This story comes to you as part 3 of 4 in our Ransomware Detection series, in which we explore how to analyze and protect your Qumulo data at cloud scale. In parts 1 and 2, we examined how to detect ransomware access patterns with Qumulo and Azure Sentinel, and then described two additional methods for ransomware detection with data correlation. In part 3 below, we discuss how to use external Threat Intelligence data to support data correlation.
In part 2 of this series on ransomware detection, we used static tables such as blacklists or other lookup tables for data correlation with incoming Qumulo Audit events. In this article, we present a few simple examples that use external Threat Intelligence sources for data correlation. As a reminder, the following image illustrates the ransomware detection workflow.
Detecting ransomware in real time
As noted earlier in this series, potential ransomware threats or other suspicious activities must be detected before they can cause any damage. One of the ways to achieve this is to use the Automated Indicator Sharing (AIS) provided by the industry.
AIS enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect participants and, ultimately, reduce the prevalence of cyber attacks. AIS uses an open standard data format, called Structured Threat Information Expression (STIX™), and the Trusted Automated Exchange of Indicator Information (TAXII™) protocol for machine-to-machine communication.
How to bring Threat Intelligence into an Azure Sentinel workspace
Azure Sentinel can subscribe to STIX feeds using the built-in TAXII connector. There are many open-source feeds as well as professional feeds available. We will use Anomali's Limo ThreatStream feed to bring Threat Intelligence into our Sentinel workspace and correlate the data with our audit events.
Using curl, we can get a list of the feeds provided by limo.anomali.com:
curl -u guest https://limo.anomali.com/api/v1/taxii2/feeds/collections/
{"collections": [
  {"can_read": true, "can_write": false, "description": "", "id": "107", "title": "Phish Tank"},
  {"can_read": true, "can_write": false, "description": "", "id": "135", "title": "Abuse.ch Ransomware IPs"},
  {"can_read": true, "can_write": false, "description": "", "id": "136", "title": "Abuse.ch Ransomware Domains"},
  {"can_read": true, "can_write": false, "description": "", "id": "150", "title": "DShield Scanning IPs"},
  {"can_read": true, "can_write": false, "description": "", "id": "200", "title": "Malware Domain List - Hotlist"},
  {"can_read": true, "can_write": false, "description": "", "id": "209", "title": "Blutmagie TOR Nodes"},
  {"can_read": true, "can_write": false, "description": "", "id": "31", "title": "Emerging Threats C&C Server"},
  {"can_read": true, "can_write": false, "description": "", "id": "33", "title": "Lehigh Malwaredomains"},
  {"can_read": true, "can_write": false, "description": "", "id": "41", "title": "CyberCrime"},
  {"can_read": true, "can_write": false, "description": "", "id": "68", "title": "Emerging Threats - Compromised"}
]}
How to subscribe to a Threat Intelligence feed
To subscribe to one of the Threat Intelligence feeds listed above, let's walk through a few quick steps in Azure Sentinel. In Sentinel, follow these steps:
- Click Data connectors
- Enter "Taxii" in the search field
- Select Threat Intelligence - TAXII
- Enter the feed details from the list above
For example, if you want to subscribe to the Emerging Threats C&C Server feed, you would enter the following information in the dialog:
This adds the feed to your workspace. After just a few seconds, you can see the received TI data.
Select "Threat Intelligence" in the navigation pane to display your TI events:
You can query the Threat Intelligence data with the following query:
ThreatIntelligenceIndicator
| project TimeGenerated, Action, Description, NetworkIP, Url, SourceSystem
An output example is shown in the next figure:

How to correlate Qumulo events with Threat Intelligence data
Now, as we feed the Threat Intelligence into our Azure Sentinel workspace, we can correlate the data and check all Qumulo filesystem activity. For example, we could look for connections to any known bad IP address from our different feeds with the following query:
let timerange = 15min;
let MalIpList = (ThreatIntelligenceIndicator | where Description contains "mal_ip" | project NetworkIP);
QumuloAuditEvents
| where ClientIP in (MalIpList)
This query will result in a list of all activities that any Qumulo node had with one of the bad known addresses from the intelligence feeds.
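As an added example (not code from the original post or from Qumulo), the following Python script does offline what the TAXII feed and the correlation query above do together: it pulls the IPv4 indicators out of a STIX 2 bundle such as one served by a TAXII collection, drops revoked or expired indicators, and matches the client IP of Qumulo audit events against them, including CIDR-range indicators. The bundle contents, the event field names and all addresses are constructed for the example and are not taken from a real feed or from the Qumulo audit log format.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Every ipv4-addr comparison inside a STIX 2 pattern string, e.g.
# "[ipv4-addr:value = '203.0.113.5'] OR [ipv4-addr:value = '198.51.100.0/24']"
IPV4_VALUE = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")

def extract_ip_indicators(bundle, now):
    """Return ip_network objects for the active IPv4 indicators in a STIX bundle."""
    nets = []
    for obj in bundle.get("objects", []):
        # Skip revoked indicators and those whose valid_until has already passed,
        # as a TAXII consumer should before turning a feed into a blocklist.
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) < now:
            continue
        for value in IPV4_VALUE.findall(obj.get("pattern", "")):
            nets.append(ipaddress.ip_network(value, strict=False))  # /32 or CIDR
    return nets

def correlate(events, nets):
    """Return the audit events whose client_ip falls inside any indicator network."""
    return [ev for ev in events
            if any(ipaddress.ip_address(ev["client_ip"]) in net for net in nets)]

# Constructed sample bundle: two live indicators, one revoked, one expired.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"type": "indicator",
     "pattern": "[ipv4-addr:value = '198.51.100.0/24'] OR [domain-name:value = 'bad.example']"},
    {"type": "indicator", "revoked": True, "pattern": "[ipv4-addr:value = '192.0.2.9']"},
    {"type": "indicator", "valid_until": "2020-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '192.0.2.10']"},
]}

# Constructed Qumulo-style audit events; field names are simplified for the example.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T10:00:00Z", "client_ip": "10.0.0.4", "op": "fs_write_data", "path": "/home/a.docx"},
    {"ts": "2021-03-01T10:00:01Z", "client_ip": "203.0.113.5", "op": "fs_read_data", "path": "/finance/q1.xlsx"},
    {"ts": "2021-03-01T10:00:02Z", "client_ip": "198.51.100.77", "op": "fs_rename", "path": "/home/b.docx.locked"},
    {"ts": "2021-03-01T10:00:03Z", "client_ip": "192.0.2.9", "op": "fs_read_data", "path": "/home/c.txt"},
    {"ts": "2021-03-01T10:00:04Z", "client_ip": "192.0.2.10", "op": "fs_read_data", "path": "/home/d.txt"},
]

def run_sample():
    """Correlate the sample events against the sample feed as of 2021-03-01."""
    return correlate(SAMPLE_EVENTS, extract_ip_indicators(SAMPLE_BUNDLE, datetime(2021, 3, 1, tzinfo=timezone.utc)))
```

Only the two events from live indicators (one exact address, one inside the /24 range) are returned; the revoked and expired indicators produce no hits even though matching events exist.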
This is a good example of where we would need to start automation. If the above query showed any positive results, we would like to automatically create an alert and an incident, and potentially fire up an automated response. In this case the assigned data security analyst would investigate whether this IP address had ever shown up earlier in our environment and take action if it had.
In any case, we would update the rules in our firewall(s) so that this address gets totally blocked out. This is a good example of preventive action. Even though this IP address had (hopefully) never contacted our network, we’d block it in advance because we know (from the TI feed) it’s related to malware activities.
Note: it would make a lot of sense to not only correlate Qumulo events against Threat Intelligence data. In fact, running those correlations and the (automated) responses against client events, firewall events and Active Directory events makes even more sense! You would uncover these malicious connections much earlier. Also, you may want to look for malicious URLs on your firewall, internet gateway or HTTP proxy server to block these sites before any user can try to access them.
How to use Machine Learning to detect ransomware and suspicious anomalies
Azure Sentinel has some Analytic Rules that use Machine Learning (ML) to uncover anomalies or detect ransomware in your data storage environment. Microsoft has introduced a new rule type, called Anomaly, for this purpose. You don’t need to worry about managing the ML run-time environment for suspicious anomalies, because Azure Sentinel takes care of everything behind the scenes.
You can find these rules in Azure Sentinel in the Analytics tab, and it seems Microsoft is adding more over time. These rules use ML to train a model for a couple of days to set the baseline for usual conditions. This could be network traffic patterns, login patterns in Azure Active Directory (Azure AD), firewall alarms, web requests, and more. The parameters of the pre-defined rules can be modified to balance the noise level to a meaningful level.
The algorithms in the pre-defined rules are not trained for Qumulo events. However, using them with events from other sources—such as Azure AD or firewalls—improves ransomware detection, and reduces investigation and threat hunting time.
Following are the 3 main use cases for using machine learning to detect ransomware.
1. Additional signals to improve ransomware detection
Data security analysts can use anomalies to detect new threats and make existing detections more effective. A single anomaly is not a strong signal of malicious behavior, but when combined with several anomalies that occur at different points on the cyber kill chain, their cumulative effect is much stronger. Security analysts can enhance existing detections as well by making the unusual behavior identified by anomalies a condition for alerts to be fired.
2. Evidence during investigations
Data security analysts also can use anomalies during investigations to help confirm a breach, find new paths for investigating it, and assess its potential impact. For example, when investigating an incident that involves a user and an IP address, a security analyst can query the user and the IP address in the "Anomalies" table to find out other anomalous activities performed by that user and that happened on that IP address. These data help security analysts reduce the time spent on investigations.
3. The start of proactive threat hunts
Threat hunters can use anomalies as context to help determine whether their queries have detected suspicious behavior. When the behavior is suspicious, the anomalies also point toward potential paths for further hunting. These clues provided by anomalies reduce both the time to detect a threat and its chance to cause harm.
We just reviewed how to run queries to detect ransomware and other suspicious activities. Next, we'll show you how to automate these ransomware detection queries in Azure Sentinel.
Qumulo Recover Q: Disaster recovery solution to help guard against ransomware
Qumulo Audit logs can be used via syslog with any SIEM solution for detection.
We also offer Qumulo Recover Q—a flexible cloud-based disaster recovery solution that fits into any existing business continuity strategy. Active protection features help ensure data safety and integrity, while built-in snapshot and cloud replication features add layers of defense against real-world threats that could compromise your data or operations.
Using Recover Q in the cloud can help optimize your company's spending for business continuity by reducing on-premises costs in favor of an on-demand, cloud-native service.
Further Reading
Have a look at our two white papers to learn more about ransomware detection with Qumulo audit data and SIEM platforms, and the built-in data services (Qumulo Protect and Qumulo Secure) that come standard with your Qumulo software subscription:
- Security Architecture and Best Practices to Counter Malware
- Threat Hunting with Qumulo Audit and Azure Sentinel