Shared file protection against unauthorised encryption using a Buffer-Based Signature Verification Method

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2024-09-09 DOI:10.1016/j.jisa.2024.103873

{"title":"Shared file protection against unauthorised encryption using a Buffer-Based Signature Verification Method","authors":"","doi":"10.1016/j.jisa.2024.103873","DOIUrl":null,"url":null,"abstract":"<div><p>Understanding the attributes of critical data and implementing suitable security measures help organisations bolster their data-protection strategies and diminish the potential impacts of ransomware incidents. Unauthorised extraction and acquisition of data are the principal objectives of most cyber invasions. We underscore the severity of this issue using a recent attack by the Clop ransomware group, which exploited the MOVEit Transfer vulnerability and bypassed network-detection mechanisms to exfiltrate data via a Command and Control server. As a countermeasure, we propose a method called Buffer-Based Signature Verification (BBSV). This approach involves embedding 32-byte tags into files prior to their storage in the cloud, thus offering enhanced data protection. The BBSV method can be integrated into software like MOVEit Secure Managed File Transfer, thereby thwarting attempts by ransomware to exfiltrate data. Empirically tested using a BBSV prototype, our approach was able to successfully halt the encryption process for 80 ransomware instances from 70 ransomware families. BBSV not only stops the encryption but also prevents data exfiltration when data are moved or written from the original location by adversaries. We further develop a hypothetical exploit scenario in which an adversary manages to bypass the BBSV, illicitly transmits data to a Command and Control server, and then removes files from the original location. We construct an extended state space, in which each state represents a tuple that integrates user authentication and system components at the filesystem level.</p></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":null,"pages":null},"PeriodicalIF":3.8000,"publicationDate":"2024-09-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2214212624001753/pdfft?md5=68d74f2ecd64919a7bca1979c6adbfbd&pid=1-s2.0-S2214212624001753-main.pdf","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212624001753","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Understanding the attributes of critical data and implementing suitable security measures help organisations bolster their data-protection strategies and diminish the potential impacts of ransomware incidents. Unauthorised extraction and acquisition of data are the principal objectives of most cyber invasions. We underscore the severity of this issue using a recent attack by the Clop ransomware group, which exploited the MOVEit Transfer vulnerability and bypassed network-detection mechanisms to exfiltrate data via a Command and Control server. As a countermeasure, we propose a method called Buffer-Based Signature Verification (BBSV). This approach involves embedding 32-byte tags into files prior to their storage in the cloud, thus offering enhanced data protection. The BBSV method can be integrated into software like MOVEit Secure Managed File Transfer, thereby thwarting attempts by ransomware to exfiltrate data. Empirically tested using a BBSV prototype, our approach was able to successfully halt the encryption process for 80 ransomware instances from 70 ransomware families. BBSV not only stops the encryption but also prevents data exfiltration when data are moved or written from the original location by adversaries. We further develop a hypothetical exploit scenario in which an adversary manages to bypass the BBSV, illicitly transmits data to a Command and Control server, and then removes files from the original location. We construct an extended state space, in which each state represents a tuple that integrates user authentication and system components at the filesystem level.

查看原文本刊更多论文

使用基于缓冲区的签名验证方法保护共享文件，防止未经授权的加密

了解关键数据的属性并实施适当的安全措施，有助于组织加强数据保护战略，降低勒索软件事件的潜在影响。未经授权提取和获取数据是大多数网络入侵的主要目的。我们通过 Clop 勒索软件组织最近的一次攻击强调了这一问题的严重性，该组织利用 MOVEit Transfer 漏洞，绕过网络检测机制，通过指挥和控制服务器外泄数据。作为对策，我们提出了一种名为 "基于缓冲区的签名验证"（BBSV）的方法。这种方法是在文件存储到云之前将 32 字节标签嵌入文件，从而提供更强的数据保护。BBSV 方法可以集成到 MOVEit 安全托管文件传输等软件中，从而挫败勒索软件外泄数据的企图。通过使用 BBSV 原型进行经验测试，我们的方法能够成功阻止来自 70 个勒索软件家族的 80 个勒索软件实例的加密过程。BBSV 不仅能阻止加密，还能在数据被对手从原始位置移动或写入时防止数据外泄。我们进一步开发了一种假想的利用场景，即对手设法绕过 BBSV，非法将数据传输到指挥与控制服务器，然后从原始位置删除文件。我们构建了一个扩展的状态空间，其中每个状态都代表一个元组，在文件系统层面集成了用户验证和系统组件。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.