Sophos Endpoint Tamper Protection Thwarts a Sophisticated Ransomware Attack

Tamper Protection is one of those powerful but lesser-known protection capabilities that works away quietly in the background. It prevents adversaries from turning off defenses in Sophos Intercept X Endpoint, our market leading EDR solution, so they can deploy their payloads.

Recently, Tamper Protection was thrust into the spotlight when it was key to Sophos identifying and thwarting a novel ransomware attack in which the attackers used a malicious driver signed with a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft. The driver specifically targets processes used by major endpoint detection and response (EDR) software packages and we have strong confidence that it is associated with the attack group behind Cuba ransomware.

Creating a malicious driver from scratch and getting it signed by a legitimate authority is very difficult, but it’s also incredibly effective because the driver can essentially carry out any processes without question.

Virtually all EDR software is vulnerable to this new driver but, fortunately, the Tamper Protection capability in Sophos Endpoint ensured that the adversary’s attempt to disable our protection failed. This enabled other protection technologies in Sophos Endpoint to successfully halt the ransomware attack. Sophos Rapid Response, our incident response experts, stepped in to successfully neutralize the incident, and the investigation triggered a comprehensive collaboration between Sophos and Microsoft to take action and address the threat.

The importance of layered protection

With cybersecurity there is no silver bullet, no single protection capability that will stop every threat. Each attack combines a different set of tactics, techniques, and procedures (TTPs), and as a result there is no ‘one size fits all’ protection solution. What works against one attack, will not always work against the next one.

To optimize your defenses you need layered protection: multiple sophisticated security capabilities with each playing its part in defending against advanced attacks. Sophos Endpoint is packed with these layers of protection, including:

• Credential theft protection that prevents unauthorized system access
• Exploit protection to stop the techniques adversaries use
• Anti-ransomware protection which identifies and blocks malicious encryption attempts
• And, of course, tamper protection

Combining multiple layers of protection technologies enables us to optimize our customers’ defenses. Testament to the quality of our defenses – and the power of layered protection – we stop 99.98% of threats up-front (AV-TEST average score), and recently earned perfect scores in SE Labs endpoint protection report.

Plus, these layers generate high-quality signals that the defenders in Sophos MDR, our market-leading 24/7 managed detection and response service, can use to swiftly identify, investigate and respond to adversarial activities before damage is done.

Check Tamper Protection is enabled with the Sophos Account Health Check

The Sophos Account Health Check enables Sophos Endpoint EDR and server protection customers to quickly identify and address configuration issues with their Sophos protected devices. Available to all customers that manage their Sophos security through the Sophos Central platform, it performs a number of key checks:

• Software assignment – do devices have all the right software assigned to them?
• Threat policy ​– are policies using recommended settings?
• Exclusions​ – are any exclusions creating significant exposure?​
• Tamper protection – has tamper protection been disabled on any computers or servers?

Our newly released ‘Fix Automatically’ feature allows IT teams to easily enable Tamper Protection for all devices, elevating security posture in just a couple of clicks.

Access the Account Health Check from the main Sophos Central navigation panel and use the intuitive dashboard to remediate any issues.

While recommended settings are automatically applied with all new Sophos deployments, over time issues can develop as devices are added and removed, team members change, and different software subscriptions are purchased. We recommend customers review the health check at least every three months to maintain a healthy environment.