Machine Learning for Ransomware detection
10 March 2021
Over the last few months, you will have noticed the prevalence of ransomware attacks reported in the news. High-profile and often highly advanced ransomware variants, such as Egregor, Maze and REvil/Sodinokibi, have been observed in almost every industry around the globe.
In fact, over the last three to four months there has been an uptick in notifiable events, the majority of which, as presented in the media, have been high-profile attacks. One needs only refer to the Hackney Council incident as a single illustration: months later, it is still dealing with the consequences of the attack.
“This new era of offensive AI leverages various forms of machine learning to supercharge cyberattacks, resulting in unpredictable, contextualised, speedier, and stealthier assaults that can cripple unprotected organisations.” – Forrester Report (2020).
In response, SecurityHQ released a white paper entitled Ransomware Controls – SecurityHQ’s Zero Trust x40, which provides a collection of simple, common-sense mitigations. Their aim is to break the adversarial tactics required to orchestrate a successful enterprise-wide ransomware attack, and to explore how security processes can become proactive rather than reactive.
Some of the elements covered include how anomaly detection, Artificial Intelligence (AI) and Machine Learning (ML) can be used to detect ransomware across the entire kill chain. This requires further discussion, especially with regard to detecting the early indicators around initial access, lateral movement and privilege escalation that contribute to a successful ransomware attack.
Artificial Intelligence (AI) and Machine Learning (ML) to contextualise, rather than predefine threats
Unsupervised ML and AI can be used across a host of different infrastructures. It should not matter whether the deployment sits in the network (switched to see East-West or North-South traffic), in the cloud, in the Statistical Analysis System (SAS) environment, or on top of logs. Instead of a predefined use case such as "more than 50 megabytes in 10 minutes is a malicious threat", the model flags an unusual amount of data, at a strange time, to a new or unusual domain on the Internet, where "unusual" is defined by the context of the individual organisation it is deployed into. This can be used to detect and stop the early stages of ransomware and other cyber-attacks while normal operations continue.
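As an added illustration of the contrast drawn above (example code, not from the white paper or SecurityHQ's own tooling), the Python below compares the predefined "50 MB in 10 minutes" rule with per-host contextual scoring learned from a constructed set of egress records; the host names, domains and volumes are all made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

MB = 1024 * 1024

# Constructed history (not real logs): (host, hour_of_day, bytes_out, destination)
# per 10-minute window. A backup server routinely pushes large volumes overnight;
# a workstation talks to two SaaS domains during office hours.
HISTORY = (
    [("backup01", h, (55 + i) * MB, "backup.example-vault.net")
     for i, h in enumerate([1, 2, 2, 3, 1, 2])]
    + [("ws-042", h, (2 + i) * MB, d) for i, (h, d) in enumerate(
        [(9, "mail.example.com"), (11, "crm.example.com"), (14, "mail.example.com"),
         (16, "crm.example.com"), (10, "mail.example.com"), (15, "crm.example.com")])]
)

def static_rule(event, limit=50 * MB):
    """The predefined use case: more than 50 MB in a 10-minute window is 'malicious'."""
    return event[2] > limit

def build_baseline(history):
    """Learn per host what 'normal' looks like: volume distribution, active hours, known domains."""
    by_host = defaultdict(list)
    for host, hour, nbytes, domain in history:
        by_host[host].append((hour, nbytes, domain))
    baseline = {}
    for host, rows in by_host.items():
        volumes = [b for _, b, _ in rows]
        baseline[host] = {
            "mean": mean(volumes),
            "sd": pstdev(volumes) or 1.0,  # constant history would give sd 0; avoid /0
            "hours": {h for h, _, _ in rows},
            "domains": {d for _, _, d in rows},
        }
    return baseline

def context_score(event, baseline, z_limit=3.0):
    """Count how many contextual factors are unusual for *this* host (0 = looks normal)."""
    host, hour, nbytes, domain = event
    b = baseline.get(host)
    if b is None:
        return 3, ["unknown host"]
    reasons = []
    if (nbytes - b["mean"]) / b["sd"] > z_limit:
        reasons.append("volume far above host baseline")
    if hour not in b["hours"]:
        reasons.append("outside host's usual hours")
    if domain not in b["domains"]:
        reasons.append("never-seen destination domain")
    return len(reasons), reasons
```

With this history, a 60 MB backup at 02:00 trips the static rule but scores 0 contextually, while a 30 MB transfer from the workstation at 03:00 to a never-seen domain passes the static rule yet scores 3.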
“As cyberattacks grow in volume and complexity, Artificial Intelligence (AI) is helping under-resourced security operations analysts stay ahead of threats. Curating threat intelligence from millions of research papers, blogs and news stories, AI provides instant insights to help you fight through the noise of thousands of daily alerts, drastically reducing response times.” – IBM.
This paper focuses on some of the earlier indications of a breach that can lead to a successful ransomware strike, including how Artificial Intelligence (AI) and Machine Learning (ML) are used to contextualise, rather than predefine, threats. It does so through an analysis of the threat landscape with regard to COVID-19, a view of related phishing attacks and the internet-facing attack surface, Advanced Persistent Threats (APTs), Remote Code Execution (RCE) and low-level threat actors. This is followed by a look at the detection of ransomware across the Cyber Kill Chain, and an analysis of initial access via publicly exposed infrastructure and of internal reconnaissance, including a discussion of attack and recon tools over SMB and a look at model template flexibility.
Download the White Paper here.