This 4-part series on Ransomware Detection explores how to analyze and protect Qumulo data at cloud scale. In part 1 below, we discuss how to detect suspicious access patterns that could indicate a ransomware attack. In part 2, we’ll look at how adding data correlation techniques can help uncover and prevent more potential attacks. In part 3, we’ll reveal how to use external Threat Intelligence feeds for data correlation. In part 4, we’ll show how to automate these queries with Qumulo audit data & Azure Sentinel.
Previously we wrote about the built-in data protection and security controls that come standard with the Qumulo File Data Platform. We explained why a holistic security approach that combines network, compute, device and event-monitoring techniques with data correlation and analysis is preferable to siloed security solutions embedded in the storage system. The goal is to detect threats before they reach your file data storage and, if they do get through, to have a cloud-based backup and disaster recovery strategy that ensures business continuity.
That’s where this series on threat hunting and ransomware detection begins.
In this article, we’ll look at a typical ransomware detection workflow. Then we’ll dive into how these detection techniques can be used with Azure Sentinel to detect suspicious access patterns to Qumulo data, which could indicate ransomware.
How Qumulo’s audit logging feature integrates with SIEM
While you could use any industry-standard security information and event management (SIEM) platform, we decided to use Azure Sentinel as the SIEM and security orchestration, automation, and response (SOAR) solution for this implementation for the following reasons:
- Azure Sentinel is a cloud-based solution that requires no infrastructure setup in your data center.
- Sentinel operates at cloud scale for systems that reside on-premises, in Azure or any other cloud environment.
- There is no up-front license cost. You pay only for the data you ingest and store in Azure Monitor logs.
- There is no cost for analyzing and processing the data.
- Sentinel contains advanced security analytics and threat intelligence features and it provides a rich set of connectors to many other common platforms.
- Response automation can be implemented with logic apps, running any kind of required code. In addition, a number of pre-built logic apps can be used to automate responses and to connect to a large number of other IT systems.
In a previous blog post, titled Secure Your Data with Qumulo Audit and Azure Log Analytics, we described how Qumulo Audit data is ingested into Azure Sentinel. With that data alone we can hunt for and detect suspicious access patterns that could indicate a ransomware attack.
Ransomware detection workflow to detect suspicious access patterns
In the first step we'll use Qumulo Audit data to look for suspicious access patterns.
There are various ways to perform threat hunting and detect ransomware. The workflow we use here looks like this:
- Event Data is ingested in Azure Monitor Logs
- With automated KQL queries, we look for suspicious access patterns.
- If there is no positive match, we’ll keep watching new incoming data
- In case of a positive match, Sentinel creates a security alert and optionally an incident. The incident is used to assign the alert(s) to a data security analyst and to manage them; multiple alerts of a similar type can be grouped into one incident.
- Based on the type of incident, a Playbook can be launched that takes almost any action, such as: send a notification to data security analysts, remove suspicious data, block access to data, block a user, change firewall rules, and more. (Automated response mechanisms will be covered later in this series.)
- After a Playbook has run or data security analysts have investigated the incident, its status is updated and the incident is either closed or processed further.
Now that we have an idea of the ransomware detection workflow, let’s see two simple examples of suspicious activity.
Detecting ransomware or other suspicious activity (examples)
One of the easiest ways to uncover potentially suspicious activity is to identify when someone tried to log in repeatedly but the login failed. This could be a login to the WebUI or the API, or an attempt to connect to an SMB share.
Uncover too many failed login attempts (example 1)
To find failed login attempts within the last 30 minutes, we can run a simple KQL query. QumuloAuditEvents is a function that extracts separate fields from the raw audit data; it's explained in further detail here.
QumuloAuditEvents
| where EventTime > ago(30m)
| where ResponseCode == "STATUS_LOGON_FAILURE"
The result is a list of all failed login attempts in that window, with the fields needed to analyze further what happened.
Instead of running this query manually, we would, of course, create a scheduled analytics rule that runs it every 30 minutes (or whatever interval we choose). Keep the lookback period in the query aligned with the rule's schedule, so that events are neither missed nor counted twice. The handling of the alerts or incidents then proceeds as described above.
While this covers only failed logins on Qumulo, you should consider using the Sentinel connector for Microsoft Defender for Identity to stream identity events from your Active Directory domain controllers directly into Azure Sentinel. That gives you the broader authentication activity of your directory to analyze, rather than only the activity related to file access to and from Qumulo.
Detect ransomware access patterns (example 2)
If a specific client machine is accessing files in a directory at high speed, this may indicate that a process is reading files, encrypting them and writing them back to the same place (sometimes even under the same filename, or the filename with an additional suffix).
The following query returns events from the past 5 minutes that indicate a high IO rate (IO operations per second) in a directory from a single client, exceeding a configurable threshold (here set to 500):
let max_IOPS = 500;
QumuloAuditEvents
| where EventTime > ago(5m)
| summarize events_count=count() by bin(EventTime, 1s), ClientIP, Directory
| where events_count > max_IOPS
The shortcoming of this query is that it also catches legitimate applications that run with high IO rates on regular workloads, such as backup or batch jobs. However, ransomware tends to read and write with high IO rates at the same time: reading a file and then immediately writing the same data back encrypted.
Let's expand the query so that it only shows results where the same client both reads and writes in the same directory within the same one-second bin:
let max_IOPS = 500;
QumuloAuditEvents
| where EventTime > ago(5m)
| summarize events_count_write=countif(Operation == "fs_write_data"), events_count_read=countif(Operation == "fs_read_data") by bin(EventTime, 1s), ClientIP, Dir1
| where events_count_write > max_IOPS and events_count_read > max_IOPS
This is obviously a very simple ransomware detection mechanism, but it catches many ransomware attacks. However, more sophisticated ransomware variants have been observed that spread their write operations over longer periods of time, so the query above alone would not capture them. To detect those attacks we need data correlation techniques, which are the topic of part 2 of this series, and external threat intelligence data, which we cover in part 3.
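As an added example that is not part of the original post or of Qumulo's own code, here are example 1 and both versions of example 2 re-implemented in Python over a set of constructed audit lines, so the logic can be run offline and the difference between the two IOPS rules can be seen: a read-only backup burst trips the first rule but not the refined one. The line layout, the fixed NOW timestamp, the sample hosts and the three-failure threshold are assumptions made for this example, not Qumulo's audit format or the post's thresholds.

```python
"""
Added example (not code from the Qumulo post): the failed-logon query and
the two IOPS queries above, re-implemented in Python over constructed audit
lines. The line layout is an assumption for this example, not Qumulo's
exact audit log format.
"""
import posixpath
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic.
NOW = datetime(2021, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

# Assumed line layout: timestamp,client_ip,user,protocol,operation,status,path
FIELDS = ("EventTime", "ClientIP", "User", "Protocol", "Operation", "ResponseCode", "Path")


def make_sample_lines():
    """Constructed sample audit lines (not real data)."""
    t = NOW - timedelta(seconds=30)
    lines = []

    def add(ts, ip, user, proto, op, status, path=""):
        lines.append(",".join((ts.isoformat(), ip, user, proto, op, status, path)))

    # Four failed SMB logons from one client inside the 30 minute window ...
    for i in range(4):
        add(t + timedelta(seconds=i), "10.0.0.9", "AD\\bob", "smb2", "smb_login", "STATUS_LOGON_FAILURE")
    # ... and one that is two hours old, outside the window.
    add(NOW - timedelta(hours=2), "10.0.0.9", "AD\\bob", "smb2", "smb_login", "STATUS_LOGON_FAILURE")
    # A backup host reading 800 files/s from one directory: high IOPS, reads only.
    for i in range(800):
        add(t, "10.0.0.20", "AD\\backup", "nfs3", "fs_read_data", "ok", f"/share/backup/f{i}.bin")
    # A workstation reading 600 files and writing 600 files in the same
    # directory within the same second: the encrypt-in-place pattern.
    for i in range(600):
        add(t, "10.0.0.5", "AD\\alice", "smb2", "fs_read_data", "ok", f"/share/finance/doc{i}.xlsx")
        add(t, "10.0.0.5", "AD\\alice", "smb2", "fs_write_data", "ok", f"/share/finance/doc{i}.xlsx.locked")
    return lines


def parse_line(line):
    """Split one audit line into the fields the KQL function exposes."""
    event = dict(zip(FIELDS, line.split(",", len(FIELDS) - 1)))
    event["EventTime"] = datetime.fromisoformat(event["EventTime"])
    event["Directory"] = posixpath.dirname(event["Path"]) if event["Path"] else ""
    return event


def failed_logons(events, now=NOW, window=timedelta(minutes=30), min_failures=3):
    """Example 1: failed logons per (client, user) inside the lookback window."""
    cutoff = now - window
    counts = Counter(
        (e["ClientIP"], e["User"])
        for e in events
        if e["EventTime"] > cutoff and e["ResponseCode"] == "STATUS_LOGON_FAILURE"
    )
    return {key: n for key, n in counts.items() if n >= min_failures}


def _bin_key(e):
    # Equivalent of: by bin(EventTime, 1s), ClientIP, Directory
    return (e["EventTime"].replace(microsecond=0), e["ClientIP"], e["Directory"])


def high_iops(events, now=NOW, window=timedelta(minutes=5), max_iops=500):
    """Example 2, first query: any client exceeding max_iops in one directory in one second."""
    cutoff = now - window
    counts = Counter(_bin_key(e) for e in events if e["EventTime"] > cutoff)
    return {key: n for key, n in counts.items() if n > max_iops}


def read_write_bursts(events, now=NOW, window=timedelta(minutes=5), max_iops=500):
    """Example 2, refined query: reads AND writes above max_iops in the same bin."""
    cutoff = now - window
    reads, writes = Counter(), Counter()
    for e in events:
        if e["EventTime"] <= cutoff:
            continue
        if e["Operation"] == "fs_read_data":
            reads[_bin_key(e)] += 1
        elif e["Operation"] == "fs_write_data":
            writes[_bin_key(e)] += 1
    return [
        (key, reads[key], writes[key])
        for key in reads
        if reads[key] > max_iops and writes[key] > max_iops
    ]


SAMPLE_EVENTS = [parse_line(line) for line in make_sample_lines()]

if __name__ == "__main__":
    print("failed logons:", failed_logons(SAMPLE_EVENTS))
    print("high IOPS bins:", high_iops(SAMPLE_EVENTS))
    print("read/write bursts:", read_write_bursts(SAMPLE_EVENTS))
```

Running the script reports one failed-logon cluster (four failures from 10.0.0.9; the two-hour-old one is outside the window), two high-IOPS bins (the backup host and the workstation), and a single read/write burst (the workstation only). The bin size and the max_iops threshold are the two knobs to tune per workload before turning the query into a scheduled rule.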
Qumulo Recover Q: disaster recovery solution to help guard against ransomware
Qumulo Audit logs can be used via syslog with any SIEM solution for ransomware detection.
We also offer Qumulo Recover Q—a flexible cloud based disaster recovery solution that fits into any existing business continuity strategy. Using Recover Q in the cloud can help optimize your company’s spending for business continuity by reducing on-premises costs in favor of an on demand, cloud-native service. Active protection features help ensure data safety and integrity, while built-in snapshot and cloud replication features add layers of defense against real-world threats that could compromise your data or operations.
Qumulo on Azure as a Service, for instance, includes built-in role-based access control for all users, activity auditing for all users and files, and encryption of data at rest coupled with Azure’s Security services to help you repel external threats. In our video below, you can see how Qumulo on Azure makes cloud file services simple and can help keep your data safe with disaster recovery capabilities including continuous replication, erasure coding, snapshots, and automatic failover.
Further Reading
Have a look at our two white papers below to learn more about ransomware detection with Qumulo audit data and SIEM platforms, and the built-in data services (Qumulo Protect and Qumulo Secure) that come standard with your Qumulo software subscription:
- Security Architecture and Best Practices to Counter Malware
- Threat Hunting with Qumulo Audit and Azure Sentinel
Like what you see?
Contact us to book a demo or arrange a meeting. You can even test drive a fully functional Qumulo environment right from your browser.