File Integrity Monitoring NON STOP FILE INTEGRITY MONITORING

Ransomware attacks are on the increase, as reported previously*, and it seems the threat of a DDoS attack is not the only extortion muscle being employed.

High-Tech Bridge have published details of two breach investigations they conducted recently, which expose an intricate cyber-extortion racket they have dubbed RansomWeb.

The anatomy of the breach is that a client's web application is compromised and, over a prolonged period of several months, the data it stores is encrypted using a key the hacker controls.

Everything continues to work normally until the hacker suddenly removes access to the encryption key. At that point, data stored under the hacker's key is no longer accessible (it is encrypted!), and because this has been going on for several months, restoring from a backup that pre-dates the hack is operationally unviable: too much data would be lost. Backups taken during that period are no help either, since they hold the same encrypted data without the key.

Stop the breach or Spot the Breach?

In terms of defending against such an attack, the likely attack vector was stolen or hijacked FTP credentials. A password policy that aligns with security best practice is critical for these most sensitive access credentials: regular ageing with stringent re-use restrictions, coupled with complexity and length requirements, is the minimum. Note that plain FTP sends credentials in the clear, so moving to SFTP (or FTPS) is a prerequisite for any password policy to hold. Consider also tighter restrictions on access: allow only internal access to the website filesystem, confined to a minimal set of devices or IP addresses. A jump server adds a further layer to secure access, and private keys (SSH key authentication in place of passwords) can be employed to 'fingerprint' access to only authorised devices.

The second factor that HTBridge recommends is the use of file integrity monitoring. Their summary regarding FIM and RansomWeb is:

“Can be easily detected by a file integrity monitor (however, very few companies do file integrity monitoring for web applications that may change every day).”

This is where NNT's innovations in file integrity monitoring for web applications offer a significant advantage over basic file integrity monitoring tools. By providing highly flexible and precise rules for both inclusions and exclusions, NNT FIM alerts only when critical system, application and configuration files change, while day-to-day content churn (uploads, caches, logs) stays out of the baseline. Even then, Change Tracker's Closed-Loop Intelligent Change Control technology automatically distinguishes between planned and unplanned changes, so a scheduled release does not mask an unauthorised edit to application code.

This makes NNT Change Tracker a perfect breach detection system for web applications, even where the application is being regularly changed.
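As an added illustration of the two ideas above, the script below is example code written for this article, not NNT Change Tracker's own logic or output. It keeps daily content churn under uploads/ and cache/ out of the baseline with include/exclude rules, lets a deployment pass when its new file hashes are listed in a release manifest, and flags an unlisted edit to the application's database layer as unplanned. The web root, file names, rule patterns and the 'attacker' edit are all constructed for the example.

```python
"""Minimal file integrity monitor for a web root: include/exclude rules plus a
release manifest that separates planned from unplanned changes.

Added example for this article, not NNT Change Tracker's code.  The web root,
its files and the 'attacker' edit are constructed inline so it runs offline."""
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Monitor application code and configuration; ignore content that legitimately
# changes every day.  Patterns are fnmatch globs against the path relative to
# the web root; EXCLUDE wins over INCLUDE.  (Assumed rule set for the example.)
INCLUDE = ["*.php", "*.js", ".htaccess", "config/*", "*.ini"]
EXCLUDE = ["uploads/*", "cache/*", "logs/*", "*.log"]


def monitored(rel_path):
    """True if a file at this relative path belongs in the baseline."""
    if any(fnmatch.fnmatch(rel_path, pat) for pat in EXCLUDE):
        return False
    return any(fnmatch.fnmatch(rel_path, pat) for pat in INCLUDE)


def sha256(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root):
    """Map relative path -> hash for every monitored file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256(p)
        for p in root.rglob("*")
        if p.is_file() and monitored(p.relative_to(root).as_posix())
    }


def compare(old, new, manifest=None):
    """Return {path: verdict} for every deviation between two baselines.

    manifest holds the expected hash of each file a planned release touches
    (None for a planned deletion).  A change matching the manifest is
    'planned'; anything else is 'UNPLANNED' and should raise an alert."""
    manifest = manifest or {}
    verdicts = {}
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            kind = "deleted"
        elif rel not in old:
            kind = "added"
        elif old[rel] != new[rel]:
            kind = "modified"
        else:
            continue
        expected = rel in manifest and manifest[rel] == new.get(rel)
        verdicts[rel] = ("planned " if expected else "UNPLANNED ") + kind
    return verdicts


def demo():
    """Constructed scenario: take a baseline, then let a day of content churn,
    one planned release and one silent edit to the database layer happen."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'release 1'; ?>\n")
        (root / "config" / "db.php").write_text("<?php $key = getenv('DB_KEY'); ?>\n")
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 day one")
        before = baseline(root)

        # Daily churn in user content: excluded by rule, must not alert.
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 day two")
        # Planned release: the new index.php hash is recorded in the manifest.
        (root / "index.php").write_text("<?php echo 'release 2'; ?>\n")
        manifest = {"index.php": sha256(root / "index.php")}
        # Constructed attacker edit: the DB layer now uses a key the site owner
        # does not control.  This stands in for the kind of modification the
        # article describes; it is not a reconstruction of the real case.
        (root / "config" / "db.php").write_text("<?php $key = 'attacker-supplied'; ?>\n")
        after = baseline(root)

        return compare(before, after, manifest)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:20} {path}")
```

Running it reports only two lines: index.php as a planned modification and config/db.php as an UNPLANNED modification; the changed upload never appears because it was never in the baseline. In practice the baseline and manifest must live somewhere the web server's credentials cannot reach, otherwise whoever holds the stolen FTP login can rewrite them along with the application.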

Further reading:
NNT Change Tracker
RansomWeb: High-Tech Bridge forensic investigation
RansomWeb: The Register
Will 2015 be the year of DDoS Extortion? New trojan out to attack Linux platforms
