Preemptively: Ransomware Detection

By: DavidPage

Introduction of Preemptively

We wanted to give some guidance to Securonix users on how they can protect themselves against the growing threat of ransomware preemptively.

SIEM technology is intended primarily for detection. It is not designed to stop ransomware infections in the final stages, such as after data encryption has been initiated.

SIEM can be used instead to preemptively detect, respond and disrupt earlier phases in a compromise that leads to ransomware attacks, such as initial exploitation, lateral transfers or privilege escalation.

Ransomware is fast. The act of encryption can be done in minutes to seconds, but this is only the final stage of compromise. It can take days or even weeks to get access from the initial compromise all the way through to identifying and gaining access to the most valuable targets. According to a recent study, ransomware attackers have a median dwell-time of five days before they execute the final phases.

Securonix allows preemptively for early detection and containment of ransomware.
Both UEBA and Securonix Next Gen SIEM detect a variety of indicators and preemptively indicate of action as well as behavioral anomalies throughout the typical ransomware attack lifecycle. It is important that users verify and validate the data collected.

Recommendations for Data Sources preemptively

We recommend the following data sources to ensure adequate visibility and a chance of detecting ransomware early:

  • RDP logs
  • Logs of the storage/backup system
  • VPN/jump server logs
  • Logs for MFA/authentication
  • Logging Powershell script blogs
  • Raw EDR logs
  • Logs of NTA, including JA3[S] visibility
  • Logs for MFA/authentication
  • HTTPS termination logs (if feasible)
See also  Wings Etc: Is family-friendly

Recommendations of Preemptively

Securonix Threat Labs R&D has identified some of the pertinent detections that can be used to identify “early warning” behavior and TTP’s in relation to common ransomware.

AVI-WDF2-RUN EDR–SYM9-BPI. Preemptively EDR–SYM90–ERI. EDR–SYM91–ERI. EDR–SYM90–RUN EDR–SYM67–RUN EDR–SYM69–BPI. EDR–SYM71–RUN EDR–SYM117-RUN EDR–SYM89-ERI. EDR–SYM79–RUN. EDR–SYM213–RUN EDR–SYM213–RUN.

See Appendix I for more details on mapping detections to ransomware family families.

Other recommended best practices

These best practices have proven to be helpful in enabling correct data sources and detection content for the SIEM.

Reexamine your backup policy retention policies to ensure that backups are not accessible/encrypted if an operator has placed targeted ransomware. (e.g. Remote write-only backups are possible.

Security monitoring of your backup systems is essential to detect potential ransomware operators and their affiliates early enough to prevent a breach.
Security monitoring should be implemented, especially for high-value targets (HVT), as well as users and critical systems within your environment to detect ransomware operator placements earlier.

Follow the ransomware guidelines and frameworks from CISA, IST and NIT as well as Europol and other relevant entities in order to reduce ransomware risk.
Cyber hygiene and security hardening are essential in making ransomware attackers’ lives more difficult. But, even more important, it increases their dwell time so we can detect them before they explode. Each incremental maturity increase brings about peace of mind and breathing space.

Reexamine user access and permission roles to determine if your policies are in line with least privilege.

Consider if it is possible to create smaller network segments.

Deactivate commonly targeted and exploited services and features like autorun, remote Desktop, and macros.

See also  Feitan: Is muscular, short and lean.

Examine your vulnerabilities and determine which ones are being ransomware-targeted.
Many ransomware attacks begin with a phishing email or drive-by-exploitation, so raising awareness to increase organizational vigilance can reduce your susceptibility to these types of social engineering attacks.

We wish for the best, but we must be prepared for the worst. To increase your resilience to attack, ensure that you have backups of all data and a disaster recovery plan.

Additional Security Measures to Reduce Ransomware Risk

Additional security measures can also be provided that are highly effective in defending against ransomware.

Autonomous Threat Sweep

Our customers are eligible for this service at no cost. ATS Cyber Rapid Response is a microservice which autonomously collects threat intelligence for emerging threats and automatically extracts IoC and IoA. Then, it retrospectively searches in your security data to determine if you were compromised. It is possible to detect ransomware early warning and early detection.

Securonix SOAR

Ransomware works at a machine-speed, which means manual processes are unable to keep up. Automated rapid response and containment are needed to combat machine against machine. Securonix SOAR is able to speed up and automate incident qualification and investigation, as well as automate containment actions like disabling user accounts and network access.