IntroSpect and Ransomware
07-18-2019 09:55 AM
Ronald Kent from the US Security team wrote this article after the series of ransomware attacks that struck US municipalities, but we also see a rise in Europe.
"There’s been a noticeable uptick in ransomware attacks in the last week (City of Baltimore, City of Amarillo, Cleveland Airport, and others). Analysis of the malware is ongoing through several prominent threat research firms, but in the meantime there’s a lot we can do to help protect our IntroSpect install base. Release 2.5 (which is due to be released shortly) will have new detection capabilities around common ransomware activities and also beaconing detection. Until then, here are some practical steps we can take:
- Ensure that our default ransomware feeds are enabled, working, and have ingested recent threat intel data (check the Analytics page). Better yet, have the customer consider subscribing to one of the more highly curated STIX/TAXII feeds like ThreatStream, then integrate these into IntroSpect.
- Create a saved search (or rule) to look for SMB and RDP traffic that is happening outside of the local network, as these can provide C2 mechanisms in addition to a larger and more vulnerable attack surface. Example queries:
    app_id:SMB and (src_internal:no or dest_internal:no)
    app_id:RDP and (src_internal:no or dest_internal:no)
- Some of the newer ransomware variants (like Robbinhood) do NOT encrypt connected shares, so SMB or other share enumeration analytics will not see this. In fact with Robbinhood, it actually disconnects from any existing network shares and encrypts only the local drives. It’s possible that this (and other) variants are spread via PsExec, which we can detect with IntroSpect. Ensure that the default PSEXEC analytic is enabled in IntroSpect, and also consider increasing the severity of this to have a greater impact on any associated entities’ risk score, as the default value is only 10.
- Create a saved search (or rule) to look for DNS traffic to .bit top level domains. Some of these variants are using nslookup for C2 addresses, and our packet processor should be able to see this activity if we’re tapped in the right place. The query you can use for either a saved search or rule is:
    app_id:DNS and dns_name:*.bit
- Robbinhood (and possibly other variants) will deliberately stop the endpoint services from McAfee, Symantec, Sophos, and others, so while endpoint tools may not be able to detect any further activity, the servers for these products should detect when communication has been lost and generate an alert. Consider sending these alerts to IntroSpect via our third-party alert support to give additional context at this critical point in the kill chain. This is also a good reason why we need IntroSpect monitoring network traffic in the first place. Agents can easily be disabled – but the network doesn’t lie.
- There are some published IOCs for some of the newer ransomware variants (like Robbinhood). It is possible, although not likely, that we could detect these hashes via our packet processor, assuming object extraction is enabled and we have good visibility on network traffic. Note that this would only apply to unencrypted or decrypted traffic via http, so the likelihood of IntroSpect seeing these malware IOCs traverse the network is low - but not zero. An example query on the conversations page would look like this:
    object_hash:3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b"

I would also like to add the following points to Ronald's article:
- Aruba IntroSpect offers more than 16 supervised and unsupervised machine learning models to detect all the stages of a ransomware attack, thanks to IntroSpect's ability to look at network DPI, logs and IOCs.
- The new IntroSpect 2.5 offers, uniquely in the market, supervised machine learning to detect ransomware activities in near real time.
- In combination with ClearPass, Aruba offers a solution to rapidly isolate the source of the attack and prevent further propagation.
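To make the three saved searches from Ronald's list concrete (external SMB/RDP, DNS lookups for .bit domains, and a known-bad object hash), here is an added Python example that re-implements the same predicates over a handful of constructed conversation records. This is not IntroSpect code and does not use its API; the field names (app_id, src_internal, dest_internal, dns_name, object_hash) simply mirror the query syntax quoted above, the sample records are made up, and the only IOC in the feed is the hash given in the post. It is useful for checking, offline, that a query expresses what you think it does before saving it as a rule.

```python
"""Offline re-implementation of three IntroSpect-style saved searches
(external SMB/RDP, DNS to .bit TLDs, known-bad object hashes) over
constructed sample records. Not IntroSpect code; field names mirror the
query syntax quoted in the post."""
from fnmatch import fnmatchcase

# Hash quoted in the post; in practice this set is filled from a threat feed.
RANSOMWARE_HASHES = {
    "3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b",
}

# Constructed sample records (not real traffic), one dict per conversation.
SAMPLE_EVENTS = [
    {"id": 1, "app_id": "SMB", "src_internal": True, "dest_internal": True,
     "src": "10.0.0.5", "dst": "10.0.0.20"},
    {"id": 2, "app_id": "RDP", "src_internal": False, "dest_internal": True,
     "src": "198.51.100.7", "dst": "10.0.0.8"},
    {"id": 3, "app_id": "SMB", "src_internal": True, "dest_internal": False,
     "src": "10.0.0.9", "dst": "203.0.113.44"},
    {"id": 4, "app_id": "DNS", "src_internal": True, "dest_internal": False,
     "src": "10.0.0.9", "dst": "203.0.113.1", "dns_name": "update.example.bit"},
    {"id": 5, "app_id": "DNS", "src_internal": True, "dest_internal": False,
     "src": "10.0.0.9", "dst": "203.0.113.1", "dns_name": "bit.example.com"},
    {"id": 6, "app_id": "HTTP", "src_internal": True, "dest_internal": False,
     "src": "10.0.0.9", "dst": "203.0.113.77",
     "object_hash": "3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b"},
]


def external_smb_rdp(events):
    """app_id:SMB and (src_internal:no or dest_internal:no), likewise for RDP.
    A conversation is external as soon as either side is not internal."""
    return [e for e in events
            if e["app_id"] in ("SMB", "RDP")
            and not (e["src_internal"] and e["dest_internal"])]


def dns_bit_tld(events, pattern="*.bit"):
    """app_id:DNS and dns_name:*.bit, matched case-insensitively on the whole
    name, so 'bit.example.com' is not a hit but 'a.b.BIT' is."""
    return [e for e in events
            if e["app_id"] == "DNS"
            and fnmatchcase(e.get("dns_name", "").lower(), pattern)]


def ioc_hash_hits(events, hashes=RANSOMWARE_HASHES):
    """object_hash:<hash> for every hash in the feed. object_hash is only
    present when object extraction is on and the transport was in the clear."""
    return [e for e in events if e.get("object_hash", "").lower() in hashes]


def run_saved_searches(events):
    """Return {search_name: [event ids]} so hits can be reviewed or alerted on."""
    return {
        "external_smb_rdp": [e["id"] for e in external_smb_rdp(events)],
        "dns_bit_tld": [e["id"] for e in dns_bit_tld(events)],
        "ioc_hash": [e["id"] for e in ioc_hash_hits(events)],
    }


if __name__ == "__main__":
    for name, ids in run_saved_searches(SAMPLE_EVENTS).items():
        print(f"{name}: {ids}")
```

Run against the sample records, the external SMB/RDP search flags records 2 and 3 (one inbound RDP, one outbound SMB) and leaves the purely internal SMB session alone; the .bit search matches only record 4, because the wildcard is anchored to the end of the name; and the hash search matches record 6, which is the only one carrying an extracted object hash, illustrating the point in the post that this last search only fires on traffic that was visible in the clear.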