Ransomware and Intrusion Detection

In July 2021 the Italian region Lazio was hit by a ransomware attack that disabled its IT systems, including the COVID-19 vaccination portal: almost every file in the data centre was encrypted. A month ago, the main services of the Italian railway operator Trenitalia (part of the Ferrovie dello Stato group) were shut down after its systems were damaged by a ransomware attack: ticketing systems at the stations, especially small and medium-sized ones, were still out of service two weeks after the attack.

Ransomware is the most widespread attack and ranks as the top threat for 2020-2021 in the ENISA Threat Landscape (ETL) report: the attacker encrypts the victim's data and demands a ransom for the decryption key.

It is usually delivered through targeted phishing or downloaded from trap websites; sophisticated ransomware is also delivered as a secondary, in-memory payload that never touches the disk, which makes it highly evasive and hard to detect with file-based scanning alone, so its behaviour on the host and on the network becomes the main signal left to look for.

Digitalization and the increased rate of information transfer, accelerated by remote working during the COVID-19 pandemic, have enlarged the attack surface and given intruders an environment full of opportunities. Intrusion detection systems (IDS), together with other security measures, are therefore required to run a modern connected business: they monitor hosts and/or networks and report intrusive activity.

Host data and/or network traffic is collected and analysed, and malicious activity is then reported to a Security Operations Center (SOC) for further investigation by cybersecurity analysts and/or correlation engines.

Traditionally, an IDS is host-based or network-based and implements signature-based or behaviour-based (anomaly) detection. Signature-based detection is precise but only catches what it already has a signature for, so novel variants and fileless payloads slip past it; anomaly detection can flag them, at the cost of more false positives. Recent incidents have also highlighted that the cybersecurity landscape produces very diverse event streams; consequently, recent research on intrusion detection has expanded the field by combining detection techniques and by applying other approaches, such as big data analytics and machine learning.

In the context of CITYSCAPE, Intrusion Detection has been implemented by Engineering (www.eng.it) by adopting open-source tools integrated with an anomaly detection procedure that distinguishes normal network traffic from unknown or unusual traffic (anomalies). The solution is implemented with machine learning algorithms combined to classify traffic: the model is trained on the pilots' normal network traffic and is expected to improve the accuracy of traditional classification algorithms. As with any baseline learned from "normal" traffic, the training capture must be clean (activity present during training is learned as normal) and the model must be retrained as the network changes. Although the market is already full of big names, CITYSCAPE tries to make its way with promising initial results and with a solution that is relevant to any sector and to every type of enterprise that needs to monitor its network infrastructure, while at the same time focusing on every single user/client by identifying its unknown traffic or misbehaviour.
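To make the combination of signature-based and behaviour-based detection from the paragraphs above concrete, here is an added example (not CITYSCAPE or Engineering code, and not the machine learning model the project uses): a minimal network-flow anomaly detector that learns a per-host baseline of which services each host talks to and how much it normally sends, then scores new flows against that baseline and against a tiny blocklist that stands in for a signature feed. The flow records, hosts, addresses and blocklist entry are all constructed for the example.

```python
# Added example (not CITYSCAPE code): a toy flow-level anomaly detector that learns a
# per-host baseline from "normal" traffic and combines it with a signature-style check.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

Z_THRESHOLD = 3.0  # flows more than 3 standard deviations above the learned volume are outliers

# Constructed blocklist standing in for a signature feed (hypothetical address).
BLOCKLISTED_DESTINATIONS = {"203.0.113.9"}


@dataclass(frozen=True)
class Flow:
    """One connection summary, the kind of record a flow exporter or Zeek conn.log provides."""
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int  # bytes sent by src


class BaselineModel:
    """Learns which services each host normally uses and how much it normally sends to them."""

    def __init__(self):
        # src host -> set of (proto, dport) services seen during training
        self.services = defaultdict(set)
        # (src, proto, dport) -> list of outbound byte counts seen during training
        self.volumes = defaultdict(list)

    def fit(self, flows):
        for f in flows:
            self.services[f.src].add((f.proto, f.dport))
            self.volumes[(f.src, f.proto, f.dport)].append(f.bytes_out)
        return self

    def score(self, flow):
        """Return the reasons this flow is suspicious; an empty list means it looks normal."""
        reasons = []
        if flow.dst in BLOCKLISTED_DESTINATIONS:
            reasons.append("blocklisted-destination")  # signature-based hit
        if flow.src not in self.services:
            reasons.append("unknown-host")  # source never seen during training
            return reasons
        if (flow.proto, flow.dport) not in self.services[flow.src]:
            reasons.append("unknown-service")  # new protocol/port for this host
            return reasons
        samples = self.volumes[(flow.src, flow.proto, flow.dport)]
        mu, sigma = mean(samples), pstdev(samples)
        if sigma > 0:
            outlier = (flow.bytes_out - mu) / sigma > Z_THRESHOLD
        else:
            # Too little variation for a z-score: fall back to a crude ratio test.
            outlier = flow.bytes_out > 3 * mu
        if outlier:
            reasons.append("volume-outlier")
        return reasons


def detect(model, flows):
    """Score every flow and return (flow, reasons) for the flagged ones only."""
    return [(f, model.score(f)) for f in flows if model.score(f)]


# Constructed "normal" traffic used as the training set: two workstations using SMB and DNS.
NORMAL_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", "tcp", 445, b) for b in (2000, 2400, 2600, 3000, 2200)
] + [
    Flow("10.0.0.5", "10.0.0.10", "udp", 53, b) for b in (80, 100, 120, 90, 110)
] + [
    Flow("10.0.0.6", "10.0.0.20", "tcp", 445, b) for b in (1500, 1700, 1600)
]

# Constructed flows to score: one benign, three that should raise alerts.
CANDIDATE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", "tcp", 445, 2500),       # ordinary SMB traffic
    Flow("10.0.0.5", "198.51.100.7", "tcp", 4444, 50),      # new outbound service for this host
    Flow("10.0.0.5", "10.0.0.20", "tcp", 445, 5_000_000),   # SMB volume far above the baseline
    Flow("10.0.0.5", "203.0.113.9", "udp", 53, 90),         # destination on the blocklist
]

if __name__ == "__main__":
    model = BaselineModel().fit(NORMAL_FLOWS)
    for flow, reasons in detect(model, CANDIDATE_FLOWS):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} {reasons}")
```

The three alerts illustrate the two detection styles side by side: the blocklist hit is a signature match, while the unknown port and the SMB volume outlier are behavioural findings that no signature would have produced. A real deployment replaces the hand-built baseline with a model trained on the pilots' traffic, but the same caveat applies: whatever was in the training capture is what the model calls normal.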