
Ransomware Detection and Response | Cyware Use Cases

Abstract


An automated, playbook-driven response process such as the one Cyware provides has proven effective for detecting and responding to ransomware.

Category: Data Enrichment and Threat Intelligence, Endpoint

Cyware Products Used:

  • Cyware Fusion and Threat Response (CFTR)

  • Orchestrate (CO)

  • Cyware Threat Intelligence eXchange (CTIX)

Third-Party Integrations Used:

  • VirusTotal: To enrich ransomware indicators.

  • Crowdstrike Falcon Endpoint Detection and Response (EDR): To block the malicious IOCs.

Problem Statement

Ransomware attacks have grown in numbers and severity over the last few years. The average incident cost and downtime due to ransomware attacks have also increased. Without adequate detection and response measures, organizations end up losing access to their valuable data and even incur damages to their reputation when the stolen data is leaked by threat actors.

Solution

Ransomware operators typically design their malware to spread laterally across an organization’s network so that a single execution infects and encrypts data on as many devices as possible. An automated, playbook-driven response process has proven effective in containing such attacks in their early stages.

[Figure: Ransomware Detection and Response workflow diagram]

How do we solve this problem?

The Ransomware Detection and Response workflow detects ransomware activity based on threat intelligence from the Crowdstrike Falcon Endpoint Detection application. This helps security teams proactively detect ransomware activity at an early stage even before the threat makes an impact. The ransomware response playbook performs the following activities.

  1. Incident Trigger: After receiving a ransomware communication alert from the EDR tool, the incident is automatically created and investigated in the Cyware Fusion and Threat Response (CFTR) platform. This use case receives ransomware communication alerts to known malicious IPs from the Crowdstrike Falcon Endpoint Detection application. See Crowdstrike Falcon Endpoint Detection connector.

  2. Incident Validation: This phase involves incident correlation and enrichment.

    1. Incident Correlation: CFTR fetches the host and user information and correlates it with existing investigations to connect the dots between the threat elements.

    2. Incident Enrichment:

      • Indicator Enrichment: CFTR orchestrates with CTIX and other threat intelligence sources such as VirusTotal to fetch malware hash reputation.

      • User Enrichment: The workflow fetches the affected assets and identifies the owners of the assets using the configuration management database (CMDB) and correlates that with user and asset records in CFTR. See the Get List of Devices endpoint.

  3. Containment: If the alert is confirmed as a true positive after the initial triage, CFTR immediately deploys the following actions to determine the impact and scope of the ransomware attack. This helps contain the spread of the ransomware infection to other devices on the network.

    1. Threat Quarantine: The malicious hash is blocked on the Crowdstrike Falcon Endpoint Detection application. You can also configure a preferred endpoint management tool. See Endpoint integrations.

    2. Asset Quarantine: The impacted user asset is quarantined using the Crowdstrike Falcon Endpoint Detection application. You can also configure a preferred endpoint management tool. See Endpoint integrations.

  4. Response and Remediation: To ensure complete threat response and remediation, you can also include optional configurations to the use case. See Optional Configurations.

  5. Closure: If required, the CFTR platform is used to deploy remediation actions, and the preceding steps are repeated. If the asset is found to be clean, it is unquarantined and the incident is closed.

Optional Configurations

  1. Response and Remediation: To ensure a complete threat response, a sub-playbook can be configured as part of the main playbook to perform the following tasks.

    1. Antivirus Scan: An antivirus scan is performed on the affected and associated assets to ensure that the infection is contained and has not spread. This is then communicated to the user.

    2. Security Control Checks: CFTR queries and checks the security software and patch history on the affected user’s asset.

    3. Security Control Patching: If the device is not patched or no security software is found on the affected asset, a ticket is raised in the ITSM tool.

    4. Retrospective Search: The workflow queries the SIEM or EDR platform for similar alerts to ensure that no other assets or machines are affected. See Analytics and SIEM integrations.

      • New Incident Creation: If new assets or machines are found to be infected, then an incident is created in CFTR for the newly detected asset or machine.
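The main playbook (trigger, validation, containment) and the optional sub-playbook (security control checks, retrospective search, new incident creation) expressed as one toy decision flow in Python. This is an added example, not Cyware or CrowdStrike code: the alert, reputation, CMDB and SIEM data are constructed, and the enrichment and containment calls are stand-ins for the real connectors.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for the EDR alert and enrichment sources.
MALICIOUS_HASH = "a" * 64
ALERT = {"host": "WS-042", "user": "jdoe", "dst_ip": "198.51.100.7",
         "hash": MALICIOUS_HASH}
REPUTATION = {MALICIOUS_HASH: {"malicious": 37, "total": 70}}  # VirusTotal-style verdict
CMDB = {"WS-042": {"owner": "jdoe", "patched": False, "av": True}}
SIEM = [{"host": "WS-042", "hash": MALICIOUS_HASH},           # the triggering host
        {"host": "WS-077", "hash": MALICIOUS_HASH}]           # a second, silent victim

@dataclass
class Incident:
    alert: dict
    owner: Optional[str] = None
    actions: list = field(default_factory=list)
    related: list = field(default_factory=list)
    status: str = "open"

def is_malicious(hash_, min_detections=5):
    """Indicator enrichment: treat the hash as malicious if enough engines flag it."""
    rep = REPUTATION.get(hash_, {"malicious": 0, "total": 0})
    return rep["malicious"] >= min_detections

def run_playbook(alert):
    """Incident trigger -> validation -> containment -> optional sub-playbook."""
    inc = Incident(alert)
    asset = CMDB.get(alert["host"], {})
    inc.owner = asset.get("owner")                 # user enrichment via CMDB
    if not is_malicious(alert["hash"]):            # triage: false positive, close it
        inc.status = "closed-false-positive"
        return inc
    # Containment: block the hash fleet-wide and quarantine the affected asset.
    inc.actions += [f"block_hash:{alert['hash'][:8]}", f"quarantine:{alert['host']}"]
    # Security control checks: missing patches or AV raise an ITSM ticket.
    if not asset.get("patched") or not asset.get("av"):
        inc.actions.append(f"itsm_ticket:{alert['host']}")
    # Retrospective search: other hosts seen with the same hash get their own incident.
    inc.related = sorted({e["host"] for e in SIEM
                          if e["hash"] == alert["hash"] and e["host"] != alert["host"]})
    inc.actions += [f"new_incident:{h}" for h in inc.related]
    inc.status = "contained"
    return inc

if __name__ == "__main__":
    print(run_playbook(ALERT))
```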

Benefits

Reduce Detection and Response Times

A ransomware infection can spread very quickly across a network of connected devices. Hence an automated playbook plays an important role in countering the threat at machine speed instead of relying on slower, manual processes.

Standardize Response Process

A ransomware response automation playbook standardizes the response actions for threats that behave similarly and makes it easier to incorporate lessons learned from previous incidents.

Simplify Security Governance

An automated playbook simplifies governance by letting security teams execute the ransomware response process consistently, even with limited resources.