Crypto-mining has witnessed an exponential rise owing to the handsome financial returns it promises, even though stiff competition threatens to keep small-time miners out and forces sophisticated ones to keep upgrading their setups to remain competitive. Illegal miners have also jumped in in droves and devised cunning but innovative schemes that require minimal cost to turn a profit and stay relevant in this competitive environment. Malicious miners steal the computing power and resources of machines over the internet, or capture entire enterprise networks to harness their computing power collectively. An effective threat assessment in this scenario shows that crypto-mining threats must be blocked at the network, cloud and endpoint level.
At the network level, pool-based mining is used to harness the speed and processing power of many machines to compete against specialized mining rigs. Network security against illicit mining requires deep packet inspection, anomaly detection and NetFlow analysis. Traffic should be analyzed in real time, with extensive data models used to detect anomalies and malicious patterns in encrypted traffic without resorting to decryption. Techniques such as sandboxing and malicious file analysis should also be employed.
In collaboration with recursive Domain Name System (DNS) providers, crypto-mining classifications of domains, IPs and URLs can be compiled by analyzing the mapping of domain names to IPs and mining this diverse telemetry for threats and anomalies. Based on this classification, users can then block outbound traffic to such suspicious destinations. Even if mining software is installed on a system, its traffic over the network is blocked. The same applies to mobile and IoT devices on the network.
The most critical component for crypto-mining attacks is the endpoint, where the most sought-after commodity, computing power, resides. Endpoint protection solutions therefore have a vital role in warding off illegal mining. Since mining applications are exceedingly evasive, endpoint solutions should continuously observe and scrutinize file and command-line activity. This also requires recognizing the patterns of attack propagation as mining applications move through the network, establish persistence and open outbound connections to the crypto-miner's infrastructure.
HOLISTIC THREAT & INTELLIGENCE ASSESSMENT
Detecting illegal crypto-mining activity can be extremely tricky. In addition to the methods described earlier, it is essential to take stock of illegal mining threats through threat intelligence, crypto-mining detection tools and best practices for defending against illegal mining. It is pivotal to identify coverage and gaps in visibility, assess the working environment using intelligence, and analyze the findings.
Additionally, telemetry across DNS and URLs, network traffic, files, emails and cloud applications must be examined and correlated. This can be achieved using machine learning, artificial intelligence and vulnerability research to unmask deceptive mining deployments. Researchers, incident response teams and forensic evaluators should work in step to ensure well-rounded, all-inclusive protection. It is highly recommended that solutions employing automated updates and threat responses derived from threat intelligence be made part of protection portfolios.