Malware Protection: Defending Data with Varonis Security Analytics

Malware has become the catch-all term for any bit of code that attempts to hide and then subvert the intentions of the computer’s owner. Viruses, rootkits, lock-screens, and Trojan horses are as common today as a web browser and are used by everyone from criminals to governments to security researchers.

Malware detection on endpoints is commonplace, but as WannaCry and NotPetya taught us, malware can end up in your servers as well, creating vulnerabilities and backdoors to exfiltrate the lion’s share of your sensitive information. That’s where Varonis comes in.

We’ve developed over 100 threat models to detect and arrest malware, data leaks, and potential security risks to your data. Let’s identify some of the more common types of malware, and dive into how Varonis can help you detect and defend against those attacks.

Virus

Viruses are one of the oldest kinds of malware out there. They exist to cause mayhem and to make your life miserable.

There are certain viruses, for instance, that target NAS devices. Those are particularly dangerous due to the sheer volume of data they attack. The most notable recently was the SambaCry vulnerability that hackers used for ransomware attacks, DDoS, or backdoors.

This kind of attack will not only spread to other computers but will start to attack any attached data stores, like the NAS with all the really important data on it (company financial statements, HR records) or the email server. In the blink of an eye, your entire data storage could be encrypted or deleted.

How to Stop a Virus with Varonis

Varonis doesn’t just monitor file events, but also builds a behavioral baseline of normal activity for each user. This analysis lets us separate activity consistent with a particular user’s historical pattern of access (human activity) from a virus (machine activity) and very quickly pull the plug on this user, stopping the virus from inflicting further damage.

Below are some of the threat models that would help detect this type of malware attack:

Threat Model: Encryption of multiple files

How it works: DatAlert triggers this when there are multiple file modify events by the same user in a short amount of time, AND when those modifications include suspected malware encryption file extensions. The known extensions are configurable via a dictionary.

What it means: This usually indicates a malware attack with the intent to deny access to data.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS, Nasuni

Threat Model: Abnormal Behavior: Unusual number of files deleted

How it works: DatAlert triggers this when there are multiple file delete events by the same user in a short amount of time.

What it means: This means that a single user has deleted many files on a monitored storage device in a short amount of time. This could be a user doing clean-up work, but it also could be malware.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS, Nasuni

Threat Model: Abnormal Behavior: Unusual number of sensitive files deleted

How it works: DatAlert triggers this when there are multiple file delete events by the same user in a short amount of time, and those files have been marked as sensitive by the Varonis Data Classification Engine.

What it means: Like the previous threat model, this means that a single user has deleted many files on a monitored storage device in a short amount of time. This could be a user doing clean-up work, but it also could be malware.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS, Nasuni
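To make the conditions of the "Encryption of multiple files" and "Unusual number of files deleted" threat models concrete, here is an added example (not Varonis or DatAlert code) that applies the same two rules to constructed file-event audit lines. The window size, the threshold for "multiple", and the extension dictionary are assumed values for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed ransomware extension dictionary (DatAlert's real list is configurable).
SUSPECT_EXTENSIONS = {".wncry", ".locked", ".crypt"}
WINDOW = timedelta(seconds=60)  # assumed size of the "short amount of time"
THRESHOLD = 4                   # assumed meaning of "multiple" events

# Constructed audit lines (timestamp,user,operation,path); not real data.
SAMPLE_LOG = r"""
2017-06-01T09:00:01,bob,modify,\\nas01\finance\q1.xlsx.wncry
2017-06-01T09:00:02,bob,modify,\\nas01\finance\q2.xlsx.wncry
2017-06-01T09:00:02,bob,modify,\\nas01\finance\q3.xlsx.wncry
2017-06-01T09:00:03,bob,modify,\\nas01\finance\budget.docx.wncry
2017-06-01T09:00:05,alice,modify,\\nas01\hr\review.docx
2017-06-01T10:15:00,carol,delete,\\nas01\tmp\a.tmp
2017-06-01T10:15:01,carol,delete,\\nas01\tmp\b.tmp
2017-06-01T10:15:01,carol,delete,\\nas01\tmp\c.tmp
2017-06-01T10:15:02,carol,delete,\\nas01\tmp\d.tmp
2017-06-01T11:00:00,dave,delete,\\nas01\tmp\old.log
"""

def parse_events(text):
    """Parse the sample lines into (timestamp, user, op, path) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, op, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, op, path))
    return sorted(events, key=lambda e: e[0])

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, threat model, trigger time) once per user and model that fires."""
    recent = defaultdict(deque)  # user -> events inside the trailing window
    alerts, fired = [], set()
    for ts, user, op, path in events:
        q = recent[user]
        q.append((ts, op, PureWindowsPath(path).suffix.lower() in SUSPECT_EXTENSIONS))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        counts = {  # the two conditions the threat models above describe
            "Encryption of multiple files": sum(1 for _, o, s in q if o == "modify" and s),
            "Unusual number of files deleted": sum(1 for _, o, _ in q if o == "delete"),
        }
        for model, n in counts.items():
            if n >= threshold and (user, model) not in fired:
                fired.add((user, model))
                alerts.append((user, model, ts))
    return alerts
```

Running `detect(parse_events(SAMPLE_LOG))` fires the encryption model for bob and the deletion model for carol, while alice's single edit and dave's lone delete stay silent.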

Varonis will detect the virus, lock out the user, and then the SOC can take action to limit or restore the damage done and get the virus under control.

Time is a virus’ best friend. The longer it has to gallivant around uninterrupted, the more times it can copy itself and destroy data. Varonis triggers an immediate, automated response, stopping the virus before it has time to do significant damage.

Trojan Horse

Trojan Horse attacks get their name from that famous story from antiquity. These attacks are similar to viruses in that they arrive hidden inside other downloads, but their payloads tend to be different.

Trojans try to install backdoors or rootkits on your computer, which gives hackers access to that computer and to whatever that computer is able to reach.

How to Stop a Trojan with Varonis

Varonis defends against some Trojans by monitoring the startup folders where these bugs want to install their payload.

Threat Model: Suspicious access activity: non-admin access to startup files and scripts

How it works: DatAlert identifies any file activity by a non-admin user on folders identified as startup folders as suspicious.

What it means: Activity by non-admin users on startup folders is suspicious: users should not be accessing these folders. The attack could be a Trojan, but it also could be an attempt to install files to this folder manually from an already hijacked computer.

Where it works: Windows, Unix, Unix SMB, HP NAS

One thing Trojans want to do is persist through shutdown, so they’ll try to embed themselves into these folders and hide amongst the other running processes to avoid detection.

If the Trojan tries to be smart and avoids the Startup folder, dropping its payload elsewhere instead, a different threat model will still catch Trojan activity.

Threat Model: Exploitation software accessed

How it works: DatAlert detects file events that contain filenames known as part of the hacker toolkit, which is an ever-evolving list.

What it means: It could mean that a user downloaded a hacker tool for a valid reason, but most likely it’s an attempt to infiltrate the network and needs to be stopped.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS

Rootkits and Backdoors

Rootkits and backdoors are payloads that allow hackers to access a computer and its attached network, run commands to move laterally, and steal data. Rootkits are usually prepackaged executables, while backdoors are routes hackers can take to bypass standard authentication on the network.

Once a hacker has a rootkit or backdoor installed and access to the network established, they will start to poke around and look for the profitable stuff to steal – which these days can be anything from social security numbers to credit card numbers to emails.

How to Stop Rootkits and Backdoors with Varonis

Hackers often use service accounts to move around the network: a service account often has more privileged access, and therefore access to more valuable data.

Threat Model: Abnormal service behavior: access to atypical files

How it works: Service accounts typically behave in a consistent manner – performing the same actions over and over again. When a service account starts performing actions on file types that are outside of its usual behavior, something suspicious is likely going on. Because Varonis classifies all AD accounts as Admin, Executive, Service, or User, we can recognize when an account classified as Service starts to access files outside of its usual behavior.

What it means: Someone is using this service account to look at other files, most likely in an attempt to exploit the service account privileges to navigate through the file structure. There’s never a valid reason for a service account to access files outside of normal operation, and the account should be locked out and the credentials changed.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS

Another tactic linked with these types of attacks is brute force – which Varonis can help thwart with threat models that focus on lockout events.

Threat Model: Abnormal admin behavior: accumulative increase in lockouts for individual admin accounts

How it works: DatAlert detects statistically significant increases in lock-out events over time – and can identify an unusual number of lock-out events on an admin account compared to its typical behavior.

What it means: The account is trying to log in and failing repeatedly. This could be a misconfigured password for a valid user, or it could be an attempt to brute force or guess the password by an outsider. This account is probably the target of a gradual brute-force attack aimed at stealing admin credentials or denying access.

Where it works: Directory Services
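A "statistically significant increase over time" is the kind of signal a cumulative-sum (CUSUM) test is built for: it adds up only the excess over a learned baseline, so a slow ramp of lock-outs on one admin account trips the alarm while ordinary day-to-day noise does not. The following is an added illustration of that idea (not DatAlert's implementation, whose statistics the page does not describe); the learning period, allowance k and decision threshold h are assumed values, and the daily counts are constructed.

```python
from statistics import mean

BASELINE_DAYS = 8   # assumed length of the per-account learning period
ALLOWANCE = 0.5     # assumed slack (k) above the baseline mean before counting drift
DECISION = 5.0      # assumed cumulative threshold (h) that raises the alert

# Constructed daily lock-out counts per admin account (oldest first); not real data.
LOCKOUTS = {
    "admin-backup": [0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 2, 0, 1],
    "admin-sql":    [0, 1, 0, 1, 0, 1, 0, 1, 2, 2, 3, 3, 4],
}

def cusum_alert_day(counts, baseline_days=BASELINE_DAYS, k=ALLOWANCE, h=DECISION):
    """Return the index of the first day where the one-sided CUSUM exceeds h, else None.

    S_t = max(0, S_{t-1} + x_t - (mu + k)) accumulates only sustained excess over the
    learned mean, so a slow ramp of lock-outs is caught while a single slightly
    elevated day decays back to zero.
    """
    mu = mean(counts[:baseline_days])
    s = 0.0
    for day, x in enumerate(counts[baseline_days:], start=baseline_days):
        s = max(0.0, s + x - (mu + k))
        if s > h:
            return day
    return None

def flag_accounts(lockouts):
    """Map each account to its alert day (None when its lock-outs stay within baseline)."""
    return {acct: cusum_alert_day(hist) for acct, hist in lockouts.items()}
```

With these constructed counts, admin-sql's creeping increase crosses the threshold on day index 11 (the fourth day of the ramp), and admin-backup never alerts.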

A third tactic associated with these types of attacks is privilege escalation: hackers may try to elevate the privileges of a user that they already have access to – in order to extend their access to more sensitive data.

Threat Model: Membership changes: admin group

How it works: Varonis monitors membership changes, and can flag when members are added to or removed from an admin group.

What it means: If the change was made outside of change control then it’s likely an attempt to steal data by using a privileged account.

Where it works: Directory Services

Remote Access Trojans (RATs)

Remote Access Trojans (RATs) are a different type of malware that open a back door to give hackers access. A relic of the 90s, they’re still in use today.

How to Stop Remote Access Trojans (RATs) with Varonis

Varonis Edge analyzes perimeter devices including VPNs, Web Proxies, and DNS (like what’s leveraged in DNSMessenger), and you can leverage threat models specifically designed for suspicious DNS activity or remote access behavior.

Threat Model: Abnormal behavior: activity from new geolocation to the organization

How it works: Any activity that originates outside of known geolocations will trigger this threat model.

What it means: Someone attempted to reach into the network through the VPN from a new geolocation.

Where it works: VPN

Another tactic associated with this type of malware is DNS Tunneling, which encodes data or protocols in DNS queries and responses.

Threat Model: Data Exfiltration via DNS Tunneling

How it works: Varonis monitors DNS and will detect commands that are sent through the DNS channel that aren’t DNS requests. DNS tunnels depend on using the DNS protocol to pass and execute commands on the target. As soon as Varonis sees a non-standard DNS request this threat model will be triggered.

What it means: Someone is trying to use DNS to execute commands that aren’t DNS requests. This is most likely a hacking attempt.

Where it works: DNS
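What a "non-standard DNS request" looks like in practice can be shown with a few heuristics a defender can run over query logs: unusually long names, subdomain labels whose characters look random (encoded payload rather than words), and record types such as TXT that tunnels use to carry bulk data. This is an added illustration, not Varonis's detection logic (the page does not publish it); the thresholds and the query log are assumed and constructed.

```python
import math
from collections import Counter

# Assumed heuristic thresholds for illustration; the page does not publish Varonis's rule.
MAX_NAME_LEN = 60             # ordinary hostnames are far shorter than the 253-byte limit
MIN_ENTROPY = 3.5             # bits per character; encoded payload labels look random
RARE_TYPES = {"TXT", "NULL"}  # record types tunnels use to carry bulk data in responses

# Constructed query log (client,qtype,qname); not real traffic.
SAMPLE_QUERIES = """
10.0.0.5,A,www.example.com
10.0.0.5,A,mail.example.com
10.0.0.7,A,cdn-assets.static.example.org
10.0.0.9,TXT,a4f9c2e8b7d1f0a3c6e5b4d9a8f7e6c5.9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2.example.net
10.0.0.9,A,9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2.example.net
"""

def shannon_entropy(s):
    """Bits per character of s: English labels score about 2-3, hex/base32 payloads near 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def score_query(qtype, qname):
    """Return the heuristic reasons a query looks like tunneling (empty list = ordinary)."""
    reasons = []
    labels = qname.lower().rstrip(".").split(".")
    # Longest label under the registered domain (assumed to be the last two labels).
    longest = max(labels[:-2], key=len, default="")
    if len(qname) > MAX_NAME_LEN:
        reasons.append("long name")
    if longest and shannon_entropy(longest) > MIN_ENTROPY:
        reasons.append("high-entropy subdomain")
    if qtype.upper() in RARE_TYPES:
        reasons.append("rare record type " + qtype.upper())
    return reasons

def flag_queries(text):
    """Run the heuristics over the log; return (client, qname, reasons) for flagged queries."""
    flagged = []
    for line in text.strip().splitlines():
        client, qtype, qname = line.split(",", 2)
        reasons = score_query(qtype, qname)
        if reasons:
            flagged.append((client, qname, reasons))
    return flagged
```

Only the two queries from 10.0.0.9 are flagged; the second one trips the entropy check alone, which is why a single heuristic is rarely enough and several are combined.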

What Did I Miss?

That’s just a handful of examples of how our threat models detect suspicious activity and help protect against three types of common malware. Have you had to investigate a malware incident? If you feel like sharing, leave a comment below – we’d love to hear it.

You can also check out DatAlert for yourself and see these threat models in action, or get a free 30-day Data Security Risk Assessment.