abezverkhyi Honored Contributor.

Hunting Ransomware using ArcSight: proactive detection & response

Hello dear community,

This is a thread with free content to detect and stop Ransomware using ArcSight ESM & Express platform.

As you know, Ransomware attacks have risen drastically in number during the last 3 years. The total damage caused to organizations worldwide exceeds billions of dollars. Timeline based on Symantec research:

[Image: ransomware_discoveries.jpg]

Recent research published at TechRepublic hints that Ransomware 2.0 is coming shortly: it will be self-propagating, use encrypted communications (news?), abuse easily exploitable vulnerabilities and outdated software, etc. Since there is no single silver bullet among active mitigation solutions that blocks 100% of Ransomware, proactive detection is the way. And while there is a huge amount of claims (and some proof) that Machine Learning is the best way, ArcSight can do all it takes to spot and alert on Ransomware infections at any stage.

That being said, I want to share with the community a free version of our Ransomware Hunter package that monitors publicly known Ransomware distribution sites, C2 sites and Payment sites. The reputation feed is automatically integrated thanks to our friends @ abuse.ch! Here is what we get as a result:

[Images: 124_ArcSight_Ransomware_Basic_Web_Dash1.png, 124_ArcSight_Ransomware_Basic_ActiveChannel.png]

The package includes a set of rules for checking connections to each site, Cyber Kill Chain mapping, interactive dashboards for both ArcSight Web and Console, Active Lists with publicly known ransomware-related sites, behavioural indicators of ransomware infection, long-term profiling of indicators spotted on hosts, active channels and priority weights & a scoring formula. Some more screens below:

[Images: 124_ArcSight_Ransomware_Web_Dash.png, 124_ArcSight_Ransomware_Dash.png]

What's the catch with the free version? None! By all means, this is an open framework and suggestions & contributions are welcome.

Examples of Ransomware that the package finds: TeslaCrypt | CryptoWall | TorrentLocker | PadCrypt | Locky | CTB-Locker | FAKBEN | PayCrypt | DMALocker | Cerber

Some of the functionality described above is not included in the basic version; more details on the advanced version are included here: Ransomware Hunter by SOC Prime

Please PM for any questions, feedback is most welcome!

CISO Tactical Brief on Ransomware -

Archive: includes the .ARB package, the ip-rep abuse.ch feed gathering script & an installation guide

MD5 hash v.1.2: e581123ff7ee3cd2a1546caacc609a0f *soc-prime-ransomware-hunter-basic-1.2.zip

SIEM requirements:

   - HPE ArcSight ESM 6.0 or higher;

   - HPE ArcSight Express 4.0 or higher.

Network access to https://goo.gl/ is required.

Log source requirements:

Firewall Logs: Cisco ASA; Cisco FWSM; CheckPoint Firewall; Palo Alto; Others

Proxy Logs: Squid; BlueCoat Proxy; Microsoft Forefront TMG; Others

Optional / Work in progress / Advanced Package

IPS/IDS Logs: TippingPoint; Snort; CheckPoint IPS; Suricata; Others

Microsoft Windows Logs: Domain Controllers; WorkStations; Other

Antivirus Logs: ESET; Kaspersky; McAfee Endpoint Security; Avast; TrendMicro; Others

~ Kind regards from SOC Prime team

abezverkhyi Honored Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

We have some feedback from the field on both the freemium and the advanced version. Many changes are coming to the v1.1 free edition, including improved accuracy of detection, false-positive reduction and kill chain. Stay tuned, the updated package will be up tomorrow!

abezverkhyi Honored Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Package v1.2 is now available! Please remove the old package and change to the new one, as it has very significant improvements. Upgrade from v1.0 to 1.2 is not supported, as we have completely rewritten most of the correlation logic.

Version 1.2 release notes

  • False positives reduction
  • Added Kill Chain categorization to events
  • Added SOC channel
  • Added historical correlation for better accuracy and false-positive reduction
  • Granular prioritization of correlated events

  • Updated script; fixed minor bugs

Aleks Super Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

While installing, please go through the instructions step by step. Pay attention to deploying the real-time rules, filtering internal events, replacing the script with the new one and changing the schedule to run once per 6 minutes. This is for faster delivery of the malicious sites feed from abuse.ch and to reduce false positives.

neo12 Absent Member.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Hi Andrey,

Thanks for sharing such a great topic.

I just want to know how to do this. Are there any instructions?

Just download the package and upload it to ESM?

Many thanks

neo12 Absent Member.

Re: Hunting Ransomware using ArcSight: proactive detection & response

The document talks about a Linux server. What does it mean? Because I installed the SmartConnector syslog daemon to get logs from the firewall.

abezverkhyi Honored Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Hi Neo,

Instructions are included in the archive. It's pretty much a package for ESM + a .sh script that will get the abuse.ch feed and send it out as CEF to a connector.

p.s. You're welcome, this subject was bothering us for a while, so I think it belongs here.

abezverkhyi Honored Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

The script can be deployed on any Linux machine that can send syslog to your connector. It sends data in CEF.

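The feed-to-CEF step described in the two replies above, as an added example that is not the SOC Prime script from the archive: it turns abuse.ch Ransomware Tracker feed rows into CEF lines ready for syslog delivery to a SmartConnector, keeps only sites marked online, and applies CEF header/extension escaping so a feed value containing `|`, `=` or a newline cannot break or forge an event. The CSV column layout, vendor/product names, signature ids and severity are assumptions for illustration.

```python
import csv
import io

# Constructed sample lines in the column layout the abuse.ch Ransomware
# Tracker CSV used (layout assumed here, not taken from the thread).
SAMPLE_FEED = '''# Ransomware Tracker feed (constructed sample)
"Firstseen (UTC)","Threat","Malware","Host","URL","Status","Registrar","IP address(es)","ASN(s)","Country(ies)"
"2016-03-01 10:00:00","C2","Locky","evil.example","http://evil.example/gate.php","online","-","198.51.100.7","64496","ZZ"
"2016-03-02 11:30:00","Distribution Site","TeslaCrypt","dl.example","http://dl.example/x|y=z.exe","online","-","203.0.113.9|203.0.113.10","64497","ZZ"
"2016-03-03 12:00:00","Payment Site","CryptoWall","pay.example","http://pay.example/","offline","-","192.0.2.5","64498","ZZ"
'''
COLUMNS = ["firstseen", "threat", "malware", "host", "url", "status",
           "registrar", "ips", "asns", "countries"]
# Assumed CEF signature ids for the three site classes the package tracks.
SIGNATURES = {"C2": ("101", "Ransomware C2 site"),
              "Distribution Site": ("102", "Ransomware distribution site"),
              "Payment Site": ("103", "Ransomware payment site")}

def escape_header(value):
    # '|' and '\' are the special characters in the CEF header fields.
    return value.replace("\\", "\\\\").replace("|", "\\|")

def escape_extension(value):
    # '=' and '\' are special in the extension; CR/LF would split the syslog line.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def feed_to_cef(text, vendor="ExampleFeed", product="RansomwareTracker"):
    """Return one CEF line per online feed row; comment and header lines are skipped."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    reader = csv.DictReader(io.StringIO("\n".join(rows[1:])), fieldnames=COLUMNS)
    events = []
    for row in reader:
        if row["status"] != "online":
            continue                      # only live sites go into the watch list
        sig_id, name = SIGNATURES.get(row["threat"], ("199", "Ransomware site"))
        ext = {"dhost": row["host"], "request": row["url"],
               "dst": row["ips"].split("|")[0],   # feed packs several IPs with '|'
               "cs1Label": "malware", "cs1": row["malware"],
               "cs2Label": "firstseen", "cs2": row["firstseen"]}
        header = "|".join(escape_header(v) for v in
                          ("CEF:0", vendor, product, "1.0", sig_id, name, "5"))
        events.append(header + "|" + " ".join(
            f"{k}={escape_extension(v)}" for k, v in ext.items()))
    return events

if __name__ == "__main__":
    for line in feed_to_cef(SAMPLE_FEED):
        print(line)
```

Each returned line is the CEF payload; the surrounding script would prepend the syslog header and send it to the connector's UDP/TCP syslog port.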
neo12 Absent Member.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Thank you for responding. I am going to deploy it on Express. However, I tried to open abuse.ch but I could not. I don't know why.

regards

abezverkhyi Honored Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Seems to be online. Try also: https://ransomwaretracker.abuse.ch/tracker/ though I imagine if abuse.ch is blocked you won't get subdomain access. IP addresses of abuse.ch: 104.155.11.149 and 104.197.54.236 respectively.

You actually do not need access to abuse.ch directly, as we pull the data over an HTTPS API from Google.

neo12 Absent Member.

Re: Hunting Ransomware using ArcSight: proactive detection & response

HTTPS API? You mean the .sh script?

abezverkhyi Honored Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Correct. The script pulls data from the Google API.

neo12 Absent Member.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Can we run this script on a Windows server instead of a Linux server? Have you done this so far?

Regards

Aleks Super Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Hi Neo,

Unfortunately the script runs only on a Linux server. You can put the script on your Express server.

neo12 Absent Member.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Very Lovely
