This article will provide information on detecting ransomware, phishing, and malware attacks.
For this type of attack, we can examine terminal logs with the following two queries:
Process.CommandLine.raw: ((*-m* AND (*LOCAL* OR *NET* OR *ALL* OR *BACKUPS*) OR *-nomutex*)
Process.CommandLine: (*wmic.exe* *shadowcopy* *delete*)
Below are some ways to detect spear phishing attacks:
1- Check the sender's email address and name: When we receive an email, we usually only see the sender's name. Attackers can easily spoof the name of someone who regularly sends you emails. If you receive an email asking you to share sensitive information that should not be shared via email, don't just trust the sender's name; also verify the email address. In some cases, the attacker may successfully spoof the email address, but they may not know the syntax of the name used in the emails you usually receive from the sender. In this case, verify the sender's name as well.
2- Check the email format: In an advanced spear phishing email attack, attackers can spoof both the name and email address of someone known or trusted by you. In such cases, the format of the email can give you a clue about the legitimacy of the content shared in the email. If you notice that the email's format is different from any of the emails you have received from that sender before, take additional steps to verify the legitimacy of the email. Such an email is an attempt at spear phishing to trick you into sharing your sensitive information.
3- Make a phone call: A spear phishing email attack can be so deadly that it does not give any clues to the recipients. The attacker may spoof the name, email address, and even the format of the emails you usually receive. In this case, if the request in the email is sensitive and can cause bigger problems in case of a data leak, don't hesitate to call the sender to verify their legitimacy and the requested information.
4- Verify the links: Sometimes attackers can trick you into clicking on a link embedded in an email. Even if you are sure about the sender's email address and name, make sure the link embedded in the hyperlink does not lead to a fake website or contain malicious code. One simple way to determine the legitimacy of the link is to hover over the link. It gives you the full address you will be directed to when you click on it. If the web address or the link looks suspicious, never click on it. One click can take over your web browser, install malware on your systems, and even provide full access to all stored information. Sometimes the address bar may look very familiar. In this case, make sure the page you are redirected to does not ask for sensitive information such as your bank account password or PIN. Attackers can even mimic the full web pages of financial institutions with phishing. In such cases, call your bank or finance department to verify the legitimacy of the email and the instructions provided in the email.
5- Verify attachments: Never download attachments from an email you do not trust. Even if you trust the sender and you are sure that the email is legitimate, make sure that you scan the attachments with an antivirus program before downloading them. If you download and open a malicious attachment, it can infect your system with malware, delete or encrypt your files, and even cause irreversible damage to your system.
Let's examine malware detection methods in 10 steps.
An effective security application uses a combination of expertise and technology to detect and prevent malware. Tried and true techniques include:
1- Signature-based detection: Used to identify suspicious behavior by using known digital indicators of malware. Lists of Indicators of Compromise (IOCs) stored in a database can be used to identify a breach. While IOCs are effective in identifying malicious activity, they are inherently reactive. As a result, CrowdStrike uses Indicators of Attack (IOAs) to proactively identify in-process cyber attacks.
2- Static file analysis: Detects signs of malicious intent by examining the code of a file before it is run. Strings such as file names, hash values, IP addresses, and file header data can be evaluated to determine whether a file is malicious. Static file analysis is a good starting point, but skilled security teams use additional techniques to detect advanced malware that may not be identified during static analysis.
3- Dynamic malware analysis: Dynamic malware analysis runs suspicious malicious code in a sandboxed environment. This closed system allows security professionals to monitor and inspect malware without risking infection or compromise to their systems or corporate network.
4- Dynamic monitoring of bulk file operations: Used to identify signs of manipulation or corruption by monitoring bulk file operations such as file name changes or deletions. Dynamic monitoring often uses a file integrity monitoring tool and tracks and analyzes the integrity of file systems through both reactive forensic audits and proactive rule-based monitoring.
5- File extension blocking/listing: File extensions are the letters after the dot in a file name that specify the file format. Criminals may use this classification to deliver malware. As a result, a "block list" that includes known malicious file extensions is a common security practice to prevent unknown file extensions.
6- Application whitelist: The opposite of a block list, an organization allows applications that are on an approval list to be used on a system. An approval list can be highly effective in preventing malicious applications through strict parameters. However, it can also slow down an organization's operations and be difficult to manage.
7- Malware honeypot/honeypot files: A malware honeypot is used to expose malware attacks in a controlled, non-threatening environment by mimicking a software application or an application programming interface (API) that can be controlled. Similarly, a honeypot file is a trap file that attracts and identifies attackers. Security teams can analyze attack techniques and develop anti-malware solutions for specific vulnerabilities, threats, or actors.
8- Checksum/Cyclic Redundancy Check (CRC): A calculation performed on a data set, such as a file, to verify its integrity. One of the most commonly used checksums is CRC, which involves analyzing both the value and position of a data set. Checksums can be effective in detecting data corruption, but are not always reliable in detecting manipulation.
9- File entropy/measuring changes in file data: As threat intelligence and cybersecurity evolve, attackers are increasingly creating dynamic malicious executable files to avoid detection. This results in modified files with high levels of entropy. As a result, measuring data changes in a file through entropy can be used to detect potential malware.
10- Machine learning behavioral analysis: Machine learning (ML) is a subset of artificial intelligence (AI) and involves using algorithms that learn patterns from existing data to predict responses on new data. This technology can analyze file behavior, identify patterns, and use this information to improve the detection of new and unidentified malware.