Traps: Expanding Ransomware Protection for Current and Future Threats
On September 19, Palo Alto Networks announced the next iteration of Traps advanced endpoint protection, Traps 4.1. With this release, Palo Alto Networks continues to develop its multi-method prevention approach to endpoint security, with a specific focus on preventing ransomware.
Many estimates put the total value of ransoms paid out in 2016 at more than $1 billion, but the ransom payout itself often pales in comparison to the frustration that follows…
- Engaging disaster recovery on a massive scale
- Bringing user machines back, and larger production and operation systems back online
- Dealing with low employee morale, loss of productivity and potential breach notifications
- Figuring out how to prevent an attack from happening again
- Determining whether the organization is still vulnerable
The majority of ransomware causes damage in less than a minute, far too quickly for endpoint detection and response or manual intervention to counter it. For that matter, neither will fix the underlying issue: ransomware has compromised user machines, and the organization is still vulnerable to additional and ongoing attacks. Compounding concerns, those relying on signature updates have large windows of vulnerability. While the speed of signature updates has improved, if an organization in a signature-based threat-sharing community is infected, it can take hours or days to create and distribute a signature from “patient zero” – much longer than the minutes ransomware needs to spread to other machines. Additionally, the ransomware market itself continues to evolve. “Ransomware as a service” has sprung up, giving even novice attackers access to advanced techniques. Furthermore, recent leaks, along with the re-emergence of exploits to circumvent the need for user action, have given rise to script-based and file-less attacks that pose issues for products or tools that rely heavily on analyzing file characteristics.
Key New Features in Traps 4.1
“It has been exciting to see the evolution of Traps. Red Sky is proud to be an early adopter of the technology and has been heavily integrated with the product development lifecycle. With the new game-changing additions of anti-ransomware for Windows and static analysis on macOS, Traps has been lab tested and proven to be an industry leader in prevention-based endpoint protection.”
Phil Wong | Security Practice Lead at Red Sky
New Exploits and Ransomware
While thousands of exploits exist, only a handful of exploit techniques are used. Traps focuses on these techniques to shut down exploit-based attacks, rather than relying on signatures or attempting to chase each individual exploit. Recently, a new technique was seen in both WannaCry and NotPetya that directly exploits and utilizes the kernel. Despite Microsoft having delivered a patch for the Server Message Block (SMB) vulnerability in Windows, many organizations were vulnerable to the first step of the attack – exploiting SMB – simply because they hadn’t patched their systems. The second step installs the now-infamous DoublePulsar, a backdoor that runs in kernel mode and can load shellcode from the kernel into process memory, using legitimate processes to run the shellcode and potentially leading to a file-less attack.
Enhanced kernel exploit protection: While Traps was already capable of blocking actions aimed at gaining kernel access through privilege escalation, this new kernel exploit prevention protects against exploit techniques used to execute malicious payloads, such as those seen in WannaCry and NotPetya. By blocking processes from accessing injected malicious code, Traps is now able to prevent the attacks early in the attack lifecycle without impacting legitimate processes.
Behavior-based ransomware protection: In this release, we’ve introduced a capability solely focused on ransomware, rather than malware in general. In addition to existing preventions, Traps will now monitor specifically for ransomware behavior and, upon detection, block the attack and encryption of customer data without interfering with legitimate encryption tools.
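The post does not disclose how Traps recognizes "ransomware behavior", so the following is an added illustration of the general idea rather than Traps' own logic: a toy behavioural heuristic that, per process, watches for many distinct files being overwritten with high-entropy content (or renamed) inside a short time window, while a user-driven tool encrypting a single archive or an editor writing ordinary documents is left alone. All event data, process names, paths and thresholds below are constructed for the example.

```python
"""Toy behaviour-based ransomware heuristic over a constructed file-event stream.

This is an added example, not Traps' detection logic (which is not public).
The pattern is a common one: a single process that, within a short window,
overwrites many distinct files with high-entropy (encrypted-looking) content
or renames them en masse is treated as mass encryption, whereas a legitimate
encryption tool touching one file, or an editor saving plain text, is not.
"""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since start (constructed)
    pid: int           # process id (constructed)
    image: str         # process image name (constructed)
    op: str            # "write" or "rename"
    path: str          # file path (constructed)
    data: bytes = b""  # payload for writes (constructed sample bytes)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    """Sliding-window counter of suspicious file operations per process."""

    def __init__(self, window_s: float = 10.0, min_files: int = 20,
                 entropy_threshold: float = 7.0):
        self.window_s = window_s                  # how far back we look
        self.min_files = min_files                # distinct files needed to flag
        self.entropy_threshold = entropy_threshold
        self._recent = defaultdict(deque)         # pid -> deque of (ts, path)
        self.flagged = set()                      # pids that tripped the detector

    def observe(self, ev: FileEvent) -> bool:
        """Feed one event; return True if this event trips the detector for ev.pid."""
        # Only high-entropy overwrites and renames count as "encryption-like".
        if ev.op == "write":
            suspicious = shannon_entropy(ev.data) >= self.entropy_threshold
        else:
            suspicious = ev.op == "rename"
        if not suspicious:
            return False
        q = self._recent[ev.pid]
        q.append((ev.ts, ev.path))
        # Drop events that fell out of the time window.
        while q and ev.ts - q[0][0] > self.window_s:
            q.popleft()
        # Flag once enough *distinct* files were hit inside the window.
        if len({p for _, p in q}) >= self.min_files:
            self.flagged.add(ev.pid)
            return True
        return False


def _pseudo_random_bytes(seed: str, blocks: int = 32) -> bytes:
    """Deterministic high-entropy stand-in for ciphertext (constructed)."""
    return b"".join(hashlib.sha256(f"{seed}:{j}".encode()).digest()
                    for j in range(blocks))


def run_scenario() -> dict:
    """Replay three constructed processes and report which ones were flagged."""
    events = []
    # pid 4242: encrypts 25 documents in 2.5 seconds, then renames them.
    for i in range(25):
        path = f"C:/Users/alice/Documents/report_{i}.docx"
        events.append(FileEvent(100 + i * 0.1, 4242, "updater.exe", "write",
                                path, _pseudo_random_bytes(path)))
    # pid 1111: a user runs a legitimate tool to encrypt one archive.
    events.append(FileEvent(101.0, 1111, "gpg.exe", "write",
                            "C:/Users/alice/backup.tar", _pseudo_random_bytes("gpg")))
    # pid 2222: word processor saving 50 plain-text documents.
    for i in range(50):
        events.append(FileEvent(102 + i * 0.05, 2222, "winword.exe", "write",
                                f"C:/Users/alice/notes_{i}.txt",
                                b"Quarterly status: on track. " * 20))
    events.sort(key=lambda e: e.ts)
    det = RansomwareHeuristic()
    first_hit = {}
    for ev in events:
        if det.observe(ev) and ev.pid not in first_hit:
            first_hit[ev.pid] = ev.ts
    return {"flagged": det.flagged, "first_hit": first_hit}


if __name__ == "__main__":
    print(run_scenario())
```

In this constructed replay only pid 4242 is flagged, at its 20th high-entropy overwrite, while the single-file encryption and the low-entropy document saves pass. The two knobs that matter in practice are the distinct-file count and the window length: the first keeps legitimate encryption tools out of scope, the second bounds how much damage is tolerated before the process is stopped.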
Full post here: https://researchcenter.paloaltonetworks.com/2017/09/traps-4-1/