PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry

Key Takeaways

  • The Adlumin Threat Research Team discovered a new malicious PowerShell script called PowerDrop, targeting the U.S. aerospace industry.
  • This novel malware straddles the line between a “basic off-the-shelf threat” and tactics used by Advanced Persistent Threat Groups (APTs).
  • PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption.
  • Adlumin has not yet identified the threat actor behind the malware, but suspects nation-state aggressors as the discovery comes at a time of increased R&D into missile programs as the war in Ukraine continues.
  • Adlumin advises that those in the aerospace defense industry remain vigilant against this new malware. The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.

Introduction

The Adlumin Threat Research Team recently discovered and analyzed a new type of malware targeting the U.S. aerospace defense industry. The discovery comes at a time when more research and investment are put into missile programs as the war in Ukraine continues, and partners around the world remain on high alert.

“PowerDrop” is the name Adlumin researchers have given the malware they found implanted in the network of a domestic aerospace defense contractor in May 2023. The name is derived from the tool, Windows PowerShell, used to concoct the script, and “Drop” from the DROP (DRP) string used in the code for padding.

The threat was detected by Adlumin’s machine learning-based algorithms which analyze PowerShell commands and arguments at run-time.

Upon reverse engineering, Adlumin’s team found that the malware was made up of a new PowerShell and Windows Management Instrumentation (WMI) persisted Remote Access Tool (RAT). The code sends Internet Control Message Protocol (ICMP) echo request messages as a trigger for the malware’s command-and-control (C2), along with similar ICMP ping usage for data exfiltration.

In essence, researchers concluded that the malware is being used to run remote commands against victim networks after gaining initial access, execution, and persistence into servers.

The usage of PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling. What is novel about this malware is that no other code like it has surfaced before, and it straddles the line between a basic “off-the-shelf threat” and the advanced tactics used by Advanced Persistent Threat (APT) groups.

Adlumin has not yet identified the threat actor behind the malware, but nation-state aggressors are suspected.

“This latest attack shows the evolution of ‘living off the land’ tactics by threat actors,” said Adlumin’s Vice President of Strategy, Mark Sangster.

“While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses smacks of more sophisticated threat actors. The fact it targeted an aerospace contractor only confirms the likelihood of nation-state aggressors,” Sangster added.

Kevin O’Connor, who heads Adlumin’s Threat Research Team, said that the malware uses triggers and exfil patterns which are easily flagged by intrusion detection systems, but that the malware also appears to be a “custom” development, using advanced techniques to evade detection such as deception, encoding, and encryption.

“Adlumin’s Threat Research Team believes this malware presents a real threat as it has been able to evade detection by some commonly deployed EDR software, likely due to its practice of encoding the PowerShell command line arguments and the use of WMI for persistence,” O’Connor added.

Threat Analysis

Adlumin first identified the PowerDrop malware based on a machine learning detection which looks at the content of executed PowerShell scripts versus the command line arguments typically analyzed by other security software.

“This allowed our detection algorithms to see through the encoded layer enabling machine learning-based detection on the actual content of the script which is acting as a backdoor or RAT,” O’Connor said.

The malware is a PowerShell command that is executed by the WMI service. The “script,” passed as a single command line argument to the native Windows binary and subsystem PowerShell, is encoded using Base64 and UTF-16 Little Endian and is not persisted on disk as a .ps1 script file.
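To show why inspecting decoded script content matters, the following added example (not Adlumin's detection and not code from the malware) recovers a Base64/UTF-16LE PowerShell argument from a command line and searches the decoded text. The command lines are constructed, and the marker list is an assumption drawn from strings this article mentions.

```python
import base64
import binascii
import re

# Assumption: strings this article associates with the decoded implant.
MARKERS = ("Invoke-Expression", "CreateEncryptor", "TransformFinalBlock", "DRP")

# A flag followed by a Base64-looking argument, optionally quoted.
ARG = re.compile(r"""[-/](\w+)\s+['"]?([A-Za-z0-9+/]{8,}={0,2})""")


def is_encoded_flag(flag):
    """PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec."""
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)


def decode_encoded_command(cmdline):
    """Return the script hidden in an encoded-command argument, or None."""
    for flag, blob in ARG.findall(cmdline):
        if not is_encoded_flag(flag):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None  # flag present, but the argument is not Base64/UTF-16LE
    return None


def find_markers(text):
    """Case-insensitive search, since PowerShell itself ignores case."""
    lowered = text.lower()
    return [m for m in MARKERS if m.lower() in lowered]


def analyze(cmdline):
    """Compare what a command-line-only check sees with the decoded content."""
    script = decode_encoded_command(cmdline)
    return {
        "raw_hits": find_markers(cmdline),
        "decoded": script,
        "decoded_hits": find_markers(script) if script else [],
    }


def encode(script):
    """Helper used only to build the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines; the scripts are harmless stand-ins.
SAMPLES = [
    "powershell.exe -NoProfile -enc " + encode("Invoke-Expression 'Get-Date' # DRP"),
    "powershell.exe -e " + encode("Write-Output 'inventory ok'"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line))
```

For the first sample, the raw command line yields no marker hits while the decoded text does, which is the gap between argument-based and content-based inspection described above.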

Sample of Base64 UTF-16LE encoded PowerShell payload:

Execution and Persistence

Adlumin analyzed the PowerShell process execution context to identify that the malicious PowerShell script/implant was being executed by the WMI service using previously registered WMI event filters and consumers.

The WMI event filter and consumer registrations were created by the malware during the initial installation of the PowerDrop implant.

The WMI event filter and consumer registrations are created using the WMI command line tool ‘wmic.exe’ and are executed using the ‘wmic.exe’ command line tool.

PowerDrop registers itself as a WMI event filter and consumer as observed in these Windows Event Logs:

The WMI event filter that triggers the PowerShell command queries for updates made to the WMI class Win32_PerfFormattedData_PerfOS_System in the root\cimv2 namespace.

The Win32_PerfFormattedData_PerfOS_System class is the Windows Management Instrumentation (WMI) class that contains performance counters which monitor the performance of the Windows operating system.

The WMI event filter is triggered when the WMI class is updated, which then triggers the execution of the PowerShell script. Triggering by the filter is throttled to once every 120 seconds so long as the WMI class has been updated. In Windows, this WMI class is regularly updated with information such as processes, threads, queue length, and system calls per second, and therefore execution every 120 seconds is reliable and guaranteed on most systems.

WMI filter and consumer registrations for persistence and execution of PowerShell payloads have been seen in many other malware families as has the usage of the PerfOS_System WMI class as a reliable trigger for execution.

The EventFilter and CommandLineEventConsumer are both registered under the name, SystemPowerManager.

The WMI event consumer is a CommandLineEventConsumer which executes the PowerShell command line with the encoded PowerShell script as a command line argument.
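The filter, consumer and binding relationship described above can be audited once the subscription objects are collected. The following is an added example, not Adlumin's tooling: it follows each binding to its filter and consumer and reports the traits this section names. It assumes the objects from root\subscription were already exported into dictionaries; the export, the query text and the encoded argument are constructed.

```python
import re

TRIGGER_CLASS = "Win32_PerfFormattedData_PerfOS_System"
PAGE_NAME = "SystemPowerManager"   # registration name reported in the article
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\"?\s.*?-(?:ec|enc\w*|en|e)\s+[A-Za-z0-9+/]{16,}={0,2}",
    re.IGNORECASE)
REF_NAME = re.compile(r'Name="([^"]+)"')

# Constructed export, shaped like the properties of __EventFilter, the event
# consumer classes and __FilterToConsumerBinding (not taken from a real host).
EXPORT = {
    "filters": [
        {"Name": "SystemPowerManager", "EventNamespace": "root\\cimv2",
         "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 120 WHERE "
                  "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
        {"Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
         "Query": "select * from MSFT_SCMEventLogEvent"},
    ],
    "consumers": [
        {"Class": "CommandLineEventConsumer", "Name": "SystemPowerManager",
         "CommandLineTemplate":
             "powershell.exe -NoProfile -enc QQBBAEEAQQBBAEEAQQBBAA=="},
        {"Class": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    ],
    "bindings": [
        {"Filter": '__EventFilter.Name="SystemPowerManager"',
         "Consumer": 'CommandLineEventConsumer.Name="SystemPowerManager"'},
        {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
         "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    ],
}


def ref_name(reference):
    """Extract the Name key from a WMI object reference string."""
    match = REF_NAME.search(reference)
    return match.group(1) if match else None


def audit(export):
    """Follow each binding to its filter and consumer and list what stands out."""
    filters = {f["Name"]: f for f in export["filters"]}
    consumers = {c["Name"]: c for c in export["consumers"]}
    findings = []
    for binding in export["bindings"]:
        flt = filters.get(ref_name(binding["Filter"]), {})
        con = consumers.get(ref_name(binding["Consumer"]), {})
        reasons = []
        if con.get("Class") == "CommandLineEventConsumer":
            if ENCODED_PS.search(con.get("CommandLineTemplate", "")):
                reasons.append("consumer launches PowerShell with an encoded command")
        if TRIGGER_CLASS.lower() in flt.get("Query", "").lower():
            reasons.append("filter polls " + TRIGGER_CLASS)
        if PAGE_NAME in (flt.get("Name"), con.get("Name")):
            reasons.append("name matches " + PAGE_NAME)
        if reasons:
            findings.append({"filter": flt.get("Name"),
                             "consumer": con.get("Name"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(EXPORT):
        print(finding)
```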

We were unable to identify the source of the WMI event filter and consumer registrations. We believe that the malware is likely using a previously known exploit to gain initial access to the victim’s computer, such as a phishing email or drive-by download and execution through wscript.exe, and that the command line filter and consumer registrations are created by the malware during the initial installation of the PowerDrop implant through a wmic.exe command line execution.

The Script/Implant

Once decoded the PowerShell script is a single line of PowerShell code made up of multiple statements, functions, and usually static variables.

Analysis of the decoded content shows that the script is a backdoor/RAT, which can execute remote PowerShell commands against the victim computer and exfiltrate the results of those commands.

Initially, PowerDrop attempts to reach out to a hard-coded IP address over an ICMP Echo Request message.

This request is originated by Windows PowerShell and has detectable attributes: the ICMP Type and Code (8 and 0), an IPv4 Time to Live (TTL) of 128 as natively seen on Windows devices, an ICMP Identification number set to ‘0x0001’, and the ICMP payload.

The ICMP trigger payload is a UTF16-LE encoded string that is not obfuscated, obscured, or encrypted. Observed examples used the simple string “!” as the trigger for the malware C2 beacon. We believe this simply signifies to the command-and-control infrastructure that this is a malware implant beacon and not a randomly received probe, which are common occurrences against Internet-facing devices.

Once the beacon has been sent, the victim machine waits 60 seconds for a response. This 60-second dwell time differs from the typical default 10-second request timeout for ICMP Echo Request messages on Windows. This is likely to ensure that the malware can receive a response from the C2 server even if the network is experiencing high latency or packet loss, especially given that there is no guaranteed delivery or acknowledgment for the ICMP Echo Request message.

In response to the PowerDrop beacon, the command-and-control server responds with an encrypted payload that is also padded with static data at the beginning and end of the message.

PowerDrop uses AES encryption with a 128-bit key and a 128-bit initialization vector (IV) to encrypt the payload. The AES key and IV are static symmetric keys that are hard coded into the PowerShell script and are not dynamically generated. The AES key and IV are also not obfuscated, obscured, or encrypted beyond the initial PowerShell script encoding.

PowerDrop uses the PowerShell-provided interfaces “CreateEncryptor” and “TransformFinalBlock” to encrypt and decrypt the payload.

PowerDrop will then receive a response from the C2 server in the form of an encrypted command. The implant will then decrypt the command, strip the prepending and postpending values, and execute the command using the Invoke-Expression cmdlet in PowerShell.

The implant will then take the results of the command and encrypt them using the same scheme used for decryption and send the results back to the C2 server.

Any oversized responses, those greater than 128 bytes, are split into multiple messages. The first message is sent with the first 128 bytes of the response and the subsequent messages are sent with the remaining bytes of the response in 128-bytes chunks. The C2 server is responsible for reassembling the response:

PowerDrop uses the strings “DRP” and “OCD” as prepending and postpending values bookmarking the response content to the C2 server. The prepending and postpending values are used to indicate the start and end of the response content.

If the response is split into multiple messages, then all messages will have the prepending “DRP” value, and only the final message will have both the “DRP” prefix and “ORD” suffix. The prepending and postpending values are not encrypted and are static values in the PowerShell script. Example of the prepending and postpending values:
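The beacon and exfiltration framing described in this section can be expressed as a small packet classifier. This is an added example, not Adlumin's Snort rule and not code from the malware: it parses raw IPv4/ICMP bytes and labels echo requests by payload. The packets are constructed, and it assumes exfiltration chunks travel as echo requests and that the markers may be ASCII or UTF-16LE on the wire.

```python
import struct
from collections import Counter

PREFIX = "DRP"
SUFFIXES = ("OCD", "ORD")          # the article gives both spellings of the end marker
BEACON = "!".encode("utf-16-le")   # trigger payload described in the article


def variants(text):
    """Assumption: the markers' wire encoding is not stated, so try both."""
    return (text.encode("ascii"), text.encode("utf-16-le"))


def parse_icmp(packet):
    """Parse a raw IPv4 packet; return its ICMP fields, or None if not ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack_from("!BBHHH", packet, ihl)
    return {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "ttl": packet[8], "type": icmp_type, "code": code,
        "id": ident, "seq": seq, "payload": packet[ihl + 8:],
    }


def classify(pkt):
    """Label an echo request: 'beacon', 'exfil-chunk', 'exfil-final' or None."""
    if pkt is None or (pkt["type"], pkt["code"]) != (8, 0):
        return None
    data = pkt["payload"]
    if data == BEACON:
        return "beacon"
    for i in range(2):
        if data.startswith(variants(PREFIX)[i]):
            final = any(data.endswith(variants(s)[i]) for s in SUFFIXES)
            return "exfil-final" if final else "exfil-chunk"
    return None


def windows_defaults(pkt):
    """Supporting attributes from the article: TTL 128 and ICMP identifier 0x0001."""
    return pkt["ttl"] == 128 and pkt["id"] == 0x0001


def triage(packets):
    """Count labelled packets per (src, dst) pair."""
    flows = {}
    for raw in packets:
        pkt = parse_icmp(raw)
        label = classify(pkt)
        if label:
            flows.setdefault((pkt["src"], pkt["dst"]), Counter())[label] += 1
    return flows


def build_echo(src, dst, payload, ttl=128, ident=1, seq=1):
    """Constructed test input: IPv4 + ICMP echo request, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, ttl, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload


HOST, REMOTE = "192.0.2.10", "203.0.113.5"   # documentation address ranges
SAMPLES = [
    build_echo(HOST, REMOTE, BEACON),
    build_echo(HOST, REMOTE, b"DRP" + bytes(125), seq=2),
    build_echo(HOST, REMOTE, b"DRP" + bytes(40) + b"OCD", seq=3),
    build_echo(HOST, "198.51.100.7", b"abcdefghijklmnopqrstuvwabcdefghi", seq=4),
]

if __name__ == "__main__":
    for flow, counts in triage(SAMPLES).items():
        print(flow, dict(counts))
```

The fourth sample carries the default payload of the Windows ping utility and is not labelled, so ordinary pings from the same host do not raise the count.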

“PowerDrop’s robust detection evasion characteristics are what make this interesting,” said Sangster.

“This discovery by the Adlumin Threat Researchers shows that a master chef can make a Michelin-star meal with even the most basic ingredients. Infiltrating a critical aerospace defense contractor only makes this malware all the more appetizing,” he added.

Detections

Adlumin has produced the following detections to help identify potential instances of this malware both on the endpoint and through captured or monitored network traffic.

Snort Detection

This detection can be applied to outbound network traffic and detects instances of PowerDrop malware data exfiltration.

SIGMA

This SIGMA detection identifies PowerShell executions via the PowerShell script block for unencoded and required components of the PowerDrop malware:

Conclusion

Adlumin advises that those in the aerospace defense industry remain vigilant against this new malware that’s making the rounds. The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.

“PowerDrop clearly shows that mixing old tactics with new techniques proves a powerful combination in today’s age,” said Will Ledesma, Director of Adlumin’s Cyber Security Operation Center.

“It highlights the importance of having dedicated 24/7 cybersecurity teams within any operational landscape,” Ledesma added.

Trending Ransomware Attacks and How to Stop Infection Before Payment

By: Brittany Demendi, Corporate Communications Manager

With the rise of ransomware attacks, it is more important than ever to be proactive when it comes to protecting your organization’s devices and networks. Knowing about the various types of ransomware, such as LockBit, BlackCat, and Medusa, is important. Additionally, it is essential to understand how ransomware affects a system and device, and the steps you should take to detect and stop ransomware before it is too late.

In this blog, we will discuss some of the most dangerous and widespread ransomware attacks, how they affect a system, and the steps you should take to prevent them from wreaking havoc on your organization.

Trending Ransomware Attacks

The following section references trending ransomware attacks/gangs from Adlumin’s Threat Research Team.

LockBit:

LockBit is malicious software that blocks users’ access to their computer systems in exchange for a ransom payment. LockBit will automatically spread the infection, vet for other valuable targets, and encrypt systems on the network. Attackers have targeted organizations globally and have made their mark by threatening data theft, extortion, and operational disruption.

It is a self-spreading type of malicious software that does not require manual direction from the attacker. In addition, it uses tools like Server Message Block (SMB) and Windows PowerShell to target an organization’s user rather than spread like spam malware.

LockBit attacks in three stages:

  1. Exploit
  2. Infiltrate
  3. Attack

BlackCat:

BlackCat, also known as ALPHV, has been deemed one of the most threatening and sophisticated types of malware in recent years. BlackCat is considered ransomware-as-a-service (RaaS). Although there has been a decline, BlackCat is still dangerous as they target organizations globally using triple-extortion tactics. Cybercriminals use a malware-infected email or website link to lure in victims, quickly spreading across an entire system.

After BlackCat attackers gain initial access to a network, they begin lateral movement phases identifying sensitive data to later encrypt. It is difficult to remove and will attempt to disable anti-virus software and other security measures. Cybercriminals will also modify system files and settings to make a recovery more complex.

One of the main differences between BlackCat and other types of ransomware is that it is written in Rust programming language. There has been an increase in this type of language because it is stable, fast, and secure to evade existing capabilities while allowing for better memory management. BlackCat can also run on non-Windows operating systems like Linux.

Medusa:

Medusa has been picking up media coverage this past year with increased activity and the launch of their ‘Medusa Blog,’ where they leak data for victims who do not pay a ransom. They target globally and demand millions in ransom.

Medusa is known to shut down over 280 Windows processes and servers, including database servers, backup servers, and security software, and will prevent files from being encrypted. They claim to exfiltrate data from organizations and perform a double-extortion attack where the threat actor encrypts compromised systems and releases or sells the data publicly on their blog. Since they are relatively new, additional capabilities are still being discovered.

How Ransomware Affects a System or Device

Ransomware is used in several different methods to infect an organization’s device or network. Some of the most common ransomware infection vectors include:

  • Social Engineering Attacks and Phishing Emails: Phishing emails entice employees and victims to download and run malicious attachments, which contain ransomware disguised as a link, PDF, Word document…etc. An attacker can access their system once that link or attachment is opened or downloaded. IBM recently reported that 45% of all ransomware attacks successfully infiltrate through a phishing email or a social engineering tactic.
  • Account Compromise: Cybercriminals buy authorized users’ credentials off the dark web or steal or obtain them via brute force. They then use the credentials to log into a computer or network to deploy ransomware directly. A widespread credential theft technique that cybercriminals use is the remote desktop protocol to access a victim’s computer remotely.
  • Software Vulnerabilities: It is common for cybercriminals to exploit software vulnerabilities by injecting malicious code into the network or device. Attackers know how common it is for organizations to not have everything patched, making known vulnerabilities the easiest point of entry or technique to plan their attack.

Detection Before Ransomware Execution

One of the most important steps for all organizations to protect themselves from ransomware is taking a proactive approach to cybersecurity by investing in the right solutions and technologies. In conjunction with a Security Operations Platform and Managed Detection and Response Services, implementing a solution specific to ransomware adds multiple layers of protection to an organization to proactively block ransomware from executing. If signs of a ransomware attack are detected, the attack can be stopped before the files are encrypted.

Typically, when a ransomware attack occurs, removing ransomware alone does not give you access to your files again. It will still require a solution and tool to prevent you from having to pay the ransom, with an encryption key to unlock it. Specifically, a multilayer ransomware defense solution will stop the ransomware before this stage is even needed. These solutions are not a replacement for threat management solutions but an added necessity to enhance your cybersecurity protection.

Adlumin’s threat experts work as an extension to your security team and can detect ransomware before havoc is reached and reduce an event’s impact. They can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

How Automation Makes Cybersecurity Faster and Smarter: The Pros and Cons

By: Will Ledesma, MDR Cybersecurity Director 

The world of automation is fully upon us. We as humans want things faster, quicker, and cleaner, with trust in actions taken by computers. All too often, we see in the movies lightning-speed actions happening in real-time. Is this real? In essence, we can see automation everywhere, from ordering food at a kiosk to robots making food and beverages. So how has automation taken a foothold in cybersecurity?

The concept of automation often bleeds into the artificial intelligence (AI) world, where AI makes decisions based on a number of technologies and learned variables. In principle, automation also makes these same types of decisions, but it’s based on rules and patterns. Nonetheless, in cybersecurity, automation is only as smart as we make it. The cyber-world is colossal, and different teams and operations can all use automation in different ways.

This blog concentrates on automation in a Security Operation Center (SOC) and the pros and cons of automation used in cybersecurity.

How is Automation Being Used in Cybersecurity?

In cybersecurity, specifically at Adlumin, automation monitors, audits, detects, responds to, and/or prevents malicious activities against multiple technologies. One of the main challenges in the cybersecurity world is burnout. By using automation, a Security Operations Center (SOC) team can quickly scale up their operations. For example, automation helps reduce analyst fatigue and provides the tools to quickly identify, contain, and respond to malicious activity. It streamlines mundane, labor-intensive tasks that would’ve otherwise required manual effort. Automation reduces the time for threat detection and provides response capabilities across an organization’s technology set. In addition, automation helps reduce costs associated with manual processes and investigations by detecting and containing threats such as malware, phishing emails, and malicious code.

Now that we’ve covered its use let’s look at the pros and cons.

The Pros of Cybersecurity Automation

Simply put, as mentioned above, automation reduces the time for threat detection and containment. Furthermore, automation can pinpoint threats that the human eye may miss. Within Adlumin’s Security Operations Center’s (SOC) team, automation is used by taking the mindset of a Tier 3 (expert SOC analyst) and scaling that into playbooks to where automation is then inserted to make machine time-to-machine time decisions. This way, an attack can be stopped in machine time, thus denying a threat of further spreading.

Use Case: Automation Block Ingested into Next-Generation Firewall Systems

For this use case, we will examine an automation playbook that is being utilized to create IP blocklists for next-generation firewall systems (NGFW). In the past, SOCs had to have subject matter experts (SME) that knew a slew of technologies. Using automation, we have removed the need for a dedicated SME that knows how to create network objects, apply that to a network policy, ensure that it has been set to memory, and, most importantly, we have reduced the risk surface area. No longer must a company open additional vectors into its network for SOC SMEs. In addition, a customer drops the risk of worrying about the account management headache that comes with having to give credentials to outside-the-organization users or even depending on a third-party company that requires change request nightmares. Adlumin’s automation can implement a blocklist in seconds versus minutes, hours, or even days.

In addition to automation serving as an additional defender alongside cyber defense warriors, it also helps reduce mean time to remediation (MTTR), thus reducing service level agreements (SLA). Automation will also grab key intel artifacts and inject those in machine time into Adlumin for an analyst to utilize on a single pane of glass, thus reducing time to clicks instead of needing to go to additional outside sources.

The Cons of Cybersecurity Automation

The cons of cybersecurity automation are that threat actors are now also using automation within their attack playbooks. The playing field has been reduced in terms of expertise from attackers. Now a team can have one lead that creates and distributes a malicious weapon set to where other attackers can point and click on what they want to attack. Even here at Adlumin, our red teams are using automation in their attacks to brute force their way into systems.

Due to attacks now moving at lightning speeds, defenses must be able to keep up, and automation clearly is the key. For those possibly thinking otherwise, consider this, a leader approaches you and states, “Why am I going to invest in an employee if they’re just going to leave,” where a great response would be, “But what if we don’t invest in them and they never leave?” The same is true for automation in the world of cybersecurity.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

Early Detection of Ransomware Attacks for Financial Institutions

By: Brittany Holmes, Corporate Communications Manager 

Ransomware attacks continue to pose a serious and persistent threat, causing widespread disruption to organizations of all sizes. This underscores the critical need for proactive cybersecurity measures to stay ahead of cybercriminals.  

A recent high-profile incident involving approximately 60 Credit Unions highlighted the ongoing impact of these attacks. Many of the credit unions affected lacked adequate backup coverage and dedicated security, which serves as an example of the importance of early detection and a multi-layered defense strategy to protect valuable data from ransomware threats.  

This blog explores top methods for detecting ransomware, response strategies, and the importance of a multi-layer protection approach.   

Detecting Ransomware and The Need for Early Detection 

Ransomware protection strategies commonly focus on various stages of attack detection, as outlined by MITRE. From blocking known variants to detecting signs of compromise before execution and identifying malicious activities during the execution phase, each step plays a crucial role in preventing file encryption and data loss. Here are some top ways ransomware is detected:  

  • Blocking Ransomware Variants: Blocking known ransomware variants is common in cybersecurity defense. Organizations can proactively block known ransomware strains from executing on their systems by leveraging threat intelligence feeds and signature-based detection tools. 
  • Detecting Signs of Compromise: Detecting signs of compromise before ransomware execution is another crucial strategy in ransomware detection. Organizations can identify a ransomware attack in its early stages by monitoring for indicators of compromise (IoCs), such as unusual network traffic patterns, unauthorized access attempts, or anomalous file modifications. 
  • Detecting Ransomware at Execution Stage: Detecting ransomware at the execution stage is a critical step in mitigating the impact of an attack. Behavior-based detection techniques can monitor system activities in real-time to detect and respond to malicious behavior, including ransomware encryption processes. Organizations can identify and contain ransomware before it causes extensive damage by analyzing the behavior of processes and file system activities. 

Additionally, leveraging frameworks such as MITRE ATT&CK can provide organizations with a standardized approach to understanding ransomware tactics, techniques, and procedures (TTPs). By mapping ransomware behaviors to the MITRE ATT&CK framework from left to right, organizations can identify gaps in their detection and response capabilities and implement targeted security measures to enhance their ransomware defense strategy.  

However, cybercriminals continually evolve their tactics, and ransomware strains emerge, hindering some security approaches. To address the shortcomings of each detection method, organizations can adopt a strategy that combines multiple layers of defense. Ransomware detection capabilities can be enhanced by integrating threat intelligence feeds with advanced behavioral analytics and proactive threat hunting, improving their overall cybersecurity posture.

Adlumin’s Innovative Ransomware Protection Feature   

Adlumin’s Managed Detection and Response (MDR) now includes a ransomware prevention feature focused on file system preservation to combat the evolving ransomware landscape. This new capability safeguards and preserves most files by killing the process at the earliest detection sign. 

One crucial aspect of ransomware protection is proactive testing and preparedness. It is important to understand how secure your organization’s security tools are against ransomware by prioritizing testing defenses and response protocols to ensure readiness in the face of potential threats. 

Embracing a Multi-Layered Defense Approach 

Ransomware protection is a complex and challenging threat that demands a multi-layered defense approach. Early detection, proactive response strategies, secure backups, and innovative technologies like Adlumin MDR Ransomware Prevention are essential to a comprehensive defense posture against attacks. By understanding the importance of early detection and implementing a multi-layered defense strategy, organizations can significantly enhance their resilience to evolving cyber threats.   

The threat of ransomware is large, but by staying informed and leveraging advanced security solutions, the risks can be mitigated, and data assets can be safeguarded. Remember, there is no single answer to ransomware protection – it requires a holistic and dynamic approach to stay ahead of cyber adversaries. With 24×7 coverage and innovative technologies, you can protect your organization against the threat of ransomware and ensure organization continuity in the face of evolving cyber risks.