April 13, 2017
Predictive analytics identifies ransomware attacks before damage is done
This past February marked the two-year anniversary of the ransomware attack on Livingston County, Michigan. The wealthiest county in the state had three years’ worth of tax information potentially at the mercy of cybercriminals.
County CIO Rich C. Malewicz said that, as a local government, the county has been a target of ransomware, but in this instance it had backups at the ready. He said the most memorable ransomware attack was the result of a watering-hole campaign that used malvertising to infect users visiting a local news website.
“This attack was very clever in that all you had to do to get infected was visit the website, you didn't even have to click on the page. Once the user went to the local news website, they were immediately redirected to a site hosting exploit code and the infamous page appeared demanding a ransom with instructions,” he said.
The attackers embedded malicious code in an iframe that redirected users to the exploit landing page. The ransomware spread to several PCs and servers before it was contained.
“We were fortunate enough to have a working backup of the data and we recovered shortly after. If we didn't have a working backup this could have been a disaster,” Malewicz said.
Aside from the potential loss of personally identifiable information on the county’s 188,000 citizens, the government would have faced the labor cost of recreating the documents on top of the damage to its reputation. The county’s network is also shared with public safety entities and educational institutions.
“It's pretty clear that local government is a primary target of ransomware attacks, mainly because they have lagged so far behind the private sector in terms of cyber protection, many don’t have working backup solutions - if any at all, and they tend to pay the ransom,” he said.
Recent headlines show that public safety agencies and local governments will pay the ransom, so they are targeted even more: attackers migrate toward the industries that tend to pay and toward organizations with an inadequate cybersecurity posture. Case in point: the Tewksbury, Mass., police paid the ransom after four or five days, once it was clear they could not break the encryption and needed the attackers to send them the private key to regain access to the data.
“Protecting an organization from ransomware or any type of malware is similar to an arms race, as the threat evolves so must your defenses!” Malewicz said.
The county turned to predictive analytics in hopes of halting ransomware attacks. Livingston County uses the Unitrends backup solution, which gives Malewicz's team peace of mind that data can be recovered in the event its cyber defenses fail.
“Ransomware was largely unheard of years ago, but today it's a household name - everyone knows someone or some organization which has been infected. The future guarantees that more menacing ransomware variants will take center stage wreaking havoc in our homes and places of business. When ransomware exploits bypass perimeter cyber defenses you have only to rely on your predictive analytic cyber defenses to protect you, else I hope you have stable and secure backup to fall back on!” he said.
Predictive analytics is seen as moving the technology from a staple to something closer to a savior: it sharpens the backup system's ability to detect changes in the data that point to a ransomware outbreak, and then lets the IT administrator revert to the last legitimate backup point.
Predictive analytics is a necessity because tomorrow's malware is unknown and will surely evolve to our detriment. When traditional cyber defense technology is rendered ineffective or human error is at play, predictive analytic defenses become the last line of defense for an organization. The majority of cyber defenses in an organization are built around signature-based models of "known" malware, whereas predictive analytics is built around the "unknown": it establishes a pattern of life within the organization and flags malware and other abnormal activity that departs from it.
Paul Brady, CEO of Unitrends, said, by infusing predictive analytics into Unitrends' backup and business continuity solutions, the company enables customers to detect ransomware as the last line of defense. "Through predictive analytics and machine learning against backup data patterns, organizations of any size can not only detect ransomware before it wreaks havoc on their data, but also revert back to the last legitimate backup point to decrease down time," he said.
Unitrends explained the process: as backups occur, the software processes the data regularly. Even without knowing the detailed contents of the files, it collects, analyzes and stores metrics for future decision making, including ingest patterns, change rates and growth rates. Over time the backup system uses machine learning to recognize that certain anomalies in these metrics are indicative of a ransomware attack, and when the right conditions occur the administrator is alerted immediately.
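The following is an added illustration of the kind of metric-based check described above, written for this page and not Unitrends' own code. It assumes a backup system that records, per incremental run, how many files changed, how many files are protected, and how many bytes had to be stored; the five-run baseline window, the three-sigma threshold and the sample runs are all constructed assumptions.

```python
"""Anomaly scoring over backup-job metrics, added here to illustrate the
'pattern of life' approach described above. Constructed example, not
Unitrends code; the metrics, window and threshold are assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional


@dataclass(frozen=True)
class BackupRun:
    point_id: str        # hypothetical backup-point label (here the run date)
    changed_files: int   # files whose contents changed since the previous run
    total_files: int     # files in the protected set at the time of the run
    ingested_bytes: int  # bytes the incremental run had to store (assumed metric)


@dataclass(frozen=True)
class Verdict:
    point_id: str
    z_change_rate: float
    z_ingest: float
    anomalous: bool


# Constructed sample: a week of steady incremental backups of a file server,
# then two runs in which most of the file set is rewritten and the stored
# bytes balloon (encrypted output neither compresses nor deduplicates).
SAMPLE_RUNS = [
    BackupRun("2017-03-01", 3_100, 120_000, 1_400_000_000),
    BackupRun("2017-03-02", 2_800, 120_300, 1_250_000_000),
    BackupRun("2017-03-03", 3_400, 120_600, 1_600_000_000),
    BackupRun("2017-03-04", 2_900, 120_900, 1_300_000_000),
    BackupRun("2017-03-05", 3_000, 121_100, 1_450_000_000),
    BackupRun("2017-03-06", 3_300, 121_400, 1_550_000_000),
    BackupRun("2017-03-07", 2_700, 121_600, 1_200_000_000),
    BackupRun("2017-03-08", 113_000, 121_800, 39_000_000_000),  # encryption sweep
    BackupRun("2017-03-09", 60_000, 121_800, 20_000_000_000),   # sweep continues
]

WINDOW = 5         # clean runs that form the baseline (assumed)
Z_THRESHOLD = 3.0  # standard deviations above the baseline mean (assumed)


def change_rate(run: BackupRun) -> float:
    """Fraction of the protected file set rewritten since the previous run."""
    return run.changed_files / run.total_files


def z_score(value: float, history: List[float]) -> float:
    """How many baseline standard deviations `value` sits above the mean."""
    mu = mean(history)
    sd = pstdev(history)
    if sd == 0.0:                       # flat baseline: any change is infinite
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def score_runs(runs: List[BackupRun], window: int = WINDOW,
               threshold: float = Z_THRESHOLD) -> List[Verdict]:
    """Score each run against a baseline made only of runs judged normal.

    Excluding flagged runs from the baseline matters: if the first encryption
    sweep were allowed into the history, its huge values would inflate the
    standard deviation and the next sweep would score as ordinary.
    """
    verdicts: List[Verdict] = []
    clean: List[BackupRun] = []
    for run in runs:
        if len(clean) < window:
            # Still learning the pattern of life; nothing to compare against.
            clean.append(run)
            verdicts.append(Verdict(run.point_id, 0.0, 0.0, False))
            continue
        history = clean[-window:]
        zc = z_score(change_rate(run), [change_rate(r) for r in history])
        zi = z_score(run.ingested_bytes, [r.ingested_bytes for r in history])
        # Require both signals: a large software rollout can touch many files,
        # but a mass-encryption rewrites nearly all of them and inflates the
        # stored bytes as well.
        anomalous = zc > threshold and zi > threshold
        verdicts.append(Verdict(run.point_id, zc, zi, anomalous))
        if not anomalous:
            clean.append(run)
    return verdicts


def last_clean_point(verdicts: List[Verdict]) -> Optional[str]:
    """Restore point to fall back to: the last normal run before the first alert."""
    previous: Optional[str] = None
    for v in verdicts:
        if v.anomalous:
            return previous
        previous = v.point_id
    return None  # no alert raised, so nothing needs rolling back


if __name__ == "__main__":
    results = score_runs(SAMPLE_RUNS)
    for v in results:
        flag = "ALERT" if v.anomalous else "ok"
        print(f"{v.point_id}  z_change={v.z_change_rate:8.1f}  "
              f"z_ingest={v.z_ingest:8.1f}  {flag}")
    print("restore from:", last_clean_point(results))
```

Two design points are worth noting. The baseline is built only from runs that were not flagged, so the second day of the sweep is still caught instead of being hidden behind the first day's inflated variance. And the alert requires both the change rate and the ingest volume to be extreme, which is what distinguishes a mass-encryption from an ordinary bulk change that leaves the stored data compressible.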
Ransomware is at the top of the list
Robert Huber, chief security and strategy officer at Eastwind Networks, said ransomware is at the top of the priority list for many CISOs and CIOs. Given the cost of an infection, whether through lost data or the cost of reclaiming it, that makes sense.
“A great method to aid in detection, and more importantly prevention, is the use of predictive analytics, or machine learning. Unfortunately, the compute to perform machine learning at scale has historically been slow and expensive making it mostly reactive. This had been compounded by the difficulty in deploying and managing such a solution,” he said.
As the cost and ability to deploy machine learning (and in turn predictive analytics) have decreased, he said, expect to see many security companies add it to their solutions and apply it to the ransomware problem.
Often the “next-gen” moniker afforded to many new security products means nothing more than applying machine learning to existing problem sets, he said. The availability of platforms such as the Google Cloud Machine Learning Engine and Amazon Machine Learning has reduced the cost and complexity. In addition, the community has improved the state of best practice for those who choose to build it on their own.
“Less complex, expensive and faster [machine learning] allow companies to apply it to cybersecurity in more of a near real-time mode to predict/prevent, versus react. Of course, this presumes that companies are able to build [machine learning] models that can identify this activity while it is still nascent. And this is where you need strong data scientists to extract the relevant features to build the models,” Huber said.
TIBCO’s Michael O’Connell pointed out some examples of when predictive analytics and machine learning come in handy.
Issue: Too many false positives arise because organizations tend to set independent thresholds for the rules and KPIs they believe need to be kept under surveillance. This is a reasonable starting point but inevitably leads to large inefficiencies as the number of rules grows and the correlations among them are not understood.
Solution: Using machine learning to optimally combine existing or new rules into rich fraud indicators, based on tried and tested math, makes it far more likely that relevant alerts surface from a much smaller investigation effort. TIBCO’s machine learning models have both a supervised and an unsupervised component. Supervised models focus on distinguishing known past fraud cases in historic data from the remainder. Financial crime detection also needs to accommodate surprises, which is the job of unsupervised models: this type of model profiles typical past transactions and spots odd ones, not necessarily fraudulent but odd, and therefore worthy of investigation.
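As an added illustration of the false-positive problem above, and not TIBCO's models, data or tooling, the example below contrasts independent per-KPI thresholds with an unsupervised joint profile of normal traffic. It assumes two KPIs that are strongly correlated in legitimate activity (transaction amount and transaction velocity, each already converted to a z-score); the history, the probe transactions and both thresholds are constructed assumptions.

```python
"""Independent rule thresholds versus a learned joint score over correlated
KPIs, added here to illustrate the false-positive problem described above.
Constructed example; not TIBCO's models, data or tooling."""
import math
from typing import List, Tuple

Point = Tuple[float, float]

# Constructed history of normal transactions. Each point holds two KPI values
# already expressed as z-scores: (amount vs. the customer's usual amount,
# velocity vs. the customer's usual rate). In legitimate traffic the two move
# together: busy accounts transact both more often and in larger amounts.
NORMAL_HISTORY: List[Point] = [
    (0.0, 0.1), (1.0, 1.1), (2.0, 1.9), (-1.0, -0.9), (-2.0, -2.1),
    (0.5, 0.4), (1.5, 1.6), (-0.5, -0.6), (2.5, 2.4), (-1.5, -1.4),
]

RULE_THRESHOLD = 2.0   # each KPI rule fires on its own at |z| > 2 (assumed)
JOINT_THRESHOLD = 3.0  # Mahalanobis distance from the normal cloud (assumed)

# Two probe transactions (constructed):
BIG_BUT_CONSISTENT: Point = (3.0, 2.9)  # a big account behaving like a big account
OFF_PATTERN: Point = (2.0, -1.5)        # large amounts from an account that went quiet


def independent_rules_fire(p: Point, threshold: float = RULE_THRESHOLD) -> bool:
    """Independent thresholds: alert if any single KPI is extreme on its own."""
    return any(abs(v) > threshold for v in p)


class JointProfile:
    """Unsupervised profile of normal traffic: mean vector and 2x2 covariance.

    Scoring a point by its Mahalanobis distance accounts for the correlation
    between the KPIs, so points along the usual trend score low even when
    each coordinate is large, and points off the trend score high even when
    each coordinate is unremarkable.
    """

    def __init__(self, history: List[Point]) -> None:
        n = len(history)
        if n < 3:
            raise ValueError("need at least three points to estimate covariance")
        self.mx = sum(x for x, _ in history) / n
        self.my = sum(y for _, y in history) / n
        sxx = sum((x - self.mx) ** 2 for x, _ in history) / (n - 1)
        syy = sum((y - self.my) ** 2 for _, y in history) / (n - 1)
        sxy = sum((x - self.mx) * (y - self.my) for x, y in history) / (n - 1)
        det = sxx * syy - sxy * sxy
        if det <= 0.0:
            raise ValueError("degenerate covariance: KPIs are perfectly collinear")
        self.correlation = sxy / math.sqrt(sxx * syy)
        # Inverse of the covariance matrix, stored elementwise.
        self.ixx = syy / det
        self.iyy = sxx / det
        self.ixy = -sxy / det

    def distance(self, p: Point) -> float:
        """Mahalanobis distance of `p` from the centre of the normal cloud."""
        dx, dy = p[0] - self.mx, p[1] - self.my
        d2 = self.ixx * dx * dx + 2.0 * self.ixy * dx * dy + self.iyy * dy * dy
        return math.sqrt(max(d2, 0.0))

    def fires(self, p: Point, threshold: float = JOINT_THRESHOLD) -> bool:
        return self.distance(p) > threshold


if __name__ == "__main__":
    profile = JointProfile(NORMAL_HISTORY)
    print(f"KPI correlation in normal traffic: {profile.correlation:.3f}")
    for name, p in (("big-but-consistent", BIG_BUT_CONSISTENT),
                    ("off-pattern", OFF_PATTERN)):
        print(f"{name:20s} rules fire={independent_rules_fire(p)!s:5}  "
              f"joint distance={profile.distance(p):6.2f}  "
              f"joint fires={profile.fires(p)}")
```

Run against the constructed history, the independent rules fire on the big-but-consistent transaction (both KPIs exceed 2) and stay silent on the off-pattern one (neither does), which is exactly backwards: the joint profile scores the first as ordinary because it sits on the trend the history establishes, and the second as far outside anything seen before. That reversal is what "understanding the intra-correlations" buys, and it is why the unsupervised component flags the odd rather than the merely large.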
Issue: Suspicious transactions are investigated by humans, who must decide for each one whether it is criminal or not. This leads to long investigation times before accurate and precise conclusions are reached.
Solution: Investigators’ decisions can be made maximally efficient with a TIBCO Spotfire investigative template that collects all information about the transaction’s history from any number of disparate sources. Investigators can complete their analyses in TIBCO Business Process Management (BPM), so that every decision on each alert is auditable at any time. Furthermore, by placing Spotfire on top of BPM, bottlenecks in the investigation process can be identified and addressed. More importantly, as transactions are investigated and a conclusion is reached on whether they were actually fraud, that outcome is fed back to monitor model health over time.