Written by Mahesh Popudesi
Ransomware has evolved over the past few years. Today the
target is not an individual, but the critical data that drives businesses. Once
ransomware infiltrates a network perimeter's defenses, it doesn't need to rely
on user intervention to spread across a company's internal infrastructure. It
uses a range of methods to replicate without detection and the damage it does
can be devastating.
To keep up with the challenge of detecting new variants,
Aruba's threat research team detonates strains of newly discovered ransomware
to study their network behavior. Aruba threat research and data science teams
then collaborate to define behaviors and develop new Machine Learning
(ML)-based analytics models to alert on the latest strains of ransomware before
they do damage.
This includes the LockerGoga attack that recently
crippled Norsk Hydro's network, with estimated losses after one week of $40
million. Our research team tested LockerGoga in our behavioral
"sandbox" and found that our existing suite of ransomware detection
analytics was able to detect it without additional training or changes. In
other words, mature AI that is based on deep research and experience does help
future-proof Enterprise defenses.
Let's look at the ransomware kill chain and how it can be
detected at various attack stages.
Machine Learning Sees the Entire Ransomware Kill Chain
Like many attacks that reach the inside of a network,
ransomware follows a well-understood kill chain. Traditional security defenses
that rely on signatures, rules and pattern matching can completely overlook these
stealthy attacks, which are specifically designed to elude those techniques.
There are opportunities to detect and stop ransomware at
each stage of the kill chain. It is only by understanding the behavior of
ransomware and building both supervised
and unsupervised
machine learning models to find small anomalies and specific attack behaviors
that the exploit can be found early in the kill chain. To do so requires unique
data sources and machine learning models to find these telltale behaviors or
mechanisms.
Enterprises are best served with a comprehensive suite of
analytics that detects ransomware throughout the kill chain. Two additional
ransomware detection models, Beaconing and SMB Network Share Encryption, are
also available to Enterprises and can generate alerts in near real time. Beyond
detection, Enterprises will want a wide range of threat prioritization,
investigation and response orchestration features.
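To make the "SMB Network Share Encryption" behavior concrete, here is an added example (not Aruba's or IntroSpect's code) of the kind of near-real-time check such a model performs: it watches a sliding window of SMB file-audit events per client and alerts when one client touches many distinct files on a share while most of its renames change the file extension, the footprint of a host encrypting a share in place. The log format, thresholds and sample records are constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed SMB file-audit lines (hypothetical format, not a real product log):
# timestamp  client_ip  share  operation  path [new_path]
SAMPLE_LOG = """\
2019-03-19T08:00:00 10.0.0.21 fs1/finance WRITE Q1/budget.xlsx
2019-03-19T08:00:01 10.0.0.21 fs1/finance RENAME Q1/budget.xlsx Q1/budget.xlsx.locked
2019-03-19T08:00:01 10.0.0.21 fs1/finance WRITE Q1/forecast.docx
2019-03-19T08:00:02 10.0.0.21 fs1/finance RENAME Q1/forecast.docx Q1/forecast.docx.locked
2019-03-19T08:00:02 10.0.0.21 fs1/finance WRITE Q1/payroll.csv
2019-03-19T08:00:03 10.0.0.21 fs1/finance RENAME Q1/payroll.csv Q1/payroll.csv.locked
2019-03-19T08:00:03 10.0.0.21 fs1/finance WRITE Q2/plan.pptx
2019-03-19T08:00:04 10.0.0.21 fs1/finance RENAME Q2/plan.pptx Q2/plan.pptx.locked
2019-03-19T08:00:05 10.0.0.21 fs1/finance WRITE README.txt
2019-03-19T08:00:10 10.0.0.37 fs1/finance WRITE Q1/notes.txt
2019-03-19T08:05:00 10.0.0.37 fs1/finance RENAME Q1/notes.txt Q1/notes_v2.txt
2019-03-19T08:09:00 10.0.0.37 fs1/finance WRITE Q1/notes_v2.txt
"""

WINDOW_SECONDS = 60         # length of the per-client sliding window
MIN_FILES = 5               # distinct files touched inside the window
MIN_EXT_CHANGE_RATIO = 0.5  # share of renames that changed the extension

def parse(log):
    """Yield (timestamp, client, operation, [paths]) for each audit line."""
    for line in log.splitlines():
        parts = line.split()
        yield datetime.fromisoformat(parts[0]), parts[1], parts[3], parts[4:]

def ext(path):
    return path.rsplit('.', 1)[-1] if '.' in path else ''

def detect_share_encryption(log, window=WINDOW_SECONDS,
                            min_files=MIN_FILES, min_ratio=MIN_EXT_CHANGE_RATIO):
    """Return {client: start of the first window that tripped the alert}."""
    recent = defaultdict(deque)   # client -> events inside the current window
    alerts = {}
    for ts, client, op, paths in parse(log):
        q = recent[client]
        q.append((ts, op, paths))
        while (ts - q[0][0]).total_seconds() > window:   # expire old events
            q.popleft()
        files = {p[0] for _, _, p in q}                   # source path of each op
        renames = [p for _, o, p in q if o == 'RENAME']
        changed = sum(1 for src, dst in renames if ext(src) != ext(dst))
        ratio = changed / len(renames) if renames else 0.0
        if len(files) >= min_files and ratio >= min_ratio and client not in alerts:
            alerts[client] = q[0][0]
    return alerts
```

The normal editing pattern from 10.0.0.37 never accumulates enough distinct files in one window, so only the mass-rename client is reported.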
Staying on top of emerging behavior - the power of AI maturity
Based on experience with AI-based solutions across network
operations, user experience and security, we have found that even finely tuned
machine learning models need to keep current with the latest ransomware
behavioral trends, so we update our machine learning models frequently.
If you have mature, scalable AI-based analytics in your
security ecosystem, you have a much better chance of seeing attacks like
ransomware before you have to pay the piper.
About the Author
Mahesh Popudesi is
a Senior Product Manager for IntroSpect UEBA at Aruba-HPE. He works on building
threat and anomaly detection analytics to protect networks against insider
threats as well as external threats that bypass perimeter security. He has
nearly two decades of experience in computer networks and their security.