RANSOMWARE RESPONSE
Rely on the visibility of Open NDR to detect reconnaissance and respond effectively to ransomware events.
ELIMINATE VISIBILITY GAPS
Ransomware is a persistent, evolving threat that demands defensive investments beyond the endpoint. But most organizations lack visibility and detection around unmanaged devices, critical assets, cloud workloads, and lateral movement. Because of this, they miss ransomware early warning signs and struggle to respond quickly and cost-effectively to attacks when they occur.
Corelight's Open NDR Platform delivers complete network visibility and powerful new security capabilities to detect, investigate, respond to and recover from ransomware attacks that disrupt critical business operations.
- Spot ransomware reconnaissance
- Identify SSH file upload & download activity
- Illuminate encrypted remote desktop actions
- Reveal lateral movement in Microsoft file shares
Close the case on ransomware
Spot reconnaissance activities
Many adversaries survey their target environment before they drop ransomware payloads or exfiltrate stolen data. