SECNOLOGY : Challenges of using SIEM to detect ransomware

Ransomware is clearly on the rise. Businesses small and large are increasingly becoming targets of advanced ransomware activity. Regrettably, most security experts don’t have enough hands-on experience with ransomware in professional environments to halt the spread of an infection. This article looks at some of the difficulties security teams encounter when trying to use SIEM correlation rules to pinpoint behavior and activity related to ransomware infections.

Zooming away for increased visibility

Recently, the popularity of this attack technique among hacker groups has prompted members of the security community to publish several blog posts that analyze specific ransomware binaries and report their conclusions. Unfortunately, these binaries change frequently, and a single binary file provides only one piece of the large and complex ransomware puzzle. With this in mind, SECNOLOGY’s threat research team has taken a different approach to investigating ransomware.

The 6 steps of the ransomware kill chain

These steps recur across all the strains we tested and remain consistent even as a particular strain is rearranged or improved.

– Distribution operation – hackers use techniques such as social engineering and compromised websites to deceive or coerce users into downloading a dropper that triggers the infection.
– Malicious code infection – the dropper downloads an executable that installs the ransomware itself.
– Malicious payload installation – the ransomware installs itself, integrates itself into the system and establishes persistence so that it survives a reboot.
– Scanning – the ransomware looks for files to encrypt, both locally and on resources accessible over the network.
– Encryption – the detected files are encrypted.
– Payday – a ransom note is created and displayed to the victim, and the hacker waits for payment.

Detectable behavior of ransomware

For each step in the ransomware kill chain, there are actions that leave traces in logs, but linking them to ransomware itself can be problematic. It is hard to create SIEM correlation rules that recognize the early warning signs of ransomware, because SIEMs traditionally lack the context needed to correctly identify and link anomalies. The context needed to piece together the ransomware story from these logging artifacts comes from analysis of user behavior.

As an example, here is one observable ransomware behavior from the analysis: a process running from a temporary location, or a known process running from a new location, reads or deletes large numbers of files.

Without an understanding of how the affected user typically behaves, it is difficult to design meaningful detection logic that does not generate false positives, although a false positive is still better than an undetected true positive. For example, a static threshold on the number of files read or deleted cannot take into account a user’s tasks, the department they belong to, or what they usually do in their daily activities.

Here are some contextual questions that behavioral modeling can answer and that would vastly improve detection and precision:
– What is the normal number of files that the user or their peers read/modify/delete?
– Is this process usually run by the user or their peers?
– Is this the normal location of the executable file for this process?
– Does the process have access to network resources it does not typically use?

A User and Entity Behavior Analytics (UEBA) solution automatically collects this missing context by examining existing SIEM data or ingesting logs directly, then submitting them to the data science tenant. Machine learning and behavioral modeling establish what normal and abnormal look like for the users and entities involved. This level of context makes it fast and easy to discover unusual behavior, such as that associated with ransomware.
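To make the difference between a static threshold and a behavioral baseline concrete, here is an added example (not SECNOLOGY’s code) that scores the "process reads/deletes many files" indicator described above against a per-user, per-process baseline and against the process’s known executable locations. The history records, user names, paths and the 500-file static threshold are all constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Path fragments treated as "temporary locations" (assumed list).
TEMP_DIRS = ("/tmp/", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed history: one record per (user, process, exe_path, files deleted that day).
HISTORY = [
    ("alice", "explorer.exe", r"C:\Windows\explorer.exe", 40),
    ("alice", "explorer.exe", r"C:\Windows\explorer.exe", 55),
    ("alice", "explorer.exe", r"C:\Windows\explorer.exe", 45),
    ("bob", "build.exe", r"C:\Tools\build.exe", 900),    # bob's build job deletes a lot
    ("bob", "build.exe", r"C:\Tools\build.exe", 1100),
    ("bob", "build.exe", r"C:\Tools\build.exe", 1000),
]

def static_rule(event, threshold=500):
    """The naive SIEM rule: flag any day with more than `threshold` deletes."""
    return event[3] > threshold

def build_baseline(history):
    """Per-(user, process) mean and std dev of daily deletes, plus the set of
    executable paths previously seen for each process name."""
    counts, paths = defaultdict(list), defaultdict(set)
    for user, proc, path, n in history:
        counts[(user, proc)].append(n)
        paths[proc].add(path.lower())
    stats = {key: (mean(v), pstdev(v)) for key, v in counts.items()}
    return stats, paths

def score_event(event, stats, paths, static_threshold=500, z=3.0):
    """Return the reasons an event looks ransomware-like (empty list = benign).
    Uses the behavioral baseline when one exists and falls back to the
    static threshold only for user/process pairs never seen before."""
    user, proc, path, n = event
    path_l, reasons = path.lower(), []
    if any(t in path_l for t in TEMP_DIRS):
        reasons.append("process running from temporary location")
    elif proc in paths and path_l not in paths[proc]:
        reasons.append("known process in a new location")
    key = (user, proc)
    if key in stats:
        mu, sigma = stats[key]
        if n > mu + z * max(sigma, 1.0):   # floor sigma so a flat history still has a band
            reasons.append(f"{n} deletes vs baseline {mu:.0f}±{sigma:.0f}")
    else:
        reasons.append("no baseline for this user/process pair")
        if n > static_threshold:
            reasons.append("exceeds static threshold")
    return reasons
```

With this data, bob’s routine 1,050-file build day trips the static rule but not the baseline, while alice deleting 400 files through explorer.exe passes the static rule and is caught by her baseline.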

SECNOLOGY continuously monitors and evaluates security risks reported in the industry and the news. Once a major attack is reported, SECNOLOGY makes its best effort to take immediate action to verify the security of its systems and code. This was done after the SolarWinds attack and was repeated during that attack. We are also working hard to continually confirm that all of our patches and security protocols are up to date. Unfortunately, ransomware and blockchain attacks will continue for a long time. That’s why SECNOLOGY will remain vigilant and committed to finding ways to improve how we help our customers, partners and industry organizations prepare.
