Addressing Ransomware Early With AI-Based Attack Detection

By Mahesh Popudesi, Senior Product Manager for IntroSpect at Aruba, a Hewlett Packard Enterprise company

Co-Authored by Abhijit Barde and Derek Gooley

Ransomware has evolved over the past few years. Today the target is not an individual but the critical data that drives a business. Once ransomware gets past a network's perimeter defenses, it no longer needs user intervention to spread across the company's internal infrastructure: it uses a range of methods to replicate without detection, and the damage it does can be devastating.

To keep up with the challenge of detecting new variants, Aruba’s threat research team detonates strains of newly discovered ransomware to study their network behavior. Aruba threat research and data science teams then collaborate to define behaviors and develop new ML-based analytics models to alert on the latest strains of ransomware before they do damage.

This includes the LockerGoga attack that recently crippled Norsk Hydro’s network, with estimated losses after one week of $40 million. The research team tested LockerGoga in our behavioral “sandbox” and found that IntroSpect’s existing suite of ransomware detection analytics was able to detect it without additional training or changes.

In other words, mature AI that is based on deep research and experience does help future-proof your defenses. Let's look at the ransomware kill chain and how IntroSpect can help you detect it at various attack stages.

IntroSpect Machine Learning Sees the Entire Ransomware Kill Chain

Like many attacks that reach the inside of a network, ransomware follows a well-understood kill chain. Traditional defenses that rely on signatures, rules and pattern matching can completely overlook these attacks, because they are specifically designed to elude exactly those techniques.

There are opportunities to detect and stop ransomware at each stage of the kill chain. Finding it early requires understanding how ransomware behaves on the network and building both supervised and unsupervised machine learning models that pick out small anomalies and specific attack behaviors. That in turn requires data sources that capture those telltale behaviors, and models designed to find them.

Aruba IntroSpect has a comprehensive suite of analytics that detects ransomware throughout the kill chain. In IntroSpect’s latest release 2.5, two additional ransomware detection models were added – Beaconing and SMB Network Share Encryption – which can generate alerts in near real time.
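To make the two behaviors named above concrete, here is an added illustration of the kind of network evidence each one leaves behind. This is not IntroSpect's code or its actual models, and the record formats, thresholds and telemetry are all constructed assumptions: beaconing shows up as one host contacting one destination at evenly spaced intervals (a low coefficient of variation of the gaps between connections), and share encryption shows up as one host writing and renaming far more files on an SMB share, far faster, than any user does.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data). Flow records: (seconds, src, dst, dst_port).
FLOWS = (
    # 10.0.0.5 contacts 203.0.113.7:443 about every 60 s: beacon-like
    [(t, "10.0.0.5", "203.0.113.7", 443)
     for t in (0, 60, 121, 180, 241, 300, 360, 421, 480, 540)]
    # 10.0.0.9 contacts 198.51.100.3:443 at irregular, user-driven times
    + [(t, "10.0.0.9", "198.51.100.3", 443)
       for t in (5, 12, 90, 95, 300, 310, 700)]
)

# Constructed SMB file-operation records: (seconds, src, share, op, path).
SMB_OPS = (
    # 10.0.0.5 overwrites 40 spreadsheets on FINANCE$ in 40 s and renames each one
    [(1000 + i, "10.0.0.5", "FINANCE$", "WRITE", f"/q1/report{i}.xlsx") for i in range(40)]
    + [(1000 + i, "10.0.0.5", "FINANCE$", "RENAME", f"/q1/report{i}.xlsx.locked") for i in range(40)]
    # 10.0.0.9 saves two spreadsheets five minutes apart: normal activity
    + [(1000, "10.0.0.9", "FINANCE$", "WRITE", "/q1/budget.xlsx"),
       (1290, "10.0.0.9", "FINANCE$", "WRITE", "/q1/forecast.xlsx")]
)


def beaconing_scores(flows, min_events=3):
    """Per (src, dst, port): (connection count, coefficient of variation of the
    inter-arrival times). A CV near 0 means the callbacks are evenly spaced,
    which is how a scheduled check-in differs from human browsing."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        by_key[(src, dst, port)].append(ts)
    scores = {}
    for key, times in by_key.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        scores[key] = (len(times), pstdev(gaps) / m if m else float("inf"))
    return scores


def smb_burst_scores(ops, window=60):
    """Per (src, share): (max distinct files written within any `window` seconds,
    number of RENAME operations). Bulk encryption produces a burst of writes
    plus a rename per file; ordinary editing does not."""
    writes = defaultdict(list)
    renames = defaultdict(int)
    for ts, src, share, op, path in ops:
        if op == "WRITE":
            writes[(src, share)].append((ts, path))
        elif op == "RENAME":
            renames[(src, share)] += 1
    scores = {}
    for key, events in writes.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):  # slide a window starting at each write
            seen = {p for t, p in events[i:] if t < t0 + window}
            best = max(best, len(seen))
        scores[key] = (best, renames[key])
    return scores


def detect(flows=FLOWS, ops=SMB_OPS, max_cv=0.1, min_beacons=6, min_files=20):
    """Apply illustrative (arbitrary, assumed) thresholds and return alert tuples."""
    alerts = []
    for (src, dst, port), (n, cv) in beaconing_scores(flows).items():
        if n >= min_beacons and cv < max_cv:
            alerts.append(("beaconing", src, f"{dst}:{port}", f"n={n} cv={cv:.3f}"))
    for (src, share), (files, ren) in smb_burst_scores(ops).items():
        if files >= min_files:
            alerts.append(("smb_share_encryption", src, share, f"files_in_window={files} renames={ren}"))
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(*alert)
```

Run as-is, it raises exactly two alerts, both for 10.0.0.5, and stays silent for the browsing and editing host. The fixed thresholds are only there to make the example self-contained; in a production model the baselines come from each host's own history, which is the point of the unsupervised side of the approach.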

Beyond detection, IntroSpect has a wide range of threat prioritization, investigation and response orchestration features.

Staying on top of emerging behavior—the power of AI maturity

Based on experience with AI-based solutions across network operations, user experience and security, we have found that even finely tuned machine learning models need to keep current with the latest ransomware behavioral trends. For that reason we update IntroSpect's machine learning models frequently.

If you have mature, scalable AI-based analytics in your security ecosystem, you have a much better chance of seeing attacks like ransomware before you have to pay the piper.