Leveraging Threat Intelligence to Defend Against Ransomware

Step-by-step guide

Our last post reviewed the basics of threat intelligence and discussed the ways in which it has evolved to meet new challenges.

But you may still be wondering: how is threat intelligence actually used to disrupt threats or attacks? Well, you've come to the right place. What follows is a step-by-step breakdown of how one client used Quantum Armor to not only defend against incoming attacks but boost their overall security moving forward.

It all comes down to one simple principle: thinking like your attacker keeps you one step ahead.

How Quantum Armor Interrupted an Actual Ransomware Attack

Step 1: Launch a threat intelligence exercise by simply typing the company's URL into Quantum Armor. Quantum Armor will then automatically crawl a curated list of dark web forums, data breach dumps, and OSINT sources to discover all the leaked credentials for the given target domain along with DNS lookalike names.

Tip: Most company credentials are compromised via third-party data breaches. Therefore, Quantum Armor detects compromised credentials belonging to your company, regardless of where they've originated.

Step 2: Once the credentials and DNS lookalike names are collected and validated, Quantum Armor will then map the target asset's attack surface in order to enumerate all of the servers that belong to the target.

Step 3: The attack surface is then analyzed to find open ports.

Tip: Each port below 1024 is known as a standard port and matches a specific service (e.g., port 22 is SSH, port 3389 is RDP, port 21 is FTP, port 23 is Telnet, and so on).

Step 4: Using the passwords discovered in Step 1, a password spraying attack is launched against these services in an attempt to break in.

Tip: Since most users reuse similar passwords across accounts, Quantum Armor generates a much larger, more comprehensive list of potential credential pairs based on password variations commonly observed in user behavior studies.

Step 5: At the same time, DNS lookalike sites are inspected to make sure that none are reproducing the same look and feel as the target website. Possible matches are flagged, indicating that a social engineering attack (aka phishing) is being prepared.

Mitigation Steps

Step 1: Reset all user passwords that appeared in the credential leak.

Step 2: Blacklist all DNS lookalike names on the corporate firewall, effectively rendering them useless. Attempts to launch new lookalikes will automatically be flagged by Quantum Armor and similarly blacklisted.

Step 3: Close all non-mission critical ports that allow credentials to be used.

Step 4: Enforce 2FA across all relevant assets.

Step 5: Rescan the target assets to ensure that mitigation tactics have been successful. Repeat these steps for other attack vectors and continue your journey toward cybersecurity excellence.

In summary, the developing threat is not only neutralized, but a robust system of layered defense is deployed to make it virtually impossible for the same attack vector to be leveled in the future.

More ways threat intelligence can protect against ransomware

Identify and understand the threat: Threat intelligence can provide information on the tactics, techniques, and procedures (TTPs) currently being used by ransomware attackers, which can help you identify and understand the threat.

Proactively disrupt attacks: The first step in most ransomware attacks will be to search for company credentials that may have leaked onto the dark web due to a third-party breach. Alternatively, they may choose to launch a phishing attack (social hacking is used in 80% of successful breaches) by crawling the web for a list of company email addresses. By using a threat intelligence solution like Quantum Armor, you'll be able to proactively identify these security gaps, closing down most ransomware attack vectors before they get off the ground.

Detect and respond to attacks: Threat intelligence can also provide information on indicators of compromise (IoCs) associated with ransomware attacks, which can be used to detect and respond to attacks. For example, Quantum Armor will instantly alert you to any past or ongoing attacks against your company by flagging any IoCs in your cloud logs, look-alike domains, as well as any sensitive data that's been leaked to the deep or dark webs.

Develop a defense strategy: By understanding your threat landscape, you can choose a proactive defense strategy to better protect your networks and data. Quantum Armor automatically groups your threats according to attack vector (e.g., social, infrastructure, or application), helping you visualize your posture and organize your efforts.

Build an incident response plan: Having an incident response plan in place that outlines the steps to be taken in case of a ransomware attack can help a company quickly and effectively respond to an attack and minimize damage. By understand the attacker's strategy, you'll be able to choose effective counter-measures to choke or rebound from their attack.

To learn more about how Threat Intelligence can help keep your company safe, visit us at https://silentbreach.com/qam-intelligence.php

Schedule a Quantum Armor demo and receive a free threat intelligence report (includes a Dark Web scan, key vulnerabilities, and leaked credentials).

Similar Reads:
Top 10 Challenges Facing CISOs in 2023
What is Threat Intelligence?
How the Dark Web Can Protect Your Company

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.