Intrusion detection and prevention systems (IDS and IPS, respectively) have been around in cybersecurity for years. These technologies are essential parts of a layered defense strategy. The way they typically work is by monitoring network traffic patterns and alerting on or blocking traffic that conforms to signature-based patterns. Ransomware, much like other forms of malware can be tackled through a layered defense strategy that includes IDS and IPS technologies.
What’s Old is New Again
Malware techniques to move across an environment are also in place with most, if not all ransomware strains as ransomware operates as a subset of malware. Additionally, with the emergence of ransomware as an attack pattern, traditional malware does not and likely will not go away. It will continue to evolve in its own way, with those advancements impacting and advancing ransomware.
One key consideration in the ransomware context is how IDS/IPS technologies are deployed around backup or recovery solutions. Recovery from a ransomware attack is made much easier when data can be recovered without the key used to encrypt the data in the first place. Having added layers of protection around backup solutions that block as well as alert for potentially malicious attempts at access are incredibly important.
Deception Integration
Deception-based technologies have come a long way since the introduction of basic network-based honeypots or host emulation. Platforms exist today to deploy decoys of different types and correlate the interaction with them back into centralized security tooling. Decoy types vary widely, such as: credentials or tokens, files on disk, configuration settings, entire systems, web pages or URLs within a web application, and more.
In that context, deploying decoys that are specifically aimed at devices and networks can be particularly effective. On a device, this might look like decoy files or configuration settings that when tripped, set off an alarm. On a network, this might look more like a traditional honeypot device with intentionally exposed network services, insecure credentials, etc.
Deception platforms also enable security teams to deploy a whole suite of decoys. They can be layered together in an environment at different degrees of sophistication. This approach, when combined with IDS/IPS technologies is a powerful tool to detect active threats within an environment. The alert triggers associated with this approach have a higher confidence level, helping the responders properly prioritize and react.
Integration with Other Security Technologies
None of these solutions, whether SOAR, deception, or IDS/IPS tools will be effective if they work alone. Seeking out and deploying solutions that can be integrated with one another is essential to success today. Some organizations have also built specific integrations to support the fight against ransomware, for example, Acalvio and Crowdstrike can work together to deploy decoys to devices and if triggered, can quickly operationalize indicators of compromise (IOCs) to protect an environment.
An effective but commonly discussed area of collaboration is around threat intelligence teams and IDS/IPS deployments. This approach takes IOCs from outside the organization and feeds them into security systems to aid detection within the organization. Something not discussed frequently is the approaches and tactics used by penetration testing teams to enrich IDS/IPS deployments. Taking a purple team style approach where the techniques and patterns used by testers are fed back into IDS/IPS deployments adds a level of context that typical threat intelligence does not.
Concluding Thoughts
Integrations are essential in this rapidly evolving world of technology and cybersecurity. Traditional solutions like IDS and IPS have the potential to evolve alongside and support emerging solutions, as well as be enriched by them. One of the challenges we have in this field is that the old never really go away when the new comes. Our spectrum of responsibility simply grows to demand focus on both, the new eventually becomes old and so the cycle repeats.
Want more cybersecurity insights? Visit the Cybersecurity channel: