Detecting ransomware with QRadar using behavioral analysis
Ransomware is one of the top trending concerns in any business; hundreds of business are seeing their data being encrypted even with the latest security solutions. As most of anti-virus solutions are signature based, they are not fully capable of detecting the latest ransomware strains. In this post we will be discussing how to configure QRadar to detect ransomware threats in real time by observing events’ behaviour.
Ransomware may seem a complex attack, but most of them are actually quite simple: The malware encrypts files and then shows a ransom message to the user. The objective of the attacker is to encrypt the files as fast as possible to maximize the impact (if the encryption is slow the user may notice and stop the attack before all the files gets encrypted), and that’s how we can detect the threat.
In a simple language, the encryption process consists in: open a file, read a file, write the encrypted file, close the file. If you are monitoring your servers with QRadar, every time a file is updated an event is generated. So if you detect a high volume of “file update” events in a short period of time, it may be a sign of a ransomware infection.
Based on that, to implement an effective ransomware monitoring capability on QRadar all you need to do is:
- Ensure file audit is enabled on your windows servers: You need to be able to see events such as “File open”, “File Update” and “File Delete”. Before creating any rule, search for those event names to make sure you are getting them. Please note that this can considerably increase your EPS rate, so if you have a large environment and you’re enabling file-access audit consider enabling it in stages and observing your EPS rate.
- Create an offense rule that detect multiple file updates: A good threshold is 500 file updates in a minute. If you see more than 500 file updates in less than a minute, that’s an indication that there is an automated process updating your files (which may be a sign of ransomware).
If you have any mitigation system (such as IBM BigFix or McAfee EPO), you can even trigger a mitigation action to stop the ransomware. For example with QRadar you can send a “process kill” request to IBM BigFix, which will quickly login into the machine and kill the ransomware process.
It is important to note that QRadar is detecting ransomware through system behaviour. This puts QRadar in advantage if compared to regular signature-based anti-virus solutions, since we will be capable of detecting “zero-day” ransomware, which anti-virus solutions may not have signature for it.
This post is based on a very interesting video series called “QRadar Stopping Ransomware” by Jose Bravo. If you want to see step-by-step of how to configure your SIEM to stop ransomware, you should check out his youtube channel.