Addressing Ransomware Early With AI-Based Attack Detection

Written by Mahesh Popudesi

Ransomware has evolved over the past few years. Today the target is not an individual, but the critical data that drives businesses. Once ransomware infiltrates a network perimeter's defenses, it doesn't need to rely on user intervention to spread across a company's internal infrastructure. It uses a range of methods to replicate without detection and the damage it does can be devastating.

To keep up with the challenge of detecting new variants, Aruba's threat research team detonates strains of newly discovered ransomware to study their network behavior. Aruba threat research and data science teams then collaborate to define behaviors and develop new Machine Learning (ML)-based analytics models to alert on the latest strains of ransomware before they do damage.

This includes the LockerGoga attack that recently crippled Norsk Hydro's network, with estimated losses after one week of $40 million. Our research team tested LockerGoga in our behavioral "sandbox" and found that our existing suite of ransomware detection analytics was able to detect it without additional training or changes. In other words, mature AI that is based on deep research and experience does help future-proof Enterprise defenses.

Let's look at the ransomware kill chain and how it can be detected at various attack stages.

Machine Learning Sees the Entire Ransomware Kill Chain

Like many attacks that reach the inside of a network, ransomware follows a well-understood kill chain. Traditional security defenses that rely on signatures, rules and pattern matching can completely overlook these stealthy attacks that are specifically designed to elude these techniques.

There are opportunities to detect and stop ransomware at each stage of the kill chain. It is only by understanding the behavior of ransomware and building both supervised and unsupervised machine learning models to find small anomalies and specific attack behaviors that the exploit can be found early in the kill chain. To do so requires unique data sources and machine learning models to find these telltale behaviors or mechanisms.

Enterprises are best served with a comprehensive suite of analytics that detects ransomware throughout the kill chain. Two additional ransomware detection models are available to Enterprises - Beaconing and SMB Network Share Encryption - which can generate alerts in near real time. Beyond detection, Enterprises will want a wide range of threat prioritization, investigation and response orchestration features.
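To make the two behaviors named above concrete, here is an added example (not IntroSpect's or Aruba's code, and not part of the original article) that applies two simple behavioral rules to constructed log lines: a beaconing rule that flags a source/destination pair whose connection intervals are unusually regular (low coefficient of variation), and a share-encryption rule that flags a host writing a burst of high-entropy files to one SMB share inside a short window. The log format, the per-file entropy field, the thresholds (five events, CV below 0.1, entropy at or above 7.5 bits per byte, five writes in 60 seconds) and all hosts and shares are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log (not real telemetry): "timestamp src dst port".
# 10.0.0.5 contacts the same external IP roughly every 60 s (beacon-like);
# 10.0.0.7 contacts its destination at irregular, human-like intervals.
CONN_LOG = """\
2019-05-20T08:00:00 10.0.0.5 203.0.113.9 443
2019-05-20T08:01:01 10.0.0.5 203.0.113.9 443
2019-05-20T08:02:00 10.0.0.5 203.0.113.9 443
2019-05-20T08:03:02 10.0.0.5 203.0.113.9 443
2019-05-20T08:04:00 10.0.0.5 203.0.113.9 443
2019-05-20T08:05:01 10.0.0.5 203.0.113.9 443
2019-05-20T08:00:10 10.0.0.7 198.51.100.4 443
2019-05-20T08:00:45 10.0.0.7 198.51.100.4 443
2019-05-20T08:07:30 10.0.0.7 198.51.100.4 443
2019-05-20T08:31:00 10.0.0.7 198.51.100.4 443
2019-05-20T08:31:05 10.0.0.7 198.51.100.4 443
2019-05-20T09:10:00 10.0.0.7 198.51.100.4 443
"""

# Constructed SMB file-event log: "timestamp host share op path entropy_bits_per_byte".
# Encrypted output is close to 8 bits/byte; ordinary office files are far lower.
SMB_LOG = r"""
2019-05-20T08:10:00 10.0.0.5 \\fs01\finance WRITE q1.xlsx.locked 7.97
2019-05-20T08:10:03 10.0.0.5 \\fs01\finance WRITE q2.xlsx.locked 7.98
2019-05-20T08:10:06 10.0.0.5 \\fs01\finance WRITE budget.docx.locked 7.96
2019-05-20T08:10:09 10.0.0.5 \\fs01\finance WRITE payroll.csv.locked 7.99
2019-05-20T08:10:12 10.0.0.5 \\fs01\finance WRITE forecast.pptx.locked 7.95
2019-05-20T08:10:15 10.0.0.5 \\fs01\finance WRITE notes.txt.locked 7.94
2019-05-20T08:12:00 10.0.0.7 \\fs01\finance WRITE memo.docx 4.61
2019-05-20T08:40:00 10.0.0.7 \\fs01\finance WRITE plan.xlsx 5.02
"""


def parse_conn_log(text):
    """Return (timestamp, src, dst, port) tuples from the constructed format."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows


def detect_beaconing(records, min_events=5, max_cv=0.1):
    """Flag src/dst pairs whose inter-connection intervals are nearly constant.

    Coefficient of variation (stdev / mean) of the intervals is the regularity
    score; machine-scheduled check-ins cluster near zero, browsing does not.
    Returns {(src, dst): cv} for flagged pairs.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port in records:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = round(cv, 4)
    return flagged


def parse_smb_log(text):
    """Return (timestamp, host, share, op, path, entropy) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, host, share, op, path, entropy = line.split()
        rows.append((datetime.fromisoformat(ts), host, share, op, path, float(entropy)))
    return rows


def detect_share_encryption(events, window_s=60, min_writes=5, min_entropy=7.5):
    """Flag (host, share) pairs with a burst of high-entropy writes.

    Uses a sliding window over the sorted timestamps of qualifying writes and
    reports the peak number of such writes seen inside any window_s span.
    Returns {(host, share): peak_count} for flagged pairs.
    """
    hot = defaultdict(list)
    for ts, host, share, op, _path, entropy in events:
        if op == "WRITE" and entropy >= min_entropy:
            hot[(host, share)].append(ts)
    alerts = {}
    for key, times in hot.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_writes:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    print("beaconing:", detect_beaconing(parse_conn_log(CONN_LOG)))
    print("share encryption:", detect_share_encryption(parse_smb_log(SMB_LOG)))
```

Both rules are deliberately simple: in a production model the thresholds would be learned per host and per share from a baseline rather than fixed, and the entropy value would be computed from the written bytes rather than read from a field. The point they illustrate is the one the article makes: the signal is in the behavior (regular timing, a burst of unreadable output) rather than in any signature of the binary.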

Staying on top of emerging behavior: the power of AI maturity

Based on experience with AI-based solutions across network operations, user experience and security, we have found that even finely tuned machine learning models need to keep current with the latest ransomware behavioral trends, so we update our machine learning models frequently.

If you have mature, scalable AI-based analytics in your security ecosystem, you have a much better chance of seeing attacks like ransomware before you have to pay the piper.


About the Author

Mahesh Popudesi 

Mahesh Popudesi is a Senior Product Manager for IntroSpect UEBA at Aruba-HPE. He works on building threat and anomaly detection analytics to protect networks against insider threats as well as external threats that bypass the perimeter security. He has nearly two decades in the domain of computer networks and their security.

Published Monday, May 20, 2019 7:23 AM by David Marshall