The Intersection of AI and Cybersecurity: A Closer Look

By: Mark Sangster, VP, Chief of Strategy

Having successfully launched an unprecedented and remarkably influential technology, its visionary creator composed a significant letter that intensified the ethical and existential dilemmas associated with his groundbreaking innovation.

It’s reasonable to assume that I’m referring to the recent open letter published by the Center for AI Safety (CAIS) that was signed by known artificial intelligence (AI) experts, including Sam Altman, the CEO of OpenAI, and by the “Godfather of AI,” Geoffrey Hinton.

The letter’s dire warning made headlines with this:

“Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war.” 

But you’d be wrong. I was actually referring to a letter written over 75 years earlier by J. Robert Oppenheimer to then-U.S. President Harry Truman on the existential risk of nuclear weapons.

When I prompted ChatGPT to compare the two letters, it returned the following:  

By 1946, after the bombing of Hiroshima and Nagasaki in Japan, nuclear weapons had demonstrated the consequences of atomic warfare. Oppenheimer’s fears were grounded in fact.

The CAIS letter, however, is more like a predictive warning of where AI is headed, and what a dystopian future could look like.

Beyond the existential fears, there are consequences that are more likely to occur in the advent of AI and ChatGPT, such as job transformation for customer support, manufacturing, logistics, and data analysis.

Like other forms of technology before it, AI expands the gap between the knowers and the users. It’s a “black box” in most cases, with a powerful handful of people who understand its mechanics, and this lack of transparency could lead to manipulation and political offenses.

What happens in a world of generative AI where this generated content becomes the data source for AI to develop new content? Is this an existential race condition leading to a runaway skewing of reality?

The Evolution of AI

These proximal fears may be more likely to manifest than the existential fears of destruction. We are much closer to the dawn of AI than to its future sunset.

In terms of AI development over the last quarter century, the technology has advanced from reactive AI, such as IBM’s Deep Blue beating chess expert Garry Kasparov in 1997, to limited-memory or deep learning AI such as chatbots, self-driving vehicles, and generative AI such as ChatGPT. In terms of evolution, limited-memory AI is a long way from self-aware AI and superintelligence, but it’s good at learning and performing specific tasks.

Existential fears of AI stem more from future stages, like the Theory of Mind stage, in which AI learns empathy and understands the entities it interacts with. Beyond empathy, self-aware AI possesses its own emotions, needs, and desires. This kind of general AI, and even superintelligence, could lead to self-preservation instincts and pose a threat to humanity.

When we can expect to see the emergence of self-aware superintelligence is anyone’s guess. Right now, it’s a bit more like watching the first hominid use a stick as a tool versus predicting the exact date of the first atomic detonation. I did ask ChatGPT, and this was the response:

For now, it’s “carpe diem” or seizing the day when it comes to AI.

AI in Cybersecurity

Recently, Deborah Snyder, a senior fellow with the Center for Digital Government, invited me to a webinar to discuss artificial intelligence trends in cybersecurity. We couldn’t ignore the parallels between the two historical warnings. But our focus was more on today than tomorrow.

In terms of cybersecurity, criminals leverage AI to sabotage defenses, accelerate the development of their tactics and tools like phishing lures, and even lie dormant in the hands of an advanced persistent threat (APT) that’s playing a long game deploying an AI mole in the halls of government or in the defense industry.

But it’s not all dystopian on the cybersecurity front. AI automation solves big data problems and provides a scalable, cost-effective solution for security operations. According to my co-contributor, ChatGPT:

Given that most organizations face increasing cyber threats and compliance demands with diminishing budgets and exhausted resources, AI offers a complementary solution to human-based security operations.

Adlumin’s AI Advancements

From the start, Adlumin invested heavily in the use of artificial intelligence and machine learning (ML), as well as augmented user and entity behavior analytics (UEBA).

The precursors to business-disrupting incidents are buried in an avalanche of false-positive alerts and are camouflaged within legitimate activity logs and events. Adlumin’s machine learning algorithms streamline security operations, ingesting billions of data points to identify critical anomalous behaviors and present your security team with the timely information necessary to respond quickly. Adlumin leverages the latest graph-theory metrics and cluster analysis, including principal components analysis, K-Nearest-Neighbors (KNN), and cluster-based local outlier factor (CBLOF).

Machine learning also drives our risk management services including continuous vulnerability management (CVM), progressive penetration testing (attack simulation), a proactive security awareness program, and multi-layered total ransomware defense.

Determining How to Use AI in Your Organization

Here are the top five simple ways to include AI in your security operations center (SOC) and the benefits they bring:

  1. AI-powered Threat Intelligence: Integrate AI-driven threat intelligence tools into your SOC to enhance threat detection and response capabilities. These tools can analyze vast amounts of data from various sources and automatically identify patterns, indicators of compromise, and emerging threats. By leveraging AI-powered threat intelligence, you can stay ahead of cybercriminals, detect advanced threats faster, and proactively protect your organization’s assets.
  2. Automated Log Analysis: Utilize AI-based log analysis solutions to automate the detection of security events and anomalies in your network logs. AI algorithms can sift through mountains of log data, identifying suspicious activities and potential security incidents. By automating log analysis, you free up your SOC team’s time and improve their efficiency, allowing them to focus on critical tasks and respond swiftly to genuine threats.
  3. Security Orchestration and Automation: Implement AI-driven security orchestration and automation platforms to streamline and optimize incident response workflows. These platforms can integrate with various security tools, allowing for automated incident triage, response, and remediation. By automating routine tasks, you reduce manual errors, accelerate incident response times, and enable your team to handle a higher volume of incidents effectively.
  4. Behavior-based Anomaly Detection: Deploy AI-powered behavior-based anomaly detection systems to detect unusual activities and potential insider threats. These systems can analyze user behavior, network traffic, and endpoint activities to establish baselines of normal behavior. When deviations occur, the AI algorithms can raise alerts, helping you detect suspicious behavior and mitigate the risks associated with insider threats promptly.
  5. Machine Learning-based User Authentication: Utilize AI and machine learning algorithms for user authentication and access control. By implementing intelligent authentication systems, you can detect and prevent unauthorized access attempts based on user behavior patterns. This approach strengthens your security posture, reduces the risk of account compromise, and enhances user experience by minimizing friction during the authentication process.

By including AI in your SOC through these simple methods, you can enjoy several benefits. These include improved threat detection accuracy, faster incident response, reduced manual effort, enhanced anomaly detection capabilities, and increased overall efficiency. AI empowers your SOC team with advanced tools and automation, enabling them to focus on high-value tasks and better protect your organization against ever-evolving cyber threats.

[Clears throat nervously] I couldn’t have said it better myself, ChatGPT.

What’s Next for AI?

Science fiction provides a neutral forum in which we can explore the dark potential of technology. In one such TV show, Caprica, we see the pivotal moment of discovery in this sci-fi world.

Caprica is set nearly 60 years before the AI apocalypse of the re-imagined 2004 series, Battlestar Galactica, and covers the period in which artificial intelligence becomes self-aware. It’s the ground zero breakthrough that would ultimately lead to the destruction of mankind in this science fiction world.

This kind of self-inflicted extinction is predicted in what is called the Great Filter theory. The notion is that lifeforms face moments of extinction through pandemics, natural disasters, or runaway technology. The real trick when it comes to AI’s existential threat is knowing which side of this particular filter we are on. Did we safely pass through this filter, or is it still looming in our future as a harbinger of doom?

We have lived with nuclear annihilation for decades and haven’t yet fulfilled that apocalyptic prediction. Perhaps we can do the same with artificial intelligence. Regardless, AI today offers promise and direct operational benefits in terms of cybersecurity operations. At Adlumin, we intend to continue our AI investments to protect our customers from ever-evolving cyber threats.

Navigating the MOVEit Vulnerability: How to Protect Your Organization

MOVEit or lose it: The vulnerability has been taking the industry by storm over the last few weeks. The vulnerability was found in the MOVEit Transfer and MOVEit Cloud software. The tool is used to securely transfer files and encrypt data as it travels from one organization to another. Exploitation of this flaw could lead to escalated privileges and potential unauthorized access to the environment, and then to servers and networks.

The flaw was first made public on June 2, but according to Microsoft, it was first observed on May 27, 2023. A second vulnerability was disclosed on June 15 and patched on June 16. The newest victims include several large financial institutions, educational institutions, SkillSoft and Norton LifeLock.

The Threat Actor Behind the Attacks

According to Microsoft, Lace Tempest is the cyber gang behind the exploitation of MOVEit software. The group is known for its use of Cl0p ransomware malware to attack banking, retail, education, transportation, manufacturing, engineering, automotive, energy, aerospace, telecommunications, professional and legal services, and other sectors.

The Cl0p ransomware gang has claimed responsibility for the discovery and use of the associated vulnerabilities in zero-day exploit attacks against hundreds of companies running the publicly facing vulnerable MOVEit software, and claims to have begun its operations on May 27th, days before the first vulnerability was reported to NIST.

Adlumin’s Threat Research finds this a rare but increasingly common example of a severe zero-day vulnerability first being discovered and used by Ransomware-as-a-Service gangs, alongside those gangs’ increasing migration to data extortion or double extortion as a tactic.

Below are the affected software versions:

  • MOVEit Transfer 2023.0.0 (15.0)
  • MOVEit Transfer 2022.1.x (14.1)
  • MOVEit Transfer 2022.0.x (14.0)
  • MOVEit Transfer 2021.1.x (13.1)
  • MOVEit Transfer 2021.0.x (13.0)
  • MOVEit Transfer 2020.1.x (12.1)
  • MOVEit Transfer 2020.0.x (12.0) or older
  • MOVEit Cloud

Block MOVEit through Patching

Progress Software has released patches for the three identified vulnerabilities so far, including for a vulnerability where exploitation has not yet been observed:

  • CVE-2023-35708
  • CVE-2023-35036
  • CVE-2023-34362

If you are using any of the above versions, Adlumin recommends that you patch immediately.

How to Protect Your IT Environment

Adlumin’s Threat Research team has looked for indicators of compromise across our customer data. One strong indicator is the existence of the file “human2.aspx” in the folder C:\MOVEitTransfer\wwwroot.

Below are the known IOCs to look out for:

Web Shell

  • LEMURLOOT Web Shell

*We received these IOCs from a third-party source.

The Adlumin Approach

Adlumin has hunted for the indicators of compromise that have been reported publicly so far across all of our customers’ environments. We have also developed additional detections to monitor follow-on activity by the threat actor. Adlumin’s Threat Research Team will continue to monitor the threat, including Cl0p’s darknet leak site, and will notify customers accordingly.

PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry

Key Takeaways

  • The Adlumin Threat Research Team discovered a new malicious PowerShell script called PowerDrop, targeting the U.S. aerospace industry.
  • This novel malware straddles the line between a “basic off-the-shelf threat” and tactics used by Advanced Persistent Threat (APT) groups.
  • PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption.
  • Adlumin has not yet identified the threat actor behind the malware, but suspects nation-state aggressors, as the discovery comes at a time of increased R&D into missile programs as the war in Ukraine continues.
  • Adlumin advises that those in the aerospace defense industry remain vigilant against this new malware. The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.

Introduction

The Adlumin Threat Research Team recently discovered and analyzed a new type of malware targeting the U.S. aerospace defense industry. The discovery comes at a time when more research and investment are put into missile programs as the war in Ukraine continues, and partners around the world remain on high alert.

“PowerDrop” is the name Adlumin researchers have given the malware they found implanted in the network of a domestic aerospace defense contractor in May 2023. The name is derived from the tool, Windows PowerShell, used to concoct the script, and “Drop” from the DROP (DRP) string used in the code for padding.

The threat was detected by Adlumin’s machine learning-based algorithms which analyze PowerShell commands and arguments at run-time.

Upon reverse engineering, Adlumin’s team found that the malware was a new PowerShell Remote Access Tool (RAT) persisted through Windows Management Instrumentation (WMI). The code sends Internet Control Message Protocol (ICMP) echo request messages as a trigger for the malware’s command-and-control (C2), along with similar ICMP ping usage for data exfiltration.

In essence, researchers concluded that the malware is being used to run remote commands against victim networks after gaining initial access, execution, and persistence into servers.

The usage of PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling. What is novel about this malware is that code like it hasn’t surfaced before, and it straddles the line between a basic “off-the-shelf threat” and the advanced tactics used by Advanced Persistent Threat (APT) groups.

Adlumin has not yet identified the threat actor behind the malware, but nation-state aggressors are suspected.

“This latest attack shows the evolution of ‘living off the land’ tactics by threat actors,” said Adlumin’s Vice President of Strategy, Mark Sangster.

“While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses smacks of more sophisticated threat actors. The fact it targeted an aerospace contractor only confirms the likelihood of nation-state aggressors,” Sangster added.

Kevin O’Connor, who heads Adlumin’s Threat Research Team said that the malware uses triggers and exfil patterns which are easily flagged by intrusion detection systems, but that the malware also appears to be a “custom” development, using advanced techniques to evade detection such as deception, encoding, and encryption.

“Adlumin’s Threat Research Team believes this malware presents a real threat as it has been able to evade detection by some commonly deployed EDR software, likely due to its practice of encoding the PowerShell command line arguments and the use of WMI for persistence,” O’Connor added.

Threat Analysis

Adlumin first identified the PowerDrop malware based on a machine learning detection which looks at the content of executed PowerShell scripts versus the command line arguments typically analyzed by other security software.

“This allowed our detection algorithms to see through the encoded layer enabling machine learning-based detection on the actual content of the script which is acting as a backdoor or RAT,” O’Connor said.

The malware is a PowerShell command that is executed by the WMI service. The “script” is passed as a single command line argument to the native Windows PowerShell binary. It is encoded using Base64 and UTF-16 Little Endian and is not persisted on disk as a .ps1 script file.

Sample of Base64 UTF-16LE encoded PowerShell payload:

Execution and Persistence

Adlumin analyzed the PowerShell process execution context to identify that the malicious PowerShell script/implant was being executed by the WMI service using previously registered WMI event filters and consumers.

The WMI event filter and consumer registrations were created by the malware during the initial installation of the PowerDrop implant.

The WMI event filter and consumer registrations are both created and executed using the WMI command line tool ‘wmic.exe’.

PowerDrop registers itself as a WMI event filter and consumer as observed in these Windows Event Logs:

The WMI event filter that triggers the PowerShell command queries for updates made to the WMI class Win32_PerfFormattedData_PerfOS_System in the root\cimv2 namespace.

The Win32_PerfFormattedData_PerfOS_System class is the Windows Management Instrumentation (WMI) class that contains performance counters which monitor the performance of the Windows operating system.

The WMI event filter is triggered when the WMI class is updated, which then triggers the execution of the PowerShell script. Triggering by the filter is throttled to once every 120 seconds so long as the WMI class has been updated. In Windows, this WMI class is regularly updated with information such as processes, threads, queue length, and system calls per second, and therefore execution every 120 seconds is reliable and guaranteed on most systems.

WMI filter and consumer registrations for persistence and execution of PowerShell payloads have been seen in many other malware families as has the usage of the PerfOS_System WMI class as a reliable trigger for execution.

The EventFilter and CommandLineEventConsumer are both registered under the name SystemPowerManager.

The WMI event consumer is a CommandLineEventConsumer which executes the PowerShell command line with the encoded PowerShell script as a command line argument.

We were unable to identify the source of the WMI event filter and consumer registrations. We believe the malware is likely using a previously known method to gain initial access to the victim’s computer, such as a phishing email or a drive-by download executed through wscript.exe, and that the filter and consumer registrations are created by the malware during the initial installation of the PowerDrop implant through a wmic.exe command line execution.
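As an added hunting example (not Adlumin’s code), the heuristic below scores WMI subscription records against the persistence pattern described above: a filter watching Win32_PerfFormattedData_PerfOS_System with a polling throttle, bound to a CommandLineEventConsumer that launches encoded PowerShell, both named SystemPowerManager. The records are constructed, and the exact WQL text of PowerDrop’s filter is an assumption based on the description.

```python
"""Hunt for WMI event subscriptions that match the PowerDrop persistence pattern.

Added example, not Adlumin's code. The input is a list of subscription records
(filter query, consumer class and command line, and the names they are registered
under) as an analyst might export from the root\\subscription namespace; the
records below are constructed. The exact WQL of PowerDrop's filter is an
assumption: the write-up only says it watches updates to
Win32_PerfFormattedData_PerfOS_System, throttled to once every 120 seconds.
"""
import base64
import re
from typing import Dict, List

PERFOS_CLASS = "Win32_PerfFormattedData_PerfOS_System"
# PowerShell switches that accept a Base64(UTF-16LE) script, followed by the blob.
ENCODED_FLAG = re.compile(
    r"(?i)\s-(?:e|ec|en|enc|encoded|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")


def _encoded(script: str) -> str:
    """Build an encoded argument the way the write-up describes (test data only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SUBSCRIPTIONS: List[Dict[str, str]] = [
    {   # constructed: shaped like the PowerDrop registration described above
        "filter_name": "SystemPowerManager",
        "query": ("SELECT * FROM __InstanceModificationEvent WITHIN 120 WHERE "
                  "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"),
        "consumer_name": "SystemPowerManager",
        "consumer_class": "CommandLineEventConsumer",
        "command_line": "powershell.exe -NoP -W Hidden -enc "
                        + _encoded("Write-Output 'constructed placeholder'"),
    },
    {   # constructed: a benign, built-in style subscription
        "filter_name": "SCM Event Log Filter",
        "query": "SELECT * FROM MSFT_SCMEventLogEvent",
        "consumer_name": "SCM Event Log Consumer",
        "consumer_class": "NTEventLogEventConsumer",
        "command_line": "",
    },
]


def assess_subscription(sub: Dict[str, str]) -> List[str]:
    """Return the reasons a subscription resembles PowerDrop persistence (empty if none)."""
    reasons = []
    query = sub["query"]
    if PERFOS_CLASS.lower() in query.lower():
        reasons.append("perfos_trigger")            # class that is updated constantly
    if re.search(r"(?i)\bWITHIN\s+\d+\b", query):
        reasons.append("polled_intrinsic_event")    # WITHIN n = polling/throttle interval
    if sub["consumer_class"] == "CommandLineEventConsumer":
        reasons.append("commandline_consumer")      # runs an arbitrary command line
    cmd = sub["command_line"]
    if re.search(r"(?i)\bpowershell(\.exe)?\b", cmd) and ENCODED_FLAG.search(cmd):
        reasons.append("encoded_powershell")        # script hidden behind Base64/UTF-16LE
    if sub["filter_name"] == sub["consumer_name"] == "SystemPowerManager":
        reasons.append("systempowermanager_name")   # the name Adlumin observed
    return reasons


def is_powerdrop_like(sub: Dict[str, str]) -> bool:
    """High-confidence match: PerfOS trigger feeding an encoded-PowerShell command consumer."""
    required = {"perfos_trigger", "commandline_consumer", "encoded_powershell"}
    return required <= set(assess_subscription(sub))


def hunt(subs: List[Dict[str, str]]) -> List[str]:
    """Names of the filters that should be pulled for manual review."""
    return [s["filter_name"] for s in subs if is_powerdrop_like(s)]


if __name__ == "__main__":
    for sub in SUBSCRIPTIONS:
        print(sub["filter_name"], assess_subscription(sub))
```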

The Script/Implant

Once decoded, the PowerShell script is a single line of PowerShell code made up of multiple statements, functions, and mostly static variables.

Analysis of the decoded content shows that the script is a backdoor/RAT, which can execute remote PowerShell commands against the victim computer and exfiltrate the results of those commands.

Initially, PowerDrop attempts to reach out to a hard-coded IP address over an ICMP Echo Request message.

This request originates from Windows PowerShell and has detectable attributes such as the ICMP Type and Code (8 and 0), the IPv4 Time to Live (TTL) of 128 as natively seen on Windows devices, the ICMP Identification number set to ‘0x0001’, and the ICMP payload.

The ICMP trigger payload is a UTF-16LE encoded string that is not obfuscated, obscured, or encrypted. Observed examples used the simple string “!” as the trigger for the malware C2 beacon. We believe this simply signifies to the command-and-control infrastructure that this is a malware implant beacon and not a randomly received probe, which are common occurrences against Internet-facing devices.

Once the beacon has been sent, the victim machine waits 60 seconds for a response. This 60-second dwell time differs from the typical default 10-second request timeout for ICMP Echo Request messages on Windows. This is likely to ensure that the malware can receive a response from the C2 server even if the network is experiencing high latency or packet loss, especially given that there is no guaranteed delivery or acknowledgment for the ICMP Echo Request message.

In response to the PowerDrop beacon, the command-and-control server responds with an encrypted payload that is also padded with static data at the beginning and end of the message.

PowerDrop uses AES encryption with a 128-bit key and a 128-bit initialization vector (IV) to encrypt the payload. The AES key and IV are static symmetric keys that are hard coded into the PowerShell script and are not dynamically generated. The AES key and IV are also not obfuscated, obscured, or encrypted beyond the initial PowerShell script encoding.

PowerDrop uses the .NET cryptography methods available from PowerShell, CreateEncryptor and TransformFinalBlock, to encrypt and decrypt the payload.

PowerDrop will then receive a response from the C2 server in the form of an encrypted command. The implant will then decrypt the command, strip the prepending and postpending values, and execute the command using the Invoke-Expression cmdlet in PowerShell.

The implant will then take the results of the command and encrypt them using the same scheme used for decryption and send the results back to the C2 server.

Any oversized responses, those greater than 128 bytes, are split into multiple messages. The first message carries the first 128 bytes of the response and subsequent messages carry the remaining bytes of the response in 128-byte chunks. The C2 server is responsible for reassembling the response.

PowerDrop uses the strings “DRP” and “OCD” as prepending and postpending values bookending the response content sent to the C2 server. The prepending and postpending values are used to indicate the start and end of the response content.

If the response is split into multiple messages, then all messages will have the prepending “DRP” value, and only the final message will have both the “DRP” prefix and the “OCD” suffix. The prepending and postpending values are not encrypted and are static values in the PowerShell script. Example of the prepending and postpending values:

“PowerDrop’s robust detection evasion characteristics are what make this interesting,” said Sangster.

“This discovery by the Adlumin Threat Researchers shows that a master chef can make a Michelin-star meal with even the most basic ingredients. Infiltrating a critical aerospace defense contractor only makes this malware all the more appetizing,” he added.

Detections

Adlumin has produced the following detections to help identify potential instances of this malware both on the endpoint and through captured or monitored network traffic.

Snort Detection

This detection can be applied to outbound network traffic and detects instances of PowerDrop malware data exfiltration.
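The Snort rule itself is not reproduced on this page; as an added example (not Adlumin’s code or rule), the following parser implements the same indicators in Python over constructed IPv4/ICMP packets: echo request type 8/code 0, identifier 0x0001, a Windows-style TTL, the UTF-16LE “!” beacon, and exfil chunks framed as “DRP” + data with “OCD” closing the final chunk, which it reassembles the way the C2 side would. It assumes the 128-byte split applies to the encrypted response before the markers are added, and that a sensor past the first hop sees a TTL below 128.

```python
"""Parse raw IPv4/ICMP echo requests and pick out PowerDrop-style traffic.

Added example, not Adlumin's code and not their Snort rule. It checks the
attributes the write-up lists (type 8/code 0, TTL 128 at the source, ICMP id
0x0001, UTF-16LE "!" beacon, "DRP"/"OCD" framing of 128-byte exfil chunks).
All packets are constructed here; the framing assumption is that the encrypted
response is chunked first and the markers are added around each chunk.
"""
import struct
from typing import Dict, List

CHUNK = 128
PREFIX, SUFFIX = b"DRP", b"OCD"
BEACON = "!".encode("utf-16-le")          # b'!\x00'


def icmp_checksum(data: bytes) -> int:
    """Standard ones' complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, seq: int, ident: int = 1, ttl: int = 128) -> bytes:
    """Constructed test traffic: IPv4 header + ICMP echo request carrying payload."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    # IP header checksum left at 0: the parser below never verifies it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, ttl, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5]))  # TEST-NET addresses
    return ip + icmp


def parse_packet(raw: bytes) -> Dict:
    """Extract the fields needed for classification from a raw IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4
    ttl, proto = raw[8], raw[9]
    if proto != 1:
        raise ValueError("not ICMP")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[ihl:ihl + 8])
    return {"ttl": ttl, "type": typ, "code": code, "id": ident, "seq": seq,
            "payload": raw[ihl + 8:]}


def classify(pkt: Dict) -> str:
    """beacon / exfil_chunk / exfil_final / other, per the write-up's indicators."""
    # Windows starts at TTL 128; each router hop before the sensor decrements it.
    windows_ttl = 64 < pkt["ttl"] <= 128
    if not (pkt["type"] == 8 and pkt["code"] == 0 and pkt["id"] == 1 and windows_ttl):
        return "other"
    p = pkt["payload"]
    if p == BEACON:
        return "beacon"
    if p.startswith(PREFIX):
        return "exfil_final" if p.endswith(SUFFIX) else "exfil_chunk"
    return "other"


def frame_response(ciphertext: bytes) -> List[bytes]:
    """Split an encrypted response into 128-byte chunks with the DRP/OCD markers."""
    chunks = [ciphertext[i:i + CHUNK] for i in range(0, len(ciphertext), CHUNK)] or [b""]
    framed = [PREFIX + c for c in chunks]
    framed[-1] += SUFFIX                  # only the last chunk carries the suffix
    return framed


def reassemble(packets: List[bytes]) -> bytes:
    """Undo the framing across a sequence of exfil packets (what the C2 side does)."""
    out = bytearray()
    for raw in packets:
        pkt = parse_packet(raw)
        kind = classify(pkt)
        if kind not in ("exfil_chunk", "exfil_final"):
            continue                      # beacons and unrelated pings carry no data
        body = pkt["payload"][len(PREFIX):]
        if kind == "exfil_final":
            body = body[:-len(SUFFIX)]
        out += body
    return bytes(out)


if __name__ == "__main__":
    sample = bytes(range(256)) + b"\x00" * 44      # 300 bytes of stand-in ciphertext
    pkts = [build_echo_request(f, seq=i + 1) for i, f in enumerate(frame_response(sample))]
    print([classify(parse_packet(p)) for p in pkts], len(reassemble(pkts)))
```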

SIGMA

This SIGMA detection identifies PowerShell executions via the PowerShell script block for unencoded and required components of the PowerDrop malware:
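The SIGMA rule itself is not reproduced on this page; as an added example (not Adlumin’s rule or code) the script below does the two steps the Threat Analysis section describes, decoding the Base64/UTF-16LE command line argument and then scanning the decoded script block for the unencoded components named above (CreateEncryptor, TransformFinalBlock, Invoke-Expression, and the “DRP”/“OCD” markers). The command lines are constructed, and the “implant” script is a placeholder that contains only those tokens.

```python
"""Decode an encoded PowerShell command line and scan the script block for the
unencoded PowerDrop components named in the write-up.

Added example, not Adlumin's SIGMA rule. The command lines and scripts below are
constructed; IMPLANT_LIKE is a placeholder holding only the tokens a detection
keys on, not working malware.
"""
import base64
import re
from typing import Dict, List, Optional

# -EncodedCommand and its accepted abbreviations take Base64(UTF-16LE script).
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Components the write-up describes as present, unencoded, in the decoded script.
MARKERS: Dict[str, str] = {
    "aes_encryptor": r"\.CreateEncryptor\s*\(",
    "aes_transform": r"\.TransformFinalBlock\s*\(",
    "invoke_expression": r"\b(?:Invoke-Expression|iex)\b",
    "drp_prefix": r"['\"]DRP['\"]",
    "ocd_suffix": r"['\"]OCD['\"]",
}
REQUIRED = set(MARKERS)        # all five must co-occur for a match


def encode_command(script: str) -> str:
    """Produce the encoding the write-up describes (used here only to build test input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command_line(cmdline: str) -> Optional[str]:
    """Return the decoded script block from an encoded PowerShell command line, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None                # malformed blob: not something PowerShell would run


def scan_script_block(script: str) -> List[str]:
    """Names of the PowerDrop components found in a decoded script block."""
    return [name for name, pat in MARKERS.items() if re.search(pat, script, re.IGNORECASE)]


def is_powerdrop_like(script: str) -> bool:
    return REQUIRED <= set(scan_script_block(script))


# Constructed placeholder: tokens only, no crypto setup, no network code.
IMPLANT_LIKE = ("$e=$aes.CreateEncryptor();$d=$aes.CreateDecryptor();"
                "$c=$d.TransformFinalBlock($in,0,$in.Length);"
                "$r=Invoke-Expression $cmd;'DRP'+$r+'OCD'")
BENIGN = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"

CMDLINES: Dict[str, str] = {
    "suspect": "powershell.exe -NoP -W Hidden -enc " + encode_command(IMPLANT_LIKE),
    "benign": "powershell.exe -EncodedCommand " + encode_command(BENIGN),
    "plain": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
}


def triage(cmdlines: Dict[str, str]) -> Dict[str, bool]:
    """Map each command line label to whether its decoded script block matches."""
    result = {}
    for label, cmdline in cmdlines.items():
        script = decode_command_line(cmdline)
        result[label] = bool(script) and is_powerdrop_like(script)
    return result


if __name__ == "__main__":
    for label, verdict in triage(CMDLINES).items():
        print(label, verdict, scan_script_block(decode_command_line(CMDLINES[label]) or ""))
```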

Conclusion

Adlumin advises that those in the aerospace defense industry remain vigilant against this new malware that’s making the rounds. The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.

“PowerDrop clearly shows that mixing old tactics with new techniques proves a powerful combination in today’s age,” said Will Ledesma, Director of Adlumin’s Cyber Security Operation Center.

“It highlights the importance of having dedicated 24/7 cybersecurity teams within any operational landscape,” Ledesma added.

Trending Ransomware Attacks and How to Stop Infection Before Payment

By: Brittany Demendi, Corporate Communications Manager

With the rise of ransomware attacks, it is more important than ever to be proactive when it comes to protecting your organization’s devices and networks. Knowing about the various types of ransomware, such as LockBit, BlackCat, and Medusa, is important. Additionally, it is essential to understand how ransomware affects a system and device, and the steps you should take to detect and stop ransomware before it is too late.

In this blog, we will discuss some of the most dangerous and widespread ransomware attacks, how they affect a system, and the steps you should take to prevent them from wreaking havoc on your organization.

Trending Ransomware Attacks

The following section references trending ransomware attacks/gangs from Adlumin’s Threat Research Team.

LockBit:

LockBit is malicious software that blocks users’ access to their computer systems in exchange for a ransom payment. LockBit will automatically spread the infection, vet for other valuable targets, and encrypt systems on the network. Attackers have targeted organizations globally and have made their mark by threatening data theft, extortion, and operational disruption.

It is a self-spreading type of malicious software that does not require manual direction from the attacker. In addition, it uses tools like Server Message Block (SMB) and Windows PowerShell to target an organization’s users rather than spreading like spam malware.

LockBit attacks in three stages:

  1. Exploit
  2. Infiltrate
  3. Attack

BlackCat:

BlackCat, also known as ALPHV, has been deemed one of the most threatening and sophisticated types of malware in recent years. BlackCat is considered ransomware-as-a-service (RaaS). Although there has been a decline, BlackCat is still dangerous as they target organizations globally using triple-extortion tactics. Cybercriminals use a malware-infected email or website link to lure in victims, quickly spreading across an entire system.

After BlackCat attackers gain initial access to a network, they begin lateral movement phases identifying sensitive data to later encrypt. It is difficult to remove and will attempt to disable anti-virus software and other security measures. Cybercriminals will also modify system files and settings to make a recovery more complex.

One of the main differences between BlackCat and other types of ransomware is that it is written in the Rust programming language. Use of this language has increased because it is stable, fast, and able to evade existing detection capabilities while allowing for better memory management. BlackCat can also run on non-Windows operating systems like Linux.

Medusa:

Medusa has been picking up media coverage this past year with increased activity and the launch of their ‘Medusa Blog,’ where they leak data for victims who do not pay a ransom. They target globally and demand millions in ransom.

Medusa is known to shut down over 280 Windows processes and servers, including database servers, backup servers, and security software that would otherwise prevent files from being encrypted. They claim to exfiltrate data from organizations and perform a double-extortion attack, where the threat actor encrypts compromised systems and releases or sells the data publicly on their blog. Since they are relatively new, additional capabilities are still being discovered.

How Ransomware Affects a System or Device

Ransomware is used in several different methods to infect an organization’s device or network. Some of the most common ransomware infection vectors include:

  • Social Engineering Attacks and Phishing Emails: Phishing emails entice employees and victims to download and run malicious attachments, which contain ransomware disguised as a link, PDF, Word document, etc. An attacker can access their system once that link or attachment is opened or downloaded. IBM recently reported that 45% of all ransomware attacks successfully infiltrate through a phishing email or a social engineering tactic.
  • Account Compromise: Cybercriminals buy authorized users’ credentials off the dark web or steal or obtain them via brute force. They then use the credentials to log into a computer or network to deploy ransomware directly. A widespread credential theft technique that cybercriminals use is the remote desktop protocol to access a victim’s computer remotely.
  • Software Vulnerabilities: It is common for cybercriminals to exploit software vulnerabilities by injecting malicious code into the network or device. Attackers know how common it is for organizations to not have everything patched, making known vulnerabilities the easiest point of entry or technique to plan their attack.

Detection Before Ransomware Execution

One of the most important steps for all organizations to protect themselves from ransomware is taking a proactive approach to cybersecurity by investing in the right solutions and technologies. In conjunction with a Security Operations Platform and Managed Detection and Response Services, implementing a solution specific to ransomware adds multiple layers of protection to an organization to proactively block ransomware from executing. If signs of a ransomware attack are detected, the attack can be stopped before the files are encrypted.

Typically, when a ransomware attack occurs, removing the ransomware alone does not give you access to your files again; without the decryption key, you still need a solution that keeps you from having to pay the ransom. Specifically, a multilayer ransomware defense solution stops the ransomware before this stage is even reached. These solutions are not a replacement for threat management solutions but an added necessity to enhance your cybersecurity protection.

Adlumin’s threat experts work as an extension of your security team and can detect ransomware before havoc is wreaked, reducing an event’s impact. They can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign up for a free trial.

How Automation Makes Cybersecurity Faster and Smarter: The Pros and Cons

By: Will Ledesma, MDR Cybersecurity Director 

The world of automation is fully upon us. We as humans want things faster, quicker, and cleaner, with trust in actions taken by computers. All too often, we see in the movies lightning-speed actions happening in real time. Is this real? In essence, we can see automation everywhere, from ordering food at a kiosk to robots making food and beverages. So how has automation taken a foothold in cybersecurity?

The concept of automation often bleeds into the artificial intelligence (AI) world, where AI makes decisions based on a number of technologies and learned variables. In principle, automation also makes these same types of decisions, but based on rules and patterns. Nonetheless, in cybersecurity, automation is only as smart as we make it. The cyber-world is colossal, and different teams and operations can all use automation in different ways.

This blog concentrates on automation in a Security Operations Center (SOC) and the pros and cons of automation used in cybersecurity.

How is Automation Being Used in Cybersecurity?

In cybersecurity, and specifically at Adlumin, automation monitors, audits, detects, responds to, and/or prevents malicious activity across multiple technologies. One of the main challenges in the cybersecurity world is burnout. By using automation, a Security Operations Center (SOC) team can quickly scale up its operations: automation reduces analyst fatigue and provides the tools to quickly identify, contain, and respond to malicious activity. It streamlines mundane, labor-intensive tasks that would otherwise require manual effort, shortens the time to threat detection, and provides response capabilities across an organization’s technology set. In addition, automation reduces the costs associated with manual processes and investigations by detecting and containing threats such as malware, phishing emails, and malicious code.

Now that we’ve covered its use let’s look at the pros and cons.

The Pros of Cybersecurity Automation

Simply put, as mentioned above, automation reduces the time to threat detection and containment. Furthermore, automation can pinpoint threats that the human eye may miss. Within Adlumin’s Security Operations Center (SOC) team, automation is built by capturing the mindset of a Tier 3 (expert) SOC analyst in playbooks, into which automation is then inserted to make decisions at machine speed. This way, an attack can be stopped in machine time, denying the threat any chance to spread further.

Use Case: Automated Blocklists Pushed into Next-Generation Firewall Systems

For this use case, we will examine an automation playbook that is used to create IP blocklists for next-generation firewall systems (NGFW). In the past, SOCs had to have subject matter experts (SMEs) who knew a slew of technologies. Using automation, we have removed the need for a dedicated SME who knows how to create network objects, apply them to a network policy, and commit the change so it takes effect, and, most importantly, we have reduced the risk surface. A company no longer has to open additional vectors into its network for SOC SMEs. In addition, a customer drops the account management headache that comes with giving credentials to users outside the organization, and the change-request nightmares of depending on a third-party company. Adlumin’s automation can implement a blocklist in seconds versus minutes, hours, or even days.
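As an added example (not Adlumin’s playbook, and not any vendor’s API), the following Python shows the shape of such a block step. It gates on severity, refuses to push internal or allowlisted addresses, drops malformed input, expires stale indicators, and computes an idempotent add/remove plan against what the firewall already holds, so re-running it is safe. The object name, TTL, severity gate, allowlist entry, "current time" and the RFC 5737 sample events are all assumptions, and the rendered text is vendor-neutral rather than any real NGFW syntax.

```python
"""Added example, not Adlumin's playbook: an auto-block step for an NGFW blocklist.

Given SIEM detection events it (1) drops anything that must never be blocked,
(2) de-duplicates and expires stale indicators, and (3) produces an idempotent
change plan plus a rendered address object that a vendor adapter would push.
Object name, TTL, severity gate and sample data are assumptions for illustration.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

BLOCK_TTL = timedelta(hours=24)            # assumed: blocks age out after a day
OBJECT_NAME = "soc-auto-block"             # assumed NGFW address-object name
BLOCK_SEVERITIES = {"high", "critical"}    # assumed gate: never block on low/medium
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Ranges the playbook must never push, or it could cut the SOC off from itself.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]
# Analyst-maintained exceptions (constructed: e.g. a partner's VPN endpoint).
ALLOWLIST = {ipaddress.ip_address("203.0.113.10")}

# Constructed detection events using RFC 5737 documentation addresses.
EVENTS = [
    {"ts": "2024-03-01T10:00:00Z", "src_ip": "198.51.100.23", "rule": "ssh_bruteforce", "severity": "high"},
    {"ts": "2024-03-01T10:00:05Z", "src_ip": "198.51.100.23", "rule": "ssh_bruteforce", "severity": "high"},
    {"ts": "2024-03-01T10:01:00Z", "src_ip": "10.0.0.15",     "rule": "port_scan",      "severity": "high"},
    {"ts": "2024-03-01T10:02:00Z", "src_ip": "203.0.113.10",  "rule": "port_scan",      "severity": "high"},
    {"ts": "2024-03-01T10:03:00Z", "src_ip": "192.0.2.77",    "rule": "c2_beacon",      "severity": "critical"},
    {"ts": "2024-03-01T10:04:00Z", "src_ip": "not-an-ip",     "rule": "c2_beacon",      "severity": "critical"},
    {"ts": "2024-02-27T10:04:00Z", "src_ip": "192.0.2.200",   "rule": "c2_beacon",      "severity": "critical"},
    {"ts": "2024-03-01T10:05:00Z", "src_ip": "192.0.2.90",    "rule": "port_scan",      "severity": "low"},
]
# Constructed: what the firewall object currently contains before this run.
DEPLOYED = {"198.51.100.23", "192.0.2.200"}


def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def candidate_ips(events, now):
    """Return {ip_str: first_seen} for events that are safe and fresh enough to block."""
    out = {}
    for ev in events:
        if ev["severity"] not in BLOCK_SEVERITIES:
            continue
        try:
            ip = ipaddress.ip_address(ev["src_ip"])
        except ValueError:
            continue                       # malformed input never reaches the firewall
        if ip in ALLOWLIST or any(ip in net for net in NEVER_BLOCK):
            continue
        ts = _parse_ts(ev["ts"])
        if now - ts > BLOCK_TTL:
            continue                       # stale indicator: let it age out
        key = str(ip)
        out[key] = min(ts, out[key]) if key in out else ts
    return out


def plan_changes(desired, deployed):
    """Idempotent plan: add only what is missing, remove only what has expired."""
    desired, deployed = set(desired), set(deployed)
    return {"add": sorted(desired - deployed), "remove": sorted(deployed - desired)}


def render_object(name, ips):
    """Vendor-neutral rendering of the address object, one host entry per line."""
    body = "\n".join(f"  {ip}/32" for ip in sorted(ips))
    return f"address-object {name}\n{body}\n"


def run_playbook(events, deployed, now):
    """One playbook run: returns the change plan and the full rendered object."""
    desired = candidate_ips(events, now)
    return plan_changes(desired, deployed), render_object(OBJECT_NAME, desired)


if __name__ == "__main__":
    plan, rendered = run_playbook(EVENTS, DEPLOYED, NOW)
    print(plan)
    print(rendered)
```

Run as shown, the plan adds only the fresh C2 beacon source and removes the three-day-old indicator; the private address, the allowlisted partner, the malformed value and the low-severity scan never reach the object. The add/remove plan, rather than a full rewrite, is what lets the step run every few seconds without churning the firewall configuration.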

In addition to serving as an extra defender alongside the cyber defense team, automation reduces mean time to remediation (MTTR), which helps meet service level agreements (SLAs). Automation will also grab key intel artifacts and inject them in machine time into Adlumin for an analyst to use on a single pane of glass, reducing the work to a few clicks instead of trips to additional outside sources.

The Cons of Cybersecurity Automation

The main con of cybersecurity automation is that threat actors are now also using automation within their attack playbooks. The expertise required of attackers has dropped: a team can have one lead who creates and distributes a malicious tool set, and other attackers then simply point and click at whatever they want to attack. Even here at Adlumin, our red teams use automation in their attacks to brute force their way into systems.

Because attacks now move at lightning speed, defenses must be able to keep up, and automation is clearly the key. For those possibly thinking otherwise, consider this: a leader approaches you and states, “Why am I going to invest in an employee if they’re just going to leave?” A great response would be, “But what if we don’t invest in them and they never leave?” The same is true for automation in the world of cybersecurity.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign up for a free trial.

Early Detection of Ransomware Attacks for Financial Institutions

By: Brittany Holmes, Corporate Communications Manager 

Ransomware attacks continue to pose a serious and persistent threat, causing widespread disruption to organizations of all sizes. This underscores the critical need for proactive cybersecurity measures to stay ahead of cybercriminals.  

A recent high-profile incident involving approximately 60 credit unions highlighted the ongoing impact of these attacks. Many of the credit unions affected lacked adequate backup coverage and dedicated security, which illustrates the importance of early detection and a multi-layered defense strategy to protect valuable data from ransomware threats.

This blog explores top methods for detecting ransomware, response strategies, and the importance of a multi-layer protection approach.   

Detecting Ransomware and The Need for Early Detection 

Ransomware protection strategies commonly focus on the different stages of an attack, as outlined by MITRE. From blocking known variants, to detecting signs of compromise before execution, to identifying malicious activity during the execution phase, each step plays a crucial role in preventing file encryption and data loss. Here are some of the top ways ransomware is detected:

  • Blocking Ransomware Variants: Blocking known ransomware variants is common in cybersecurity defense. Organizations can proactively block known ransomware strains from executing on their systems by leveraging threat intelligence feeds and signature-based detection tools. 
  • Detecting Signs of Compromise: Detecting signs of compromise before ransomware execution is another crucial strategy in ransomware detection. Organizations can identify a ransomware attack in its early stages by monitoring for indicators of compromise (IoCs), such as unusual network traffic patterns, unauthorized access attempts, or anomalous file modifications. 
  • Detecting Ransomware at Execution Stage: Detecting ransomware at the execution stage is a critical step in mitigating the impact of an attack. Behavior-based detection techniques can monitor system activities in real-time to detect and respond to malicious behavior, including ransomware encryption processes. Organizations can identify and contain ransomware before it causes extensive damage by analyzing the behavior of processes and file system activities. 
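As an added example (not Adlumin’s product code), the following Python layers the first and third approaches above and runs them over constructed file-system events: a known-bad hash check on the process image stands in for the signature/threat-intel layer, and per-process behaviour inside a sliding window (a burst of writes, write content that looks encrypted, mass renames to one new extension) stands in for execution-stage detection. The hash value, thresholds, event schema and every event are assumptions; no real sample or real file paths are involved.

```python
"""Added example, not Adlumin's detection code: layered ransomware detection
run over constructed file-system events.

Layer 1 matches the process image hash against a known-bad set (the
signature / threat-intel layer). Layer 2 looks at execution-stage behaviour
per process inside a sliding window: a burst of writes, writes whose content
is near-random (encrypted), and mass renames to a single new extension.
Thresholds, the event schema and the hash value are assumptions."""
import math
import os
from collections import defaultdict

KNOWN_BAD_SHA256 = {"b" * 64}   # assumed threat-intel entry: placeholder, not a real hash

WINDOW_SECONDS = 10.0           # assumed sliding window per process
MIN_WRITES = 20                 # writes in the window before we call it a burst
MIN_EXT_RENAMES = 10            # renames to one new extension before we flag it
ENTROPY_THRESHOLD = 7.0         # bits/byte; ciphertext approaches 8, text is ~4-5
HIGH_ENTROPY_FRACTION = 0.8     # share of burst writes that must look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


# ---- constructed events (all paths, hashes and timings are made up) ----
TEXT = b"Quarterly report draft: revenue up 4% on last year, see attached table."
CIPHERTEXT_LIKE = bytes(range(256)) * 16   # stand-in for encrypted output; entropy 8.0


def _write(ts, pid, sha, path, data):
    return {"ts": ts, "pid": pid, "sha256": sha, "op": "write", "path": path, "data": data}


def _rename(ts, pid, sha, path, new_path):
    return {"ts": ts, "pid": pid, "sha256": sha, "op": "rename", "path": path, "new_path": new_path}


EVENTS = []
# 1001: a user editing a few documents (benign)
EVENTS += [_write(t, 1001, "a" * 64, f"C:/Users/jo/doc{t}.docx", TEXT) for t in range(3)]
EVENTS.append(_rename(3.0, 1001, "a" * 64, "C:/Users/jo/~tmp.tmp", "C:/Users/jo/doc3.docx"))
# 2002: encrypts 25 files and renames each to .locked within five seconds
for i in range(25):
    p = f"C:/Shares/finance/invoice{i}.docx"
    EVENTS.append(_write(5.0 + i * 0.2, 2002, "c" * 64, p, CIPHERTEXT_LIKE))
    EVENTS.append(_rename(5.1 + i * 0.2, 2002, "c" * 64, p, p + ".locked"))
# 3003: a backup agent copying 30 plain files quickly (a burst, but not encryption)
EVENTS += [_write(20.0 + i * 0.15, 3003, "d" * 64, f"D:/backup/file{i}.txt", TEXT) for i in range(30)]
# 4004: a process whose image hash is on the known-bad list
EVENTS.append(_write(40.0, 4004, "b" * 64, "C:/Users/jo/readme.txt", TEXT))


def analyze(events):
    """Return {pid: sorted list of reasons} for processes that trip a layer."""
    findings = defaultdict(set)
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["sha256"] in KNOWN_BAD_SHA256:           # layer 1: known variant
            findings[ev["pid"]].add("known_bad_hash")
        by_pid[ev["pid"]].append(ev)
    for pid, evs in by_pid.items():                    # layer 2: behaviour in window
        window = []
        for ev in evs:
            window.append(ev)
            window = [e for e in window if ev["ts"] - e["ts"] <= WINDOW_SECONDS]
            writes = [e for e in window if e["op"] == "write"]
            if len(writes) >= MIN_WRITES:
                findings[pid].add("mass_write_burst")
                encrypted = sum(shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD for e in writes)
                if encrypted / len(writes) >= HIGH_ENTROPY_FRACTION:
                    findings[pid].add("high_entropy_writes")
            ext_changes = [e for e in window
                           if e["op"] == "rename" and _ext(e["path"]) != _ext(e["new_path"])]
            if (len(ext_changes) >= MIN_EXT_RENAMES
                    and len({_ext(e["new_path"]) for e in ext_changes}) == 1):
                findings[pid].add("extension_rewrite")
    return {pid: sorted(r) for pid, r in findings.items()}


def response_actions(findings):
    """Kill only on strong evidence: a known-bad hash, or a burst that also looks
    like encryption or mass re-extension. A burst alone (backups, builds) is left
    to an analyst, which is what keeps false positives down."""
    actions = []
    for pid, reasons in sorted(findings.items()):
        r = set(reasons)
        if "known_bad_hash" in r or ("mass_write_burst" in r and r & {"high_entropy_writes", "extension_rewrite"}):
            actions.append({"action": "kill_process", "pid": pid})
    return actions


if __name__ == "__main__":
    found = analyze(EVENTS)
    for pid, reasons in found.items():
        print(pid, reasons)
    print(response_actions(found))
```

The backup agent is there on purpose: it trips the write-burst heuristic but not the entropy or extension checks, so it is surfaced rather than killed. A compression or encryption job would trip the entropy check too, which is why real deployments also weigh process reputation, parent process and the paths touched before terminating anything.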

Additionally, leveraging frameworks such as MITRE ATT&CK can give organizations a standardized approach to understanding ransomware tactics, techniques, and procedures (TTPs). By mapping ransomware behaviors onto the MITRE ATT&CK matrix from left to right, from initial access through to impact, organizations can identify gaps in their detection and response capabilities and implement targeted security measures to enhance their ransomware defense strategy.

However, cybercriminals continually evolve their tactics, and new ransomware strains emerge that evade some detection methods. To address the shortcomings of each individual method, organizations can adopt a strategy that combines multiple layers of defense. Integrating threat intelligence feeds with behavioral analytics and proactive threat hunting enhances ransomware detection and improves the overall cybersecurity posture.

Adlumin’s Innovative Ransomware Protection Feature   

Adlumin’s Managed Detection and Response (MDR) now includes a ransomware prevention feature focused on file system preservation to combat the evolving ransomware landscape. This new capability safeguards most files by killing the encrypting process at the earliest sign of detection.

One crucial aspect of ransomware protection is proactive testing and preparedness. Test your defenses and response protocols against ransomware behaviors regularly, so you know how your organization’s security tools actually perform before a real attack, and prioritize fixing what those tests reveal.

Embracing a Multi-Layered Defense Approach 

Ransomware is a complex and challenging threat that demands a multi-layered defense approach. Early detection, proactive response strategies, secure backups, and innovative technologies like Adlumin MDR Ransomware Prevention are essential to a comprehensive defense posture against attacks. By understanding the importance of early detection and implementing a multi-layered defense strategy, organizations can significantly enhance their resilience to evolving cyber threats.

The threat of ransomware is large, but by staying informed and leveraging advanced security solutions, the risks can be mitigated and data assets safeguarded. Remember, there is no single answer to ransomware protection; it requires a holistic and dynamic approach to stay ahead of cyber adversaries. With 24×7 coverage and innovative technologies, you can protect your organization against the threat of ransomware and ensure business continuity in the face of evolving cyber risks.