HPE Aruba Networking Blogs

Ransomware Decoded: Five Keys To Detect Stealthy Attack Signals Early

By Ron Kent, National Cyber Security Senior Systems Engineer

Although ransomware has been a threat for 30 years, it’s dramatically different and increasingly dangerous today. There’s been an uptick in customers expressing concern about it especially given recent incidents where a large ransom was paid or an enormous cost was incurred to remediate an existing infection.

In this blog post, we will discuss why it’s still a threat, Aruba's approach to detecting ransomware and how this is different from other solutions you may know of.

One reason ransomware has spanned multiple decades is because authors are constantly changing their tactics, techniques and procedures (TTPs). For example,

  • Some ransomware variants exploit EternalBlue (CVE-2017-0144) and use these SMB vulnerabilities to propagate through the network on unpatched Windows machines. Other variants use vulnerabilities in RDP to propagate, and the list goes on.
  • More recently, there’s concern that the BlueKeep vulnerability (CVE-2019-0708) could be used similarly, although an attack using this method hasn't been confirmed yet.
  • To further compound the problem, newer ransomware variants (like Robbinhood) will immediately try to stop over 180 Windows services for antivirus and other agents that could either be used to detect the malware or prevent the encryption of the drive.

What can you trust to give you timely and reliable signals of infection?

While there are no magic bullets to staying ahead of the bad guys and detecting the ransomware du jour, Aruba IntroSpect has an effective way to address ransomware with a layered defense and machine learning as the foundation.

When IntroSpect was initially developed, we kept in mind that while agents can be disabled and logs can be altered by either malware or malicious insiders, the network doesn't lie. So, a majority of our analytics utilize L4-L7 Deep Packet Inspection to address this very real challenge.

Detecting Ransomware
Let’s walk through a few examples of how IntroSpect uses multiple mechanisms – including ransomware specific analytics – that all work in concert throughout the kill chain to detect manifestations of malware or ransomware infections on the network.

  1. STIX / TAXII Threat Intelligence Feeds. Sometimes it's just basic blocking and tackling that's needed. IntroSpect uses third-party STIX / TAXII compatible threat intelligence feeds in order to strafe through network traffic and find known command and control and malware hosting sites.
  2. Email Attachment Spoofing. Since email is one of the most common vectors of infection, IntroSpect looks at the attachment name of emails for evidence of spoofing.
  3. Detecting Beacons. An IntroSpect supervised machine learning algorithm looks for regular, low and slow communication between an infected host and a potential C2 domain. This may indicate malware (including ransomware) communicating to the attacker to download further instructions or files.
  4. Host/Port Scan. An IntroSpect unsupervised machine learning algorithm looks for an abnormal number of unique internal IPs or ports accessed by a host. This uses both historical and peer baselines for comparison.
  5. Network share encryption. One of IntroSpect's newest analytics detects evidence of network share encryption. This is a supervised machine learning algorithm that has been trained in Aruba's Threat Labs on file system activity of a large array of ransomware families.This analytic generalizes to new and previously unseen malware variants, without signatures or rules, by learning hidden patterns of file system activity that indicate the likelihood of an infection.

Both rapid detection and response are essential to stop ransomware before it does damage. When IntroSpect is integrated with Aruba ClearPass Policy Manager and any of the above analytics fired or there was increase in risk score indicating an active ransomware attack, ClearPass could take an immediate policy-based action to quarantine the user or device and possibly prevent any lateral movement, sensitive data access, or data exfiltration. This alone can keep one infected machine from becoming a thousand.

IntroSpect is a powerful platform for surfacing the subtle signs of malware and ransomware from the sea of IT and network data that it continuously ingests and monitors. IntroSpect arms the SOC team with purpose-built threat analytics that span the entire kill chain. Additionally, the ransomware-specific analytics can generalize to new variants without signatures, scripts, rules or other hardcoded means that depend on prior knowledge. And once ransomware is detected, the SOC team can stop it in its tracks by taking immediate action with ClearPass Policy Manager to contain it and prevent it from spreading even further.

Get more information on how IntroSpect detects and remediates ransomware.

Get more information on ClearPass.