This story comes to you as part 3 of 4 in our Ransomware Detection series in which we explore how to analyze and protect your Qumulo data at cloud scale. In parts 1 and 2, we examined how to detect ransomware access patterns with Qumulo and Azure Sentinel, and then outlined two additional methods for detecting ransomware with data correlation. In part 3 below, we discuss how to use external Threat Intelligence data to support data correlation.


In part 2 of this series on detecting ransomware, we used static tables such as blacklists or other lookup tables for data correlation with incoming Qumulo Audit events. In this article, we’ll introduce some simple examples that use external Threat Intelligence feeds for data correlation. As a reminder, the image below illustrates the ransomware detection workflow.

ransomware detection workflow

Detecting ransomware in real time

As noted earlier in this series, potential ransomware threats or other suspicious activities should be detected before they can do any harm. One goal to achieve this is to use industry provided Automated Indicator Sharing (AIS).

AIS enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect participants and ultimately reduce the prevalence of cyber attacks. AIS uses an open standard data format, called Structured Threat Information Expression (STIX™), and the protocol Trusted Automated Exchange of Indicator Information (TAXII™) for machine-to-machine communication.

How to feed Threat Intelligence into an Azure Sentinel workspace

Azure Sentinel can subscribe to STIX feeds using the built in TAXII connector. There are many open source feeds, as well as professional feeds available. We’ll use Anomali’s Limo threat stream to feed Threat Intelligence into our Sentinel workspace and correlate the data with our audit events.

Using curl, we can obtain a list of feeds that are provided by limo.anomaly.com:

curl -u guest https://limo.anomali.com/api/v1/taxii2/feeds/collections/
{
"collections":
[
{
"can_read": true,
"can_write": false,
"description": "",
"id": "107",
"title": "Phish Tank"
},
{
"can_read": true,
"can_write": false,
"description": "",
"id": "135",
"title": "Abuse.ch Ransomware IPs"
},
{
"can_read": true,
"can_write": false,
"description": "",
"id": "136",
"title": "Abuse.ch Ransomware Domains"
},
{
"can_read": true,
"can_write": false,
"description": "",
"id": "150",
"title": "DShield Scanning IPs"
},
{
"can_read": true,
"can_write": false,
"description": "",
"id": "200",
"title": "Malware Domain List - Hotlist"
},
{
"can_read": true,
"can_write": false,
"description": "",
"id": "209",
"title": "Blutmagie TOR Nodes"
},
{
"can_read": true,
"can_write": false,
"description": "",
"id": "31",
"title": "Emerging Threats C&C Server"
},
{
"can_read": true,
"can_write": false,
"description": "",
"id": "33",
"title": "Lehigh Malwaredomains"
},
{
"can_read": true,
"can_write": false,
"description": "",
"id": "41",
"title": "CyberCrime"
},
{
"can_read": true,
"can_write": false,
"description": "",
"id": "68",
"title": "Emerging Threats - Compromised"
}
]
}​
How to Subscribe to a Threat Intelligence Feed

To subscribe to one of the above listed Threat Intelligence feeds, let’s walk through some quick steps in Azure Sentinel. In Sentinel, take the following steps:

  1. Click on Data connectors
  2. Enter “Taxii” in the search field
  3. Select Threat intelligence – (TAXII)
  4. Enter the feed details from the list above

For example, if you want to subscribe to the Emerging Threats C&C Server feed, you’d enter the following information into the dialog:

detecting ransomware threat intelligence feeds

This would add the feed to your workspace. After only a few seconds you can see the received TI data.

Select “Threat Intelligence” in the navigation pane to display your TI events:

Azure Sentinel Threat Intelligence data

You can query the Threat Intelligence data with the following query:

ThreatIntelligenceIndicator
| project TimeGenerated, Action, Description, NetworkIP, Url, SourceSystem

An output example is shown in the next figure:

ransomware threat intelligence cyber crime feed

How to correlate Qumulo events with Threat Intelligence data

Now, as we feed the Threat Intelligence into our Azure Sentinel workspace, we can correlate the data and check all Qumulo filesystem activity. For example, we could look for connections to any known bad IP address from our different feeds with the following query:

let timerange = 15min;
let MalIpList = (ThreatIntelligenceIndicator | where Description contains  "mal_ip" | project NetworkIP);
QumuloAuditEvents
| where ClientIP in (MalIpList)

This query will result in a list of all activities that any Qumulo node had with one of the bad known addresses from the intelligence feeds.

