This story comes to you as part 2 of 4 in our Ransomware Detection series in which we explore how to analyze and protect your Qumulo data at cloud scale. In part 1, we examined how to detect ransomware access patterns that could indicate a threat to your data (with Qumulo and Azure Sentinel). In part 2 below, we cover the next step to detecting ransomware: how to correlate the incoming data with external data, such as whitelists or blacklists.
Previously, we analyzed the ransomware detection workflow used with Azure Sentinel to detect suspicious access patterns to Qumulo data. One of the characteristics of ransomware is that it can hide in your system indefinitely to enable the perpetrator to plan a targeted attack. In this story, we’ll add simple data correlation techniques to the ransomware detection process to discover and prevent attacks.
External data, such as white- or blacklists, can be implemented in Azure Sentinel in various ways, for example as watchlists or as tables in CSV files. In this case, we’ll use external data in the form of static tables. The following two examples illustrate this:
1. Detecting files with suspicious or known bad file extensions; and
2. Detecting a high number of access denied responses in Qumulo event logs.
Ransomware detection workflow with data correlation
The ransomware detection workflow below looks quite similar to the one explained previously in part 1—which explores detecting ransomware access patterns. The difference here is the added data correlation with incoming data. Let’s examine below how to do this.
Methods for data correlation and ransomware detection
Next we’ll cover the methods for data correlation and ransomware detection or other data breach events. These methods can be applied easily to uncover other suspicious activities as well.
1. Detect suspicious or known bad file extensions
Here we check incoming files against an external list of unwanted (blacklisted) file extensions. We create this list as a CSV file, and then store it in a blob container.
This CSV contains a list of known bad file extensions:
Extension,Description
.dam,Damages Malware
.dr,dropper component for a malware
.gen,malware that is detected using a generic signature
.kit,virus constructor
.ldr,loader component of a malware
.pak,compressed malware
.plugin,plug-in component
.remnants,remnants of a virus
.worm,worm component of that malware
.!bit,an internal category used to refer to some threats
.!cl,an internal category used to refer to some threats
.!dha,an internal category used to refer to some threats
.!pfn,an internal category used to refer to some threats
.!plock,an internal category used to refer to some threats
.!rfn,an internal category used to refer to some threats
.!rootkit,rootkit component of that malware
.@m,worm mailers
.@mm,mass mailer worm
We upload the CSV file to a private blob container and we get the following URL to access it:
https://sradtkeloganalytics.blob.core.windows.net/tables/unwanted_file_extensions.csv
However, because we don’t want this list to be publicly accessible, we create a SAS token in the Azure portal. In this way, we can access the file without providing the storage account key. Anyone who holds the resulting URL can read the file until the token expires, so the URL itself has to be handled like a credential; in the URL below, sp=r and sr=b limit the token to read access on this one blob. The URL that we get looks like this:
https://sradtkeloganalytics.blob.core.windows.net/tables/unwanted_file_extensions.csv?sv=2020-04-08&st=2021-05-18T17%3A33%3A45Z&se=2025-12-31T18%3A33%3A00Z&sr=b&sp=r&sig=k3gHLkq7ip4sEDLmrVw3eDrjafEpvjzZG8zA7k6bkGU%3D
To query the content of the blacklist, we write the following query in Azure Sentinel:
externaldata (FileExt: string, Detail: string)
[h"https://sradtkeloganalytics.blob.core.windows.net/tables/unwanted_file_extensions.csv?sv=2020-04-08&st=2021-05-18T17%3A33%3A45Z&se=2025-12-31T18%3A33%3A00Z&sr=b&sp=r&sig=k3gHLkq7ip4sEDLmrVw3eDrjafEpvjzZG8zA7k6bkGU%3D"]
with (ignoreFirstRecord=true)
This displays the content of the CSV table (output omitted here).
Now we can use the following query to check whether any file touched during the last 10 minutes has an unwanted file extension:
let timerange = 10min;
let blacklist = externaldata (FileExt: string)
[h"https://sradtkeloganalytics.blob.core.windows.net/tables/unwanted_file_extensions.csv?sv=2020-04-08&st=2021-05-18T17%3A33%3A45Z&se=2025-12-31T18%3A33%3A00Z&sr=b&sp=r&sig=k3gHLkq7ip4sEDLmrVw3eDrjafEpvjzZG8zA7k6bkGU%3D"]
with (ignoreFirstRecord=true);
QumuloAuditEvents
| where EventTime >= ago(timerange)
| where FileExt1 in (blacklist)
This query lists all events in which a file was accessed whose extension appears in the external blacklist.
According to the detection workflow shown above, alerts and incident(s) would be created automatically. The security incident could be assigned to a security analyst for further investigation or a playbook can be triggered which launches automated responses.
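The blacklist query above returns the matching events but not the reason an extension is listed. The following variant is an added example, not part of the original article: it goes one step further by joining each hit to its Description column and by matching case-insensitively. The URL is a placeholder, the `Ext`, `Hits` and `LastSeen` names are made up for the example, and it assumes that `FileExt1` holds the extension in the same form as the CSV (with the leading dot).

```kusto
// Added example: enrich blacklist hits with the CSV description.
let timerange = 10min;
let blacklist =
    externaldata (FileExt: string, Detail: string)
    // Placeholder: substitute your own blob URL and SAS token.
    [h"https://<storage-account>.blob.core.windows.net/tables/unwanted_file_extensions.csv?<sas-token>"]
    with (ignoreFirstRecord=true)
    // Normalise the list: strip stray whitespace, compare in lower case.
    | extend FileExt = tolower(trim(@"\s+", FileExt))
    | extend Detail = trim(@"\s+", Detail);
QumuloAuditEvents
| where EventTime >= ago(timerange)
// Lower-case the event's extension so ".WORM" and ".worm" both match.
| extend Ext = tolower(FileExt1)
// Keep only events whose extension is on the list and carry Detail along.
| join kind=inner (blacklist) on $left.Ext == $right.FileExt
// One row per flagged extension, with the reason it is listed.
| summarize Hits = count(), LastSeen = max(EventTime) by Ext, Detail
| order by Hits desc
```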
2. Access Denied responses above threshold
In this example method, we want to detect certain actions on the filesystem. We are looking for “access denied” responses from the filesystem that exceed a high threshold within a time period. If access is denied more than 10 times a second, that indicates suspicious activity and the security team must be alerted.
For this use case we create a watchlist, which is a static table used for lookups. In this example, the watchlist Q-Response-Codes contains all file system response codes. We can query the watchlist with the following:
_GetWatchlist('Q-Response-Messages')
Now, to track incoming events of the last 10 minutes against this list and catch any event with a response code other than “ok,” we can run the following query:
let timerange = 10min;
let watchlist = (_GetWatchlist('Q-Response-Messages')
| where ErrorStatus <> "ok"
| project ErrorStatus);
QumuloAuditEvents
| where EventTime >= ago(timerange)
| where ResponseCode in (watchlist)
We could also limit the watchlist to fs_access_denied_error and http_unauthorized_error if we wanted the alerts to occur only on those events. To automatically alert only on access denied errors that exceed a certain threshold, we’ll create an analytic rule in Azure Sentinel that runs at regular intervals and triggers an alert only if the number of events exceeds a threshold that we can configure. From here, the alerts or incidents would be processed according to the workflow described above.
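One way to write the query behind such a rule, as an added example rather than the article's own rule: it narrows the watchlist to the two denied/unauthorized statuses named above, counts matching events per second, and returns only the seconds that exceed the threshold of 10 from the text. It assumes, as the previous query does, that `ResponseCode` carries the same strings as the watchlist's `ErrorStatus` column; the `threshold`, `denied`, `Second` and `DeniedCount` names are made up for the example.

```kusto
// Added example: access-denied responses above a per-second threshold.
let timerange = 10min;   // look-back window, as in the queries above
let threshold = 10;      // "more than 10 times a second"
let denied = (_GetWatchlist('Q-Response-Messages')
    | where ErrorStatus in ("fs_access_denied_error", "http_unauthorized_error")
    | project ErrorStatus);
QumuloAuditEvents
| where EventTime >= ago(timerange)
| where ResponseCode in (denied)
// Bucket events into one-second bins and count the denials in each bin.
| summarize DeniedCount = count() by Second = bin(EventTime, 1s)
// Keep only the seconds in which the threshold was exceeded.
| where DeniedCount > threshold
| order by Second asc
```

Scheduled as an analytic rule, this query can raise an alert whenever it returns at least one row; how often it runs is a deployment choice.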
Next up is part 3 in this series on ransomware detection! We’ll look at how to use external Threat Intelligence data to support data correlation.
Qumulo Recover Q: Disaster recovery solution to help guard against ransomware
Qumulo Audit logs can be used via syslog with any SIEM solution for detection.
We also offer Qumulo Recover Q, a flexible cloud-based disaster recovery solution that fits into any existing business continuity strategy. Active protection features help ensure data safety and integrity, while built-in snapshot and cloud replication features add layers of defense against real-world threats that could compromise your data or operations.
Using Recover Q in the cloud can help optimize your company’s spending for business continuity by reducing on-premises costs in favor of an on-demand, cloud-native service.
Further Reading
Have a look at our two white papers to learn more about ransomware detection with Qumulo audit data and SIEM platforms, and the built-in data services (Qumulo Protect and Qumulo Secure) that come standard with your Qumulo software subscription:
- Security Architecture and Best Practices to Counter Malware
- Threat Hunting with Qumulo Audit and Azure Sentinel