
Hunting Ransomware using ArcSight: proactive detection & response

Hello dear community,

This is a thread with free content to detect and stop Ransomware using ArcSight ESM & Express platform.

As you know, Ransomware attacks have risen drastically in number during the last 3 years. The total damage caused to organizations worldwide exceeds billions of dollars. Timeline based on Symantec research:

[image: ransomware_discoveries.jpg]

Recent research published at TechRepublic hints that Ransomware 2.0 is coming shortly: self-propagating, using encrypted communications (news?), abusing easily exploitable vulnerabilities and outdated software, etc. Since there is no single silver bullet among active mitigation solutions that blocks 100% of Ransomware, proactive detection is the way. And while there is a huge amount of claims (and some proof) that Machine Learning is the best way, ArcSight can do all it takes to spot and inform on Ransomware infections at any stage.

That being said, I want to share with the community a free version of our Ransomware Hunter package that monitors publicly known Ransomware distribution sites, C2 sites and Payment sites. The reputation feed is automatically integrated thanks to our friends at abuse.ch! Here is what we get as a result:

[image: 124_ArcSight_Ransomware_Basic_Web_Dash1.png]
[image: 124_ArcSight_Ransomware_Basic_ActiveChannel.png]

The package includes a set of rules for checking connections to each site, Cyber Kill Chain mapping, interactive dashboards for both ArcSight Web and Console, Active Lists with publicly known ransomware-related sites, behavioural indicators of ransomware infection, long-term profiling of indicators spotted on hosts, active channels, and priority weights & a scoring formula. Some more screens below:

[image: 124_ArcSight_Ransomware_Web_Dash.png]
[image: 124_ArcSight_Ransomware_Dash.png]

What's the catch with free version? None! By all means this is an open framework and suggestions & contributions are welcome.

Examples of Ransomware that the package finds: TeslaCrypt | CryptoWall | TorrentLocker | PadCrypt | Locky | CTB-Locker | FAKBEN | PayCrypt | DMALocker | Cerber

Some of the functionality described above is not included in the basic version; more details on the advanced version are included here: Ransomware Hunter by SOC Prime

Please PM for any questions, feedback is most welcome!

CISO Tactical Brief on Ransomware -

Archive: includes .ARB package, ip-rep abuse.ch feed gathering script & installation guide

MD5 hash v.1.2: e581123ff7ee3cd2a1546caacc609a0f *soc-prime-ransomware-hunter-basic-1.2.zip

SIEM requirements:

   - HPE ArcSight ESM 6.0 or higher;

   - HPE ArcSight Express 4.0 or higher.

Network access to https://goo.gl/ is required.

Log source requirements:

Firewall Logs: Cisco ASA; Cisco FWSM; CheckPoint Firewall; Palo Alto; Others

Proxy Logs: Squid; BlueCoat Proxy; Microsoft Forefront TMG; Others

Optional / Work in progress / Advanced Package

IPS/IDS Logs: TippingPoint; Snort; CheckPoint IPS; Suricata; Others

Microsoft Windows Logs: Domain Controllers; WorkStations; Other

Antivirus Logs: ESET; Kaspersky; McAfee Endpoint Security; Avast; TrendMicro; Others

~ Kind regards from SOC Prime team

53 Replies

Reply (Honored Contributor):

We have some feedback from the field on both the freemium and advanced version. Many changes are coming in the v1.1 free edition, including improved accuracy of detection, false-positive reduction and kill chain. Stay tuned, the updated package will be up tomorrow!

Reply (Honored Contributor):

Package v1.2 is now available! Please remove the old package and change to the new one, as it has very significant improvements. Upgrade from v1.0 to 1.2 is not supported, as we have completely rewritten most of the correlation logic.

Version 1.2 release notes

  • False positives reduction
  • Added Kill Chain categorization to events
  • Added SOC channel
  • Added historical correlation for better accuracy and false-positive reduction
  • Granular prioritization of correlated events

  • Updated script, fixed minor bugs

Reply (Super Contributor):

While installing, please go through the instructions step by step. Pay attention to deploying real-time rules, filtering internal events, replacing the script with the new one and changing the schedule to run once every 6 minutes. This is for faster delivery of the malicious sites feed from abuse.ch and to reduce false positives.

Reply (Absent Member):

Hi Andrey

Thanks for sharing such a great topic.

Just want to know how to do this? Any instructions?

Just download the package and upload it to ESM?

Many thanks

Reply (Absent Member):

The document talks about a Linux server? What does it mean? Because I installed the SmartConnector syslog daemon to get logs from the firewall.

Reply (Honored Contributor):

Hi Neo,

Instructions are included in the archive. It's pretty much a package for ESM + a .sh script that will get the abuse.ch feed and send it out as CEF to the connector.

P.S. you're welcome, this subject was bothering us for a while, so I think it belongs here.

Reply (Honored Contributor):

The script can be deployed on any Linux machine that can send syslog to your connector. It sends data in CEF.

Reply (Absent Member):
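The feed script itself is only described in this thread, not shown. The following is an added example of how a script of that kind can look (it is not SOC Prime's script): it reads a one-indicator-per-line feed, drops comments and malformed entries, wraps each indicator in a CEF:0 event and ships the events to a connector as syslog. The sample feed, the vendor/product strings in the CEF header, the field mapping (dst for the indicator, cs1 for the feed name), the feed URL placeholder and the connector host/port are all assumptions.

```shell
#!/bin/sh
# Added example, not the package's own script. Feed -> CEF -> syslog, in POSIX sh.

# Constructed sample feed standing in for the abuse.ch download:
# '#' comments, one IPv4 per line, plus a blank line and a bad entry to exercise the filter.
SAMPLE_FEED='# Ransomware Tracker sample (constructed)
# ip
198.51.100.7
203.0.113.42

not-an-ip
'

# CEF extension values must escape backslash and '=' and must not contain newlines.
cef_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/=/\\=/g' | tr -d '\n'
}

# cef_line <ip> <feed_name>: one CEF:0 event on stdout.
# Header fields (vendor, product, version, signature id, name, severity) are hypothetical.
cef_line() {
  ip=$1; feed=$2
  printf 'CEF:0|Example|Feed2CEF|1.0|100|Ransomware indicator|5|dst=%s cs1Label=feed cs1=%s\n' \
    "$(cef_escape "$ip")" "$(cef_escape "$feed")"
}

# feed_to_cef <feed_name>: reads the feed on stdin, emits CEF lines on stdout,
# skipping comments, blank lines and anything that is not four dotted numeric groups.
feed_to_cef() {
  feed=$1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|\#*) continue ;; esac
    if printf '%s' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
      cef_line "$line" "$feed"
    else
      printf 'skipping invalid indicator: %s\n' "$line" >&2
    fi
  done
}

# ship_to_connector <host> <port>: send each stdin line as a syslog message over UDP.
# Uses util-linux logger options (-n server, -P port, -d UDP, -t tag).
ship_to_connector() {
  host=$1; port=$2
  while IFS= read -r ev; do
    logger -n "$host" -P "$port" -d -t ransomware-feed -- "$ev"
  done
}

# Intended run (FEED_URL and connector address are placeholders):
#   curl -fsSL "$FEED_URL" | feed_to_cef abuse.ch | ship_to_connector connector.example.org 514
# Offline dry run against the constructed sample:
#   printf '%s' "$SAMPLE_FEED" | feed_to_cef abuse.ch
```

To match the "once every 6 minutes" schedule mentioned above, a crontab entry of the form `*/6 * * * * /opt/feed/feed_to_cef.sh` (path assumed) runs the script on that cadence; the connector receiving the syslog must be configured for CEF so the extension fields are parsed rather than stored as a raw message.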

Thank you for responding. I am going to deploy it on Express. However, I try to open abuse.ch but I could not. I don't know why.

regards

Reply (Honored Contributor):

Seems to be online. Try also: https://ransomwaretracker.abuse.ch/tracker/  though I imagine if abuse.ch is blocked you won't get a subdomain access.  IP address of abuse.ch: 104.155.11.149 and 104.197.54.236 respectively.

You actually do not need access to abuse.ch directly as we pull the data over HTTPS API from google.

Reply (Absent Member):

HTTPS API? You mean the .sh script?

Reply (Honored Contributor):

Correct. The script pulls data from the Google API.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.