Peter Swarowski is the Director of Operations at ITS. In this article, he will discuss the benefits of Huntress – a security product that has an effective system of hacker early-detection system.
I’m Peter Swarowski. I’m the Director of Operations at ITS.
I want to take some time to talk about a new security product that we offer to our clients.
It’s called Huntress.
It’s focused on preventing, or looking for, persistence within clients’ networks.
This is a security product.
It is not a replacement for antivirus
It’s a supplement to your antivirus, to help look for any software that got past the antivirus and ran on your computer.
I just wanted to take a moment to talk about two options: what would happen if you didn’t have Huntress to your business; as well as how that attack would look if you did have Huntress.
Let us start with a common attack vector that unfortunately is prevalent in our industry right now. And talk through the steps of what that looks like and what we've seen first-hand.
The first step usually starts off with an email – a lot of attacks start with email.
Let’s say your receptionist or someone within your organization gets an email -- it looks legitimate.
“I have a new fax for you. Click here to download it.”
The end user says to themselves, “I was expecting a fax.”
Maybe they were, maybe they weren’t, but that's how the attack starts.
They download the file for their fax.
Now maybe let us say it's a Word document and says, “In order to view this content you need to enable some additional content.”
They click “enable content.”
That kicks off, enables all of the bad things happening.
Then it downloads an extra piece of software on that computer. All of this is transparent to the end-user, all they see is that the document didn’t seem to do anything.
The first step typically for this malware is to establish persistence.
What is persistence?
Persistence is the door back into your systems in case something were to change.
If they were to establish a connection right there in that moment, and then someone reboots their computer for the day, they've lost access -- that software is not running anymore. It's gone.
They want to establish persistence so they can get back into the computer in the future.
There are different hooks within the Windows system that can say, “When you start up, the first thing you do is you run this program.”
There are lots of legitimate reasons for that, and why these hooks exist.
But they are going to go ahead and use those legitimate features available to them, to set up their malicious software so they can regain access in the future.
Now they have access.
They have established their persistence.
The software is also going to contact the bad guys and let them know, “Hey I’m in a new network. I need a human to come in start getting up to no good.”
So now a human comes in, this may be later that day or several weeks later.
The bad guys look around and learn your network.
They take their time and figure out your environment and how they can cause the most damage.
What kind of damage do they end up doing?
Usually what they're going to want to do is take your data, send it to themselves -- so they can try to blackmail you to release that data after the fact -- then they are going to want to delete your backups, to make it harder for you to restore their data.
Then they take all your data and they encrypt it, so it’s worthless to you.
And when it is encrypted that way, you can’t access it, none of your systems are going to work, it causes a big disruption to your business.
At that point they make themselves known: “Hey we’re here. We’ve done this to you, and you need to pay us to get things back the way they were.”
A lot of companies have enhanced their backup and recovery from this.
And now they have got this extra layer of, “Well we're going to sell your data on the dark web unless you pay. So you might be able to restore your data without paying us, but do you still want to run the risk maybe there's some sensitive data we stole that you don't want published for everyone to see?”
Now they can try to request payment to with the promise that they will delete your data.
You're dealing with criminals, and you’re taking them at their word that they will make good on their promise after you pay. This is their business, so they are aligned to make your business whole after you pay.
To summarize what has happened.
It started with an email.
The end-user opened the document.
Clicked the button they should not have -- really should not have opened the email to begin with, but it happens all day every day, unfortunately.
Establish their persistence.
Have a human come in, connect in -- very skilled, very talented bad guys, unfortunately, it's what we're up against -- and then they were able to slowly and methodically attack your business.
Usually, when they do all this it is very well planned out very well thought through.
They wait to attack until a Friday evening, a holiday, when they know there are going to be fewer people around to see that they're starting their process.
And then try to extort money out.
Let's rewind back to that attack: and see what would have happened had you had an extra piece of software in your security stack like a Huntress.
Same sort of email comes in.
This human element still in play.
They open it.
They launch the document.
They click the button they shouldn't have.
It bypassed all your existing security measures and they’re now in the system.
Huntress is going to see that change to that system – that something new was added – and now somebody has established persistence. They've got their software to look for known attacks and notify us immediately.
They also have a team of threat analysts that are looking for those changes and then notify us as well.
Depending on how urgent it is or what the specific attack is -- sometimes they even pick up the phone and they call us --but their system notifies us very quickly. We have lots of processes on our end to identify these alerts as soon as possible.
The hackers bypassed everything.
They got on, but we knew about it very quickly
And as a result, we can take action and we can kick them off the network before that human got in to really spread and look around and make it a lot harder to kick them out.
So that's the big difference of all of this: they got past the antivirus -- we didn't prevent it because no security solution is 100% perfect -- but we were able to detect that they were there, and then kick them off the network and keep you safe.
Thereby stopping the further things of them stopping your business -- encrypting your data, stealing your data -- all those terrible things that unfortunately can happen in that case.
If you’d like to know more about Huntress, figure out what it takes to get started, for us to get you signed up, please contact your account manager.
We can talk about what it looks like, to add that to your agreement.
Thank you very much for your time.