s in runtime.

The workloads themselves are the new attack surface. To effectively protect them, security solutions must include system assurance, application control and memory protection. Code that executes during runtime can be almost undetectable, and conventional security tools and a blacklisting approach cannot possibly detect all the malware that is generated each day. Adopting a positive security model and arming the workloads to defend themselves is the best protection against the most sophisticated and evasive ransomware attacks.  

Host, Memory and Web Protection

Virsec is the first and only application-aware workload protection platform that provides System Integrity Assurance, Application Control and Memory Protection in a single solution. This technology delivers in-depth visibility into the entire workload – no matter where it resides and instantly detects and stops runtime attacks – from ransomware to remote code execution.

“Detecting and blocking rogue processes in memory is one of the most important ways to secure servers.” – Aite Group

Unlike heuristic or endpoint solutions, Virsec technology identifies threats the moment they happen – without latency, probabilistic detection models, prior threat knowledge, analysis, or threat hunting. Virsec’s deterministic defense enacts a kill chain process the moment an application, OS, file library or process deviates from the norm, with zero dwell time, zero tuning and zero noise. 

Additional Learning

Webinar: Demonstration of the Hafnium-MS Exchange Attack

Webinar: Analysis of the Hafnium / MS Exchange Cyberattack

Webinar: SolarWinds Attack End-to-End Demo

Webinar: Analysis of the SolarWinds Attack

White Paper: The Need for Application-Aware Workload Protection

White Paper: Virsec Zero Trust Workload Protection: Essential Security to Stop Advanced Cyberattacks

*** This is a Security Bloggers Network syndicated blog from Virsec Blog authored by Virsec. Read the original post at: https://www.virsec.com/blog/tick-tick-boom