Hot Trend 2018: Cryptojacking - Three Steps to Determine if your Business is Already Compromised
Cryptojacking means that attackers take over your computers, servers and other infrastructure without your knowledge and then misuse the computing power for their own ends. In practice this means mining digital currency (such as Bitcoin) to generate income for the attacker.
Such an attack is insidious because, on the one hand, the victims notice it only indirectly, if at all, for example through slower devices. On the other hand, the consequences are manifold and often indirect: higher electricity bills, disruptions in operational processes and delayed procedures all add up to high costs.
This type of attack is currently gaining popularity fast, with more than 3 million attacks counted between January and May 2018 (Source).
Attackers use three techniques to disguise the activity as far as possible:
- The use of encrypted traffic
- The use of random intervals between communications
- Hiding within large amounts of data
Cryptojacking is particularly attractive for attackers because the processes are very difficult to detect. The next article will explain why this type of attack has become much more popular than ransomware was a year ago.
How can companies detect and ultimately prevent the use of cryptojacking?
We show three steps to help:
- Know what happens in the network
- Identify conspicuous behavior in network traffic
- Make rules to prevent abuse
#1 How can you determine today what actually flows through your data lines?
There are many different ways to get an overview of what is actually going on in the corporate network. One is to evaluate log data and events with a SIEM system. In an earlier article we described in detail why this is only of limited use for uncovering processes that run extremely well hidden.
In a nutshell: it is not enough to rely on log data and metadata. Distributed network sensors, together with the automated capture and evaluation of every data packet, are fundamental to a cyber defence strategy.
#2 You have the full picture; how do you spot what is conspicuous?
In the case of cryptojacking it is particularly important to perform an intelligent behaviour analysis of the network traffic. This is done with network probes that evaluate the traffic continuously and down to the smallest detail, while consuming few resources themselves.
"Identifying connections to conspicuous domains as well as abnormal patterns and behavior - especially in encrypted traffic - is the most effective way for us today to find out about secret crypto miners," says Dominique Petersen, head of Advanced Threat Detection at finally safe. An example of suspicious behaviour is client systems that show a persistently high CPU load at night and suddenly establish many unusual network connections.
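As an added illustration of the heuristic just described (this is example code written for this page, not code from the original article and not finally safe's product), the following Python script applies two rules to constructed telemetry: a host must show persistently high CPU load during night hours, and it must contact a burst of destinations that are absent from its baseline within a short window. Counting distinct new destinations over a sliding window, rather than looking for a fixed beacon period, is what makes the check robust against the random intervals mentioned above, and it needs only connection metadata, so encrypted traffic does not hide it. The host names, addresses, record formats, night hours and all thresholds are assumptions for the sake of the example.

```python
"""Flag hosts that combine night-time CPU load with a burst of new destinations."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; a real deployment would derive them from a baseline period.
NIGHT_HOURS = range(0, 6)        # 00:00-05:59 counts as "night"
CPU_THRESHOLD = 85               # percent
CPU_MIN_FRACTION = 0.8           # share of night samples that must exceed the threshold
WINDOW = timedelta(hours=1)      # sliding window for counting new destinations
MIN_NEW_DESTINATIONS = 5         # distinct non-baseline destinations within WINDOW

# Constructed sample telemetry (not real data): (host, ISO timestamp, cpu percent)
CPU_SAMPLES = [
    ("ws-017", "2018-05-14T02:00:00", 96), ("ws-017", "2018-05-14T02:15:00", 98),
    ("ws-017", "2018-05-14T02:30:00", 97), ("ws-017", "2018-05-14T02:45:00", 95),
    ("ws-088", "2018-05-14T02:00:00", 90), ("ws-088", "2018-05-14T02:15:00", 92),  # nightly backup job
    ("ws-088", "2018-05-14T02:30:00", 91), ("ws-088", "2018-05-14T02:45:00", 89),
    ("ws-042", "2018-05-14T02:00:00", 10), ("ws-042", "2018-05-14T02:30:00", 8),
    ("ws-042", "2018-05-14T14:00:00", 95),  # daytime load, ignored by the night rule
]

# Constructed connection records from a hypothetical sensor: (host, ISO timestamp, dst_ip, dst_port)
FLOWS = [
    ("ws-017", "2018-05-14T02:03:00", "203.0.113.10", 443),
    ("ws-017", "2018-05-14T02:07:00", "203.0.113.11", 443),
    ("ws-017", "2018-05-14T02:19:00", "203.0.113.12", 443),
    ("ws-017", "2018-05-14T02:20:00", "10.0.0.5", 443),      # known destination
    ("ws-017", "2018-05-14T02:31:00", "203.0.113.13", 443),
    ("ws-017", "2018-05-14T02:44:00", "198.51.100.7", 443),
    ("ws-017", "2018-05-14T02:52:00", "203.0.113.14", 443),
    ("ws-088", "2018-05-14T02:05:00", "10.0.0.9", 445),
    ("ws-088", "2018-05-14T02:10:00", "10.0.0.9", 445),
    ("ws-042", "2018-05-14T14:02:00", "203.0.113.50", 443),
    ("ws-042", "2018-05-14T14:30:00", "10.0.0.5", 443),
]

# Assumed per-host baseline of destinations learned during normal operation.
BASELINE = {
    "ws-017": {"10.0.0.5:443"},
    "ws-088": {"10.0.0.9:445"},
    "ws-042": {"10.0.0.5:443"},
}


def _ts(value):
    return datetime.fromisoformat(value)


def hosts_with_night_cpu_load(cpu_samples, threshold=CPU_THRESHOLD, min_fraction=CPU_MIN_FRACTION):
    """Hosts whose night-time CPU samples are above the threshold most of the time."""
    night = defaultdict(list)
    for host, ts, cpu in cpu_samples:
        if _ts(ts).hour in NIGHT_HOURS:
            night[host].append(cpu)
    flagged = set()
    for host, values in night.items():
        high = sum(1 for v in values if v >= threshold)
        if values and high / len(values) >= min_fraction:
            flagged.add(host)
    return flagged


def hosts_with_new_destination_burst(flows, baseline, window=WINDOW, min_new=MIN_NEW_DESTINATIONS):
    """Hosts that contact at least min_new non-baseline destinations inside any sliding window.

    Only the count of distinct new destinations matters, so jitter between the
    individual connections does not evade the rule.
    """
    new_events = defaultdict(list)
    for host, ts, dst_ip, dst_port in flows:
        dst = f"{dst_ip}:{dst_port}"
        if dst not in baseline.get(host, set()):
            new_events[host].append((_ts(ts), dst))
    flagged = set()
    for host, events in new_events.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {dst for t, dst in events[i:] if t - start <= window}
            if len(seen) >= min_new:
                flagged.add(host)
                break
    return flagged


def cryptojacking_suspects(cpu_samples, flows, baseline):
    """Hosts that match both indicators; either one alone produces false positives."""
    return hosts_with_night_cpu_load(cpu_samples) & hosts_with_new_destination_burst(flows, baseline)


if __name__ == "__main__":
    print("night CPU load:", sorted(hosts_with_night_cpu_load(CPU_SAMPLES)))
    print("new-destination burst:", sorted(hosts_with_new_destination_burst(FLOWS, BASELINE)))
    print("suspects:", sorted(cryptojacking_suspects(CPU_SAMPLES, FLOWS, BASELINE)))
```

On the sample data, ws-088 is busy at night but only talks to its baseline (a backup job looks like this), and ws-042 contacts one new destination during the day; only ws-017 matches both rules. Treat the result as a triage list for the manual examination described in step #3, not as proof of infection.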
#3 You have the overview and the anomalies; how do you prevent a recurrence?
Once suspicious systems have been identified, they must be examined carefully. A crypto miner can be deeply embedded in the affected system and must be removed completely. Then it must be established how the infection happened. Often the attackers exploited vulnerabilities in outdated browsers or other unpatched software, which should be updated and fixed as a matter of urgency.
With today's tools and techniques you can counter not only crypto miners but also many other current and future attacks. Alongside organisational measures and standards such as ISO 27001, the use of state-of-the-art technical solutions is an essential component of an IT security strategy.
Do you have any questions about the above examples? Please contact us via our request form!