Ransomware is the Tip of the Iceberg—Can Open XDR / XDR avoid you becoming the Titanic?

Ransomware attacks are occurring at an increasingly staggering pace. The tactics for deploying it are evolving at an equally rapid pace. Ransomware-as-a-service providers on the dark web are using ML to create zero-day strains, and traditional security technologies are struggling to keep up. What if the ransomware attack was only a diversion from the attacker’s real goal?

Brian Stoner,
Author: Brian Stoner, VP of service providers, Stellar Cyber

Most attackers establish a foothold within an environment and do a significant amount of reconnaissance before making their move. They can be pervasive in your environment for weeks or months before they deploy a ransomware attack. This has been corroborated by annual threat reports from just about everyone for the last several years. What if the goal was not the ransom but instead your intellectual property?

One of our partners was working with a new customer on an IR engagement. They had not purchased any managed services from the MSSP partner at that point. What was discovered during the IR is that while they were dealing with the ransomware attack, their customer’s SQL database was dumped to a file and exfiltrated through a DNS tunnel. The attackers also established several accounts in their systems to remain persistent.

This was a classic example of a multi-stage ransomware attack. It is imperative that MSP and MSSP partners can connect the weak signals they are getting from every cybersecurity technology they support in order to be able to see the early warning signs and understand when other events are connected to the ransomware. This can be extremely difficult for a SOC team that is consumed with thousands of alerts per day. There are tools for Incident Management, but it requires your analyst to find every artifact and add it to the incident manually.

Open XDR can help partners protect their customers proactively by detecting the attackers in the reconnaissance stage of the XDR kill chain. Stellar Cyber is the first SOC security company to deploy a specialized type of AI called Graph ML to automatically correlate all these signals and alerts into incidents. Then, the incidents are scored and ranked by their severity. This significantly reduces the MTTD and the administrative overhead for the SOC.

As you are evaluating SOC technologies, you need to ask how the detections were developed and how can we as the MSP/MSSP interact with those models. Stellar Cyber has spent the last five years developing specialized detections based on seven different types of ML. Each ML detection can replace 10-20 detection rules in a traditional SIEM with significantly higher efficacy. Stellar Cyber also provides the ability to assist in the training of the models to give you and your customers more confidence.

To learn more about how you can stop ransomware attacks in the reconnaissance phase of the kill chain, please reach out. Contact me at [email protected]

Brian Stoner is VP of service providers at Stellar Cyber. Read more Stellar Cyber guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.