Networks can’t afford lockdowns: Identifying cyber-threats before they become endemic

Stephan Klokow portrait

By Stephan Klokow
Published on: 11.01.2021

Reading time: ( words)
Categories: Network security

Almost three months ago, a massive Ryuk attack was carried out on over 250 US health care centers and hospitals1, preventing access to electronic health records, critical technologies and patient transfers. Ryuk is a human-operated strain of ransomware that encrypts a device’s data and disables Windows Defender, Microsoft Windows System Restore and network backup services so that without an external backup, device owners have to pay a ransom to hackers to decrypt and restore their files and applications. While Universal Health Services (UHS) reported that systems had been restored by the next day, they did not disclose if any ransom was paid to the attackers and many hospitals had, by then, resorted to using paper records and had to transfer critical patients to other nearby hospitals.

In October, Software AG, a German software conglomerate, was hacked by the Clop group. A week after Software AG refused to pay up a whopping USD23 million in ransom, customer and employee information was found to have been leaked by Clop onto the dark web.

Just last month, US cybersecurity firm FireEye itself was hit by what it suspects to be a state-sponsored cyberattack. The attackers were looking to steal information on FireEye’s government clients and had successfully stolen some of FireEye’s Red Team tools – tools it used to simulate actual cyber-attacks to evaluate organizations’ security readiness.

The start of an attack

Most attacks aim for the end user as their point of attack; in other words, the attack begins with a human error. Phishing, the act of luring individuals to perform an action or provide sensitive data by disguising oneself as a reputable source, is one such method. A research by Trend Micro found that phishing was the precursor to 91 % of cyberattacks1. In the Ryuk attack for instance, it was suspected that Emotet, a ransomware loader that made way for Ryuk to be installed, gained access to hospitals’ IT systems through phishing emails sent to hospital staff that were laden with malicious JavaScripts, links, programs or macro-enabled documents and spreadsheet files.

Once an attack has gained access to the system, it spreads laterally via the local network or application cloud. Once Emotet has been loaded, a malware-as-a-service or access-as-a-service program such as Trickbot is installed. Both Trojans then spread to as many devices as they can within the same network, looking for sensitive data that can be sold or making way for ransomware such as Ryuk to be deployed.

Other attacks directly target servers with weak security controls. These include denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, brute-force password attacks and misconfiguration attacks. Some attacks, such as SQL injections, leverage code that doesn’t sanitize user inputs before executing them, giving hackers access to a website’s entire database.

Given this multitude and variety of cyber-attacks, we can clearly deduce that no component of an IT infrastructure, from the end user to the network and the server, is spared from the possibility of cybercrimes.

SaaS and remote-working

Of course, some organizations are more vulnerable than others. Organizations heavily reliant on software as a service (SaaS) and cloud applications, such as OneDrive and Dropbox, have a higher risk as these applications sync file systems across many devices, thus speeding up a malware or ransomware’s lateral spread by syncing a malware-infected file on one device with other devices and then encrypting the files on other devices.

The ongoing pandemic has only exacerbated the situation. 90 % of IT leaders surveyed said they experienced an increase in cyber-attacks due to the pandemic. This can mostly be attributed to the sudden shift to remote working, which caused significant delays in the deployment of new security projects as IT teams struggled to manage overloaded VPNs and a host of personal devices that needed to be patched remotely. While physical shops and factories went into lockdown, the cyber-world kept its doors open as activities shifted online and data traffic surged on all ends.

As a result, according to Atlas VPN, average ransom payouts increased by 178 % from Q4 2019 to Q3 20202. To avoid having to fork out hundreds of thousands in ransom payments and damage costs, organizations will continue to invest in security solutions including next-generation firewalls, unified threat management systems, intrusion detection and prevention systems, network access controls, web filters, anti-virus and anti-malware software.

The role of DPI

One of the most pivotal functions in any security solution is deep packet inspection (DPI). The DPI engine R&S®PACE 2 boasts the ability to identify, classify and extract metadata from IP traffic in real time, enabling the detection of threats and malicious activity in the network as they spread. With its weekly-updated signature library, the engine can perform a fine-grained extraction of all content information, applications and services passing through a network to identify any suspicious patterns or behavior.

In the case of the Ryuk attack, for instance, the ability to detect the ransomware as it spread through the hospital’s local network or even better, to detect it before it was accessed by the first hospital device, would have been invaluable.

DPI can be deployed as a standalone network function or as a built-in component of an existing network security solution such as an IPS or IDS. It can be deployed as a proprietary appliance or as a software on a virtualized platform, and it can be installed anywhere – in the cloud and on premises, supporting not just traditional environments, but also emerging corporate network models such as the secure access service edge (SASE) and cloud-native container networks.

Cyber-attacks are taking increasingly ‘creative’ and unpredictable shapes. Take deepfakes, for instance, where a video or audio is convincingly altered to manipulate human speech. Ransomware attacks alone increased by 91 % from Q3 2019 to Q3 20202. The takeaway from this constant year-on-year growth is that cyberattacks are here to stay.

DPI is ahead of the culprits as it helps to detect not just established threats, but also traffic anomalies and suspicious behavior, thereby apprehending threats before they take shape. In many ways, companies and network operators take on cyber-threats the same way superheroes take on the evil forces in many an epic tale or big screen franchise. Stopping these threats in their tracks requires the right tools. DPI is one of these tools, and used well, keeps the world of networks and digital assets operating at best performance to deliver top-notch services to billions of users depending on them.

Download our case study with Saint Security to find out how the DPI engine R&S®PACE 2 enabled the network security vendor to fingerprint malicious activity and unlock the full potential of their AI-based analysis methodologies:


1) Spear-Phishing Email: Most Favored APT Attack Bait - Trend Micro -

2) Average ransom payout jumped 178% in a year - Atlas VPN -

Stephan Klokow portrait

Stephan Klokow

Contact me on LinkedIn

Stephan holds a degree in computer science and has more than 13 years of leadership experience in IT as well as product and software development. Since 2017, he has been the director of DPI at ipoque. As part of his professional career, he has been responsible for the development of digital products and solutions for smart home and IoT technology and has lead national and international IT projects. When he's not at work, he spends time with his family. You might also bump into him on the soccer field or at the gym.


Related material

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for our newsletter

Stay informed about the latest news and insights from ipoque