November 8, 2024
Detecting Windows-based Malware Through Better Visibility
Despite a plethora of available security solutions, more and more organizations fall victim to Ransomware and other threats. These continued threats aren't just an inconvenience that hurt businesses and end users - they damage the economy, endanger lives, destroy businesses and put national security at risk. But if that wasn’t enough – North Korea appears to be using revenue from cyber

Despite a plethora of available security solutions, more and more organizations fall victim to Ransomware and other threats. These continued threats aren’t just an inconvenience that hurt businesses and end users – they damage the economy, endanger lives, destroy businesses and put national security at risk. But if that wasn’t enough – North Korea appears to be using revenue from cyber attacks to funds its nuclear weapons program.

Small and mid-size businesses are increasingly caught in the dragnet of ongoing malware attacks – often due to underfunded IT departments. Exacerbating the problem are complex enterprise security solutions that are often out of reach for many companies – especially when multiple products are seemingly needed to establish a solid defense. Volume-based products that incentivize users to collect less data in order to conserve funds work backward, dampening the anticipated benefits.

But what if you could detect many malware attacks holistically with a set of tools that are part of a single solution:

  • Highly customizable log monitoring & consolidation with a sophisticated real-time monitoring engine
  • Comprehensive validation checks of important security & audit settings in Windows – organized by compliance – provide a solid foundation for defense.
  • Complete inventory of software, patches and browser extensions
  • Status & change detection of all scheduled tasks, services/drivers & processes
  • Detect unusual behavior such as processes & logins
  • Sysmon integration
  • Detailed monitoring of every single Active Directory object
  • Network, NetFlow & Performance Monitoring

Log Power

Logs contain a wealth of data that are the foundation for any monitoring effort – especially on the Windows platform, which provides a well-structured logging framework (that can be supercharged with the free Sysmon utility!):

However, the logs going into a SIEM are only as good as the logs produced by the OS. Audit & collect too much and you pollute your log database – but if you audit too little then you’ll miss key indicators. EventSentry solves that problem by routinely validating your audit settings on the end points – and a flexible rule set that can block unnecessary events at the source.

More Visibility

Visibility is key to detecting and defending against any malicious activity – you can’t defend against what you cannot see. Yet, many organizations have limited insight into their network, making it easy for malware and APTs to establish themselves.

While logs are an integral component of any monitoring & defense system, relying on them alone inevitably creates blind spots through which malicious software can slip through. For example, most SIEMs are unaware of installed software, scheduled tasks, services & drivers – yet that is exactly where a lot of malware slips through. And getting through it does.

EventSentry improves on these shortcomings with a robust agent-based monitoring framework where all important metrics of an endpoint are monitored in detail – regardless of the location of the endpoint. EventSentry also proactively strengthens the security of any monitored network with its validation scripts. Active Directory, System Health & Network Monitoring provide additional operational coverage.

In fact, EventSentry’s comprehensive feature set has encouraged many users to reduce the number of monitoring tools they are using significantly. The result is a better-integrated, leaner monitoring suite with a superior ROI.

Who has the upper hand?

When it comes to traditional combat, the general rule is that the attacker needs a 3:1 ratio of troops compared to the defending force. So, if the army you are attacking has 1000 soldiers, then you’ll need about 3000 to beat them.

This rule doesn’t always apply to other types of warfare though, for example naval warfare. Back in 2005, a $30 million Swedish submarine would have managed to sink the USS Reagan during an exercise – a Nimitz-class aircraft carrier that cost almost $5 billion to build and is protected by about half a dozen of destroyers and cruisers.

In this specific example, the attacker seemingly needed less than 1% of the resources of the defender to achieve its objective. This type of uneven ratio, unfortunately, applies to cyber warfare, too.

Your network is like that aircraft carrier – protected from all sides. But the attacker just needs to exploit one loophole to render all defenses useless.

Multiple Layers of Defense

The days where you simply setup a firewall, installed an A/V solution and afterwards padded yourself on the back are – I’m sorry to say – long gone. No single tool can reliable detect all threats, making a layered approach essential.

EventSentry helps protect any monitored network through prevention, detection, and ongoing discovery:

1. Prevention

Detecting attacks is key – but preventing them in the first place is even better. EventSentry helps close loopholes so that many attacks won’t be successful in the first place.

2. Detection

But as important as prevention is – it cannot block every attack. Consequently, detecting and responding to attacks is the next-best tactic to minimize damage.

3. Discovery

Finally, continuous discovery and detailed insight into your network can help detect unusual behavior – even in that worst case scenario where malware has already established itself.

Anatomy of Malware Attacks

1. Delivery

Most malware attacks follow similar patterns, starting with the delivery of the malware. This usually happens through phishing emails, social engineering or Malvertising. User education is critical to minimize the risk at this stage since technical solutions alone cannot provide full protection.

2. Exploitation

The next critical stage of a malware attack is Exploitation, where the malware which was delivered earlier attempts to establish itself on the target host. EventSentry provides protection at this stage by helping both reduce the attack surface while also detecting any unusual activity – thus minimizing the risk.

For example, EventSentry can ensure that all Windows-based hosts are on the latest patch level while also providing access to a history of all installed Windows patches. EventSentry also provides a full inventory of all installed software and browser extensions, along with version checks for commonly installed software. To help reduce the attack surface further, EventSentry identifies all applications that are listening for incoming network connections on your endpoints.

Since USB drives are often exploited as well, EventSentry can alert on newly connected storage devices as well as monitor access to those devices. RDP access, also often exploited at this stage, can be secured by EventSentry in a variety of ways – including enhanced tracking and anomaly detection. For example, a never-before-seen IP address connecting to an RDP server is flagged for review.

