All posts by Jeff Petters

What is a Domain Controller, When is it Needed + Set Up

A domain controller is a server that responds to authentication requests and verifies users on computer networks. Domains are a hierarchical way of organizing users and computers that work together on the same network. The domain controller keeps all of that data organized and secured.

The domain controller (DC) is the box that holds the keys to the kingdom: Active Directory (AD). While attackers have all sorts of tricks to gain elevated access on networks, including attacking the DC itself, you can not only protect your DCs from attackers but also use DCs to detect cyberattacks in progress.

What is The Main Function of a Domain Controller?

The primary responsibility of the DC is to authenticate and validate user access on the network. When users log into their domain, the DC checks their username, password, and other credentials to either allow or deny access for that user.

Microsoft Active Directory Domain Services (AD DS) is by far the most common example, and Samba can act as an AD-compatible domain controller on Linux. Azure AD (now Microsoft Entra ID) is often mentioned alongside them, but it is a cloud identity service rather than a domain controller: it does not answer Kerberos or NTLM requests from domain-joined machines the way a DC does (Azure AD Domain Services exists to provide managed DCs for that).

Why is a Domain Controller Important?

Domain controllers contain the data that determines and validates access to your network, including any group policies and all computer names. Everything an attacker could possibly need to cause massive damage to your data and network is on the DC, which makes a DC a primary target during a cyberattack.

Domain Controller vs. Active Directory

ACTIVE DIRECTORY : DOMAIN CONTROLLER :: car : engine

Active Directory is Microsoft's directory service, and a domain controller is the server that hosts a copy of that directory and answers its authentication requests. Kind of like how there are many types of cars, and every car needs an engine to operate. Every domain has at least one domain controller, but not every domain is Active Directory.

Do I Need a Domain Controller?

In general, yes. Any business – no matter the size – that saves customer data on their network needs a domain controller to improve security of their network. There could be exceptions: some businesses, for instance, only use cloud based CRM and payment solutions. In those cases, the cloud service secures and protects customer data.

The key question you need to ask is “where does my customer data live and who can access it?”

The answer determines if you need a domain – and DC – to secure your data.

Benefits of Domain Controller

  • Centralized user management
  • Enables resource sharing for files and printers
  • Multi-master replication for redundancy, with a few single-owner roles (FSMO) for operations that must not run on two DCs at once
  • Can be distributed and replicated across large networks
  • Centralized credential storage (passwords are kept as hashes rather than plaintext by default)
  • Can be hardened and locked-down for improved security

Limitations of Domain Controller

  • Target for cyberattack
  • Potential to be hacked
  • Users and OS must be maintained to be stable, secure and up-to-date
  • Network is dependent on DC uptime
  • Hardware/software requirements

How to Set Up a Domain Controller + Best Practices

  • Configure a stand-alone server for your domain controller.
    • Azure AD (now Microsoft Entra ID) is a cloud identity service, not a domain controller; if your identities live only there, this step does not apply.
    • Otherwise, your DC should act exclusively as a DC: no file shares, web servers, or other roles sharing the box, since every extra service is another way in.
  • Limit both physical and remote access to your DC as much as possible.
    • Consider local disk encryption (BitLocker), since anyone who walks off with the disk walks off with every password hash in the domain.
    • Use GPOs to grant logon rights (the "Allow log on locally" and "Allow log on through Remote Desktop Services" user rights in the Default Domain Controllers Policy) only to the sysadmins who administer Active Directory, and allow no other users to log in, either on the console or via Remote Desktop.
  • Standardize your DC configuration for reuse
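
As an added example (not part of the original post and not a Varonis tool), here is a read-only PowerShell audit that checks the points above against a live domain. It assumes the RSAT ActiveDirectory and GroupPolicy modules, WinRM access to each DC, and an account that can read group membership; the group names and feature names are the Windows defaults, and nothing in it changes configuration.

```powershell
# Added example, not code from the original post. Read-only audit of the
# best-practice list above. Assumes RSAT (ActiveDirectory, GroupPolicy modules)
# and WinRM access to each DC; run from an elevated admin session.
Import-Module ActiveDirectory, GroupPolicy

# 1. Inventory the DCs and the single-owner (FSMO) role holders.
$domain  = Get-ADDomain
$forest  = Get-ADForest
$dcNames = (Get-ADDomainController -Filter *).HostName

Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem

[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

# 2. "Your DC should act exclusively as a DC": list any server role installed on a DC
#    beyond AD DS, DNS and the File and Storage Services role Windows installs by default.
$expectedRoles = 'AD-Domain-Services', 'DNS', 'FileAndStorage-Services'
Invoke-Command -ComputerName $dcNames -ScriptBlock {
    Get-WindowsFeature | Where-Object {
        $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $using:expectedRoles
    }
} | Select-Object PSComputerName, Name, DisplayName

# 3. "Limit access": who can administer AD. Anything unexpected here is a finding.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, objectClass
}

# 4. "Consider local disk encryption": BitLocker state of each DC's system volume.
Invoke-Command -ComputerName $dcNames -ScriptBlock {
    Get-BitLockerVolume -MountPoint $env:SystemDrive
} | Select-Object PSComputerName, MountPoint, VolumeStatus, ProtectionStatus

# 5. Detection: GPOs changed recently. A change nobody planned deserves a look,
#    since GPO edits are a common way to push code to every machine in the domain.
Get-GPO -All | Sort-Object ModificationTime -Descending |
    Select-Object -First 10 DisplayName, ModificationTime, Owner
```

Run it on a schedule and diff the output against the previous run: a new member of Domain Admins, a new role on a DC, or a GPO modified outside a change window is exactly the kind of signal the next paragraph is about.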

Setting up a secure and stable DC does not mean you are secure forever. Attackers will still try to hack into your DC to escalate privileges or enable lateral movement throughout your network. Varonis monitors AD for out-of-policy GPO changes, Kerberos attacks, privilege escalations, and more.

Want to see how it works? Get a personalized 1:1 demo to see how Varonis protects DCs and Active Directory from cyberattacks.

What is Data Classification? Guidelines and Process

In order to protect your sensitive data, you have to know what it is and where it lives.

Data Classification Defined

Data classification is the process of analyzing structured or unstructured data and organizing it into categories based on the file type and contents.

Data classification is a process of searching files for specific strings of data, like if you wanted to find all references to “Szechuan Sauce” on your network. Or if you needed to know where all HIPAA protected data lives on your network. Or if you want to prepare for data privacy regulations and need to identify any personally identifiable information (PII) on your data stores.

Data classification is usually based on a file parser combined with a string analysis system. A file parser allows the data classification engine to read the contents of several different types of files. A string analysis system then matches data in the files to defined search parameters.

RegEx –short for regular expression – is one of the more common string analysis systems that defines specifics about search patterns. For example, if I wanted to find all VISA credit card numbers in my data, the RegEx would look like:

\b(?<![:$._'-])(4\d{3}[ -]\d{4}[ -]\d{4}[ -]\d{4}\b|4\d{12}(?:\d{3})?)\b

That sequence tells the RegEx engine that we are looking for a 4 digit group starting with the number 4, followed by a space or dash and a second 4 digit group, and so on; the second alternative accepts an unbroken run of 13 or 16 digits starting with 4, and the look-behind at the front rejects numbers glued to a colon, dollar sign or similar. Only a string of characters that matches the pattern exactly generates a positive result.

Although there are some parallels between the two, data classification is not the same as data indexing. Classification looks for identifiers based on patterns and returns a list of files and how many matches it found for each pattern. It doesn’t necessarily index those files. Indexing enables search, and you’ll need to search those matches to fulfill data subject access requests and right-to-be-forgotten requests.

Reasons for Data Classification

The Center for Internet Security (CIS)- which devotes an entire section to data classification protections – says data classification is important because “in several high-profile breaches over the past two years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access as far less important data.”

Beyond data security concerns, there are several other reasons to implement a data classification process:

  • Identify sensitive files, intellectual property, and trade secrets
  • Secure (and lock down) critical data
  • Track regulated data to comply with regulations like HIPAA, PCI, or GDPR
  • Optimize search capabilities with data indexing
  • Discover statistically significant patterns or trends inside data
  • Optimize storage by identifying duplicate or stale data

Data Classification Process: 4 Steps

Data classification processes differ slightly depending on the objectives for the project. Any data classification project requires automation to process the astonishing amount of data that companies create every day. In general, a few steps are common to every data classification process:

  1. Define the objectives of the data classification process. What are you looking for? Why?
  2. Create workflows based on the selected classification tools. How does the classification process work? Is there a process in place to scan new data? Is there a process to create new classification criteria?
  3. Define the categories and classification criteria. What kinds of data should you search for? What process will you follow to validate the classification results?
  4. Define outcomes and usage of classified data. How are the results organized – and how do you plan to make business decisions based on those results?

Data Classification Tips

  • Use automated tools to process large volumes of data quickly
  • Leverage RegExes and the Luhn checksum: create custom classification patterns or implement software that does the heavy lifting for you
  • Validate your classification results: nobody likes a false positive.
  • Figure out how to best use your results and apply classification to everything from data security to business intelligence.
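
As an added example tying the Visa RegEx quoted earlier in this post to the Luhn tip above (illustrative code, not the Varonis classification engine), the PowerShell below scans text for that pattern and then runs the Luhn checksum on each hit. The sample text is constructed for the demo: the first two numbers are standard Visa test numbers that pass Luhn, the third is a made-up serial that matches the pattern but fails the checksum, and the fourth is too short to match at all.

```powershell
# Added example, not code from the original post. The pattern is the Visa RegEx
# quoted earlier in the post (with a plain apostrophe in the look-behind).
$visaPattern = '\b(?<![:$._''-])(4\d{3}[ -]\d{4}[ -]\d{4}[ -]\d{4}\b|4\d{12}(?:\d{3})?)\b'

function Test-Luhn {
    # Luhn checksum: from the right, double every second digit (subtracting 9 when
    # the result exceeds 9) and require the sum of all digits to be divisible by 10.
    param([Parameter(Mandatory)][string]$Number)
    $digits = @(($Number -replace '[^\d]', '').ToCharArray() | ForEach-Object { [int][string]$_ })
    if ($digits.Count -lt 2) { return $false }
    $sum = 0
    $double = $false
    for ($i = $digits.Count - 1; $i -ge 0; $i--) {
        $d = $digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CardNumber {
    # Returns one object per RegEx hit, with the Luhn result alongside so that
    # pattern matches that are not real card numbers can be filtered out.
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Pattern = $visaPattern
    )
    foreach ($m in [regex]::Matches($Text, $Pattern)) {
        [pscustomobject]@{
            Match      = $m.Value
            PassesLuhn = Test-Luhn -Number $m.Value
        }
    }
}

# Constructed sample text (published test numbers, not real accounts).
$sample = @'
Order 4111 1111 1111 1111 shipped on Monday.
Ticket 4012888888881881 was refunded.
Device serial 4000-0000-0000-0001 registered.
Partial reference 4111 1111 1111 111 ignored.
'@

Find-CardNumber -Text $sample | Format-Table -AutoSize
# Rows with PassesLuhn = False are RegEx noise; only the rest deserve a closer look.
```

The checksum is what keeps a classification scan from flagging every 16-digit serial number, order ID or timestamp that happens to start with a 4; it is the first and cheapest of the false-positive checks mentioned in the FAQ below.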

Data Classification FAQ

How does Varonis do Data Classification differently?

Varonis has over 400 pre-configured RegExes to discover all manners of PII, PHI, and GDPR data with a fully customizable classification engine you can configure for any business purposes. Varonis monitors over 60 file types out of the box (including documents, spreadsheets, and more), and identifies new data that needs to be re-scanned (without starting the whole thing over) to catch new and recently added sensitive files, including:

  • Personal information: credit card numbers, passport numbers, driver’s license numbers, social security numbers, IBAN, and more
  • Financial records
  • Security file types (.cer, .crt, .p7b, etc.)
  • Regulated data (GDPR, HIPAA, PII, PHI, PCI, Sarbanes Oxley, GLBA, etc.)

The Varonis Data Classification Engine can process ~100 GB of data in an hour (caveats about your own hardware and network capacity) and includes rigorous false positive checks that reduce the workload to analyze the classification results. Not every 16 character numeric string is a credit card number, for instance, and Varonis knows the difference.

What Comes After Data Classification?

Varonis brings context to that classification. Varonis not only identifies the data that you’re looking for, but shows you who can access that data, and who is accessing it. Once you identify and classify sensitive data, you can take action on it: apply labels, lock down permissions, monitor access, alert on suspicious activity, and meet compliance requirements like right-to-be-forgotten. The Varonis Data Classification Engine allows you to protect your most sensitive and important data from unwanted access, accidental data leaks, and security attacks.

See the Data Classification Engine in action with a 1:1 demo.

Windows PowerShell vs. CMD: What’s The Difference?

Back in the day, booting the then-cutting-edge IBM 8086 from the floppy brought you to a green text screen with a cursor blinking at the familiar C:\> prompt. Hacking boot.ini and config.sys to get my games to run was my first introduction to programming.

Eventually that C:\> got replaced with a pretty GUI and boot from hard disk. That command prompt (CMD) still lived on for decades. Only relatively recently did CMD get an upgrade, or replacement, in PowerShell, which Microsoft released in 2006 and first shipped built into Windows with Windows 7.

CMD served us well for a good long time, but PowerShell is like going straight from steam engines to autonomous battery powered cars.

Windows Command Prompt

Windows Command Prompt, also known as CMD, is the command-line interpreter (cmd.exe) that Windows NT and its successors inherited from the COMMAND.COM shell of MS-DOS. CMD was the default command-line option in the Win+X and File Explorer menus until Windows 10 Insider build 14971, when Microsoft put PowerShell in its place; cmd.exe itself still ships with Windows. CMD is one of the last remnants of the MS-DOS lineage that Microsoft has otherwise replaced.

Windows PowerShell

Windows PowerShell is the new Microsoft shell that combines the old CMD functionality with a new scripting/cmdlet instruction set with built-in system administration functionality. PowerShell cmdlets allow users and administrators to automate complicated tasks with reusable scripts. System administrators save significant time by automating administration tasks with PowerShell.

PowerShell vs. CMD

PowerShell vs. CMD is like comparing apples to kumquats. They are completely different, despite the illusion that the ‘dir’ command works the same way in both interfaces.

PowerShell uses cmdlets, small .NET commands that expose the underlying administration options inside of Windows and emit objects rather than text. Before PowerShell, sysadmins navigated the GUI to find these options, and there was no way to reuse the workflow of clicking through the menus to change options on a large scale.

PowerShell uses pipes to chain cmdlets together the way other shells, like bash in Linux, do, with one important difference: bash passes text between commands, while PowerShell passes .NET objects, so the next cmdlet can filter or sort on a property such as LastWriteTime instead of parsing columns of text. Pipes allow users to create complex scripts that pass parameters and data from one cmdlet to another, and to make mass changes driven by variable data, a list of servers, for example.

One of the (many) neat functions of PowerShell is the ability to create aliases for different cmdlets. Aliases allow a user to configure their own names for different cmdlets or scripts, which makes it more straightforward for a user to switch back and forth between different shells: ‘ls’ is a linux bash command that displays directory objects, like the ‘dir’ command. In PowerShell, both ‘ls’ and ‘dir’ are an alias for the cmdlet ‘Get-ChildItem.’
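
As an added example (not from the original post), the snippet below shows the three points above in running PowerShell: the aliases, the text-versus-objects difference behind the 'dir' illusion, and a pipeline fed from a list of servers. It runs as-is in Windows PowerShell 5.1 or PowerShell 7 on Windows; the server names at the end are placeholders.

```powershell
# Added example, not code from the original post. Runs in Windows PowerShell 5.1
# or PowerShell 7 on Windows; the server names below are placeholders.

# 'dir' and 'ls' are aliases that resolve to Get-ChildItem, not to CMD's dir.
Get-Alias -Name dir, ls | Select-Object Name, Definition

# CMD's dir produces lines of text; Get-ChildItem produces FileInfo/DirectoryInfo objects.
$etc     = "$env:SystemRoot\System32\drivers\etc"
$fromCmd = cmd.exe /c dir $etc
$fromPs  = Get-ChildItem $etc
$fromCmd[0].GetType().Name   # each element is a String: you would have to parse columns
$fromPs[0].GetType().Name    # a FileInfo: Length, LastWriteTime etc. are already properties

# Because they are objects, the next cmdlet filters and sorts on those properties.
Get-ChildItem "$env:SystemRoot\System32" -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Sort-Object Length -Descending |
    Select-Object -First 5 Name, Length, LastWriteTime

# The same pipeline pattern feeds variable data, such as a list of servers, into a task.
$servers = 'dc01', 'dc02', 'fs01'   # placeholder names
$servers | ForEach-Object {
    [pscustomobject]@{
        Server    = $_
        Reachable = Test-Connection -ComputerName $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
    }
} | Format-Table -AutoSize
```

Swap the Test-Connection call for Invoke-Command and a script block and the last pipeline becomes the "mass change across a list of servers" case described above.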

When to Use PowerShell

For systems administrators and other IT functions, PowerShell is the way to go. Anything you could run from CMD you can run from PowerShell (external commands and batch files still work there), and PowerShell adds cmdlets for nearly any administration function you could need. Third-party software vendors extend PowerShell with custom cmdlets, like the NetApp PowerShell Toolkit that manages Data ONTAP.

PowerShell knowledge can be a differentiator for employment or even a job requirement, so it’s a worthwhile skill to invest in.

To get started on your PowerShell journey, check out this tutorial for the basics – and learn how to automate Active Directory tasks with our free PowerShell course by Adam Bertram, a Microsoft PowerShell MVP (pro-tip: use the code ‘blog’).

Zero-Day Vulnerability Explained

A zero-day vulnerability is a software flaw that its vendor doesn’t know about or hasn’t patched yet, so there is no fix available on the day it’s found. It’s like a hole in the bottom of your shoe that you haven’t noticed yet, but a curly-mustachioed villain has found it and is considering putting rusty nails on your gas pedal. Hackers can use these bugs to steal your data before you’re able to find and patch the weakness.

What are Vulnerabilities?

Vulnerabilities allow attackers to slip past your defenses and into your network, like the unpatched software that allowed the Equifax hack.

As security professionals, we regularly deal with all kinds of vulnerabilities like software bugs, hacks, and human vulnerabilities.

Software bugs – like the one that led to the Equifax data breach – are faults in the code that hackers can use to get through to your data. Software hacks use existing functionality as part of an attack: the Golden Ticket attack, for instance, is a privilege escalation hack that takes advantage of the way Microsoft Kerberos functions normally. Human vulnerabilities are exploited most frequently by social engineering attacks, which often abuse trust (or naiveté) to steal passwords or send money to African princes.

What Makes a Zero-Day Vulnerability?

In short, urgency and immediacy make a zero-day vulnerability.

These are software bugs that developers have zero days to fix because by the time they’re identified, they are already massive security risks that could cause significant damage. Most of the time, zero-day bugs are not public knowledge and are patched before attackers can build an exploit kit to take advantage of the flaw.

As long as the zero-day vulnerability is not public, developers have time on their side. However, once the exploit becomes public knowledge, it becomes a race for developers to get a patch out before damage is done.

Many organizations offer bounties for discovering zero-day vulnerabilities in their software. Microsoft and Google offer cash rewards for reporting vulnerabilities to them directly, with some rewards north of $100k.

Zero-Day Exploit

A zero-day exploit is different from a zero-day vulnerability. The exploit is the working attack code (or malware, or ransomware) that takes advantage of the flaw; the term is also used loosely for any brand new attack in progress for which defenders have no signature or patch yet, and which therefore requires immediate remediation.

When a zero-day vulnerability isn’t discovered and patched before the attackers find the flaw, however, it becomes a zero-day exploit as well.

Zero-day exploits are difficult to detect and defend against: they are unknown until it’s too late, and their nature is under-researched. Signature-based security solutions can’t detect a zero-day exploit, and there are no software vulnerability patches immediately available. You need to react to zero-day exploits quickly to prevent widespread damage to the network or data theft.

How to Defend Against Zero-Day Attacks

You can create a secure network that is resilient against zero-day attacks. By monitoring data and comparing current activity to an established baseline, you can detect abnormalities caused by zero-day attacks. Every cyberattack – zero-day or otherwise – leaves digital footprints in both the data and on the network.

For example, a zero-day exploit that grants an attacker access to a user account will likely cause that user account to act abnormally. The attacker might try to search the network for credit card numbers or password lists, or try to elevate the account to a Domain Admin. With Varonis, either of those activities will trigger one of several behavior-based threat models and flag it as suspicious activity. So what can you do to protect yourself against zero-day vulnerabilities?

  • Monitor your core data – including files, folders, emails, Active Directory, VPN, DNS, and Web Proxies – for behaviors that could indicate a zero-day cyberattack
  • Enforce a least-privilege model to prevent lateral movement and data exfiltration from a zero-day attack
  • Update software and security (including IPS and Endpoint) packages as soon as they are available to defend against known zero-day vulnerabilities
  • Back up critical systems and establish recovery and incident response plans
  • Enforce strict software and internet use policies and train users to identify phishing attacks and other security risks

That last point is key. Empower the team to report behaviors on their systems that are out of place – employees are often the last line of defense against a zero-day attack.

Zero-Day Attack Examples

Each year there are at least a dozen or so different zero-day vulnerabilities identified and patched by software vendors. One of the most infamous is the Strutshock vulnerability in Apache Struts used in the Equifax data breach. Developers patched that vulnerability in March of 2017, but Equifax didn’t apply the update; strictly speaking that makes it an unpatched known vulnerability (an "n-day") rather than a true zero-day, which is exactly why prompt patching is on the defense list above.

Other notable zero-day attacks:

Tips to Prevent Zero-Day Vulnerabilities

Protecting your network from zero-day attacks requires behavior-based data monitoring that helps protect against both known and unknown threats. Varonis establishes behavioral baselines to detect unusual activity in your network, and alerts on suspicious activity so you can respond and stop the threat before it becomes a data breach. Signature-based systems won’t detect a zero-day exploit, but a data-centric solution can detect the digital footprints of a zero-day exploit attack in progress.

See how Varonis detects attacks with a free 1:1 demo – and discover the best practices to defend against zero-day attacks.

IDS vs. IPS: What is the Difference?

Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known cyberattacks. Intrusion Prevention Systems (IPS) also analyze packets, but can additionally stop a packet from being delivered based on what kind of attack it detects, helping stop the attack.

How Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) Work

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are both parts of the network infrastructure. IDS/IPS compare network packets to a cyberthreat database containing known signatures of cyberattacks — and flag any matching packets.

The main difference between them is that IDS is a monitoring system, while IPS is a control system.

IDS doesn’t alter the network packets in any way, whereas IPS prevents the packet from delivery based on the contents of the packet, much like how a firewall prevents traffic by IP address.

  • Intrusion Detection Systems (IDS): analyze and monitor network traffic for signs that indicate attackers are using a known cyberthreat to infiltrate or steal data from your network. IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners.
  • Intrusion Prevention Systems (IPS): live in the same area of the network as a firewall, between the outside world and the internal network. An IPS proactively denies network traffic based on a security profile if a packet represents a known security threat.

Many IDS/IPS vendors have integrated newer IPS systems with firewalls to create a Unified Threat Management (UTM) technology that combines the functionality of those two similar systems into a single unit. Some systems provide both IDS and IPS functionality in one unit.

The Differences Between IDS and IPS

Both IDS/IPS read network packets and compare the contents to a database of known threats. The primary difference between them is what happens next. IDS are detection and monitoring tools that don’t take action on their own. IPS is a control system that accepts or rejects a packet based on the ruleset.

IDS requires a human or another system to look at the results and determine what actions to take next, which could be a full time job depending on the amount of network traffic generated each day. IDS makes a better post-mortem forensics tool for the CSIRT to use as part of their security incident investigations.

The purpose of the IPS, on the other hand, is to catch dangerous packets and drop them before they reach their target. It needs less day-to-day human attention than an IDS, mainly that the signature database gets regularly updated with new threat data; the trade-off is that a bad signature blocks legitimate traffic inline, so new IPS rules deserve testing in detect-only mode before they are allowed to drop packets.

*Point of emphasis: IDS/IPS are only as effective as their cyberattack databases. Keep them updated and be prepared to make manual adjustments when a new attack breaks out in the wild and/or the attack signature isn’t in the database.

Why IDS and IPS are Critical for Cybersecurity

Security teams face an ever-growing threat of data breaches and compliance fines while continuing to struggle with budget limitations and corporate politics. IDS/IPS technology covers specific and important jobs of a cybersecurity strategy:

  • Automation: IDS/IPS systems are largely hands-off, which makes them ideal candidates for use in the current security stack. IPS provides the peace of mind that the network is protected from known threats with limited resource requirements.
  • Compliance: Part of compliance often requires proving that you have invested in technologies and systems to protect data. Implementing an IDS/IPS solution checks off a box on the compliance sheet and addresses a number of the CIS Security controls. More importantly, the auditing data is a valuable part of compliance investigations.
  • Policy enforcement: IDS/IPS are configurable to help enforce internal security policies at the network level. For example, if you only support one VPN, you can use the IPS to block other VPN traffic.

Varonis DatAlert complements IDS/IPS: while network security is critical for protection from data breaches — and IDS/IPS solutions fill that role perfectly — Varonis monitors real-time activity on data, which is a critical layer to any cybersecurity strategy.

When a new ransomware attack breaks out the IDS/IPS might not have the signatures ready to prevent the attack at the network level. Varonis, however, not only includes signature-based ransomware detection, but also recognizes the characteristics and behavior of a ransomware attack — multiple files modified in a short time for example — and automatically triggers an alert to stop the attack before it spreads.

Want to see how it works? Get a 1:1 demo to see how Varonis complements your IDS/IPS for a strong cybersecurity strategy.

What is a Brute Force Attack?

A brute force attack (also known as brute force cracking) is the cyberattack equivalent of trying every key on your key ring, and eventually finding the right one. 5% of confirmed data breach incidents in 2017 stemmed from brute force attacks.

Brute force attacks are simple and reliable. Attackers let a computer do the work – trying different combinations of usernames and passwords, for example – until they find one that works. Catching and neutralizing a brute force attack in progress is the best counter: once attackers have access to the network, they’re much harder to catch.

Types of Brute Force Attacks

The most basic brute force attack is a dictionary attack, where the attacker works through a dictionary of possible passwords and tries them all. Dictionary attacks start with some assumptions about common passwords to try to guess from the list in the dictionary. These attacks tend to be somewhat outdated, given newer and more effective techniques.

Recent computers manufactured within the last 10ish years can brute force an 8 character password drawn from the full keyboard (capitals and lowercase letters, numbers, and special characters) in a matter of hours when the password is protected by a fast, unsalted hash such as NTLM; against a deliberately slow, salted hash such as bcrypt the same search takes orders of magnitude longer. Given enough time, the same approach recovers any password protected by a weak hash. These kinds of brute force attacks are known as an exhaustive key search, where the computer tries every possible combination of every possible character to find the right combination.

Credential recycling (better known as credential stuffing) is another type of brute force attack that reuses usernames and passwords from other data breaches to try to break into other systems.

The reverse brute-force attack (also called password spraying) takes a common password like “password” and tries it against many usernames. Since “password” was one of the most common passwords in 2017, this technique is more successful than you might think.

Motives Behind Brute Force Attacks

Cyber Kill Chain

Brute force attacks occur in the early stages of the cyber kill chain, typically during the reconnaissance and infiltration stages. Attackers need access or points of entry into their targets, and brute force techniques are a “set it and forget it” method of gaining that access. Once they have entry into the network, attackers can use brute force techniques to escalate their privileges or to run encryption downgrade attacks.

Attackers also use brute force attacks to look for hidden web pages. Hidden web pages are websites that live on the internet, but are not linked to other pages. A brute force attack tests different addresses to see if they return a valid webpage, looking for something exploitable: a software vulnerability in the code that could be used for infiltration, like the one used to break into Equifax, or a page that exposes a list of usernames and passwords to the world.

There is little finesse involved in a brute force attack, so attackers can automate several attacks to run in parallel to expand their options of finding a positive – for them – result.

How to Defend Against Brute Force Attacks

Brute force attacks need time to run. Some attacks can take weeks or even months to provide anything usable. Most of the defenses against brute force attacks involve increasing the time required for success beyond what is technically possible, but that is not the only defense.

  • Increase password length: More characters equal more time to brute force crack
  • Increase password complexity: More options for each character also increase the time to brute force crack
  • Limit login attempts: most directory services count failed logon attempts per account, so locking an account after a few failures stops a brute force attack in progress. Set the threshold and lockout duration with care, since an attacker can also use lockouts to deny service to legitimate users, and treat a burst of lockouts as a signal to investigate rather than just a helpdesk ticket
  • Implement Captcha: Captcha is a common system to verify a human is a human on websites and can stop automated brute force attempts in progress
  • Use multi-factor authentication: multi-factor authentication requires a second factor the attacker does not hold, so even a correctly guessed password does not get them in

The proactive way to stop brute force attacks starts with monitoring. Varonis monitors Active Directory activity and VPN traffic to detect brute force attacks in progress. We’ve got threat models that monitor lockout behaviors (often a sign that there’s a brute force attack under way), threat models that detect potential credential stuffing, and more – all designed to detect and prevent brute force attacks before the attack escalates.

It’s better to detect an attack in progress and actively stop the attack than it is to hope your passwords are un-crackable. Once you detect and stop the attack, you can even block the offending IP addresses and prevent further attacks from the same computer.
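
As an added example (not Varonis code and not part of the original post), here is what the failed-logon and lockout monitoring described above looks like in PowerShell. The objects in $sampleEvents are constructed to look like parsed Windows Security events (ID 4625 failed logon, ID 4740 account lockout) and cover three scenarios: one source hammering one account, one source trying one password against many accounts (the reverse brute force described earlier), and a user who simply mistyped twice. The Get-WinEvent query at the end pulls real events from a DC; the field names it reads are the standard ones in those events' EventData.

```powershell
# Added example, not code from the original post or from Varonis.
function Find-BruteForceSource {
    # Flags any source that produced at least $Threshold failed logons (ID 4625)
    # within $WindowMinutes, and says whether it hit one account or many.
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with Id, TimeCreated, TargetUser, SourceIp
        [int]$Threshold = 10,
        [int]$WindowMinutes = 5
    )
    $Events |
        Where-Object { $_.Id -eq 4625 } |
        Group-Object -Property SourceIp |
        ForEach-Object {
            $times = @($_.Group.TimeCreated | Sort-Object)
            $span  = ($times[-1] - $times[0]).TotalMinutes
            $users = @($_.Group.TargetUser | Sort-Object -Unique)
            # many accounts, few tries each = password spray (the "reverse" attack);
            # one account, many tries = classic brute force
            $pattern = if ($users.Count -gt 1) { 'password-spray' } else { 'single-account' }
            if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    SourceIp      = $_.Name
                    Failures      = $_.Count
                    DistinctUsers = $users.Count
                    SpanMinutes   = [math]::Round($span, 1)
                    Pattern       = $pattern
                }
            }
        }
}

function Get-LockoutSummary {
    # Lockouts (ID 4740) are the side effect of the "limit login attempts" control
    # and are usually the first visible sign that a brute force is under way.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $_.Id -eq 4740 } | Group-Object -Property TargetUser |
        Select-Object @{ n = 'User'; e = { $_.Name } },
                      @{ n = 'Lockouts'; e = { $_.Count } },
                      @{ n = 'Sources'; e = { ($_.Group.SourceIp | Sort-Object -Unique) -join ', ' } }
}

# Constructed sample events (not real log data).
$t0 = Get-Date '2024-01-15 09:00:00'
$sampleEvents = @(
    # 12 failures against one account from one host in under 3 minutes
    foreach ($i in 0..11) { [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddSeconds(15 * $i); TargetUser = 'jsmith'; SourceIp = '10.0.0.25' } }
    # 12 different accounts, one failure each, from one external address
    foreach ($i in 0..11) { [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddSeconds(20 * $i); TargetUser = "user$i"; SourceIp = '203.0.113.7' } }
    # a user who mistyped twice: below the threshold, no alert
    [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddMinutes(1); TargetUser = 'mjones'; SourceIp = '10.0.0.40' }
    [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddMinutes(2); TargetUser = 'mjones'; SourceIp = '10.0.0.40' }
    # the lockout the first burst triggered
    [pscustomobject]@{ Id = 4740; TimeCreated = $t0.AddSeconds(80); TargetUser = 'jsmith'; SourceIp = '10.0.0.25' }
)

Find-BruteForceSource -Events $sampleEvents | Format-Table -AutoSize
Get-LockoutSummary    -Events $sampleEvents | Format-Table -AutoSize

# Against a real DC (elevated session). 4625 is logged where the logon was attempted,
# so on a DC it covers logons to the DC itself; 4740 lands on the PDC emulator for every
# lockout in the domain. For domain-wide failed authentications add 4771 (Kerberos
# pre-authentication failed) and 4776 (NTLM credential validation) to the query.
$since = (Get-Date).AddHours(-1)
$realEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $since } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        # 4625 carries the caller's IP; 4740 carries the caller's computer name in TargetDomainName
        $source = if ($_.Id -eq 4740) { $data['TargetDomainName'] } else { $data['IpAddress'] }
        [pscustomobject]@{
            Id          = $_.Id
            TimeCreated = $_.TimeCreated
            TargetUser  = $data['TargetUserName']
            SourceIp    = $source
        }
    }
Find-BruteForceSource -Events $realEvents
```

The distinction the Pattern column draws matters for response: a single-account burst is stopped by that account's lockout, while a spray stays below every per-account threshold and is only visible when you count failures per source, which is why per-source monitoring belongs next to the lockout policy rather than instead of it.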

Ready to get ahead of brute force attacks? Get a 1:1 demo to learn how Varonis detects attacks so you can stop attackers proactively.

What is ITAR Compliance? Definition and Regulations

The International Traffic in Arms Regulations (ITAR) is the United States regulation that controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML).

Besides rocket launchers, torpedoes, and other military hardware, the list also restricts the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. This is referred to by ITAR as “technical data”.

ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to U.S. persons (U.S. citizens and lawful permanent residents, among others) unless the State Department authorizes otherwise. How can a company ensure that only those people can reach that data on a network, and prove it? Limiting access to the physical materials is straightforward; limiting access to digital data is more complicated.

Who Needs To Follow ITAR Compliance?

Any company that handles, manufactures, designs, sells, or distributes items on the USML must be ITAR compliant. The State Department’s Directorate of Defense Trade Controls (DDTC) manages the list of companies who can deal in USML goods and services, and it is up to each company to establish policies to comply with ITAR regulations.

  • Wholesalers
  • Distributors
  • Computer Software/ Hardware vendors
  • Third-party suppliers
  • Contractors

Every company in the supply chain needs to be ITAR compliant. If company A sells a part to company B and then company B sells the same part to a foreign power, company A is also in violation of ITAR.

ITAR Regulations

ITAR regulations are simple in principle: only U.S. persons can access items and technical data on the USML list without an export license or other State Department authorization.

ITAR’s rules can present a challenge for many US companies. A US-based company with overseas operations is prohibited from sharing ITAR technical data with employees locally hired, unless they gain State Dept. authorization. The same principle applies when US companies work with non-US subcontractors.

The State Department can issue exemptions to that one rule, and there are existing exemptions established for specific purposes. There are certain countries that currently have standing agreements with the U.S. that apply to ITAR – Australia, Canada, and the U.K., for example.

The US government requires having in place and implementing a documented ITAR compliance program, which should include tracking, monitoring and auditing of technical data. With technical data, it’s also a good idea to tag each page with an ITAR notice or marker so employees don’t accidentally share controlled information with unauthorized users.

ITAR exists to track military and defense sensitive material and to keep that material out of the hands of U.S. enemies. Noncompliance can result in heavy fines along with significant brand and reputation damage — not to mention the potential loss of business to a compliant competitor.

Penalties for ITAR Compliance Violations

The penalties for ITAR infractions are stiff:

  • Civil fines up to $500,000 per violation
  • Criminal fines of up to $1 million and/or 20 years imprisonment per violation

In April of 2018, the State Department fined FLIR Systems, Inc $30 million in civil penalties for transferring USML data to dual national employees. Part of the penalty requires that FLIR implement better compliance measures and hire an outside official to oversee their agreement with the State Department.

In 2007 ITT paid a $100 million penalty for illegally exporting night-vision technology. ITT believed it had found a way around the restrictions; the Government did not agree with its interpretation of the rules.

Types of Defense Articles

There are 21 categories of Defense Articles in the USML. A defense article is anything on this long and oddly specific list.

    1. Firearms, Close Assault Weapons and Combat Shotguns
    2. Guns and Armament
    3. Ammunition/Ordnance
    4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
    5. Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents
    6. Surface Vessels of War and Special Naval Equipment
    7. Ground Vehicles
    8. Aircraft and Related Articles
    9. Military Training Equipment and Training
    10. Personal Protective Equipment
    11. Military Electronics
    12. Fire Control, Laser, Imaging and Guidance Equipment
    13. Materials and Miscellaneous Articles
    14. Toxicological Agents, Including Chemical Agents, Biological Agents and Associated Equipment
    15. Spacecraft and Related Articles
    16. Nuclear Weapons Related Articles
    17. Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
    18. Directed Energy Weapons
    19. Gas Turbine Engines and Associated Equipment
    20. Submersible Vessels and Related Articles
    21. Articles, Technical Data and Defense Services Not Otherwise Enumerated

How to Secure Your ITAR Data

Given the penalties associated with ITAR, it makes sense to protect the digital data with as many layers of security as possible. Because ITAR is a U.S. Federal regulation, the government’s own guidance for data security is a great place to start. NIST SP 800-53 defines the security controls federal agencies must follow, and any company that manages ITAR regulated materials should use NIST SP 800-53 as a baseline for its own security standards. Follow these basic principles to secure your ITAR data:

  • Discover and Classify Sensitive Data
    Locate and secure all sensitive data
    Classify data based on business policy
  • Map Data and Permissions
    Identify users, groups, folder and file permissions
    Determine who has access to what data
  • Manage Access Control
    Identify and deactivate stale users
    Manage user and group memberships
    Remove Global Access Groups
    Implement a least privilege model
  • Monitor Data, File Activity, and User Behavior
    Audit and report on file and event activity
    Monitor for insider threats, malware, misconfigurations and security breaches
    Detect security vulnerabilities and remediate

ITAR Compliance FAQs

  1. How can Varonis help me find all of my ITAR data?
    The Data Classification Engine identifies and classifies ITAR regulated data on your core data stores – both on-premises and in the cloud. With a pre-built library of more than 400 patterns for common laws and standards, you can identify ITAR data and even apply custom tags, flags, and notes to regulated data.
  2. Who can access this ITAR data?
    Varonis DatAdvantage crawls your file systems to analyze permissions to all of your data, including the ITAR data. Understanding who can access this data is step one to protecting the data from illegal access. With DatAdvantage, you can see this information graphically in a clean, user-friendly UI, or as an exportable report.
  3. How will I know if my ITAR data is accessed?
    Varonis DatAlert monitors your data and triggers alerts when it is accessed, including any folder holding ITAR data. You can detect, flag, and investigate any suspicious behavior or unusual activity on your ITAR data, and maintain a complete audit trail to help meet ITAR regulations.
  4. How can I manage access to ITAR data?
    The Automation Engine automatically repairs and maintains file system permissions – keeping ITAR data locked down, and helping achieve a least privilege model. Varonis DataPrivilege helps streamline access governance, automatically enforce security policies, and demonstrate compliance to government auditors.

Want to learn more about how to manage your ITAR data to meet compliance? Get a 1:1 demo with a security engineer to see how Varonis can help.

Threat Modeling: 6 Mistakes You’re Probably Making

Threat modeling is the new normal for modern cybersecurity teams. Predicting threats and testing all possible permutations of those threats and vulnerabilities is a difficult job. Companies spend hundreds of work hours to develop a comprehensive security strategy and the appropriate threat modeling to test, verify, and enhance the strategy over time. We will discuss mistakes security teams make while creating their threat models, along with strategies on how to use threat modeling as a proactive measure for cybersecurity.

What is Threat Modeling?

Threat modeling is the proactive process of identifying potential risks and threats, then creating tests and countermeasures to respond to potential threats. Threat modeling for cybersecurity is a rapidly evolving discipline: you can create threat models for almost any scenario you can imagine.

Successful threat modeling requires identifying potential threats, analyzing the possible effects of those threats, and determining if the threat is significant and requires a neutralization strategy. Cybersecurity teams encounter new threats constantly, and adapting to the latest malware or ransomware could protect the company from a large data breach penalty.

Note: Threat modeling is the process that produces threat models. A threat model describes a specific threat: the adversary, what they target, and how. Not all threat models apply to every system, and not every threat modeling exercise produces a new threat model.

How Threat Modeling Works

Threat modeling is asking and answering questions about the thing you are working to protect. It requires that you step out of the day-to-day whirlwind of data security and imagine the future. It’s important to not only create threat models as part of an implementation plan for new systems but also to set aside time to create or update threat models for older systems as well.

In addition to security team members, a threat modeling team should include application owners, architects, administrators, and even customers. Pull all of those people into a room to ask questions, flag concerns, discuss potential resolutions, and troubleshoot issues. Here are some threat modeling example questions to get you thinking about that process:

Threat Modeling Questions to Ask

What are we building?

In order to understand the system you are threat modeling, you need to break down the system into smaller parts. For example, what kind of application is it? Does it have several components? Who does the application serve? By working through the system all the way down to the smallest components, you’ll have a decent framework to continue building the threat model.

What can go wrong?

Now review all of the “What if?” scenarios the team can imagine. What if a hacker steals someone’s account? What if someone breaks into the database? What if we get hit with a ransomware attack? Be creative and do your research. NIST and SANS have guidance to create comprehensive cybersecurity plans. Use that research to formulate your own questions. Be realistic and thorough with the “What Ifs?” – and let those questions drive threat modeling forward.

What are we going to do about that?

With the “What if?” questions prepared, the team needs to then spec out the impact of that scenario, how to manage the scenario, and the protections needed to defend against that scenario. There might be several mitigation options for each question, while some mitigation options might apply to several questions. Some “What ifs” might not require a response at all.

Did we do a good enough job?

Threat modeling isn’t a one and done meeting: schedule a recurring meeting to review the threat model’s performance and update the threat model. The threat model might need to be updated based on new cybersecurity threats that attackers employ, new variants, or new types of attacks. Whatever the case, take the time to bring the threat modeling team back together and do some further brainstorming and answer a few more “What ifs.”

6 Threat Modeling Mistakes

  1. Think like an attacker. While this might seem like good advice at first, you probably aren’t, in fact, an attacker. At best, you’ll be guessing what an attacker is thinking about – or how they’re planning to behave. It’s not the worst thing you can do as part of your threat modeling, but make sure you cover the cybersecurity basics from the NIST or SANS guidelines before you get into the more esoteric.
  2. Don’t get esoteric. No, extra-terrestrials are not going to corrupt your data with their advanced system interface technology. And if they could, what are you actually going to do about it? Focus on the risks that are real and manageable.
  3. My threat model is complete. This is a double-edged sword. Never assume that the threat modeling team can imagine every potential threat that ever will exist, and don’t hold off deployment of a new system because there is a minuscule amount of risk either. So when the boss asks if the threat model is complete? Give them a realistic risk assessment and tell them that when the risk profile changes, there’s a plan to update the threat models.
  4. No CISSP, no dice. Gather a diverse team and include the stakeholders as well as customer voices, if possible – no certifications required. If necessary, have someone stand in for the customer – support techs are good at that role. Bring cybersecurity expertise to the team, but don’t exclude anyone based on that criteria alone.
  5. Don’t worry about that old system, we don’t need to develop a threat model for that. This is a huge mistake – just look at some of the recent data breaches making headlines. Go back through the service catalog and build threat models for any systems that don’t have one. It could be a colossal task, but the cost of not protecting your data and systems is only getting higher.
  6. Fail to use Varonis Threat Models to protect data. We’ve already put in the time, research, and analysis to get you started – with hundreds of out-of-the-box threat models. Varonis threat models reduce the time required to complete your threat modeling by providing pre-configured and thoroughly researched threat models out of the box. Our threat models analyze behavior and activity across multiple platforms, and alert on suspicious activity and other behavior that indicates a potential data breach.

How Does Varonis Make Threat Modeling Easier?

Varonis has developed hundreds of threat models to detect potential malware, cyberattacks, security vulnerabilities, and unusual behavior. Our dedicated research lab of security experts and data scientists continually develop new threat models to help detect everything from evolving strains of ransomware to the stealthiest of zero-day malware to types of known cyberattacks based on behavioral profiles.

Check out a free 1:1 demo to see how Varonis threat models can help protect your data.

 

5 Ways to Protect Active Directory with Varonis

The fastest way to break into someone’s network is through Active Directory (AD) – it’s the key to the entire kingdom. If you need access to any server, you need to ask AD for permission.

Varonis monitors Active Directory to protect you from a myriad of cybersecurity threats. By combining knowledge of AD, file server activity, and perimeter telemetry, Varonis can detect threats in AD before they become full-blown data breaches.

Technical note: Active Directory and Directory Services are often used interchangeably. Active Directory is Microsoft’s directory service; clients talk to it over LDAP (among other protocols), which is why “LDAP” is often used as shorthand for it.

How Does Varonis Monitor Active Directory?

Varonis gathers and stores the security event logs from your Domain Controllers (DC). We analyze the AD log data in context with file activity, VPN activity, DNS requests, and Proxy requests to paint a clear picture of normal and abnormal behavior. Varonis analyzes user behavior patterns over time and compares known behavior patterns to current activity – if there’s AD activity that looks suspicious, or deviates from the norm for a particular user (or type of user), it triggers an alert. Security teams use these alerts to detect active threats, while leveraging the Varonis UI to investigate how the incident occurred in the first place.

How Varonis Detects Credential Theft

Credential theft, the unlawful use of someone else’s login credentials, is one of the more common methods used to infiltrate networks. It’s always easier to steal a password than it is to brute-force it or attack Kerberos directly. No matter how much you train users in cybersecurity principles and build out protections, your users remain the chink in your armor: on any given day, any given user can click a phishing link. Which means that on top of all that training, it’s important to monitor for possible credential theft. Here are a few threat models that catch evidence of credential theft.

Threat Model: Abnormal access behavior: possible credential stuffing attack from a single source

How it works: Varonis detected multiple failed attempts to log in with invalid user names or passwords from a single device.

What it means: Either an attacker is trying to find a valid username to use in a brute force password attack, or they are replaying username/password pairs leaked in a prior data breach to find one that works here – which makes it a credential stuffing attack. The good news is that at this point they do not have access to your network, and you can proactively shut them down.

Where it works: Directory Services

Threat Model: Abnormal behavior: unusual amount of devices accessed

How it works: Varonis continuously scans Directory Services for logins, comparing historical behavior patterns to the current data. In this case, the attacker has a user’s credentials, and they are probing the network to figure out what devices they can access with that account.

What it means: An attacker might be leveraging a user account in order to reach that user’s assets – on multiple devices. At a minimum, you need to change the password and figure out how this account was compromised. You might need to do some digging to find out what else the attacker accessed, to make sure there are no data breaches.

Where it works: Directory Services
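The two credential-theft threat models above can be expressed as plain detection logic. The following is an added example written for this edit, not Varonis code: it runs over a handful of constructed Windows Security log events (4625 failed logons and 4624 successful logons, using the real field names TargetUserName, IpAddress, WorkstationName and SubStatus) and flags both a single source hammering many accounts and an account suddenly touching devices outside its baseline. The thresholds, the per-user device baseline and the sample events are assumptions.

```python
"""Detection logic for the two credential-theft threat models, run over
constructed Windows Security log events (4625 = failed logon, 4624 = logon).
Added illustration, not Varonis code; field names follow the Windows event
schema, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# SubStatus codes Windows records on 4625 events
STATUS_NO_SUCH_USER = "0xC0000064"   # user name does not exist
STATUS_BAD_PASSWORD = "0xC000006A"   # user name exists, password is wrong

BASE_TIME = datetime(2018, 9, 12, 8, 0, 0)


def _ev(event_id, secs, user, ip, host, substatus=None):
    """Build one constructed event; 'secs' is the offset from BASE_TIME."""
    return {"EventID": event_id, "Time": BASE_TIME + timedelta(seconds=secs),
            "TargetUserName": user, "IpAddress": ip, "WorkstationName": host,
            "SubStatus": substatus}


# Constructed sample: 12 failures against 9 accounts from one address within a
# minute, two innocent typos from a workstation, then jdoe's account logging on
# to four servers it has never used before.
_ATTACK = [("jdoe", STATUS_BAD_PASSWORD), ("asmith", STATUS_BAD_PASSWORD),
           ("bwong", STATUS_NO_SUCH_USER), ("jdoe", STATUS_BAD_PASSWORD),
           ("mlee", STATUS_BAD_PASSWORD), ("rpatel", STATUS_BAD_PASSWORD),
           ("admin", STATUS_NO_SUCH_USER), ("asmith", STATUS_BAD_PASSWORD),
           ("tkim", STATUS_BAD_PASSWORD), ("svc_backup", STATUS_BAD_PASSWORD),
           ("root", STATUS_NO_SUCH_USER), ("mlee", STATUS_BAD_PASSWORD)]
SAMPLE_EVENTS = (
    [_ev(4625, 5 * i, u, "203.0.113.9", "-", s) for i, (u, s) in enumerate(_ATTACK)]
    + [_ev(4625, 100, "cgarcia", "10.0.0.5", "WS-CGARCIA", STATUS_BAD_PASSWORD),
       _ev(4625, 130, "cgarcia", "10.0.0.5", "WS-CGARCIA", STATUS_BAD_PASSWORD)]
    + [_ev(4624, 300 + 30 * i, "jdoe", "10.0.0.7", h)
       for i, h in enumerate(["WS-JDOE", "FS01", "FS02", "SQL01", "DC01"])]
    + [_ev(4624, 400, "asmith", "10.0.0.8", "WS-ASMITH"),
       _ev(4624, 460, "asmith", "10.0.0.8", "FS01")]
)

# Assumed per-user baseline: devices each account used during the learning period
BASELINE_DEVICES = {"jdoe": {"ws-jdoe"}, "asmith": {"ws-asmith", "fs01"}}


def detect_single_source_failures(events, window_minutes=10, min_failures=10, min_users=5):
    """Threat model 1: many failed logons against many accounts from one source.
    Mostly 'no such user' failures means the attacker is still guessing names;
    mostly 'bad password' failures against real accounts is credential stuffing
    or password spraying. Reports the largest qualifying window per source."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_source[e["IpAddress"]].append(e)
    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["Time"])
        best, start = None, 0
        for end in range(len(evs)):             # sliding window over sorted failures
            while evs[end]["Time"] - evs[start]["Time"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["TargetUserName"].lower() for e in span}
            if len(span) >= min_failures and len(users) >= min_users:
                if best is None or len(span) > len(best):
                    best = span
        if best is None:
            continue
        users = {e["TargetUserName"].lower() for e in best}
        unknown = sum(1 for e in best if e["SubStatus"] == STATUS_NO_SUCH_USER)
        kind = ("username enumeration" if unknown > len(best) / 2
                else "credential stuffing / password spray")
        alerts.append({"source": source, "kind": kind, "failures": len(best),
                       "distinct_users": len(users),
                       "first": best[0]["Time"], "last": best[-1]["Time"]})
    return alerts


def detect_unusual_device_count(events, baseline, min_new=3, factor=2.0):
    """Threat model 2: an account logging on to far more devices than its
    baseline. Fires when at least min_new unseen devices appear and the total
    is factor times the baseline count (stolen credentials probing hosts)."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624:
            seen[e["TargetUserName"].lower()].add(e["WorkstationName"].lower())
    alerts = []
    for user, devices in seen.items():
        known = baseline.get(user, set())
        new = devices - known
        if len(new) >= min_new and len(devices) >= factor * max(len(known), 1):
            alerts.append({"user": user, "new_devices": sorted(new),
                           "baseline_count": len(known), "current_count": len(devices)})
    return alerts


if __name__ == "__main__":
    for a in detect_single_source_failures(SAMPLE_EVENTS):
        print("ALERT", a)
    for a in detect_unusual_device_count(SAMPLE_EVENTS, BASELINE_DEVICES):
        print("ALERT", a)
```

The first detector deliberately ignores the two failures from cgarcia's own workstation: a real user mistyping a password never reaches the account-count threshold, which is what keeps the alert from firing on ordinary helpdesk noise. The second one needs a learned baseline; without one every user looks anomalous on day one.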

How Varonis Detects Privilege Escalations

Once attackers have access to your network, they will try to expand their access to Administrative or Domain Admin privileges. That type of activity – attempts at elevating access – is known as privilege escalation. Attackers use the privileges they already have to steal higher privileged access. There are several methods to gather more access and enable lateral movement through the network. Here are a few threat models that will detect attempts at privilege escalations.

Threat Model: Membership changes: admin groups

How it works: Varonis categorizes users and groups into four buckets: privileged, service, executive, and user. Privileged groups have admin level permissions to at least a few, if not most, of the resources in your network. This threat model looks for any members added to or removed from admin (privileged) groups.

What it means: Someone either added or removed a user from an admin group. An attacker might add an admin to a group in order to get more access – or they might delete an admin to deny access, potentially preventing a response to the attack. If they made this change outside of change control, it could be evidence of a privilege escalation in a cyberattack.

Where it works: Directory Services

Threat Model: Failed privilege escalation detected via vulnerability in Kerberos

How it works: Varonis monitors domain user logins for evidence of a Silver Ticket attack (a forged Kerberos service ticket). Each login contains details that Varonis analyzes for possible attempts to circumvent Kerberos authentication.

What it means: An attacker tried to exploit a vulnerability in Microsoft’s Kerberos implementation that lets them elevate their permissions with a forged ticket: the domain controller failed to properly validate the signature on the privilege attribute certificate (PAC), so an attacker could present a PAC claiming Domain Admin group membership. Check out Microsoft CVE-2014-6324 (MS14-068) for all the details. Patch your DCs for this CVE and lock the attacker out of your network STAT!

Where it works: Directory Services

How Varonis Detects Lateral Movement

Assuming the attacker made it this far undetected – they may start looking around for sensitive data they can steal. We refer to this phase of the cyber kill chain as lateral movement, as the attackers are moving laterally across your network using the stolen access. Varonis identifies and monitors your sensitive data stores and AD to catch such shenanigans. Varonis identifies where sensitive data lives and categorizes each AD account as a service, executive, privileged, or user. Based on knowledge of what kind of data each account is accessing Varonis can make informed decisions and analysis about current user activity.

Threat Model: Abnormal behavior: unusual amount of logons to personal devices

How it works: Each time the attacker accesses a new server on the network, they generate a new login event. Varonis watches those login events for abnormal behavior, and a user hitting multiple servers in a short amount of time – especially ones that they have never accessed before – will raise a red flag.

What it means: Someone is behaving out of the ordinary, and it’s possible an attacker has compromised this user account. It might mean that they’ve accessed the network – and are now looking for data to steal.

Where it works: Directory Services

How Varonis Protects You From Encryption Downgrades

Strong encryption is vital to keeping usernames and passwords safe on the network, but unfortunately it’s not a foolproof solution. Current versions of AD use AES to protect Kerberos tickets, but attackers have figured out how to make AD fall back to the much easier to crack RC4 cipher instead. This is an encryption downgrade attack, and it is also the signature of a Skeleton Key attack (malware planted on a DC that patches the authentication process to accept a master password; its Kerberos traffic falls back to RC4). Varonis has a threat model that detects this kind of threat.

Threat Model: Encryption downgrade attack

How it works: Varonis monitors AD logins, and each AD login records which encryption type was used. Any increase in the number of logins at weaker encryption types triggers an alert.

What it means: The attackers are likely trying to reduce the encryption strength so that tickets are easier to crack or forge, or to bypass Active Directory authentication outright. They might have been able to deploy a skeleton key, which – you guessed it – allows them to authenticate as any user.

Where it works: Directory Services
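Windows records the cipher on every Kerberos event (4768 for a TGT request, 4769 for a service ticket request) in the TicketEncryptionType field, so the downgrade threat model above reduces to comparing the share of weak-cipher tickets against a baseline. The following is an added example, not Varonis code; the events are constructed, and the ratio thresholds are assumptions to tune for your own environment, where some RC4 from legacy accounts is normal.

```python
"""Added example (not Varonis code): detecting a Kerberos encryption downgrade
from 4768 (TGT request) and 4769 (service ticket request) events via the
TicketEncryptionType field Windows records on both. Events are constructed."""

# Encryption type values as they appear in TicketEncryptionType
ENC_TYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
             "0x11": "AES128-CTS-HMAC-SHA1-96", "0x12": "AES256-CTS-HMAC-SHA1-96",
             "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP"}
WEAK_TYPES = {"0x1", "0x3", "0x17", "0x18"}   # DES and RC4: crackable offline


def _krb(event_id, account, enc, ip):
    return {"EventID": event_id, "TargetUserName": account,
            "TicketEncryptionType": enc, "IpAddress": ip}


_USERS = ["jdoe", "asmith", "mlee", "rpatel", "tkim", "cgarcia", "bwong", "svc_sql"]

# Constructed baseline: a healthy day where only one legacy service account uses RC4
BASELINE = ([_krb(4768, u, "0x12", "10.0.0.%d" % i) for i, u in enumerate(_USERS, 10)]
            + [_krb(4769, u, "0x12", "10.0.0.%d" % i) for i, u in enumerate(_USERS, 10)]
            + [_krb(4768, "legacyapp$", "0x17", "10.0.0.50"),
               _krb(4769, "legacyapp$", "0x17", "10.0.0.50")])

# Constructed current window: accounts that always got AES now get RC4 tickets
CURRENT = [_krb(4768, "jdoe", "0x17", "10.0.0.10"), _krb(4769, "jdoe", "0x17", "10.0.0.10"),
           _krb(4768, "asmith", "0x17", "10.0.0.11"), _krb(4769, "asmith", "0x17", "10.0.0.11"),
           _krb(4768, "mlee", "0x12", "10.0.0.12"), _krb(4769, "mlee", "0x12", "10.0.0.12"),
           _krb(4768, "rpatel", "0x12", "10.0.0.13"), _krb(4769, "rpatel", "0x12", "10.0.0.13"),
           _krb(4768, "legacyapp$", "0x17", "10.0.0.50"), _krb(4769, "legacyapp$", "0x17", "10.0.0.50")]


def weak_ticket_ratio(events):
    """Fraction of Kerberos tickets issued with a DES or RC4 cipher."""
    krb = [e for e in events if e["EventID"] in (4768, 4769)]
    if not krb:
        return 0.0
    return sum(1 for e in krb if e["TicketEncryptionType"] in WEAK_TYPES) / len(krb)


def detect_downgrade(baseline_events, current_events, min_ratio=0.2, factor=3.0):
    """Two checks: (1) the fleet-wide share of weak-cipher tickets jumps against
    the baseline; (2) individual accounts that received AES tickets in the
    baseline now receive RC4/DES ones, which is what a Skeleton Key-patched DC
    produces. Legacy accounts that were already on RC4 are not re-reported."""
    base = weak_ticket_ratio(baseline_events)
    cur = weak_ticket_ratio(current_events)
    alerts = []
    if cur >= min_ratio and cur >= factor * max(base, 0.01):
        alerts.append({"type": "fleet downgrade", "baseline_ratio": round(base, 3),
                       "current_ratio": round(cur, 3)})
    strong_before = {e["TargetUserName"].lower() for e in baseline_events
                     if e["EventID"] in (4768, 4769)
                     and e["TicketEncryptionType"] not in WEAK_TYPES}
    flagged = {}
    for e in current_events:
        acct = e["TargetUserName"].lower()
        if (e["EventID"] in (4768, 4769) and e["TicketEncryptionType"] in WEAK_TYPES
                and acct in strong_before and acct not in flagged):
            flagged[acct] = {"type": "account downgrade", "account": acct,
                             "cipher": ENC_TYPES.get(e["TicketEncryptionType"],
                                                     e["TicketEncryptionType"]),
                             "source": e["IpAddress"]}
    alerts.extend(flagged.values())
    return alerts


if __name__ == "__main__":
    for a in detect_downgrade(BASELINE, CURRENT):
        print("ALERT", a)
```

The per-account check is the more useful of the two in practice: a fleet-wide ratio moves slowly and is easy to hide in, whereas an account that has only ever been issued AES tickets suddenly getting RC4 ones is a precise signal worth paging on.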

How Varonis Detects Threats Against Kerberos

If you are using AD, you are using Kerberos; if you are using Kerberos there are a few vulnerabilities you need to be aware of. Varonis is watching for activity related to those vulnerabilities.

Threat Model: Potential pass-the-ticket attack

How it works: Varonis analyzes Active Directory logs for evidence of access to a resource that bypassed the standard Kerberos process and proper authorization.

What it means: Someone is trying to break into your network – unless your new interns are on the Red Team. An attacker is likely using a stolen ticket to get access to resources. One possibility is a Golden Ticket attack (a forged TGT signed with the krbtgt account’s key), which means you have a lot of clean-up work ahead of you to contain that threat: the krbtgt password has to be reset twice, with time for replication between the resets, before the forged tickets stop working.

Where it works: Directory Services

With hundreds of built-in threat models, DatAlert detects everything from golden ticket attacks to abnormal lockout behavior to DNS poisoning. You can take automatic action to disable a compromised account, kill active sessions, and even send alerts to your SIEM for further analysis and correlation.

Understanding Active Directory is vital to protecting companies from data breaches, and active monitoring of Active Directory can be the difference between an attempt and data theft.

Get a 1:1 demo of Varonis and discover how we do data security differently.

CryptoLocker: Everything You Need to Know

What is CryptoLocker?

CryptoLocker is by now a well known piece of malware that can be especially damaging for any data-driven organization. Once the code has been executed, it encrypts files on desktops and network shares and “holds them for ransom”, prompting any user that tries to open the file to pay a fee to decrypt them. For this reason, CryptoLocker and its variants have come to be known as “ransomware.”

Malware like CryptoLocker can enter a protected network through many vectors, including email, file sharing sites, and downloads. New variants have successfully eluded anti-virus and firewall technologies, and it’s reasonable to expect that more will continue to emerge that are able to bypass preventative measures. In addition to limiting the scope of what an infected host can corrupt through buttressing access controls, detective and corrective controls are recommended as a next line of defense.

FYI, this article is CryptoLocker specific. If you’re interested in reading about ransomware in general, we’ve written A Complete Guide To Ransomware that is very in-depth.

Update September 2018: Ransomware attacks have decreased significantly since their peak in 2017. CryptoLocker and its variants are no longer in wide distribution, and new ransomware has taken over. Ransomware has evolved into more of a targeted attack instead of the previous wide distribution model, and is still a threat to businesses and government entities.

What Does CryptoLocker Do?

On execution, CryptoLocker begins to scan mapped network drives that the host is connected to for folders and documents (see affected file-types), and renames and encrypts those that it has permission to modify, as determined by the credentials of the user who executes the code.

CryptoLocker encrypts each file with a symmetric key and protects that key with a 2048-bit RSA public key whose private half stays with the attackers, then renames the files by appending an extension such as .encrypted or .cryptolocker or .[7 random characters], depending on the variant. Finally, the malware creates a file in each affected directory linking to a web page with decryption instructions that require the user to make a payment (e.g. via bitcoin). Instruction file names are typically DECRYPT_INSTRUCTION.txt or DECRYPT_INSTRUCTIONS.html.

As new variants are uncovered, information will be added to the Varonis Connect discussion on Ransomware.  For example, a variant known as “CTB-Locker” creates a single file in the directory where it first begins to encrypt files, named, !Decrypt-All-Files-[RANDOM 7 chars].TXT or !Decrypt-All-Files-[RANDOM 7 chars].BMP.

How to Prevent CryptoLocker

The more files a user account has access to, the more damage malware can inflict. Restricting access is therefore a prudent course of action, as it will limit the scope of what can be encrypted. In addition to offering a line of defense for malware, it will mitigate potential exposure to other attacks from both internal and external actors.

While getting to a least privilege model is not a quick fix, it’s possible to reduce exposure quickly by removing unnecessary global access groups from access control lists. Groups like “Everyone,” “Authenticated Users,” and “Domain Users,” when used on data containers (like folders and SharePoint sites) can expose entire hierarchies to all users in a company. In addition to being easy targets for theft or misuse, these exposed data sets are very likely to be damaged in a malware attack. On file servers, these folders are known as “open shares,” if both file system and sharing permissions are accessible via a global access group.

Although it’s easiest to use technologies designed to find and eliminate global access groups, it is possible to spot open shares by creating a user with no group memberships and using that account’s credentials to “scan” the file sharing environment. For example, even basic net commands from a Windows cmd shell can be used to enumerate and test shares for accessibility:

    • net view (enumerates nearby hosts)
    • net view \\host (enumerates shares)
    • net use X: \\host\share (maps a drive to the share)
    • dir /s (enumerates all the files readable by the user under the share)

These commands can be easily combined in a batch script to identify widely accessible folders and files. Remediating these without automation, unfortunately, can be a time-consuming and risky endeavor, as it’s easy to affect normal business activity if you’re not careful. If you uncover a large amount of accessible folders, consider an automated solution. Automated solutions can also help you go farther than eliminating global access, making it possible to achieve a true least-privilege model and eliminate manual, ineffective access-control management at the same time.
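The net commands tell you what the test account can reach; the complementary view is to read the ACLs themselves and look for the global groups named above. The following is an added example, not Varonis code and not from the original post: it parses the output of the built-in Windows command icacls <share-root> /t (saved to a file and fed in as text) and reports every object a global group can reach, separating read access from the write access ransomware needs. It serves both the ITAR principle “Remove Global Access Groups” earlier on this page and the open-share hunt here. The sample output is constructed to match icacls’ layout, and the group list and “write-capable rights” rule are assumptions to adapt for your own domain.

```python
"""Added example (not Varonis code): find folders exposed to global access
groups by parsing  icacls <share-root> /t  output. Sample output constructed."""
import re

# Identities that amount to "everyone in the company"; compared case-insensitively
GLOBAL_GROUPS = {"everyone", r"nt authority\authenticated users", r"builtin\users"}
GLOBAL_GROUP_SUFFIXES = (r"\domain users",)       # DOMAIN\Domain Users for any domain

# Simple rights F/M/W plus the specific rights that change content or security.
# Any of these lets a user (or ransomware running as that user) overwrite files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "D", "DC"}

# icacls prints "<path> <identity>:(flag)(flag)..." for the first ACE and indents
# the remaining ACEs of the same object under it. An identity is Everyone,
# CREATOR OWNER, or PREFIX\name where only the name part may contain spaces, so a
# non-greedy path plus that grammar splits "C:\My Share NT AUTHORITY\Authenticated
# Users:(F)" at the right place.
ACE_RE = re.compile(
    r"^(?P<path>\S.*?)?\s*"
    r"(?P<id>(?:NT AUTHORITY|NT SERVICE|BUILTIN|[^\s\\:]+)\\[^\\:]+|CREATOR OWNER|[^\s\\:]+)"
    r":(?P<flags>(?:\([^)]*\))+)\s*$")


def parse_icacls(text):
    """Return a list of (path, identity, [flags]) from icacls /t output.
    Indented lines carry further ACEs for the most recently printed path."""
    entries, path = [], None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue                      # blank lines and the summary line
        if m.group("path"):
            path = m.group("path").rstrip()
        if path is None:
            continue
        flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
        entries.append((path, m.group("id"), flags))
    return entries


def is_global(identity):
    ident = identity.lower()
    return ident in GLOBAL_GROUPS or ident.endswith(GLOBAL_GROUP_SUFFIXES)


def ace_grants_write(flags):
    """The last parenthesised group holds the rights; the earlier ones are
    inheritance markers (OI, CI, IO, NP, I) or DENY."""
    return bool(set(flags[-1].split(",")) & WRITE_RIGHTS)


def find_exposed_folders(icacls_output):
    """Map each object reachable by a global group to 'write' or 'read'.
    DENY entries never grant anything, so they are skipped."""
    exposed = {}
    for path, identity, flags in parse_icacls(icacls_output):
        if not is_global(identity) or "DENY" in flags:
            continue
        level = "write" if ace_grants_write(flags) else "read"
        if exposed.get(path) != "write":
            exposed[path] = level
    return exposed


def _block(path, aces):
    """Lay out one object the way icacls does: first ACE after the path, rest aligned under it."""
    pad = " " * (len(path) + 1)
    return "\n".join([path + " " + aces[0]] + [pad + a for a in aces[1:]])


# Constructed sample output for:  icacls \\FS01\Data /t
SAMPLE_ICACLS = "\n".join([
    _block(r"\\FS01\Data\Finance", [r"BUILTIN\Administrators:(I)(OI)(CI)(F)",
                                   r"NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
                                   r"CORP\Finance-Team:(I)(OI)(CI)(M)"]),
    _block(r"\\FS01\Data\Finance\q1.xlsx", [r"BUILTIN\Administrators:(I)(F)",
                                            r"CORP\Finance-Team:(I)(M)"]),
    _block(r"\\FS01\Data\Shared", [r"BUILTIN\Administrators:(OI)(CI)(F)",
                                  "Everyone:(OI)(CI)(M)",
                                  r"CORP\Domain Users:(OI)(CI)(RX)"]),
    _block(r"\\FS01\Data\Engineering", [r"NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)",
                                       r"CORP\Eng:(OI)(CI)(M)"]),
    _block(r"\\FS01\Data\Engineering\ITAR Drawings",
           [r"NT AUTHORITY\Authenticated Users:(DENY)(OI)(CI)(W)",
            r"NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)",
            r"CORP\ITAR-Cleared:(OI)(CI)(M)"]),
    _block(r"\\FS01\Data\Public", [r"CORP\Domain Users:(OI)(CI)(RD,REA,RA,X)"]),
    "Successfully processed 6 files; Failed processing 0 files",
])


if __name__ == "__main__":
    for path, level in find_exposed_folders(SAMPLE_ICACLS).items():
        print("%-5s %s" % (level, path))
```

This only evaluates NTFS permissions. A folder is an open share in the sense used above only when the share-level permissions are also wide open, so check those separately (net share <name> on the server, or Get-SmbShareAccess on recent Windows) before calling a result a finding. Note how the ITAR Drawings folder in the sample still shows up as readable: the explicit deny only blocks writes, while the inherited Authenticated Users read ACE remains.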

How to Detect CryptoLocker

If file access activity is being monitored on affected file servers, these behaviors generate very large numbers of open, modify, and create events at a very rapid pace, and are fairly easy to spot with automation, providing a valuable detective control. For example, if a single user account modifies 100 files within a minute, it’s a good bet something automated is going on. Configure your monitoring solution to trigger an alert when this behavior is observed. Varonis DatAlert monitors file system behavior for ransomware attacks out of the box; there is no need for extra configuration if Varonis is monitoring your data.

If you don’t have an automated solution to monitor file access activity, you may be forced to enable native auditing. Native auditing, unfortunately, taxes monitored systems and the output is difficult to decipher. Instead of attempting to enable and collect native audit logs on each system, prioritize particularly sensitive areas and consider setting up a file share honeypot.

A file share honeypot is an accessible file share that contains files that look normal or valuable, but in reality are fake. As no legitimate user activity should be associated with a honeypot file share, any activity observed should be scrutinized carefully. If you’re stuck with manual methods, you’ll need to enable native auditing to record access activity, and create a script to alert you when events are written to the security event log (e.g. using dumpel.exe).

If you’re PowerShell inclined, we’ve written a bit on how to combat CryptoLocker with PowerShell.

If your detective control mechanism can trigger an automated response, such as disabling the user account, the attack is effectively stopped before inflicting further damage. For example, a response to a user that generates more than 100 modify events within a minute might include:

  • Notifying IT and security administrators (include the affected username and machine)
  • Checking the machine’s registry for the key CryptoLocker creates to track what it has encrypted:
    • (Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames()
  • If the key exists, disable the user automatically.
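The detective control described above (a burst of write activity by one account), the honeypot share, and the automated response can be combined in one piece of server-side logic. The following is an added example, not Varonis or CryptoLocker code: it runs over constructed file-activity events of the kind a file server audit log would produce, using the 100-events-per-minute threshold and the ransom-note names and extensions quoted earlier in this article. The share names, the honeypot path and the response rule are assumptions; the registry check from the list above runs on the endpoint and is not part of this server-side analysis.

```python
"""Added example (not Varonis or CryptoLocker code): ransomware detection and
response over constructed file-activity events from a file server audit log."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

BURST_THRESHOLD = 100                      # write events per user per minute, from the text
WINDOW = timedelta(minutes=1)
HONEYPOT_ROOT = r"\\FS01\Finance-Archive$"  # assumed decoy share with no legitimate users
WRITE_ACTIONS = {"modify", "rename", "create", "delete"}
# Ransom-note names and encrypted-file extensions quoted earlier in the article
RANSOM_NOTE_RE = re.compile(
    r"^(?:DECRYPT_INSTRUCTIONS?\.(?:txt|html)|!Decrypt-All-Files-.{7}\.(?:TXT|BMP))$", re.I)
ENCRYPTED_EXT_RE = re.compile(r"\.(?:encrypted|cryptolocker)$", re.I)

BASE = datetime(2018, 9, 12, 9, 30, 0)


def _fev(secs, user, action, path):
    """One constructed audit event; for renames 'Path' is the new name."""
    return {"Time": BASE + timedelta(seconds=secs), "User": user, "Action": action, "Path": path}


# Constructed sample: rsmith edits a dozen spreadsheets over an hour; jdoe's
# account renames and rewrites 150 files in 40 seconds, drops a ransom note and
# touches the decoy share.
SAMPLE_EVENTS = (
    [_fev(300 * i, "CORP\\rsmith", "modify", r"\\FS01\Finance\budget%d.xlsx" % i) for i in range(12)]
    + [_fev(i // 4, "CORP\\jdoe", "rename", r"\\FS01\Shared\doc%03d.docx.encrypted" % i) for i in range(150)]
    + [_fev(i // 4, "CORP\\jdoe", "modify", r"\\FS01\Shared\doc%03d.docx.encrypted" % i) for i in range(150)]
    + [_fev(40, "CORP\\jdoe", "create", r"\\FS01\Shared\DECRYPT_INSTRUCTION.txt"),
       _fev(45, "CORP\\jdoe", "modify", HONEYPOT_ROOT + r"\payroll-2017.xlsx")]
)


def analyze(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return {user: {"reasons": [...], "affected": [paths]}} for accounts that
    show ransomware behaviour: a write burst, a ransom note, renames to a known
    extension, or any touch of the honeypot share."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["User"]].append(e)
    findings = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["Time"])
        reasons, renamed = [], set()
        writes = [e for e in evs if e["Action"] in WRITE_ACTIONS]
        start, peak = 0, 0
        for end in range(len(writes)):             # sliding one-minute window
            while writes[end]["Time"] - writes[start]["Time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            reasons.append("burst: %d write events within %d s" % (peak, window.seconds))
        for e in evs:
            name = e["Path"].rsplit("\\", 1)[-1]
            if RANSOM_NOTE_RE.match(name):
                reasons.append("ransom note dropped: " + name)
            if e["Action"] == "rename" and ENCRYPTED_EXT_RE.search(name):
                renamed.add(e["Path"])
            if e["Path"].lower().startswith(HONEYPOT_ROOT.lower()):
                reasons.append("honeypot share touched: " + e["Path"])
        if renamed:
            reasons.append("%d files renamed to a known ransomware extension" % len(renamed))
        if reasons:
            findings[user] = {"reasons": reasons, "affected": sorted(renamed)}
    return findings


def respond(findings):
    """Map findings to the response steps listed in the text: always notify;
    disable the account and kill its sessions when a burst is corroborated by
    at least one other indicator, so a bulk copy alone does not lock someone out."""
    actions = {}
    for user, f in findings.items():
        kinds = {r.split(":")[0] for r in f["reasons"]}
        steps = ["notify IT/security (user=%s)" % user]
        if "burst" in kinds and len(kinds) >= 2:
            steps += ["disable account", "kill active sessions"]
        actions[user] = steps
    return actions


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for user, steps in respond(found).items():
        print(user, found[user]["reasons"], steps)
```

The "affected" list the analysis returns is the recovery input the next paragraph talks about: it is the set of files to restore from backup or shadow copy once the account is contained.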

If recorded access activity is preserved and adequately searchable, it becomes invaluable in recovery efforts, as it provides a complete record of all affected files, user accounts, and (potentially) hosts. Varonis customers can use the output from report 1a (as described here) to restore files from a backup or shadow copy.

Depending on the variant of CryptoLocker, the encryption may turn out to be reversible once the sample has been reverse-engineered with a disassembler, but that is the exception rather than something to plan on.

Ransomware Safety Tips

  • Update your antivirus and endpoint protection software – these solutions can help detect certain types of ransomware and prevent it from encrypting your files.
  • Avoid phishing scams – phishing emails are the most prevalent delivery mechanism for ransomware.
  • Keep backups of your documents – it’s much faster and easier to recover your documents from a backup than it is to decrypt them, if they’ve been compromised in a ransomware attack.
  • Commit to a zero-trust/least privilege model – ransomware can only affect the folders a user can write to. A least privilege model limits that access to only what’s absolutely necessary.
  • Monitor file activity and user behavior to detect, alert and respond to potential ransomware activity.

New ransomware variants are popping up all the time – luckily our dedicated security forensics team does the legwork for you and diligently updates the ransomware signatures that Varonis detects. See how it works with a free 1:1 demo and learn more about how our ransomware defense architecture is designed to protect enterprise data from zero-day attacks beyond the endpoint – catching ransomware that traditional perimeter security doesn’t see.

Cerber Ransomware: What You Need to Know

What is Cerber?

Cerber ransomware is ransomware-as-a-service (RaaS), which means that the attacker licenses Cerber ransomware over the internet and splits the ransom with the developer. For a 40% cut of the ransom, you can sign up as a Cerber affiliate and deliver all the Cerber ransomware you want. Most ransomware doesn’t use this service paradigm. Typically, an attacker would adapt and deliver the ransomware and keep all of the money. By setting up Cerber as RaaS, the developer and partner are able to send more attacks with less work.

Cerber is an example of evolved ransomware technology. The author of the ransomware offloads the work of finding targets and infecting systems to a partner in exchange for a cut of the profit. The partner gets a highly functional piece of software they are free to distribute, and bitcoin keeps the exchanges all anonymous and difficult to track.

How Do You Recognize Cerber Ransomware?

If the screenshot looks like your desktop wallpaper, you’ve been infected with the Cerber ransomware.

Of course, if you do see that screen, it might be too late to save your files. You can try to pay the ransom and hope they send you the decryption key, but many victims who pay never get one. Cerber and ransomware in general fall under the “ounce of prevention equals a pound of cure” paradigm. Your best bet is to avoid infection in the first place.

How Do You Remove Cerber Ransomware?

The best and most complete option to remove Cerber ransomware is to rebuild your operating system from a backup. If you have a recent backup, you’ll also be able to recover your encrypted files. As Ripley said, “Nuke it from orbit, it’s the only way to be sure.”

Current Anti-Virus programs can detect most ransomware including Cerber, and prevent it from running. Once Ransomware has started to encrypt your files, take the affected computer offline to prevent it from spreading to other computers or network drives.

One of Cerber’s particularly nasty tricks is that it’s easy to wrap inside other delivery mechanisms. For example, you could download a rootkit that disables your Anti-Virus before it downloads and activates Cerber. After an infection, you can remove the Cerber ransomware, but that doesn’t necessarily mean you removed the malware that delivered the ransomware to your computer.

No matter what you do with the ransomware itself, you aren’t going to be able to get the files decrypted. Cerber uses RSA encryption, and it’s not feasible to crack that encryption in a timely manner – even for the most sophisticated computer. Hopefully, you have a good recent backup of your important documents.

How Do You Prevent Cerber Ransomware?

Cyberthieves distribute ransomware by phishing email or infected websites. The best way to prevent Cerber (or any ransomware) attacks is by practicing good cybersecurity. Here are a few tips:

  • Don’t get phished.
  • Keep your Anti-Virus software updated.
  • Backup your documents regularly.

Varonis DatAlert provides immediate response to limit ransomware attacks in progress that threaten your most important data.

Six Cerber Ransomware Statistics

  • At its peak in early 2017, Cerber accounted for 26% of all ransomware infections.
  • In July 2016, about 150,000 windows users were infected by Cerber through 161 identified campaigns.
  • Cerber generated $2.3 million (estimated for attackers in 2016).
  • Cerber developers released updates almost weekly, which kept the ransomware out in the world for longer than usual.
  • In the first half of 2018, ransomware infections have dropped by 42% and 50% for businesses and consumers, respectively.
  • There have been 0 reported Cerber ransomware attacks in 2018 as attackers move to newer ransomware like GandCrab, SamSam, and Spartacus.

Get a 1:1 demo to learn how to set up alerts to trigger on known ransomware variants like Cerber, recognize ransomware activity, and stop cyberattacks before it’s too late.