vpeter1
New Member.

Detecting Ransomware with ArcSight (ESM)?

Hi all,

Does anyone have ransomware activity/detection experience? We get logs from many next-gen FW/WAF device, each one can detect various forms of ransomware and will alert it as spyware, malware, backdoors, etc. and those events will then trigger our rules to fire in ESM's ActiveChannels, etc. That's easy enough but what about 0-days or ransomware that has yet to be defined by the security devices we're monitoring? How can we see the newest ransomware activity just by looking at our logs in ArcSight?

Also, ransomware usually employs dynamic domain generating algorithms (DGA). Does anyone know how best to spot DGA traffic in ArcSight; how can we use SIEM to tell if a PC is infected w/ ransomware just from the random URLs it's calling/accessing?

Any advice would be most appreciated.

8 Replies
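On the DGA question in the original post: one way to get at it from proxy or DNS logs without a known-bad list is to score each requested domain on how random it looks and then alert on a source that hits several such domains in a short window, which is how DGA malware behaves while it hunts for a live C2. The script below is an added example written for this thread; it is not from any poster, SOC Prime, or ArcSight, and the log line layout ("timestamp src_ip dest_host method path") and the score thresholds are assumptions to be tuned against your own traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample proxy log lines, not real traffic. The field layout
# "timestamp src_ip dest_host method path" is an assumption for the example.
SAMPLE_PROXY_LOG = """\
2016-05-10T09:12:01Z 10.1.4.22 www.microsoft.com GET /en-us/
2016-05-10T09:12:03Z 10.1.4.22 mail.google.com GET /mail/u/0/
2016-05-10T09:12:05Z 10.1.4.57 qzxvkrtplmbdwq.com GET /gate.php
2016-05-10T09:12:05Z 10.1.4.57 8hfd3k2jd9sl1a.net GET /
2016-05-10T09:12:06Z 10.1.4.57 xjqwvrtzkpfghm.info GET /
2016-05-10T09:12:09Z 10.1.4.22 cdn.jsdelivr.net GET /npm/jquery
"""

VOWELS = set("aeiou")


def second_level_label(host):
    """Return the label just left of the TLD (naive split; multi-part
    public suffixes such as co.uk are not handled in this example)."""
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0]
    return parts[-2]


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    """Share of letters that are vowels; English words sit well above 0.2."""
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def longest_consonant_run(s):
    """Longest run of consecutive consonant letters; digits and vowels reset it."""
    best = run = 0
    for c in s:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def digit_ratio(s):
    return sum(c.isdigit() for c in s) / len(s) if s else 0.0


def dga_score(host):
    """Weighted sum of four indicators, 0.0 (wordlike) to 1.0 (random-looking).
    Thresholds are assumed starting points, not calibrated values."""
    label = re.sub(r"[^a-z0-9]", "", second_level_label(host))
    score = 0.0
    if shannon_entropy(label) > 3.3:
        score += 0.25
    if vowel_ratio(label) < 0.2:
        score += 0.25
    if longest_consonant_run(label) >= 5:
        score += 0.25
    if digit_ratio(label) > 0.2:
        score += 0.25
    return score


def flag_hosts(log_text, threshold=0.5):
    """Return (src_ip, host, score) for every line whose host scores >= threshold."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        src_ip, host = fields[1], fields[2]
        score = dga_score(host)
        if score >= threshold:
            flagged.append((src_ip, host, score))
    return flagged


def suspects_by_source(log_text, threshold=0.5, min_hosts=3):
    """Count distinct flagged hosts per source. One odd name is noise (CDNs and
    tracking domains look random too); a burst from one machine is the DGA pattern."""
    hosts = defaultdict(set)
    for src_ip, host, _ in flag_hosts(log_text, threshold):
        hosts[src_ip].add(host)
    return {ip: len(h) for ip, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for src, host, score in flag_hosts(SAMPLE_PROXY_LOG):
        print(f"{src} -> {host} score={score:.2f}")
    print("suspect sources:", suspects_by_source(SAMPLE_PROXY_LOG))
```

The per-source aggregation is the part that maps onto a SIEM correlation rule: the per-domain score on its own produces false positives on legitimate random-looking hosts (CDN nodes, tracking pixels), so the alert condition should be "N distinct high-score domains from one source within a window", with an allow list for the CDN names your estate is known to use.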
jefferyhamstra
Super Contributor.

Re: Detecting Ransomware with ArcSight (ESM)?

I don't think you're going to find an out-of-the-box solution; your best bet is going to be trying to find a good, reliable list of known bad-actor IPs/URLs and comparing your firewall/proxy traffic to this list.

tkachouba
Trusted Contributor.

Re: Detecting Ransomware with ArcSight (ESM)?

Hi Peter,


The SOC Prime guys just put together some interesting content relating to detecting ransomware using open source threat intelligence sources.  I haven't had a chance to test it but it does look interesting and I appreciate them sharing with the community. 

vpeter1
New Member.

Re: Detecting Ransomware with ArcSight (ESM)?

This is great! And we've actually been testing the package in our environment. Thanks again to SOC Prime and Andrey B!

For now though, it doesn't really detect ransomware with DGAs as a factor (it just uses known bad domains/URLs).

Maybe only with the advanced/paid subscription would we get that extra bit of detection; I'm not sure.

So for now, I'm still trying to figure out the best way to spot DGA-related ransomware traffic in ArcSight.

gregkap
Absent Member.

Re: Detecting Ransomware with ArcSight (ESM)?

Hi,

You could always check a specific workstation for suspicious connections, looking for specific ports and suspicious downloads. Usually we use a dashboard to monitor our customers' connections (outbound/inbound) and we filter out the most common ports; then you can identify any suspicious ports like the Tor network etc. Also, you can use an active channel to monitor suspicious attachments/downloads and exclude common executable or most file types like .jpeg or .jpg and monitor the suspicious ones.

abezverkhyi
Honored Contributor.

Re: Detecting Ransomware with ArcSight (ESM)?

Hi Peter!

Thank you for raising this subject! We are working on DGA evaluation too; however, it needs to be one of the factors of identifying the infection. DGA presence will point to malware; other indicators like specific Windows events, Tor connections, and exact known C2 and distribution site URLs will point to ransomware and often a specific family. What I am trying to say is that finding DGA will give you a much broader scope of findings, and ransomware will be one of the subsets. Our Tor tracking will often turn out to be a DGA request too.

I'd be glad to discuss more details in private and hear your feedback. If you want, please email me at ab@socprime.com and I will arrange a free trial for the commercial package. It includes much more than the basic one, including Tor connections monitoring, probability scoring, etc.

P.S. Once we're happy with our DGA detection rule-set, there is a high chance we include it with the free/basic package too. It just needs more tests and tuning before sharing out with the whole community. Also, I think getting URLs from web gateways is easier to do; DNS logs can be tricky if we look at performance. Then again, if one already has them collected we're in a perfect situation. On the other hand, maybe someone already has HPE DMA

Thank you for the recommendation, I did not expect we'd catch so much attention.

Cheers,

Andrii

abezverkhyi
Honored Contributor.

Re: Detecting Ransomware with ArcSight (ESM)?

Hi Grigorios,

Totally agree, it is very effective to profile the knowns, then filter down to unknowns and apply more sophisticated techniques. Tor is very tricky here; we find that most malicious Tor traffic will mask itself as legit, say HTTPS/443, especially hidden bridges or meek. By the way, we're looking for a partner in Greece, let's connect?

Appreciate,

Andrii

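The "profile the knowns, filter down to the unknowns" approach that gregkap and Andrii describe above, as an added example for this thread (not code from any poster, SOC Prime, or ArcSight): a baseline of ports the estate normally uses outbound is subtracted from accepted and dropped outbound connections, and what is left is counted per source and destination port so a single workstation repeatedly reaching one odd external port stands out. The key=value log layout, the baseline port set, and the 10/8 internal range are assumptions for the sample.

```python
from collections import Counter

# Constructed firewall log lines, not real traffic. The key=value layout
# (act, src, dst, dpt, proto, dir) is an assumption for the example; map it
# onto whatever fields your connector normalises the device events into.
SAMPLE_FW_LOG = """\
act=accept src=10.1.4.22 dst=93.184.216.34 dpt=443 proto=tcp dir=out
act=accept src=10.1.4.22 dst=10.1.1.5 dpt=53 proto=udp dir=out
act=accept src=10.1.4.57 dst=198.51.100.9 dpt=9001 proto=tcp dir=out
act=accept src=10.1.4.57 dst=198.51.100.9 dpt=9001 proto=tcp dir=out
act=accept src=10.1.4.57 dst=203.0.113.77 dpt=4444 proto=tcp dir=out
act=accept src=10.1.4.57 dst=203.0.113.77 dpt=443 proto=tcp dir=out
act=accept src=10.1.4.22 dst=10.1.1.8 dpt=445 proto=tcp dir=out
act=accept src=192.0.2.10 dst=10.1.4.22 dpt=3389 proto=tcp dir=in
act=drop src=10.1.4.57 dst=203.0.113.78 dpt=6667 proto=tcp dir=out
"""

# Baseline of ports the estate is known to use outbound ("the knowns").
# Illustrative set; build yours from a few weeks of your own traffic.
COMMON_OUTBOUND_PORTS = {80, 443, 53, 123, 25, 587, 993}

# Address space treated as internal; only 10/8 for this constructed sample.
INTERNAL_PREFIXES = ("10.",)


def parse_kv(line):
    """Split 'k=v k=v ...' into a dict; values carry no spaces in this layout."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def uncommon_outbound(log_text, common=COMMON_OUTBOUND_PORTS):
    """Keep outbound connections to external hosts on ports outside the
    baseline. Dropped connections are kept as well: a workstation trying an
    odd port and being blocked is itself a lead worth following up."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("dir") != "out" or "dpt" not in ev:
            continue
        if is_internal(ev.get("dst", "")):
            continue
        port = int(ev["dpt"])
        if port in common:
            continue
        hits.append({"src": ev["src"], "dst": ev["dst"], "dpt": port, "act": ev["act"]})
    return hits


def port_profile(log_text):
    """Count (source, destination port) pairs among the unknowns; this is the
    view a dashboard would show, with the noisiest pairs at the top."""
    return Counter((h["src"], h["dpt"]) for h in uncommon_outbound(log_text))


if __name__ == "__main__":
    for (src, port), n in port_profile(SAMPLE_FW_LOG).most_common():
        print(f"{src} -> port {port}: {n} connection(s)")
```

Note the sixth sample line: the same workstation also talks to the external host on 443 and that connection passes the filter untouched, which is Andrii's point about Tor bridges and meek hiding on HTTPS. Port profiling narrows the haystack; it has to be combined with another signal (random-looking destination names, known C2 lists, endpoint events) before it says anything about ransomware specifically.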
vpeter1
New Member.

Re: Detecting Ransomware with ArcSight (ESM)?

Thanks for the invite Andrey. Yes, please share Ransomware (w/DGA) Hunter when it's ready.

neo12
Absent Member.

Re: Detecting Ransomware with ArcSight (ESM)?

Hi Peter,

Please follow up with Andrey B as they have been promoting a solution for hunting ransomware.

I went ahead and did exactly what they said and now it is working very well.

Regards