3. Persistence

If the malware manages to evade detection & defense and is active on the victim’s host, then it will usually attempt to create persistence. This ensures that the malware will remain active even when the victim’s computer is rebooted. Since creating persistence does involve the modification of non-volatile data (e.g. creating a scheduled task), it naturally increases the risk of detection. Most malware accepts this risk (while also going out of its way to avoid detection) since the benefit of persistence outweighs the risk – and gives the threat actor long-term access.

Detecting malware at this stage is critical since failure to do so allows the malware to continue to run for an extended time period. Through its inventory monitoring capabilities alone, EventSentry can detect many methods with which malware creates persistence. These include scheduled tasks, services, drivers, and browser extensions. Even more advanced methods like DLL injection, DLL side-loading, and taking advantage of debug features in Windows can be detected by EventSentry with validation scripts and Sysmon.

By monitoring scheduled tasks, services, drivers, software, browser extensions, and registry keys, EventSentry makes it more difficult for malware to hide persistence. Most of these changes are detected in real-time so that IT staff can respond & investigate immediately. Malware authors are, of course, aware of the risk of detection and will do their best to blend in: Added services & scheduled tasks will have common names that make them look harmless.

Validation scripts deserve an explanation here since they are not usually part of an SIEM and/or log monitoring solution. The primary purpose of EventSentry’s validation scripts is to increase the security of all endpoints – workstations, servers, and domain controllers – so that attacks won’t succeed in the first place! They do this by running over 150 checks that “validate” the monitored endpoints against recommended settings and policies.

  • Is the target OS on the latest patch?
  • Are insecure TLS and/or NTLM versions allowed?
  • Is the Windows firewall active?
  • Is account lockout activated?

But do we already have a vulnerability scanner? Vulnerability scanners are an important and valuable tool for identifying potential vulnerabilities. However, vulnerability scanners have limited insight into Windows systems since they scan the system from the outside – whereas validation scripts protect endpoints from the inside out.

You don’t have to install EventSentry to test validation scripts – just head over to system32.eventsentry.com site and download the free Compliance Validator. You can also validate your audit settings online with our Audit Policy Compliance Validator.

However, in addition to these proactive checks, validation scripts can also detect potentially suspicious settings that may indicate a malware infection as part of their ongoing discovery process. You can see a list of all checks here.

Validation scripts aren’t a one-time check, of course – EventSentry continuously performs these checks to ensure that your environment remains secure. The results of these checks can be accessed in a variety of ways – including dashboards, reports or manual queries. Passing all applicable validation scripts will significantly improve the baseline security of any network – thwarting many common attacks.

4. Propagation

After infection & persistence, the next logical step in malware’s journey on your network is propagation. It does this for a variety of purposes:

  • Better persistence (the more hosts that are infected, the more difficult it is to remove)
  • Additional asset discovery (think data exfiltration, Ransomware)
  • Utilizing more helpers for a botnet, mining, etc.

Propagation increases the risk of detection, but the benefits outweigh the risk – just like with persistence. If malware managed to remain undetected this far along, then propagation attempts are actually a great opportunity to finally detect the malicious software. Just like the old saying goes – better late than never!

As is the case with every step of a malware infection, there are many different types of propagation techniques that malware can utilize – with varying chances of detection. Accessing remote systems ultimately requires getting access to credentials for the remote systems – if the current session doesn’t already have them.

Basic techniques like brute force attacks and the utilization of admin tools can be easier to detect. More advanced techniques, however, e.g. pass the hash/ticket, require more effort on the side of the defender. But regardless of how propagation is initiated, anomaly / pattern detection can often detect unusual network access.

EventSentry includes a number of features that can detect malware propagation:

  • Software inventory helps verify that critical software is up to date
  • Anomaly detection can flag unusual access, e.g. logins from previously unknown IP addresses
  • Service Monitoring can detect malicious services & drivers
  • Syslog & SNMP monitoring can detect failed login attempts to network devices
  • Validation Scripts & Patch inventory minimizes vulnerabilities
  • Sysmon integration can detect advanced pass-the-hash/ticket attacks

5. Execution

If the malware is still not detected and curtailed at this point, then it will move to the final stage – execution. This is when the rubber meets the road – where the gloves come off. What actually happens during the execution phase depends on the malware, of course, but it’s usually one of the following:

  1. Encryption & Extradition (for ransom)
  2. Data / IP Theft
  3. Setting up bots
  4. Remaining dormant

The first option is usually the only one where malware does not try to remain undetected. Once the job is done you will know and the battle is often lost. Otherwise, the malware will continue to remain undetected, giving defenders one last opportunity to detect the intrusion.

Admittingly, detection at this stage is difficult, but even here EventSentry offers features that can discover these unwanted visitors. Performance monitoring can detect unusual CPU activity, e.g. if crypto miners were to be installed on the victim’s network. EventSentry can also detect processes that are listening to incoming network connections, while NetFlow can unveil unusual network traffic.

Conclusion

Protecting complex network infrastructures – especially Windows – from advanced threats requires a sophisticated defense that goes beyond collecting logs, Antivirus and casual adherence to compliance frameworks.

EventSentry provides Visibility into networks from multiple vantage points that can help detect a variety of threats during different stages of an attack. An extensive set of validation checks strengthen the baseline security, compliance reports with dashboards simplify various compliance requirements – all with an excellent ROI that is attainable for small and large businesses alike.

Download a free 30-day evaluation of EventSentry today or take a look at https://system32.eventsentry.com and get access to free resources for IT security professionals. You can also schedule a web demo to see EventSentry in action before downloading an evaluation.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.