This is a good example where we’d need to start automation. If the above query would show any positive results, we’d like to automatically create an alert, an incident and potentially fire up an automated response. In this case the assigned data security analyst would investigate if this IP address did ever show up earlier in our environment and take action if it did.

In any case, we would update the rules in our firewall(s) so that this address gets totally blocked out. This is a good example of preventive action. Even though this IP address had (hopefully) never contacted our network, we’d block it in advance because we know (from the TI feed) it’s related to malware activities.

Note: it would make a lot of sense to not only correlate Qumulo events against Threat Intelligence data. In fact, running those correlations and the (automated) responses against client events, firewall events and Active Directory events makes even more sense ! You’d uncover these malicious connections much earlier. Also, you may want to look for malicious URLs on your firewall, internet gateway or http proxy server to block these sites, before any user can try to access them.

How to use Machine Learning to detect ransomware and suspicious anomalies

Azure Sentinel has some Analytic Rules that use Machine Learning (ML) to uncover anomalies or detect ransomware in your data storage environment. Microsoft has introduced a new rule type, called Anomaly, for this purpose. You don’t need to worry about managing the ML run-time environment for suspicious anomalies, because Azure Sentinel takes care of everything behind the scenes.

You can find these rules in Azure Sentinel in the Analytics tab, and it seems Microsoft is adding more over time. These rules use ML to train a model for a couple of days to set the baseline for usual conditions. This could be network traffic patterns, login patterns in Azure Active Directory (Azure AD), firewall alarms, web requests, and more. The parameters of the pre-defined rules can be modified to balance the noise level to a meaningful level.

The algorithms in the pre-defined rules are not trained for Qumulo events. However, using them with events from other sources—such as Azure AD or firewalls—improves ransomware detection, and reduces investigation and threat hunting time.

Following are the 3 main use cases for using machine learning to detect ransomware.

1. Additional signals to improve ransomware detection

Data security analysts can use anomalies to detect new threats and make existing detections more effective. A single anomaly is not a strong signal of malicious behavior, but when combined with several anomalies that occur at different points on the cyber kill chain, their cumulative effect is much stronger. Security analysts can enhance existing detections as well by making the unusual behavior identified by anomalies a condition for alerts to be fired.

2. Evidence during investigations

Data security analysts also can use anomalies during investigations to help confirm a breach, find new paths for investigating it, and assess its potential impact. For example, when investigating an incident that involves a user and an IP address, a security analyst can query the user and the IP address in the “Anomalies” table to find out other anomalous activities performed by that user and that happened on that IP address. These data help security analysts reduce the time spent on investigations.

3. The start of proactive threat hunts

Threat hunters can use anomalies as context to help determine whether their queries have detected suspicious behavior. When the behavior is suspicious, the anomalies also point toward potential paths for further hunting. These clues provided by anomalies reduce both the time to detect a threat and its chance to cause harm.

We just reviewed how to run queries to detect ransomware and other suspicious activities. Next, we’ll show you how to automate these ransomware detection queries in Azure Sentinel.

Qumulo Recover Q: Disaster recovery solution to help guard against ransomware

Qumulo Audit logs can be used via syslog with any SIEM solution for detection.

Qumulo Recover QWe also offer Qumulo Recover Q—a flexible cloud based disaster recovery solution that fits into any existing business continuity strategy. Active protection features help ensure data safety and integrity, while built-in snapshot and cloud replication features add layers of defense against real-world threats that could compromise your data or operations.

Using Recover Q in the cloud can help optimize your company’s spending for business continuity by reducing on-premises costs in favor of an on demand, cloud-native service.

Further Reading

Have a look at our two white papers to learn more about ransomware detection with Qumulo audit data and SIEM platforms, and the built-in data services (Qumulo Protect and Qumulo Secure) that come standard with your Qumulo software subscription:

Like what you see?

Contact us to book a demo or arrange a meeting. You can even test drive a fully functional Qumulo environment right from your browser:

Test drive Qumulo for free

Test drive Qumulo for free

Explore a fully functional Qumulo environment, right in your browser.

Try Demo