On Agent: On Time. Every Time.

How deep is your love? How high is the sky? How long is a minute?

We can answer the third one: In the case of Maze ransomware, it’s plenty of time to encrypt tens of thousands of files. Unfortunately, if a business relies on the cloud, for virus signatures or reputation lookups, time is “the biggest gotcha,” according to SentinelOne Senior Threat Researcher Jim Walter.

“Time is a big, sprawling thing,” Walter says. “Even if you’re talking fractions of a second, that’s still plenty of time for bad stuff to keep happening while the machine is trying to make a decision on what’s good or bad.”

Cooking Your Goose Takes a Fraction of a Second

It can be hard to imagine how much damage can occur in 1 minute. In one test, SentinelOne’s Labs recorded 23,969 events triggered by Maze within the span of a mere 60 seconds. Each one of those events is a file being encrypted in preparation for attackers holding a virtual gun to a kidnapped company’s head and demanding a ransom to unlock its data. All this damage underscores why local protection models—as in, those that are located on endpoints and don’t need to pause to fetch marching orders from the cloud—are superior to products that suffer from cloud lag and the dwell time it grants attackers.

Maze is one of many examples that show how and why local endpoint agents are crucial to neutralizing high-velocity attacks. Whereas some EPP (Endpoint Protection) and EDR (Endpoint Detection and Response) technologies have to remote-shell into endpoints and fix them with scripts, SentinelOne’s technology tracks and contextualizes everything on a device, identifying malicious acts in real-time and automating the required responses with local AI (artificial intelligence) agents on every endpoint. They can connect to the cloud, but they don’t have to: the local agents don’t need to be slowed down by that back-and-forth, freeing them from the lag time it takes to check in with the cloud to find out what to do.

Why On Time Matters: To Avoid Getting CryptoWalled

CryptoWall ransomware is an example of how an unknown malware can pop up and use fileless techniques to bypass traditional defenses. Before it encrypted anything, it started by deleting volume shadow copies to make sure that there was no way to recover encrypted files. VSS (Volume Shadow Copy Service) is a built-in Windows feature that can be used to create backup copies or snapshots of files and volumes, even when they’re in use. SentinelOne has also seen malware that disables VSS by using WMI (Windows Management Instrumentation) to evade detection by AV signatures. It’s not just CryptoWall: in fact, deleting shadow copies is a common technique used by ransomware.

In such a situation, local agents beat out cloud-reliant models because they don’t have to rely solely on AV signatures. Rather, they can carefully monitor processes and interrelationships in order to sniff out malicious behavior—including the noxious behavior of nuking shadow copies.

Why Local Matters: To Sniff Out LOLers

More recently, other fileless techniques have cropped up to bypass traditional defenses. A year ago, we saw a new malware threat—Nodersok/Divergent—that downloaded its own LOLBins (Living Off the Land Binaries). LOLBins are non-malicious binaries that researchers or cyber criminals have discovered can be used to hide their tracks and evade cyber defenses.

In September 2019, thousands of machines were infected by the Nodersok malware, which downloaded and installed a copy of the Node.js framework to convert infected systems into proxies and perform click-fraud. It might not sound all that serious, but the fact that its creators managed to infect so many systems means that they could also have pivoted to deploy other, more dangerous modules, such as ransomware or banking Trojans.

Ebook: Understanding Ransomware in the Enterprise
This guide will help you understand, plan for, respond to and protect against this now-prevalent threat. It offers examples, recommendations and advice to ensure you stay unaffected by the constantly evolving ransomware menace.

Why On-Device Detection Matters: Ramsay Trojan’s Air-Gap Skipping

One of the most recent examples of why on-device detection beats cloud reliance comes in the form of the Ramsay Trojan: malware that emerged in late 2019 with a focus on both persistence and data exfiltration from air-gapped systems.

As SentinelOne’s Walter says in his May 2020 writeup of the new malware, (ongoing) analysis suggests that the malware “was developed for advanced targeted campaigns by a threat actor primarily interested in organizations trying to protect the most sensitive of information.” But, he emphasizes, as is often the case with specialized malware, there’s once again the chance that it will pivot to focus on new targets.

Regardless of it being a novel threat, SentinelOne protects against Ramsay. “Even when the network is disconnected such as with an air-gapped device, the SentinelOne agent will detect the malware locally on-device,” Walter says. This video shows how it works:

SentinelOne vs Ramsay Trojan

What Happens When Clouds Evaporate?

Besides the time factor, some attackers directly target cloud connectivity itself. Migo Kedem, SentinelOne’s Senior Director of Products & Marketing, says the company has seen examples of malware that can actually disconnect its targets. While SentinelOne’s local models can use connectivity, it’s a relief that they’re not dead in the water without it. “If the connection is lost, SentinelOne would offer protection in a very similar, though not identical, way,” he says. “We use connectivity when it’s available, primarily to save resources as you don’t need to analyse something that’s already known. But unlike other products, we don’t rely on connectivity to protect the device. Known or unknown, connected to the cloud or not, the local agent will do the work of detecting and protecting against attacks.”

Here’s how it works: Pre-execution, SentinelOne’s single, local agent replaces traditional virus signatures with a Static AI engine to provide protection. It doesn’t stop there. Even if the threat isn’t recognized, SentinelOne’s Behavioral AI engines track all processes and their interrelationships, regardless of how long they’re active. When an agent detects malicious activities, it responds automatically, at machine speed. The local engine is vector-agnostic: it works with file-based malware, scripts, weaponized documents, lateral movement, fileless malware, and even zero-days.

Finally, post-execution, SentinelOne’s ActiveEDR—the behavioral AI model—provides rich forensic data and can mitigate threats automatically, perform network isolation, and auto-immunize the endpoints against newly discovered threats. As a final, last safety measure, SentinelOne can even roll back an endpoint to its pre-infected state.

Go Local to Avoid Getting Hosed

Not to beat a dead horse, but it’s important to emphasize that time matters. A lot.

Any modern ransomware can completely F-up a disk in half a minute,” says SentinelOne’s Walter. “If [any cloud-based protection] response was in a minute, you could be completely hosed.”

Another regrettable aspect of cloud reliance is that “the bad guys are smart,” Walter says. They know how to use antivirus products just like the good guys do. Attackers will take the time to test a given service, whether it’s homegrown protection or otherwise. “If they’re able to do those tests, which predominantly require vendors or services to have cloud lookup mechanisms or API functionality, the bad guys will take advantage of that and, say, not release malware until it can pass those models.”

You don’t want to give the bad guys the time they need to do what they do, whether it’s encrypt files, exploit dwell time by infiltrating other parts of the network, plant spyware, wipe out your VSS shadow copies, deploy secondary malware, or test out whatever AV system you’ve rigged up.

You want local agents because that precious time should be spent stopping attacks before they wreak havoc. You want to spend that time fixing whatever attackers do manage to assault. In short, you want local agents so you can have what the CIA has so memorably referred to as “a colossal pain in the posterior” for attackers.