Evolve Your Ransomware Defense: Why EDR Needs NDR

Ransomware is once again making headlines, and once again, it’s wreaking havoc on the healthcare industry with the February 2024 BlackCat/ALPHV ransomware attack on Change Healthcare. The Change Healthcare Platform is one of the largest health information exchange (HIE) platforms in the US, managing 15 billion claims a year, totaling over $1.5 trillion. The impact of this ransomware attack has been widespread chaos: physicians and hospitals were unable to manage and issue prescriptions and healthcare procedures, pharmacies were unable to get information and properly fill prescriptions, individuals couldn’t access their patient portals to contact their doctors or pick up their medication. Ultimately, security researchers found out that a payment of 350 bitcoins, worth $22 million was made to BlackCat/ALPHV, and Change Healthcare estimates that their operations will be fully restored by mid-March.

This exploit highlights that organizations, particularly in high-impact industries like healthcare, face a constant battle to protect their assets from malicious actors. As cybersecurity attacks continue to evolve in complexity and new risks like cryptojacking and AI-enhanced attacks are seen more and more; ransomware has been plaguing businesses for 30 years and remains a significant threat, with attackers being strategic about selecting targets - such as data-rich healthcare organizations.

Modern ransomware varies in the type of encryption threat actors use, the scale of data they encrypt, and the capacity for the ransomware to spread between computers. While the tactic of ransomware has existed for decades, it’s become increasingly sophisticated, with more advanced encryption, new vectors for infection, and the ability to leverage network exploits to infect additional hosts. This means newer ransomware attacks can go beyond encryption and data theft to fully being able to breach your network infrastructure and wreak widespread havoc.

The Relentlessness of Ransomware

Ransomware (defined as the breaching of business-critical systems and assets with the goal of encrypting them and holding them for ransom) is big business for cybercriminals - and a huge risk for public- and private-sector organizations. According to the report, “The State of Ransomware 2023” from Sophos, 66% of organizations were affected by ransomware last year, and the average cost of a ransomware attack hit $5.13 million, according to the 2023 “Cost of a Data Breach Report” from IBM Security (though ExtraHop research suggests that the true, long-term cost of a ransomware attack is likely much higher).

Two critical tools in this fight against ransomware are endpoint detection and response (EDR) and network detection and response (NDR). While both serve distinct purposes, when integrated, they form a formidable defense against threats like ransomware.

The Role of EDR and NDR in Ransomware Defense

At the heart of EDR lies the protection of individual devices within a network. EDR solutions are deployed on endpoints such as desktops, laptops, servers, and mobile devices. They continuously monitor these endpoints for suspicious activities, unauthorized access attempts, or any behavior indicative of a potential threat.

Key capabilities of EDR include:

• Real-time monitoring: EDR tools actively monitor endpoint activities in real-time, allowing for immediate detection of anomalous behavior.
• Threat hunting: They enable security teams to proactively search for indicators of compromise (IOCs) and potential threats across endpoints.
• Incident response: EDR solutions facilitate rapid response to ransomware by providing detailed insights into the nature and scope of an attack.

NDR, on the other hand, focuses on monitoring and analyzing network traffic to identify malicious activities and potential threats on the network. By applying behavioral analytics and machine learning to network traffic, NDR solutions can detect anomalies, malicious payloads, and unauthorized communications. It’s uniquely capable of uncovering attacker behaviors from the network and providing visibility via the network, something other security tools are not designed to do.

Key capabilities of NDR include:

• Traffic analysis: NDR tools analyze network traffic to identify unusual patterns or suspicious activities associated with ransomware, such as Cobalt Strike beaconing, lateral movement, command and control communications, data staging, and data exfiltration.
• Behavioral analysis: They employ machine learning algorithms to detect deviations from normal network behavior, flagging potential threats even in encrypted traffic.
• Threat intelligence integration: NDR solutions leverage threat intelligence feeds to enhance detection capabilities and identify known malicious entities.

Beyond these key capabilities, NDR platforms provide organizations with an essential safety net with:

• Passive monitoring: Passive monitoring uses real and holistic network data and larger data volumes for the clearest insight into your network status. You can use passive monitoring to analyze trends in traffic and network utility, with specific insight into particular connections, data sets, time periods, and more.
• Decryption: Decrypting network communications helps security leaders confidently detect and respond to many common threat behaviors, with insight into database traffic or the encrypted portion of Kerberos, MS-RPC, and other Microsoft protocols.
• Advanced behavioral analysis (i.e. AI/ML): Machine learning and cloud-scale AI allow organizations to better detect, prioritize, and surface threats.

While EDR and NDR each provide valuable insights into different aspects of ransomware and other threats, and can be a powerful integration. By combining endpoint and network visibility, organizations gain a comprehensive understanding of their security posture and can detect threats more efficiently and effectively. A commissioned study conducted by Forrester Consulting on behalf of ExtraHop found that a composite organization representative of interviewed customers revealed that RevealX decreased time to threat detection by 83% and time to threat resolution by 87%.

Developing operational resilience to risk with NDR

Ransomware attacks often involve multiple stages, starting with the initial compromise of an endpoint and culminating in the encryption (and potential exfiltration) of critical data. EDR works to detect the early stages of an attack, such as malicious file downloads or suspicious attempts to execute code on endpoints.

However, with threat actors increasingly finding ways to disable or otherwise evade EDR tools, NDR platforms provide organizations with an essential safety net for ransomware attacks. Sophisticated NDR platforms detect the post-compromise behaviors that take place on the network and that signal a ransomware attack well before it’s too late. For example, during a ransomware attack, threat actors often use PowerShell, a legitimate command-line interface and scripting tool in Microsoft Windows, to prompt the remote launch of a Cobalt Strike beacon, which then allows them to establish communications with a command and control (C2) server. This is one of a number of behaviors associated with ransomware attacks that NDR tools can detect.

By integrating EDR and NDR, organizations can:

• Detect ransomware attacks at multiple points in the kill chain, from initial infection to data exfiltration and nearly every stage in between.
• Respond quickly to contain and stop the attack, thereby mitigating the risk of data loss and business disruption.
• Gain visibility into the entire attack surface, including endpoints and network traffic, enabling more effective threat hunting and incident response.

By taking a network-based approach, NDR can fill critical visibility and coverage gaps, particularly when it’s often impossible to get an agent on every endpoint and when attackers employ workarounds. This is because every asset, whether in the cloud or the on-premises data center, uses the network to communicate. That makes NDR the ultimate source of truth for cloud and hybrid security.

With RevealX organizations can achieve complete situational awareness and 360-degree cyberthreat visibility across the entire hybrid attack surface, from on-premises to multi-cloud to distributed workforces and operations.

EDR and NDR are indispensable components of a comprehensive cybersecurity strategy. By working together, they provide organizations with the visibility, insights, and capabilities needed to defend against sophisticated threats like ransomware and safeguard their mission critical assets.

In our upcoming webinar “The Anatomy of a Ransomware Attack, Revealed”, ExtraHop security experts will walk through each step of a ransomware attack to showcase how RevealX can stop the attack in its tracks, no matter where it's found on the network. See the power of RevealX in action here.