Advances in technology and processing such as artificial intelligence have brought a new kind of protection to the surface. Rather than depending on the past to predict the future (signature-based detection), we can now study the behavior of a process or piece of software and respond instantly. Such real-time analysis can detect new forms of malware and attacks that have never been seen before. Being ahead of the game is the only way to win. Our approach is to stop the process immediately and DISCONNECT/ISOLATE the infected machine from the network so the infection cannot propagate to other machines.
FIND-IT, FIX-IT AND SECURE-IT
We call it “FIND-IT, FIX-IT and SECURE-IT.” Why wait for a hack to occur when we can stop it? How can you eliminate the possibility of an attack and be sure that you can recover fast with zero downtime? As you probably know, the weakest link in your organization is not the servers but an employee’s desktop or laptop. The weakest links in an organization's infrastructure are 1) humans, and then 2) desktops.
AS AN EXAMPLE
Crypto-miners are becoming alarmingly widespread. In fact, a new form of sophisticated miner was recently discovered. The miner (named GhostMiner) uses advanced techniques copied from the malware world. For example, it uses the built-in Windows PowerShell framework to run in fileless mode. This technique is a popular practice among malware authors because it allows the code to run entirely from memory, leaving no trace on the file system. As a result, GhostMiner is less susceptible to detection by conventional anti-malware solutions. Furthermore, GhostMiner looks to spread across the environment: it scans random IP addresses, looking to attack servers running MSSQL, Oracle WebLogic and phpMyAdmin. GhostMiner also leverages a hard-coded blacklist to hunt down and kill competing miners on the victim machine. Though this kind of behavior has been observed before and is not completely new, it gives us a closer look at the author’s nefarious intentions. The good news is that SentinelOne protects against GhostMiner. With its unique machine learning techniques, SentinelOne technology detects the miner’s behavioral patterns and prevents it from running. The SentinelOne agent, installed on a “victim” machine, was able to detect GhostMiner and protect the endpoint from it.
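To make the behavioral approach concrete, the following Python script is an added example (not SentinelOne's code or part of the original text). It triages constructed endpoint telemetry for the two behaviors described above: a PowerShell process carrying in-memory execution indicators (the fileless pattern) and a single process connecting to many distinct addresses on the service ports GhostMiner scans for. The sample events, the port numbers (well-known defaults for MSSQL, WebLogic and HTTP/phpMyAdmin), the command-line markers and the scan threshold are all assumptions of this example. The response mapping follows the page's stance: stop the process, and isolate the host when both behaviors appear together.

```python
"""Behavioral triage of endpoint telemetry (constructed example, not vendor code).

Flags fileless PowerShell launches and random-IP scanning from one process, then
maps each host to a response action: kill the process, or kill and isolate.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Well-known default ports of the services the text says GhostMiner scans for.
# Port choice is an assumption of this example, not taken from the page.
TARGET_PORTS = {1433: "mssql", 7001: "weblogic", 80: "http (phpmyadmin)"}

# Command-line fragments that indicate PowerShell running code from memory
# rather than from a script file on disk (the "fileless" pattern).
FILELESS_MARKERS = ("-encodedcommand", "-enc ", "invoke-expression", "iex(",
                    "downloadstring", "frombase64string")

# Assumed threshold: this many distinct destinations on target ports = scanning.
SCAN_MIN_DISTINCT_IPS = 10


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    host: str
    pid: int
    dst_ip: str
    dst_port: int


def is_fileless_powershell(ev: ProcessEvent) -> bool:
    """True when a PowerShell process carries in-memory execution indicators."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return False
    cmd = ev.cmdline.lower()
    return any(marker in cmd for marker in FILELESS_MARKERS)


def scanning_pids(net_events: list[NetEvent],
                  min_ips: int = SCAN_MIN_DISTINCT_IPS) -> dict[tuple[str, int], set[str]]:
    """Map (host, pid) -> distinct destination IPs for processes that reached
    target ports on at least `min_ips` different addresses."""
    seen: dict[tuple[str, int], set[str]] = defaultdict(set)
    for ev in net_events:
        if ev.dst_port in TARGET_PORTS:
            seen[(ev.host, ev.pid)].add(ev.dst_ip)
    return {key: ips for key, ips in seen.items() if len(ips) >= min_ips}


def triage(proc_events: list[ProcessEvent], net_events: list[NetEvent]) -> dict[str, dict]:
    """Per host: the behavioral findings and the response action they warrant."""
    findings: dict[str, list[str]] = defaultdict(list)
    for ev in sorted(proc_events, key=lambda e: (e.host, e.pid)):
        if is_fileless_powershell(ev):
            findings[ev.host].append(f"fileless powershell pid={ev.pid}")
    for (host, pid), ips in sorted(scanning_pids(net_events).items()):
        findings[host].append(f"scan pid={pid} distinct_ips={len(ips)}")
    result = {}
    for host, items in findings.items():
        has_fileless = any(i.startswith("fileless") for i in items)
        has_scan = any(i.startswith("scan") for i in items)
        # Both behaviors on one host: stop the process and cut the host off the
        # network. A single behavior: stop the process and raise it for review.
        action = "kill_and_isolate" if (has_fileless and has_scan) else "kill_and_alert"
        result[host] = {"findings": items, "action": action}
    return result


# Constructed sample telemetry. The encoded payload is a placeholder string.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESSES = [
    ProcessEvent("WS-07", 4120, PS_IMAGE,
                 "powershell.exe -NoP -W Hidden -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="),
    ProcessEvent("WS-07", 4130, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("WS-12", 800, PS_IMAGE, r"powershell.exe -File C:\scripts\inventory.ps1"),
]
SAMPLE_NET = (
    [NetEvent("WS-07", 4120, f"10.0.0.{i + 1}", 1433) for i in range(12)]   # MSSQL sweep
    + [NetEvent("WS-07", 4120, f"10.0.0.{i + 1}", 7001) for i in range(3)]  # WebLogic, same IPs
    + [NetEvent("WS-03", 2200, f"10.0.5.{i + 1}", 80) for i in range(11)]   # HTTP sweep only
    + [NetEvent("WS-12", 800, "10.0.0.5", 443)]                             # ordinary traffic
)

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_PROCESSES, SAMPLE_NET).items():
        print(host, verdict["action"], "; ".join(verdict["findings"]))
```

Run as-is, the script reports WS-07 (fileless PowerShell plus a 12-address MSSQL/WebLogic sweep) for kill-and-isolate, WS-03 (scanning only) for kill-and-alert, and nothing for WS-12, whose PowerShell launch runs a script file and whose network activity never meets the scan threshold. In a real deployment the two detectors would be fed from the EDR's process-creation and network-connection streams, and the "isolate" action would call the agent's network-quarantine capability.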