The Security Operations Center at Net Friends regularly assesses various forms of malicious software and known attack methods. This helps hone their detection skills and improve defensive and response measures. One of our company values is Sharing Knowledge, so we offer this explainer to help other small and mid-sized businesses design their own strategies to protect against, and respond to, ransomware like Maze.
What is Maze?
The security vendor Tripwire describes Maze as “a particularly sophisticated strain of Windows ransomware that… also steals the data it finds and exfiltrates it to servers controlled by malicious hackers who then threaten to release it if a ransom is not paid.”
Maze will make its way into your network via these primary delivery methods:
- Via email attachment
- In a Microsoft Word document
- As a website link
- Through a compromised workstation management agent (remember the SolarWinds attack?)
How to Prevent Attacks?
A successful prevention strategy must address all possible known vectors for the malware. Net Friends recommends a “defense in depth” strategy of multiple overlapping systems to protect against Maze.
For example, a defense in depth strategy should include:
- Email security policy enhancements
- Security software that scans all attachments and embedded links
- DNS records, such as DKIM, that enhance email security
- Regular security training
Unfortunately, attackers keep innovating and finding new schemes to thwart preventative measures. What’s more, when your preventative measures fail, your organization must be ready to act to contain the malicious code within seconds. As a ransomware attack begins delivering its malicious payload, it will spread faster than humans can react. By the time a security analyst is investigating a suspicious log entry, Maze has already compromised multiple systems and is trying to exfiltrate data.
The only effective response strategy is automation. Network administrators must automate the process of detecting suspicious activity, matching it to a known attack pattern, and isolating the systems or applications thought to be compromised. This strategy is known as MDR: Managed Detection and Response.
How Can MDR Block Maze Ransomware?
Companies using Managed Detection and Response to block Maze should look at four main tactics:
1. Configure policies on firewalls that watch for IoCs, or Indicators of Compromise, that signal when a Maze infection is in progress. For example, at the time of writing, Net Friends is tracking more than 48 IoCs related to Maze. If the firewall detects an IoC, it should shut the connection down, preventing Maze from contacting its “command and control” servers.
2. Deploy EDR (Endpoint Detection & Response) agents on laptops and desktops. These agents continually watch for the suspicious patterns of computer activity that are the indirect evidence of infection by a new variant of Maze. If such a pattern is detected, isolate that endpoint from the network until your Security Operations Center can investigate.
3. Coordinate tactics 1 and 2 using SOAR tools (Security Orchestration, Automation, and Response) that are integrated into your network. Your SOAR platform should incorporate the latest updates on Maze gathered from sources like MITRE ATT&CK, Palo Alto’s Threat Brief and FireEye’s Threat Research.
4. Develop “playbooks” for a potential Maze attack to improve your response time and effectiveness. Verify your playbooks using Breach and Attack Simulation (BAS) software.
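As an added illustration (not Net Friends' own tooling or playbook), the Python sketch below shows how the first three tactics above fit together: constructed firewall, DNS and EDR events are matched against placeholder indicators and turned into an ordered list of containment actions. The indicator values, the key=value event format, the "dns" event source, the EDR pattern labels and the action names are all assumptions made for this example.

```python
import ipaddress

# Constructed placeholders (documentation range, reserved TLD, made-up
# EDR pattern labels). These are NOT real Maze IoCs or vendor rule names.
IOC_NETS = [ipaddress.ip_network("203.0.113.0/24")]
IOC_DOMAINS = {"c2.example.invalid"}
EDR_PATTERNS = {"mass_file_encryption", "bulk_outbound_upload"}

# Constructed sample events, one key=value record per line.
SAMPLE_EVENTS = """\
src=fw host=10.0.0.5 dst=198.51.100.7 action=allow
src=fw host=10.0.0.8 dst=203.0.113.44 action=allow
src=dns host=10.0.0.8 query=C2.Example.Invalid.
src=edr host=10.0.0.9 pattern=mass_file_encryption
src=fw host=10.0.0.8 dst=not-an-ip action=allow
"""

def parse(line):
    """Split 'k=v k=v' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def is_ioc(event):
    """Return the matched indicator string, or None."""
    if event.get("src") == "fw":
        try:
            addr = ipaddress.ip_address(event.get("dst", ""))
        except ValueError:
            return None  # malformed field: do not match, do not crash
        return str(addr) if any(addr in n for n in IOC_NETS) else None
    if event.get("src") == "dns":
        name = event.get("query", "").rstrip(".").lower()
        return name if name in IOC_DOMAINS else None
    if event.get("src") == "edr":
        pat = event.get("pattern")
        return pat if pat in EDR_PATTERNS else None
    return None

def run_playbook(log_text):
    """Map events to ordered, de-duplicated containment actions."""
    actions = []
    for event in map(parse, log_text.splitlines()):
        hit = is_ioc(event)
        if hit is None:
            continue
        steps = [("isolate_endpoint", event.get("host"))]
        if event["src"] != "edr":  # network IoC: cut the C2 path first
            steps.insert(0, ("block_destination", hit))
        actions += [s for s in steps if s not in actions]
    return actions
```

In a real deployment the returned actions would be handed to the firewall and EDR integrations of the SOAR platform rather than collected in a list.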
What’s the Next Step?
If you want more information on MDR, or are considering ways to implement MDR as part of your broader security strategy, please contact Net Friends. When you enroll in MDR services with Net Friends, you can trust that no matter how an attack begins on your network, it will be terminated on our watch with unmatched speed and thoroughness. Our team of security analysts and experts, along with our top-tier tools and playbooks, are the most important protection your business needs to keep your data and reputation safe.