How to Prevent a Malware Attack
Somerford Associates Limited
Malicious software, more commonly known as malware, is something no business is immune to and it’s not uncommon to hear about organisations, either big or small, being struck by various types of malware.
Cyberattacks are becoming an increasingly great concern for many of our customers as cybercriminals continue to develop more and more devious ways to deposit malware into their target’s environment.
Because a cyberattack can have detrimental effects on a business, whether operational downtime, data loss or reputational damage, it is important to ensure that appropriate protective measures are in place for an organisation’s data. Varonis is able to support malware prevention and detection in many ways.
User Behaviour Analytics
Varonis employs user behaviour analytics (UBA) to build a profile of every user, learning what normal behaviour looks like for each account by watching its activity over an extended period of time. This allows Varonis to issue alerts when abnormal or suspicious behaviour is detected. Cybercriminals often have ways to gain access to company infrastructure that go undetected by antivirus or anti-malware solutions, and because Security Information and Event Management (SIEM) systems usually monitor events from systems rather than events from users, an intruder who has gained access and is acting maliciously across the network can often go unnoticed. For example, if an intruder were to use password spraying and successfully gain entry, they may appear as a normal user to the IT department monitoring system activity. This is exactly the scenario where user behaviour analytics can succeed and notify you that an account’s access needs to be investigated.
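To make the idea of a behavioural baseline concrete, here is a small added example (not Varonis code, and not how DatAlert is implemented) of the approach the paragraph describes: a profile of each account's normal daily volume, working hours and shares is learned from an observation window, and a later day is scored against it. The audit records, user names and UNC paths are constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed file-access audit records, shaped as (user, day, hour, share).
# Fourteen days of "alice" touching about 20 files a day, 09:00-16:00, on one share.
BASELINE_EVENTS = [
    ("alice", day, 9 + i % 8, r"\\fs01\finance")
    for day in range(1, 15)
    for i in range(20)
]
# A later day that looks like her baseline ...
NORMAL_DAY = [("alice", 15, 9 + i % 8, r"\\fs01\finance") for i in range(18)]
# ... and a day that does not: 400 files, at 03:00, on a share she has never used.
SUSPECT_DAY = [("alice", 16, 3, r"\\fs01\hr") for _ in range(400)]


def build_profile(events):
    """Learn what is normal for each user from a long observation window:
    typical daily volume, working hours, and the shares they usually touch."""
    per_day = defaultdict(lambda: defaultdict(int))  # user -> day -> event count
    hours = defaultdict(set)
    shares = defaultdict(set)
    for user, day, hour, share in events:
        per_day[user][day] += 1
        hours[user].add(hour)
        shares[user].add(share)
    profile = {}
    for user, days in per_day.items():
        counts = list(days.values())
        profile[user] = {
            "daily_mean": mean(counts),
            "daily_std": pstdev(counts),
            "hours": hours[user],
            "shares": shares[user],
        }
    return profile


def score_day(profile, user, day_events, sigma=3.0):
    """Compare one day of a user's activity against their learned profile.
    Returns the reasons the day looks abnormal; an empty list means nothing unusual."""
    p = profile.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    # Volume: a floor of 1 on the deviation stops a perfectly regular baseline
    # from alerting on a single extra file.
    threshold = p["daily_mean"] + sigma * max(p["daily_std"], 1.0)
    if len(day_events) > threshold:
        reasons.append(f"volume {len(day_events)} exceeds baseline {threshold:.0f}")
    new_hours = {hour for _, _, hour, _ in day_events} - p["hours"]
    if new_hours:
        reasons.append(f"activity at unusual hours {sorted(new_hours)}")
    new_shares = {share for _, _, _, share in day_events} - p["shares"]
    if new_shares:
        reasons.append(f"first-time access to {sorted(new_shares)}")
    return reasons


if __name__ == "__main__":
    profile = build_profile(BASELINE_EVENTS)
    print("normal day:", score_day(profile, "alice", NORMAL_DAY))
    print("suspect day:", score_day(profile, "alice", SUSPECT_DAY))
```

The point of scoring per account rather than per system is the one the paragraph makes: a password-sprayed account authenticates successfully and looks like any other session to the domain controller, but its volume, hours and targets no longer match the profile learned for that person.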
Threat Models
Varonis provides many pre-defined threat models with the DatAlert Suite. Alongside these, it is possible to customise and fine-tune alerts to help prevent false positives and minimise alert noise, allowing security and IT professionals to focus on investigating the alerts that really matter. Ransomware, Trojans, viruses and rootkits are just some of the types of malware to which our computers are all susceptible. Below are just some of the suspicious activities that Varonis can alert on in order to prevent and minimise the impact of a malware attack.
Encryption of Multiple Files
Because Varonis constantly monitors event activity on your data stores, it can detect when multiple files are modified, renamed or created by the same user in a short space of time, check whether the file extension is a known encryption extension using the Varonis dictionaries, and trigger an alert if these conditions are met. This behaviour is common in ransomware attacks, where an attacker is looking to encrypt large amounts of data and stop the business being able to access it. Varonis can halt the attack by instantly disabling the offending user account.
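The rule just described combines three things: a burst of write operations by one user, a short time window, and a dictionary of encryption extensions, followed by an automatic response. The added example below (not Varonis code; the extension list, window, threshold and audit trail are constructed stand-ins, and `disable_account` is whatever response hook the reader's own platform offers) shows that logic over a sample audit trail.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for a dictionary of file extensions left behind by
# encrypting malware. Varonis ships its own; this is only a small illustration.
ENCRYPTED_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
WRITE_ACTIONS = {"modify", "rename", "create"}
WINDOW = timedelta(seconds=60)   # "short space of time"
BURST_THRESHOLD = 50             # files touched within the window


def detect_encryption_bursts(events, disable_account):
    """events: (timestamp, user, action, path) tuples sorted by timestamp.
    disable_account: callback invoked with the user name when a burst is confirmed.
    Returns the alerts raised (one per user; the account is disabled on the first)."""
    recent = defaultdict(deque)  # user -> (timestamp, path) of writes inside the window
    disabled = set()
    alerts = []
    for ts, user, action, path in events:
        if action not in WRITE_ACTIONS or user in disabled:
            continue
        window = recent[user]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        encrypted = [p for _, p in window
                     if os.path.splitext(p)[1].lower() in ENCRYPTED_EXTENSIONS]
        if len(window) >= BURST_THRESHOLD and encrypted:
            alerts.append({
                "user": user,
                "at": ts,
                "files_in_window": len(window),
                "encrypted_extensions": sorted({os.path.splitext(p)[1].lower() for p in encrypted}),
            })
            disable_account(user)   # automatic response: stop the account immediately
            disabled.add(user)
    return alerts


def constructed_events():
    """Constructed audit trail: bob does ordinary work while alice's account
    renames 60 documents to a .locked extension inside 30 seconds."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [(t0 + timedelta(seconds=10 * i), "bob", "modify", rf"\\fs01\finance\q{i}.xlsx")
              for i in range(5)]
    events += [(t0 + timedelta(milliseconds=500 * i), "alice", "rename",
                rf"\\fs01\finance\doc{i}.docx.locked") for i in range(60)]
    return sorted(events)


if __name__ == "__main__":
    for alert in detect_encryption_bursts(constructed_events(), lambda u: print("disable", u)):
        print(alert)
```

Requiring both the volume burst and a dictionary hit keeps a bulk rename by a backup job or a developer from disabling an account; the dictionary alone would miss strains that keep the original extension, which is why the volume condition matters too.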
Exploitation Software Accessed
Varonis includes a dictionary containing the names of tools that hackers have been known to use to gain access to a company’s systems. Varonis can then raise an alert when one of these tools is being used, helping IT security to stop an attacker in their tracks.
Access from new Geolocation or Unreasonable Geo-hopping
Varonis monitors the geolocation that an activity originates from and can alert when an atypical geolocation is detected or when impractical geo-hopping occurs. For example, if an employee accessed their account from Washington as usual, and less than an hour later Varonis detected their account being accessed from Albania, this would trigger the unreasonable geo-hopping alert: it would be impossible for that employee to be physically in Albania within this time frame, and it could mean there is a Remote Access Trojan within the network and an attacker has compromised this employee’s account.
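Both alerts in this section reduce to simple arithmetic over consecutive sign-ins per account. The added example below (not Varonis code) implements them: a first sighting of a country the account has never used raises a new-geolocation alert, and a pair of sign-ins whose implied speed exceeds what an aircraft could manage raises a geo-hopping alert. The sign-in records are constructed; the coordinates are approximate city centres for Washington, DC and Tirana.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_SPEED_KMH = 900   # roughly airliner speed; anything faster is not travel
GEOIP_SLACK_KM = 50             # ignore small jumps caused by GeoIP imprecision


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius * math.asin(math.sqrt(a))


def analyse_logins(logins, known_countries):
    """logins: (timestamp, user, country, lat, lon) sorted by timestamp.
    known_countries: user -> countries seen during the baseline period.
    Returns (user, alert_type, detail) for each alert raised."""
    last_seen = {}
    alerts = []
    for ts, user, country, lat, lon in logins:
        if country not in known_countries.get(user, set()):
            alerts.append((user, "new_geolocation", f"first activity from {country}"))
        if user in last_seen:
            pts, pcountry, plat, plon = last_seen[user]
            distance = haversine_km(plat, plon, lat, lon)
            hours = (ts - pts).total_seconds() / 3600
            # Zero elapsed time with a real distance is as impossible as excessive speed.
            if distance > GEOIP_SLACK_KM and (hours == 0 or distance / hours > MAX_PLAUSIBLE_SPEED_KMH):
                alerts.append((user, "unreasonable_geo_hopping",
                               f"{pcountry} to {country}: {distance:.0f} km in {hours * 60:.0f} min"))
        last_seen[user] = (ts, country, lat, lon)
    return alerts


# Constructed sign-in records (not real telemetry).
WASHINGTON = ("US", 38.9072, -77.0369)
TIRANA = ("AL", 41.3275, 19.8187)
LOGINS = [
    (datetime(2024, 1, 1, 9, 0), "alice", *WASHINGTON),
    (datetime(2024, 1, 1, 9, 0), "bob", *WASHINGTON),
    (datetime(2024, 1, 1, 9, 50), "alice", *TIRANA),      # 50 minutes later, thousands of km away
    (datetime(2024, 1, 1, 11, 0), "bob", *WASHINGTON),
]
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}

if __name__ == "__main__":
    for alert in analyse_logins(LOGINS, KNOWN_COUNTRIES):
        print(alert)
```

The slack distance is worth keeping: GeoIP databases place many addresses at a country or city centroid, so two sign-ins through different corporate egress points can appear to "move" tens of kilometres instantly without anything being wrong. VPN concentrators are the other common source of false positives and are usually handled by excluding their egress addresses from the rule.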
Data Exfiltration via DNS Tunnelling
Varonis monitors DNS servers, watching inbound and outbound DNS traffic for queries to known malicious sites, and can alert on detected DNS tunnelling, where an attacker could be creating a covert channel to pass information out of the network or to control malware.
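DNS tunnelling carries data in the query names themselves, so a resolver log shows one domain receiving many distinct, long, random-looking subdomains. The added example below (not Varonis code; the blocklist, thresholds and resolver log are constructed, and the registered-domain split is a deliberate simplification that a real implementation would replace with the public suffix list) checks both of the conditions the paragraph names: queries to listed domains, and the volume-and-entropy pattern of tunnelled data.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Constructed stand-in for a threat-intelligence list of malicious domains.
KNOWN_BAD_DOMAINS = {"malicious.example"}


def shannon_entropy(text):
    """Bits of entropy per character; encoded or encrypted payloads score high."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Simplification: the last two labels are the registered domain, the rest the subdomain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyse_dns(queries, min_unique=20, min_len=30, min_entropy=3.0):
    """queries: (client_ip, query_name). Returns {registered_domain: [reasons]}.
    Flags known-bad domains and domains receiving many distinct, long, high-entropy
    subdomains, the signature of data being carried out inside query names."""
    subdomains = defaultdict(set)
    findings = defaultdict(list)
    for _client, qname in queries:
        domain, sub = split_name(qname)
        subdomains[domain].add(sub)
        if domain in KNOWN_BAD_DOMAINS and "known malicious domain" not in findings.get(domain, []):
            findings[domain].append("known malicious domain")
    for domain, subs in subdomains.items():
        suspicious = [s for s in subs
                      if len(s) >= min_len and shannon_entropy(s.replace(".", "")) >= min_entropy]
        if len(suspicious) >= min_unique:
            findings[domain].append(
                f"{len(suspicious)} distinct long high-entropy subdomains: possible DNS tunnelling")
    return dict(findings)


def constructed_queries():
    """Constructed resolver log: ordinary lookups, one lookup of a listed domain, and
    thirty queries whose subdomains carry base32 payloads, as tunnelled data would appear."""
    queries = [("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com"),
               ("10.0.0.7", "c2.malicious.example")]
    for i in range(30):
        payload = base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().lower()[:40]
        queries.append(("10.0.0.9", f"{payload}.tunnel.example"))
    return queries


if __name__ == "__main__":
    for domain, reasons in analyse_dns(constructed_queries()).items():
        print(domain, reasons)
```

Counting distinct subdomains rather than raw queries matters: a legitimate host queried thousands of times still yields one name, whereas a tunnel has to vary the name to move new data. Content delivery networks and some anti-virus update services also use long, random-looking labels, so the domain-level finding is best treated as a lead to confirm against traffic volume and the querying host rather than an automatic block.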
Ransomware
Ransomware is one of the most dangerous types of cyberattack that organisations face today, and its effects can be very damaging and costly to a business. Ransomware is a form of malware which encrypts your files with its own keys so that you can no longer access them, potentially bringing a business and its operations to a halt. Cybercriminals demand a ransom in exchange for restoring access to your data and, where they had exfiltrated sensitive data before planting the ransomware, they will often threaten to leak or expose that data if the sum is not paid. These amounts can be huge: one of the largest ransom payments requested last year was 42 million dollars.
As well as Varonis UBA and Threat Models helping to spot malicious behaviour, Varonis is able to assist with classifying the content of your data, enabling you to know where your sensitive data resides and who has access to this. It can help organisations to gain an understanding of where areas of weakness lie, perhaps where sensitive data is accessible to any user in the organisation and help to prioritise which areas require access permission remediation, all of which can help to reduce the potential blast radius and hence mitigate the impact of a ransomware attack.
For more information on how Varonis can help protect against ransomware specifically, please take a look at our How to Prevent a Ransomware Attack with Varonis blog.