Ransomware Detection Using Threat Intelligence Feeds with Extended Security Management (ESM)
- Pavan Raja
- Apr 9, 2025
Summary:
This document discusses using Enhanced Security Management (ESM) with Threat Intelligence feeds to detect ransomware in a company's network. Ransomware is malware that encrypts files, making them inaccessible unless a ransom is paid. The article suggests several prevention strategies such as layered protection, antivirus software, and security awareness training. To specifically detect ransomware, the document recommends using ArcSight Activate Framework or creating custom ESM content. This involves identifying, collecting, and updating known Ransomware entities from sources like RansomwareTracker every 10 minutes. These data are imported into ESM in various ways such as via a flex connector that updates IP addresses to active lists. Filters based on inbound/outbound communications help track ransomware activities. Active Lists contain indicators of ransomware, and rules match these against known IOCs. A Ransomware Dashboard provides detailed statistics about the attacks. Additional data processing settings and labels enhance threat detection. This setup helps in proactive identification and detailed analytics of ransomware within a company's network.
Details:
This article summarizes the Micro Focus Community post "Ransomware Detection using Threat Intelligence feeds with ESM". Ransomware is a common type of malware that encrypts user files, making them unavailable until the victim pays a ransom for the decryption key. Social engineering is often used in the infection process.
Common infection vectors include malicious email attachments, compromised websites, and malvertising. The article highlights several best practices for prevention: implementing layered protection with firewalls, IDS/IPS systems, antivirus software, and security awareness programs to educate users about social engineering threats. Keeping systems updated and having backup procedures are also important factors in minimizing risks.
The article then focuses on using threat intelligence data, either through the ArcSight Activate Framework or by building custom ESM content, to detect ransomware network communications. The first step is to identify known ransomware entities from a threat intelligence source, collect them, and update them periodically. The article provides a sample script that downloads ransomware lists (IPs, hosts, domains) from RansomwareTracker every 10 minutes.
Once downloaded, the data can be imported into ESM in several ways: manually via the ArcSight Console, or automatically using a flex connector that reads the downloaded CSV file and maps the IP addresses to the destination address field. A lightweight rule then writes this data to an active list.
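The ingestion step described above (periodic download, parsing, and a CSV the flex connector can read) as an added Python example. This is not the article's script and not RansomwareTracker's real feed format: the feed layout, the column names of the connector CSV, and the `refresh_if_due` / `render_connector_csv` helper names are assumptions, and the feed text is a constructed sample. The part worth copying is the sanitizing: private or loopback addresses and malformed domains are dropped before they can reach an active list, because one bad feed line would otherwise turn every internal host into a "ransomware peer".

```python
import csv
import io
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed sample feed in a hypothetical "type,value,malware,first_seen" layout.
# This is not the real RansomwareTracker format; the rows deliberately include a
# comment line, a duplicate, a private IP and a malformed domain to exercise the checks.
SAMPLE_FEED = """\
# hypothetical ransomware indicator feed (constructed sample)
# type,value,malware,first_seen
ip,198.51.100.23,Locky,2025-04-01
ip,203.0.113.77,TeslaCrypt,2025-04-02
ip,203.0.113.77,TeslaCrypt,2025-04-02
ip,10.0.0.5,Locky,2025-04-03
domain,payload.example,Locky,2025-04-01
domain,not a domain,Cerber,2025-04-01
host,c2.example.net,Cerber,2025-04-05
"""

REFRESH_SECONDS = 600  # the article refreshes the lists every 10 minutes
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)
# Addresses that must never land in the active list: matching them would flag
# every internal host, or the SIEM itself, as a ransomware peer.
NEVER_LIST = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_feed(text: str) -> Dict[str, List[dict]]:
    """Turn the raw feed into validated, de-duplicated IP and domain indicators."""
    indicators: Dict[str, List[dict]] = {"ip": [], "domain": []}
    seen = set()
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#") or len(row) < 4:
            continue
        kind, value, malware, first_seen = (col.strip() for col in row[:4])
        value = value.lower()
        if kind == "ip":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # not an address at all
            if any(addr in net for net in NEVER_LIST):
                continue  # private/loopback: drop rather than poison the list
        elif kind in ("domain", "host"):
            if not DOMAIN_RE.match(value):
                continue
            kind = "domain"  # hosts and domains are matched the same way downstream
        else:
            continue
        if (kind, value) in seen:
            continue  # the feed repeats an entry
        seen.add((kind, value))
        indicators[kind].append({"value": value, "malware": malware, "first_seen": first_seen})
    return indicators


def render_connector_csv(indicators: Dict[str, List[dict]]) -> str:
    """Render the CSV the flex connector reads. The column names mirror the ArcSight
    destinationAddress / destinationHostName fields the article maps onto (assumed layout)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["destinationAddress", "destinationHostName", "malware", "first_seen"])
    for entry in indicators["ip"]:
        writer.writerow([entry["value"], "", entry["malware"], entry["first_seen"]])
    for entry in indicators["domain"]:
        writer.writerow(["", entry["value"], entry["malware"], entry["first_seen"]])
    return buf.getvalue()


def refresh_if_due(state: dict, fetch: Callable[[], str], now: float) -> bool:
    """Re-download and re-parse the feed only once REFRESH_SECONDS have elapsed.
    `fetch` is whatever retrieves the feed text (urllib, requests, curl, ...)."""
    if now - state.get("last_fetch", 0.0) < REFRESH_SECONDS:
        return False
    state["indicators"] = parse_feed(fetch())
    state["last_fetch"] = now
    return True


if __name__ == "__main__":
    import time
    state: dict = {}
    # Offline demo: the fetcher returns the constructed feed instead of an HTTP response.
    refresh_if_due(state, lambda: SAMPLE_FEED, time.time())
    print(render_connector_csv(state["indicators"]))
```

In a real deployment `fetch` would be an HTTP download and the rendered CSV would be written to the path the flex connector polls; the 10-minute gate keeps a cron job or loop from hammering the feed provider if it is invoked more often than intended.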
The article then outlines a comprehensive strategy for detecting ransomware with Enhanced Security Management (ESM) within an organization's network. Key components include filters and active lists that identify the specific types of network activity associated with ransomware, along with rules that match these events against known indicators of compromise (IOCs).
1. **Filters**: These are used to set conditions for tracking inbound or outbound communications, potentially across multiple resources within ESM. Special attention is paid to creating separate filters for each direction of traffic due to the directional nature of ransomware activities.
2. **Active Lists**: Consisting of IP addresses, domains, and URLs that are considered indicators of ransomware activity, these lists are dynamically populated by lightweight rules which update them based on data from connectors. The properties and fields of active lists can be adjusted according to the environment's needs and security requirements.
3. **Rules**: Depending on how active lists are managed (either one or two tiers), there can be lightweight rules that populate these lists and standard rules that match events against the contained IOCs within the lists. Rules for inbound/outbound communications add a layer of specificity to detection efforts.
4. **Active Channel**: This channel is used to display correlated ransomware event information, which could serve as either the primary active channel in the Security Operations Center (SOC) or a specialized channel dedicated solely to this purpose.
5. **Ransomware Dashboard**: To provide more detailed statistics and insights into ransomware activities, this dashboard combines resources such as data monitors and query viewers that show specific aspects of external ransomware destinations over the last 24 hours and the last week.
6. **Additional Data and Labels**: The implementation includes settings for additional data processing like enabling unparsed event handling and setting up labels to identify ESM threats, reflecting a comprehensive approach towards threat detection and management.
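The detection side of items 1 to 5 (direction filters, an active list of IOCs, rules matching events against it, the correlated output an active channel would show, and a dashboard-style count of external destinations over 24 hours and a week) as an added Python example. It is not ESM content and not code from the article; the field names follow ArcSight conventions (`sourceAddress`, `destinationAddress`, `destinationHostName`, `endTime`) but the active list entries, the events and the rule names are constructed. The detail worth noting is the per-direction pairing: outbound traffic is checked on the destination, inbound traffic on the source, and hostnames are matched including parent domains.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed active list, as a lightweight rule would have populated it from the
# connector feed: indicator -> metadata. Real entries would also carry timestamps/TTLs.
ACTIVE_LIST = {
    "198.51.100.23": {"kind": "ip", "malware": "Locky"},
    "203.0.113.77": {"kind": "ip", "malware": "TeslaCrypt"},
    "payload.example": {"kind": "domain", "malware": "Locky"},
}

# Constructed sample events with ArcSight-style field names; addresses come from
# documentation ranges and RFC 1918 space.
BASE = datetime(2025, 4, 9, 12, 0, 0)
EVENTS = [
    {"endTime": BASE, "sourceAddress": "10.1.2.3", "destinationAddress": "203.0.113.77", "destinationHostName": ""},
    {"endTime": BASE - timedelta(hours=1), "sourceAddress": "198.51.100.23", "destinationAddress": "10.1.2.9", "destinationHostName": ""},
    {"endTime": BASE - timedelta(hours=2), "sourceAddress": "10.1.2.3", "destinationAddress": "192.0.2.10", "destinationHostName": "www.payload.example"},
    {"endTime": BASE - timedelta(days=3), "sourceAddress": "10.1.2.4", "destinationAddress": "203.0.113.77", "destinationHostName": ""},
    {"endTime": BASE, "sourceAddress": "10.1.2.5", "destinationAddress": "10.1.2.6", "destinationHostName": ""},  # internal only
    {"endTime": BASE, "sourceAddress": "10.1.2.7", "destinationAddress": "192.0.2.50", "destinationHostName": "benign.example"},
]


def is_internal(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


# Two filters, one per direction, as the article recommends.
def filter_outbound(ev: dict) -> bool:
    return is_internal(ev["sourceAddress"]) and not is_internal(ev["destinationAddress"])


def filter_inbound(ev: dict) -> bool:
    return not is_internal(ev["sourceAddress"]) and is_internal(ev["destinationAddress"])


def domain_match(hostname: str, active_list: Dict[str, dict]) -> Optional[str]:
    """Match a hostname against listed domains, including parent domains
    (www.payload.example hits a list entry for payload.example)."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        entry = active_list.get(candidate)
        if entry and entry["kind"] == "domain":
            return candidate
    return None


def rule_outbound(ev: dict, active_list: Dict[str, dict]) -> Optional[dict]:
    """Standard rule: outbound event whose destination IP or hostname is a listed IOC."""
    if not filter_outbound(ev):
        return None
    dst = ev["destinationAddress"]
    if active_list.get(dst, {}).get("kind") == "ip":
        indicator: Optional[str] = dst
    else:
        indicator = domain_match(ev["destinationHostName"], active_list)
    if indicator is None:
        return None
    return {"rule": "Outbound to Ransomware IOC", "indicator": indicator,
            "malware": active_list[indicator]["malware"], "event": ev}


def rule_inbound(ev: dict, active_list: Dict[str, dict]) -> Optional[dict]:
    """Standard rule: inbound event whose source IP is a listed IOC."""
    src = ev["sourceAddress"]
    if not filter_inbound(ev) or active_list.get(src, {}).get("kind") != "ip":
        return None
    return {"rule": "Inbound from Ransomware IOC", "indicator": src,
            "malware": active_list[src]["malware"], "event": ev}


def correlate(events: List[dict], active_list: Dict[str, dict]) -> List[dict]:
    """Run both rules over an event stream; the hits are what the active channel would show."""
    hits = []
    for ev in events:
        for rule in (rule_outbound, rule_inbound):
            hit = rule(ev, active_list)
            if hit:
                hits.append(hit)
    return hits


def dashboard(hits: List[dict], now: datetime, window: timedelta) -> Counter:
    """Dashboard query: external ransomware destinations seen within `window` (24h or 7d)."""
    return Counter(h["indicator"] for h in hits
                   if h["rule"].startswith("Outbound") and now - h["event"]["endTime"] <= window)


if __name__ == "__main__":
    hits = correlate(EVENTS, ACTIVE_LIST)
    for h in hits:
        print(h["rule"], h["indicator"], h["malware"], h["event"]["sourceAddress"], "->", h["event"]["destinationAddress"])
    print("last 24h:", dict(dashboard(hits, BASE, timedelta(hours=24))))
    print("last 7d: ", dict(dashboard(hits, BASE, timedelta(days=7))))
```

The internal-only and benign outbound events produce no hits, the three-day-old hit shows up in the weekly count but not the daily one, and the hostname rule catches a subdomain of a listed domain even though its resolved IP is not on the list.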
This setup not only helps in proactive identification of ransomware activities but also provides detailed analytics on the scale and nature of these attacks within the organization's network infrastructure.
