
Defend against cryptojacking attacks and protect your Infrastructure

Abstract

Category: Analytics and SIEM, Data Enrichment and Threat Intelligence, Forensic and Malware Analysis, Endpoint

Cyware Products Used:

  • Respond

  • Orchestrate

  • Intel Exchange

  • Collaborate

Third-Party Integrations Used:

  • Splunk SIEM: SIEM solution used to identify hits to the IOCs and to watchlist malicious IOCs.

  • CrowdStrike Falcon Endpoint Detection and Response: EDR solution used to detect cryptojacking attacks and block malicious IOCs.

  • Active Directory: CMDB database used to retrieve affected user details.

Problem Statement

Cryptojacking attacks have become highly prevalent because they have a low barrier to entry and offer high financial gains. Attackers gain access to devices and run crypto-mining malware with just a few lines of code, operating undetected in the background to mine cryptocurrency.

Attackers often bait users into clicking links in phishing emails and downloading cryptojacking malware to their devices.

Solution

Cryptojacking attacks targeting larger-scale enterprises cause more significant harm. The performance degradation caused by mining reduces business productivity, causing inefficiency and system crashes that lead to downtime and result in financial losses. Furthermore, expensive high-performance servers that are meant for critical operations become inefficient because their capacity is consumed by mining.

To proactively defend against cryptojacking attacks, Cyware offers a solution that automatically detects cryptojacking attempts and takes the necessary response actions.

[Figure: Defend against cryptojacking attacks and protect your Infrastructure (playbook workflow diagram)]

How do we solve this problem?

  1. Retrieve Cryptojacking Alerts: The solution starts by retrieving cryptojacking alerts from the endpoint detection and response (EDR) tool.

  2. Create Incident: The playbook extracts the indicators such as the host details, IP address, and user details, and creates an incident in Respond.

  3. Enrichment: The indicators and user details from the cryptojacking alerts are sent for enrichment.

    1. IOC Enrichment: The IOCs identified in the cryptojacking alert are sent to Intel Exchange for enrichment. Intel Exchange enrichment provides important details such as confidence scores, attack behavior, threat relationships, and more.

    2. Asset Enrichment: The asset identified in the cryptojacking alert is sent to the CMDB database for enrichment. After enrichment is completed, the hostname, asset group, system details, and user details are updated to the Respond incident.

  4. Retrieve SIEM Logs: The affected host details are sent to the SIEM tool to get all the recent logs for the affected host.

  5. Block IOCs: The malicious IOCs identified in the cryptojacking alert are blocked on the EDR and Firewall.

  6. Quarantine Asset: The playbook now sends a Collaborate crisis notification alert to the affected user asking for approval to quarantine the host.

    1. Approved: If the user approves the request, the asset gets quarantined by using the EDR tool.

    2. Rejected: If the user rejects the request, the playbook creates an action in Respond to quarantine the asset.

  7. Identify Hits to IOC: The playbook now checks the SIEM logs to determine whether any other user has already clicked or accessed the malicious IOC. If any other hits to the IOC are found, the playbook creates a new incident and initiates all the response actions again.
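As an added illustration (not Cyware's code, and not the CrowdStrike or Splunk integrations), the following Python model walks through steps 2 to 7 above for one alert: it blocks the IOCs, models the Collaborate approval prompt, and scans constructed SIEM log lines for other hosts that reached the same IOCs, re-running the response for each. All alert and log formats, hostnames and addresses are assumptions; a seen-host set keeps step 7 from re-triggering endlessly when two affected hosts point at each other.

```python
"""Minimal model of the cryptojacking playbook (added example, not product code)."""
from dataclasses import dataclass, field
import re

# Constructed sample EDR alert: one cryptojacking detection on one host.
EDR_ALERT = {
    "host": "ws-042", "user": "alice",
    "iocs": ["203.0.113.7", "pool.example-miner.invalid"],  # documentation-range values
}

# Constructed SIEM log lines in a Splunk-style key=value format (not real data).
SIEM_LOGS = [
    "host=ws-042 user=alice dest=203.0.113.7 action=allowed",
    "host=ws-017 user=bob dest=pool.example-miner.invalid action=allowed",
    "host=ws-099 user=carol dest=198.51.100.9 action=allowed",
]

@dataclass
class Incident:                       # stands in for a Respond incident
    host: str
    user: str
    iocs: list
    quarantined: bool = False
    actions: list = field(default_factory=list)

def parse_kv(line):
    return dict(re.findall(r"(\w+)=(\S+)", line))

def find_other_hits(iocs, logs, origin_host):
    """Step 7: hosts other than the alerting one that contacted any IOC."""
    hits = {}
    for rec in map(parse_kv, logs):
        if rec.get("dest") in iocs and rec.get("host") != origin_host:
            hits[rec["host"]] = rec.get("user", "")
    return hits

def run_playbook(alert, logs, approve):
    """Steps 2-7; `approve(host)` models the Collaborate quarantine prompt.
    Returns every incident created, including follow-ups from SIEM hits."""
    incidents, queue, seen = [], [alert], set()
    while queue:
        a = queue.pop(0)
        if a["host"] in seen:         # guard: each host handled once per run
            continue
        seen.add(a["host"])
        inc = Incident(a["host"], a["user"], list(a["iocs"]))
        inc.actions.append("block_iocs:" + ",".join(inc.iocs))        # step 5
        if approve(inc.host):                                          # step 6
            inc.quarantined = True
            inc.actions.append("edr_quarantine")
        else:
            inc.actions.append("respond_action:quarantine_pending")
        incidents.append(inc)
        for host, user in find_other_hits(set(inc.iocs), logs, inc.host).items():
            queue.append({"host": host, "user": user, "iocs": inc.iocs})  # step 7
    return incidents
```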

Benefits

Secure Infrastructure

The solution allows organizations to monitor, detect, and respond quickly to cryptojacking attacks, which can cause financial loss due to system downtime caused by component failure.

Going Beyond Incident Investigation

The playbook not only helps organizations respond to specific cryptojacking attacks but also captures the lessons learned from those incidents so that long-term strategic controls can be put in place. This helps organizations defend against future attempts by using the unique capabilities of the fusion center.

Faster Detection and Response Times

Cyberattacks on critical infrastructure components can cause severe damage to the data and intellectual property of an organization. Hence, an automated playbook plays an important role in countering the threat at machine speed instead of relying on slower, manual processes.