How Can You Go On The Offense Against A Ransomware Attack?
Why is the security industry always fighting from behind?
In my previous installment on ransomware, I laid out a plan for IT managers to follow after an attack. Today we answer the question: how can IT managers prevent the ransomware threat in the first place? If you are new to this series, be sure to read my article on what ransomware is and what you can do about it.
There is a built-in disadvantage in the way the IT security community battles cybercrime. And that disadvantage is being demonstrated clearly in the current ransomware rampage.
For decades the cybersecurity industry has played defense only. Its strategy is entirely reactive: it responds to cyberattacks by identifying and destroying known and suspected threats. In the meantime the bad guys are permanently on offense. They modify their code to bypass the industry’s latest defensive measures, then send their refurbished cyber probes back to work.
It’s a form of warfare the world knows only too well — a formal regimented army versus a nimble and highly motivated insurgency. It’s an expensive, plodding, predictable force with a lot to lose versus a highly dispersed criminal enterprise with a lot to plunder.
Going on Offense
But there is a handful of startups in the IT security community that believe the cat-and-mouse game is inefficient and ultimately unsustainable. They are marketing alternatives to the reactive paradigm, and their solutions are oriented toward prevention. With the advent of powerful tools such as virtualization, the cloud, big data, and predictive analytics, they say, it’s time for the industry to use everything in its arsenal and go on offense.
One company, CyActive, is betting on a predictive technique akin to immunization. The system does more than just detect malware, the company says: it captures malware specimens and uses them to generate variants of that malware. The system thereby predicts, in advance, the next viable malware adaptations and uses that knowledge to block renewed attacks before they have a chance to do damage.
The technique, the company says, allows corporations and governments to shift their IT security systems from defense to prevention.
One wonders what will happen if and when the cybercriminals reverse-engineer CyActive’s technology and arm their malware weapons with some version of the company’s predictive capabilities.
Another company, Bromium, takes isolation and detection to another level. The company puts virtual machines at the core of its anti-malware strategy. Its technique is to trust nothing and isolate everything: every incoming communication is encapsulated in its own virtual machine.
Anything that could be contaminated, such as an email or a web page, is isolated from the corporate network and from every other item, and is then examined for infection. In a virtual environment a virus has nothing to steal and nowhere to go, the company says, so businesses can be very thorough in their malware investigation.
Like CyActive, the company says it employs analytics to learn everything it can about malware.
A potential issue with this technology is that it could affect overall network performance. Isolating every form of incoming communication in a virtual machine and inspecting it in real time has to add significant overhead.
Perhaps a slightly slower network is a small price to pay for anti-malware peace-of-mind.
Prevention is a tough challenge. In part 4 of this series, we tackle an even tougher goal: malware eradication.