Ransomware Defense Using Forescout CounterACT – Part 3: Threat Detection


February 11, 2020

In 2019, ransomware attacks reached a crisis level in the United States and around the world. The scale and effect of ransomware is unprecedented in the history of the information age. It goes beyond a cybersecurity attack; it is a new type of crime that has never been seen before. Organizations of every type have been victimized – large and small, governments and corporations, schools and hospitals, non-profits and universities. Over 1000 U.S. public schools were impacted by ransomware in 2019.

Within mere moments ransomware can change organizations and people’s lives for the worse. Disaster can strike as fast and simply as the opening of an email attachment. The Heritage Company, a telemarketing company with 300 employees, laid off most of its staff days before Christmas after its business was crippled by ransomware. It was unable to resume normal business operations even after paying the ransom.

All Internet-connected organizations should be urgently working to improve their defenses. This should be of the highest priority for every organization. No one is immune or invulnerable to ransomware. Everyone is a target. Organizations need to defend themselves. There is almost no chance that the bad guys will get caught or face any repercussions for their actions. They will only stop when attacks become difficult to carry out successfully or become unprofitable. Currently, ransomware is low investment and low risk with a high reward and no negative consequences for the bad guys.

This article is the third in a series detailing Forescout CounterACT as a tool to protect and defend against ransomware. The first article can be found here. At its core, CounterACT is a network access control (NAC) solution that, due to its agentless capabilities, can see, control and respond to all managed and unmanaged devices on the network. It provides an accurate device inventory, continuous compliance enforcement, policy-based access control and rapid response to security incidents. Using CounterACT can be a preventative as well as a reactive solution for ransomware.

CounterACT: See, Control and Respond
  • Agentless
  • Sees all network-connected devices
  • Provides real-time and continuous visibility
  • Integrates with EDR solutions to detect and respond to IOCs
  • Detects ransomware with custom IOCs and policy templates
  • Contains infected devices quickly and automatically

I discussed leveraging CounterACT to ensure anti-virus compliance in Part 2 of this series, but Forescout can detect threats even when an endpoint solution is not installed. Forescout integrates with the leading cybersecurity solutions and can share and search for indicators of compromise (IOCs). Through its endpoint visibility, CounterACT can also detect devices that are already infected and devices that are exposed to specific attacks. Forescout periodically releases pre-made CounterACT policy templates to identify compromised devices or those with the potential to be compromised.

If a device has an IOC detected by one of the leading EDR solutions, that IOC can be shared instantly with Forescout CounterACT. The NAC solution can then quickly search the devices that are missing the EDR agent for the same IOC. CounterACT’s sharing is even bi-directional: it can share an IOC detected by one endpoint solution with another. If a PC has been compromised, CounterACT can quarantine the device, initiate remediation workflows or automate the remediation by killing the processes associated with the threat. We will detail all the possible CounterACT response actions in future parts of this series on ransomware defense.

Forescout can also control which devices join the network through pre-access and post-access checks. CounterACT determines whether new devices, and even BYOD devices, are infected with known IOCs or threats. Corporate devices can be infected while they are away from the office – in a coffee shop, a hotel or an employee’s home. The NAC can scan returning devices when they attempt to join the network to determine whether they have been compromised.

The same endpoint scanner that integrates with EDR solutions such as CrowdStrike and FireEye to automate detection and response can also be used to detect custom IOCs. The scan can search for specific registry settings, DNS queries or Mutex IOCs. In a later part of this series, we will examine detecting the presence of malicious software using Forescout CounterACT.
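As an added illustration (not Forescout code; CounterACT’s actual API is not shown in this article), the following Python models the workflow described in the two passages above: an EDR integration reports an IOC, the NAC searches only the devices that lack the EDR agent for the same indicator across the registry, DNS-query and mutex IOC types, quarantines the matches, and forwards the IOC to the other integration. The device names, the integration names EDR-A and EDR-B, and the IOC values are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    """One inventoried endpoint; the three sets hold the custom IOC types named above."""
    name: str
    has_edr_agent: bool
    registry_keys: set = field(default_factory=set)   # e.g. persistence Run keys observed
    dns_queries: set = field(default_factory=set)     # domains the host resolved
    mutexes: set = field(default_factory=set)         # named mutexes seen on the host

@dataclass(frozen=True)
class Ioc:
    kind: str    # "registry", "dns" or "mutex"
    value: str
    source: str  # the EDR integration that reported it (placeholder names below)

def device_matches(dev: Device, ioc: Ioc) -> bool:
    """Does this device carry the indicator? Unknown IOC kinds are rejected, not silently ignored."""
    fields = {"registry": dev.registry_keys, "dns": dev.dns_queries, "mutex": dev.mutexes}
    if ioc.kind not in fields:
        raise ValueError(f"unknown IOC kind: {ioc.kind}")
    return ioc.value in fields[ioc.kind]

def scan_agentless(inventory, ioc: Ioc):
    """The NAC step: search only devices that are missing the EDR agent for the shared IOC."""
    return sorted(d.name for d in inventory
                  if not d.has_edr_agent and device_matches(d, ioc))

def respond(inventory, integrations, ioc: Ioc):
    """Quarantine agentless hits and forward the IOC to every integration except its source."""
    return {
        "quarantine": scan_agentless(inventory, ioc),
        "share_with": sorted(i for i in integrations if i != ioc.source),
    }

# Constructed inventory: PC-01 runs the EDR agent (it raised the alert); the
# other three have no agent and would otherwise go unchecked for this IOC.
INVENTORY = [
    Device("PC-01", True, mutexes={"Global\\example-ransom-mutex"}),
    Device("PC-02", False, mutexes={"Global\\example-ransom-mutex"}),
    Device("PC-03", False, dns_queries={"payment-portal.example.invalid"}),
    Device("TAB-04", False),  # BYOD tablet, clean
]
INTEGRATIONS = ["EDR-A", "EDR-B"]  # placeholder names for two integrated EDR products

if __name__ == "__main__":
    alert = Ioc("mutex", "Global\\example-ransom-mutex", source="EDR-A")
    print(respond(INVENTORY, INTEGRATIONS, alert))
```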

Security Policy Templates use existing Forescout functionality to detect, evaluate and respond to vulnerabilities and threats, speeding up and simplifying the network response. Using these templates, CounterACT can find devices that are vulnerable to ransomware threats such as those based on the EternalBlue exploit. Once detected, the vulnerable devices can be contained and remediated automatically.

Threat detection is just one aspect of Forescout’s powerful ransomware defense. In the next article, we will examine how CounterACT can quarantine vulnerable devices and contain infections.

Is your organization prepared for a ransomware attack? If not, contact me at ghedge@castleventures.com.