Hunting Ransomware using ArcSight: proactive detection & response
Hello dear community,
This is a thread with free content to detect and stop Ransomware using the ArcSight ESM & Express platforms.
As you know, Ransomware attacks have risen drastically in number during the last 3 years. The total damage caused to organizations worldwide exceeds billions of dollars. Timeline based on Symantec research:
Recent research published @TechRepublic provides hints about Ransomware 2.0, incoming shortly, that will be self-propagating, use encrypted communications (news?), abuse easily exploitable vulnerabilities and outdated software, etc. Since there is no single silver bullet among active mitigation solutions to block 100% of Ransomware, proactive detection is the way. And while there is a huge amount of claims (and some proof) that Machine Learning is the best way, ArcSight can do all it takes to spot and inform on Ransomware infections at any stage.
That being said, I want to share with the community a free version of our Ransomware Hunter package that monitors publicly known Ransomware distribution sites, C2 sites and payment sites. The reputation feed is automatically integrated thanks to our friends @ abuse.ch! Here is what we get as a result:
The package includes a set of rules for checking connections to each site, Cyber Kill Chain mapping, interactive dashboards for both ArcSight Web and Console, Active Lists with publicly known ransomware-related sites, behavioural indicators of ransomware infection, long-term profiling of indicators spotted on hosts, active channels, and priority weights & a scoring formula. Some more screens below:
What's the catch with free version? None! By all means this is an open framework and suggestions & contributions are welcome.
Examples of Ransomware that the package finds: TeslaCrypt | CryptoWall | TorrentLocker | PadCrypt | Locky | CTB-Locker | FAKBEN | PayCrypt | DMALocker | Cerber
Some of the functionality described above is not included in the basic version; more details on the advanced version are included here: Ransomware Hunter by SOC Prime
Please PM for any questions, feedback is most welcome!
MD5 hash v.1.2: e581123ff7ee3cd2a1546caacc609a0f *soc-prime-ransomware-hunter-basic-1.2.zip
- HPE ArcSight ESM 6.0 or higher;
- HPE ArcSight Express 4.0 or higher.
Network access to https://goo.gl/ is required.
Log source requirements:
Firewall Logs: Cisco ASA; Cisco FWSM; CheckPoint Firewall; Palo Alto; Others
Proxy Logs: Squid; BlueCoat Proxy; Microsoft Forefront TMG; Others
Optional / Work in progress / Advanced Package
IPS/IDS Logs: TippingPoint; Snort; CheckPoint IPS; Suricata; Others
Microsoft Windows Logs: Domain Controllers; WorkStations; Other
Antivirus Logs: ESET; Kaspersky; McAfee Endpoint Security; Avast; TrendMicro; Others
~ Kind regards from SOC Prime team
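As an added illustration of what the rules, Active Lists, kill chain mapping and host profiling described in this post do (this is not code from the SOC Prime package; ArcSight rules are not written in Python), the following script matches constructed Squid and Cisco ASA log lines against a constructed active list of ransomware sites, tags each hit with an assumed Cyber Kill Chain stage and base priority, and escalates hosts that have touched more than one stage. The indicator list, the log lines, the stage mapping and the scoring formula are all assumptions made up for the example.

```python
"""Match proxy/firewall events against a ransomware site active list,
tag the kill-chain stage and score each internal host.

Added example, not SOC Prime's package.  The active list, sample log lines,
kill-chain mapping and scoring formula are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed active list: indicator -> (threat type, malware family).
ACTIVE_LIST = {
    "bad-dist.example": ("Distribution Site", "Locky"),
    "c2.example": ("C2", "TeslaCrypt"),
    "198.51.100.7": ("C2", "TeslaCrypt"),
    "pay.example": ("Payment Site", "CryptoWall"),
}

# Assumed mapping of threat type -> (Cyber Kill Chain stage, base priority 0-10).
KILL_CHAIN = {
    "Distribution Site": ("Delivery", 5),
    "C2": ("Command and Control", 8),
    "Payment Site": ("Actions on Objectives", 9),
}

# Constructed log lines: three Squid native access-log entries and one ASA 302013.
SAMPLE_LOGS = [
    "1456827400.123    245 10.0.0.5 TCP_MISS/200 51234 GET http://bad-dist.example/x.exe - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1456827460.001     12 10.0.0.5 TCP_MISS/200 312 POST http://c2.example/gate.php - HIER_DIRECT/198.51.100.8 text/html",
    "%ASA-6-302013: Built outbound TCP connection 4411 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.9/51515 (10.0.0.9/51515)",
    "1456827500.500     80 10.0.0.7 TCP_MISS/200 2048 GET http://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html",
]

SQUID_RE = re.compile(r"^\d+\.\d+\s+\d+\s+(?P<src>[\d.]+)\s+\S+\s+\d+\s+\w+\s+(?P<url>\S+)")
ASA_RE = re.compile(r"%ASA-\d-30201[34]:.* for \w+:(?P<a>[\d.]+)/\d+.*? to \w+:(?P<b>[\d.]+)/\d+")


def parse_event(line):
    """Return (internal host, [candidate indicator keys]) or None if the line is not recognised."""
    m = SQUID_RE.match(line)
    if m:
        # Proxy logs give us the requested hostname, the most useful key for the list.
        return m.group("src"), [urlsplit(m.group("url")).hostname]
    m = ASA_RE.search(line)
    if m:
        a, b = m.group("a"), m.group("b")
        # Firewall logs carry only IPs; whichever endpoint is listed is the indicator.
        return (b, [a]) if a in ACTIVE_LIST else (a, [b])
    return None


def correlate(lines):
    """Rule pass: one alert per event whose destination is on the active list."""
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if not parsed:
            continue
        src, candidates = parsed
        for key in candidates:
            if key in ACTIVE_LIST:
                threat, family = ACTIVE_LIST[key]
                stage, priority = KILL_CHAIN[threat]
                alerts.append({"src": src, "indicator": key, "family": family,
                               "threat": threat, "stage": stage, "priority": priority})
    return alerts


def score_host(threats):
    """Assumed formula: highest base priority, +1 per additional stage seen, capped at 10."""
    base = max(KILL_CHAIN[t][1] for t in threats)
    return min(10, base + len(threats) - 1)


def profile_hosts(alerts):
    """Historical correlation: a host seen at several stages outranks a single hit."""
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert["src"]].add(alert["threat"])
    return {host: {"threats": sorted(t), "score": score_host(t)} for host, t in seen.items()}


if __name__ == "__main__":
    found = correlate(SAMPLE_LOGS)
    for alert in found:
        print("%(src)s -> %(indicator)s [%(family)s] %(stage)s priority=%(priority)d" % alert)
    for host, profile in profile_hosts(found).items():
        print(host, profile)
```

Running it shows 10.0.0.5 reaching both a distribution site and a C2 site (download followed by check-in, scored 9 here), while 10.0.0.9 has a single C2 hit (scored 8) and 10.0.0.7, which only browsed an unlisted site, produces nothing.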
We have some feedback from the field on both the freemium and advanced versions. Many changes are coming to the v1.1 free edition, including improved accuracy of detection, false-positive reduction and kill chain. Stay tuned, the updated package will be up tomorrow!
Package v1.2 is now available! Please remove the old package and change to the new one, as it has very significant improvements. Upgrade from v1.0 to 1.2 is not supported, as we have completely rewritten most of the correlation logic.
Version 1.2 release notes
- False positives reduction
- Added Kill Chain categorization to events
- Added SOC channel
- Added historical correlation for better accuracy and false-positive reduction
- Granular prioritization of correlated events
Updated script. Fixed minor bugs.
While installing, please go through the instructions step by step. Pay attention to deploying real-time rules, filtering internal events, replacing the script with the new one and changing the schedule to run once per 6 minutes. This is for faster delivery of the malicious sites feed from abuse.ch and to reduce false positives.
Instructions are included in the archive. It's pretty much a package for ESM + a .sh script that will get the abuse.ch feed and send it out as CEF to a connector.
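The feed-to-CEF step described above, as an added Python illustration (the package's own implementation is the .sh script in the archive; this is not SOC Prime's code): parse a Ransomware Tracker style CSV export, drop entries the tracker marks offline, and build one CEF line per site. The feed text is a constructed sample modelled on the tracker's CSV export, so the column names are an assumption, as are the CEF vendor/product/signature strings, the severity mapping and the connector address.

```python
"""Turn an abuse.ch Ransomware Tracker style CSV feed into CEF events.

Added example, not SOC Prime's .sh script.  SAMPLE_FEED is a constructed
sample modelled on the tracker's CSV export; column names, CEF header
strings, the severity mapping and the connector address are assumptions.
"""
import csv
import socket
from datetime import datetime, timezone

# Constructed sample of the feed the package pulls every 6 minutes.
SAMPLE_FEED = """\
# Ransomware Tracker CSV export (constructed sample)
"Firstseen (UTC)","Threat","Malware","Host","URL","Status","Registrar","IP address(es)","ASN(s)","Country"
"2016-03-01 10:15:00","Distribution Site","Locky","bad-dist.example","http://bad-dist.example/x.exe","online","","203.0.113.10","64496","US"
"2016-03-01 11:00:00","C2","TeslaCrypt","c2.example","http://c2.example/gate.php","online","","198.51.100.7|198.51.100.8","64497|64498","DE"
"2016-03-02 09:30:00","Payment Site","CryptoWall","pay.example","http://pay.example/","offline","","","","RU"
"""

# Assumed CEF severity (0-10) per threat type.
THREAT_SEVERITY = {"C2": 9, "Distribution Site": 7, "Payment Site": 5}


def cef_escape(value, header=False):
    """Escape for a CEF header field (backslash, pipe) or extension value (backslash, equals, newlines)."""
    value = str(value).replace("\\", "\\\\")
    if header:
        return value.replace("|", "\\|")
    return value.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def parse_feed(text):
    """Parse the CSV export, skipping the '#' comment lines that precede the header row."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return list(csv.DictReader(rows))


def to_epoch_ms(timestamp):
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> milliseconds since the epoch, the form CEF 'rt' accepts."""
    dt = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def entry_to_cef(row):
    """Build one CEF line; custom strings carry family, threat type and tracker status."""
    threat = row["Threat"]
    severity = THREAT_SEVERITY.get(threat, 5)
    header = "|".join(cef_escape(f, header=True) for f in (
        "abuse.ch", "Ransomware Tracker", "1.0", threat,
        "Ransomware %s: %s" % (threat, row["Host"]), str(severity)))
    ext = [
        ("rt", to_epoch_ms(row["Firstseen (UTC)"])),
        ("dhost", row["Host"]),
        ("request", row["URL"]),
        ("cs1Label", "MalwareFamily"), ("cs1", row["Malware"]),
        ("cs2Label", "ThreatType"), ("cs2", threat),
        ("cs3Label", "Status"), ("cs3", row["Status"]),
    ]
    # The tracker separates multiple IPs with '|'; the first one becomes dst.
    ips = [ip for ip in row["IP address(es)"].split("|") if ip]
    if ips:
        ext.append(("dst", ips[0]))
    extension = " ".join("%s=%s" % (k, cef_escape(v)) for k, v in ext)
    return "CEF:0|%s|%s" % (header, extension)


def feed_to_cef(text, online_only=True):
    """Convert the whole feed; by default drop sites the tracker has marked offline."""
    return [entry_to_cef(r) for r in parse_feed(text)
            if not online_only or r["Status"] == "online"]


def send_udp_syslog(lines, host="127.0.0.1", port=514):
    """Ship CEF lines to a SmartConnector syslog listener (hypothetical address/port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(("<134>%s\n" % line).encode(), (host, port))


if __name__ == "__main__":
    for line in feed_to_cef(SAMPLE_FEED):
        print(line)
```

Escaping matters here: a URL in the feed containing `=` or `|` would otherwise corrupt the extension or header when the connector parses it, and a malicious feed entry is the cheapest way for an attacker to break your own ingestion. Keeping `online_only=True` mirrors the false-positive reduction the release notes mention; sites the tracker has retired still live on the host profile but should not raise fresh alerts.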
P.S. You're welcome; this subject was bothering us for a while, so I think it belongs here.
Seems to be online. Try also: https://ransomwaretracker.abuse.ch/tracker/ though I imagine if abuse.ch is blocked you won't get subdomain access. IP addresses of abuse.ch: 126.96.36.199 and 188.8.131.52 respectively.
You actually do not need access to abuse.ch directly, as we pull the data over an HTTPS API from Google.