Detecting Ransomware Using Threat Intelligence

Ransomware Detection

This post comes to you as Part 3 of 4 in our ransomware detection series, in which we explore how to analyze and protect your Qumulo data at cloud scale. In Parts 1 and 2, we looked at how to detect ransomware access patterns with Qumulo and Azure Sentinel, then described two additional methods for ransomware detection with data correlation. In Part 3 below, we explain how to use external Threat Intelligence data to support that data correlation.


In Part 2 of this ransomware detection series, we used static tables such as blacklists or other lookup tables to correlate data with incoming Qumulo audit events. In this post, we present a few simple examples that use external Threat Intelligence feeds for data correlation. As a reminder, the image below illustrates the ransomware detection workflow.

Figure: ransomware detection workflow

Detecting ransomware in real time

As noted earlier in this series, potential ransomware threats and other suspicious activity must be detected before they can cause harm. One way to achieve this is to use the Automated Indicator Sharing (AIS) provided by the industry.

AIS enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect participants and, ultimately, reduce the prevalence of cyberattacks. AIS uses an open standard data format, called Structured Threat Information Expression (STIX™), and the Trusted Automated Exchange of Indicator Information (TAXII™) protocol for machine-to-machine communication.

How to feed Threat Intelligence into an Azure Sentinel workspace

Azure Sentinel can subscribe to STIX feeds using the built-in TAXII connector. Many open-source feeds are available, as well as commercial ones. We will use Anomali's Limo threat feed to bring Threat Intelligence into our Sentinel workspace and correlate the data with our audit events.

Using curl, we can get a list of the feeds provided by limo.anomali.com:

curl -u guest https://limo.anomali.com/api/v1/taxii2/feeds/collections/

{
  "collections": [
    { "can_read": true, "can_write": false, "description": "", "id": "107", "title": "Phish Tank" },
    { "can_read": true, "can_write": false, "description": "", "id": "135", "title": "Abuse.ch Ransomware IPs" },
    { "can_read": true, "can_write": false, "description": "", "id": "136", "title": "Abuse.ch Ransomware Domains" },
    { "can_read": true, "can_write": false, "description": "", "id": "150", "title": "DShield Scanning IPs" },
    { "can_read": true, "can_write": false, "description": "", "id": "200", "title": "Malware Domain List - Hotlist" },
    { "can_read": true, "can_write": false, "description": "", "id": "209", "title": "Blutmagie TOR Nodes" },
    { "can_read": true, "can_write": false, "description": "", "id": "31", "title": "Emerging Threats C&C Server" },
    { "can_read": true, "can_write": false, "description": "", "id": "33", "title": "Lehigh Malwaredomains" },
    { "can_read": true, "can_write": false, "description": "", "id": "41", "title": "CyberCrime" },
    { "can_read": true, "can_write": false, "description": "", "id": "68", "title": "Emerging Threats - Compromised" }
  ]
}

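
The TAXII connector does this work for you inside Sentinel, but it helps to see what the connector is consuming. The following Python is an added example, not code from this post or from Qumulo, Anomali or Microsoft: it reads a TAXII 2 collections listing of the shape shown above, then turns a STIX 2.1 indicator bundle into the kind of lookup sets (IPv4 addresses, domain names, URLs) that a SIEM correlation rule can match against. The bundle is constructed sample data, the indicator values are RFC 5737 / RFC 2606 documentation ranges rather than real indicators, and the two example feeds in the listing are the only pieces taken from the real output above. It goes a little beyond the listing by handling compound (`OR`) patterns and skipping revoked indicators, which a real feed does contain.

```python
"""Parse a TAXII 2 collections listing and STIX 2.1 indicator patterns into
lookup sets a correlation rule can consume.

Added example; not Qumulo's, Anomali's or Microsoft's code. All JSON below is
constructed sample data; indicator values are documentation ranges, not IoCs.
"""
import json
import re
from collections import defaultdict

# Constructed TAXII 2 "collections" response, same shape as the Limo output above.
COLLECTIONS_JSON = """
{"collections": [
  {"can_read": true, "can_write": false, "description": "", "id": "135", "title": "Abuse.ch Ransomware IPs"},
  {"can_read": true, "can_write": false, "description": "", "id": "136", "title": "Abuse.ch Ransomware Domains"},
  {"can_read": false, "can_write": false, "description": "", "id": "999", "title": "Private (constructed, unreadable)"}
]}
"""

# Constructed STIX 2.1 bundle (RFC 5737 / RFC 2606 documentation values only).
STIX_BUNDLE_JSON = """
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
   "created": "2021-05-01T00:00:00.000Z", "modified": "2021-05-01T00:00:00.000Z",
   "name": "mal_ip: constructed ransomware C2", "pattern_type": "stix",
   "pattern": "[ipv4-addr:value = '203.0.113.10']", "valid_from": "2021-05-01T00:00:00Z"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
   "created": "2021-05-01T00:00:00.000Z", "modified": "2021-05-01T00:00:00.000Z",
   "name": "mal_domain: constructed payment site", "pattern_type": "stix",
   "pattern": "[domain-name:value = 'pay.example.net'] OR [url:value = 'http://pay.example.net/x']",
   "valid_from": "2021-05-01T00:00:00Z"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000004",
   "created": "2021-05-01T00:00:00.000Z", "modified": "2021-05-01T00:00:00.000Z",
   "name": "revoked entry", "revoked": true, "pattern_type": "stix",
   "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2021-05-01T00:00:00Z"},
  {"type": "marking-definition", "id": "marking-definition--00000000-0000-4000-8000-000000000005",
   "created": "2021-05-01T00:00:00.000Z", "definition_type": "tlp", "definition": {"tlp": "white"}}
]}
"""

# One STIX equality comparison: <object-type>:<property> = '<value>'
_COMPARISON = re.compile(r"(?P<otype>[a-z0-9-]+):(?P<prop>[a-z0-9_.]+)\s*=\s*'(?P<value>[^']*)'")


def readable_collections(collections_json: str) -> dict[str, str]:
    """Map collection id -> title for every collection the account may read."""
    data = json.loads(collections_json)
    return {c["id"]: c["title"].strip() for c in data["collections"] if c.get("can_read")}


def extract_observables(pattern: str) -> dict[str, set[str]]:
    """Pull equality comparisons out of a STIX pattern, grouped by object type.
    Only '=' comparisons are handled; MATCHES/LIKE/IN and unquoted numeric
    comparisons are ignored on purpose, since a lookup table cannot hold them."""
    found: dict[str, set[str]] = defaultdict(set)
    for m in _COMPARISON.finditer(pattern):
        found[m.group("otype")].add(m.group("value"))
    return dict(found)


def indicators_to_lookup(bundle_json: str) -> dict[str, set[str]]:
    """Build lookup sets (ipv4-addr, domain-name, url, ...) from a STIX bundle,
    skipping non-indicator objects, revoked indicators and non-STIX patterns."""
    bundle = json.loads(bundle_json)
    lookup: dict[str, set[str]] = defaultdict(set)
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # snort/yara patterns are rules, not observable lists
        for otype, values in extract_observables(obj["pattern"]).items():
            lookup[otype].update(values)
    return dict(lookup)


if __name__ == "__main__":
    print("readable collections:", readable_collections(COLLECTIONS_JSON))
    print("lookup sets:", indicators_to_lookup(STIX_BUNDLE_JSON))
```

The revoked indicator is the detail worth noticing: a feed keeps revoked objects so subscribers can retract them, and a rule that blindly loads every `pattern` into a blocklist will keep alerting on addresses the provider has already withdrawn.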
How to subscribe to a Threat Intelligence feed

To subscribe to one of the Threat Intelligence feeds listed above, let's walk through a few quick steps in Azure Sentinel. In Sentinel, proceed as follows:

  1. Click Data connectors
  2. Enter "Taxii" in the search field
  3. Select Threat Intelligence - (TAXII)
  4. Enter the feed details from the list above

For example, if you want to subscribe to the Emerging Threats C&C Server feed, you would enter the following information in the dialog:

Figure: ransomware threat intelligence feed configuration

This adds the feed to your workspace. After only a few seconds, you can see the TI data arriving.

Select "Threat Intelligence" in the navigation pane to view your TI events:

Figure: Azure Sentinel Threat Intelligence data

You can query the Threat Intelligence data with the following KQL query:

ThreatIntelligenceIndicator
| project TimeGenerated, Action, Description, NetworkIP, Url, SourceSystem

An output example is shown in the next figure:

ransomware threat intelligence cyber crime feed

How to correlate Qumulo events with Threat Intelligence data

Now, as we feed the Threat Intelligence into our Azure Sentinel workspace, we can correlate the data and check all Qumulo filesystem activity. For example, we could look for connections to any known bad IP address from our different feeds with the following query:

let timerange = 15min;
let MalIpList = (ThreatIntelligenceIndicator | where Description contains "mal_ip" | project NetworkIP);
QumuloAuditEvents
| where ClientIP in (MalIpList)

This query returns a list of all activity that any Qumulo node had with one of the known bad addresses from the intelligence feeds.

This is a good example of where we'd need to start automating. If the above query returned any results, we'd want to automatically create an alert and an incident, and potentially trigger an automated response. In this case the assigned data security analyst would investigate whether this IP address had ever shown up earlier in our environment, and take action if it had.
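
The correlation query above and the analyst follow-up it triggers can be reproduced offline, which is a convenient way to test the logic before wiring it into a scheduled rule. The Python below is an added example, not code from this post or from Qumulo or Microsoft. It applies the same `mal_ip` filter and 15-minute window as the KQL to constructed `ThreatIntelligenceIndicator` and `QumuloAuditEvents` rows, folds matching events into one alert per client IP, and answers the analyst's first question directly: was this address ever seen before the detection window? Only `ClientIP`, `TimeGenerated`, `NetworkIP` and `Description` are column names from the post; `Active`, `Operation` and `Path` are assumed for illustration, and all addresses are RFC 5737 documentation ranges.

```python
"""Correlate Qumulo audit events with threat-intelligence IP indicators.

Added example; not Qumulo's or Microsoft's code. Mirrors the KQL in the post
offline: events whose ClientIP is in the mal_ip indicator list are matched
inside a 15-minute window, grouped into one alert per client IP, and each
alert records whether that IP was active before the window. Column names
other than ClientIP, TimeGenerated, NetworkIP and Description (Active,
Operation, Path) are assumed; every record below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TIMERANGE = timedelta(minutes=15)  # same window as 'let timerange = 15min;'


def ts(s: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed ThreatIntelligenceIndicator rows.
TI_INDICATORS = [
    {"NetworkIP": "203.0.113.10", "Description": "mal_ip: constructed ransomware C2", "Active": True},
    {"NetworkIP": "203.0.113.44", "Description": "mal_ip: constructed scanner", "Active": True},
    {"NetworkIP": "198.51.100.7", "Description": "mal_ip: expired entry", "Active": False},
]

# Constructed QumuloAuditEvents rows (Operation and Path are assumed field names).
AUDIT_EVENTS = [
    {"TimeGenerated": ts("2021-05-01T09:00:00"), "ClientIP": "192.0.2.15", "Operation": "fs_read_data", "Path": "/finance/q1.xlsx"},
    {"TimeGenerated": ts("2021-05-01T09:50:00"), "ClientIP": "203.0.113.10", "Operation": "fs_list_directory", "Path": "/finance"},
    {"TimeGenerated": ts("2021-05-01T11:51:00"), "ClientIP": "203.0.113.10", "Operation": "fs_write_data", "Path": "/finance/q1.xlsx.locked"},
    {"TimeGenerated": ts("2021-05-01T11:52:00"), "ClientIP": "203.0.113.10", "Operation": "fs_write_data", "Path": "/finance/q2.xlsx.locked"},
    {"TimeGenerated": ts("2021-05-01T11:53:00"), "ClientIP": "198.51.100.7", "Operation": "fs_read_data", "Path": "/hr/list.csv"},
    {"TimeGenerated": ts("2021-05-01T11:55:00"), "ClientIP": "192.0.2.15", "Operation": "fs_read_data", "Path": "/finance/q1.xlsx"},
]
NOW = ts("2021-05-01T12:00:00")  # evaluation time of the scheduled rule


def mal_ip_list(indicators) -> dict[str, str]:
    """Equivalent of: ThreatIntelligenceIndicator | where Description contains "mal_ip"
    | project NetworkIP, keeping only active indicators plus their description."""
    return {i["NetworkIP"]: i["Description"] for i in indicators
            if i.get("Active", True) and "mal_ip" in i["Description"]}


def correlate(events, indicators, now=NOW, timerange=TIMERANGE) -> list[dict]:
    """Return one alert per ClientIP that matched an indicator inside the window."""
    bad = mal_ip_list(indicators)
    window_start = now - timerange
    hits = defaultdict(list)
    for e in events:
        if window_start <= e["TimeGenerated"] <= now and e["ClientIP"] in bad:
            hits[e["ClientIP"]].append(e)
    alerts = []
    for ip, matched in hits.items():
        history = [e for e in events if e["ClientIP"] == ip]
        alerts.append({
            "ClientIP": ip,
            "Indicator": bad[ip],
            "EventCount": len(matched),
            "Operations": sorted({e["Operation"] for e in matched}),
            "FirstSeenEver": min(e["TimeGenerated"] for e in history),
            "SeenBeforeWindow": any(e["TimeGenerated"] < window_start for e in history),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(AUDIT_EVENTS, TI_INDICATORS):
        print(alert)
```

Grouping by client IP rather than emitting one alert per event is what keeps the downstream incident count manageable; the `SeenBeforeWindow` flag is the hint that the address was already talking to the cluster before the feed flagged it, which is exactly the case the analyst needs to look at first.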

In any case, we would update the rules in our firewall(s) so that this address is blocked outright. This is a good example of preventive action. Even though this IP address had (hopefully) never contacted our network, we'd block it in advance because we know (from the TI feed) that it's related to malware activity.

Note: it makes a lot of sense not to correlate only Qumulo events against Threat Intelligence data. In fact, running those correlations and the (automated) responses against client events, firewall events and Active Directory events makes even more sense! You'd uncover these malicious connections much earlier. Also, you may want to look for malicious URLs on your firewall, internet gateway or HTTP proxy server to block these sites before any user can try to access them.

How to use Machine Learning to detect ransomware and suspicious anomalies

Azure Sentinel has some Analytic Rules that use Machine Learning (ML) to uncover anomalies or detect ransomware in your data storage environment. Microsoft has introduced a new rule type, called Anomaly, for this purpose. You don’t need to worry about managing the ML run-time environment for suspicious anomalies, because Azure Sentinel takes care of everything behind the scenes.

You can find these rules in Azure Sentinel in the Analytics tab, and it seems Microsoft is adding more over time. These rules use ML to train a model for a couple of days to set the baseline for usual conditions. This could be network traffic patterns, login patterns in Azure Active Directory (Azure AD), firewall alarms, web requests, and more. The parameters of the pre-defined rules can be modified to balance the noise level to a meaningful level.

The algorithms in the pre-defined rules are not trained for Qumulo events. However, using them with events from other sources—such as Azure AD or firewalls—improves ransomware detection, and reduces investigation and threat hunting time.

Following are the 3 main use cases for using machine learning to detect ransomware.

1. Additional signals to improve ransomware detection

Data security analysts can use anomalies to detect new threats and make existing detections more effective. A single anomaly is not a strong signal of malicious behavior, but when combined with several anomalies that occur at different points on the cyber kill chain, their cumulative effect is much stronger. Security analysts can enhance existing detections as well by making the unusual behavior identified by anomalies a condition for alerts to be fired.

2. Evidence during investigations

Data security analysts also can use anomalies during investigations to help confirm a breach, find new paths for investigating it, and assess its potential impact. For example, when investigating an incident that involves a user and an IP address, a security analyst can query the user and the IP address in the "Anomalies" table to find out other anomalous activities performed by that user and that happened on that IP address. These data help security analysts reduce the time spent on investigations.

3. The start of proactive threat hunts

Threat hunters can use anomalies as context to help determine whether their queries have detected suspicious behavior. When the behavior is suspicious, the anomalies also point toward potential paths for further hunting. These clues provided by anomalies reduce both the time to detect a threat and its chance to cause harm.

We just reviewed how to run queries to detect ransomware and other suspicious activities. Next, we'll show you how to automate these ransomware detection queries in Azure Sentinel.

Qumulo Recover Q: Disaster recovery solution to help guard against ransomware

Qumulo Audit logs can be used via syslog with any SIEM solution for detection.

We also offer Qumulo Recover Q—a flexible, cloud-based disaster recovery solution that fits into any existing business continuity strategy. Active protection features help ensure data safety and integrity, while built-in snapshot and cloud replication features add layers of defense against real-world threats that could compromise your data or operations.

Using Recover Q in the cloud can help optimize your company's spending on business continuity by reducing on-premises costs in favor of an on-demand, cloud-native service.

Further Reading

Have a look at our two white papers to learn more about ransomware detection with Qumulo audit data and SIEM platforms, and the built-in data services (Qumulo Protect and Qumulo Secure) that come standard with your Qumulo software subscription:

Like what you see?

Contact us to book a demo or arrange a meeting. You can even test drive a fully functional Qumulo environment right from your browser.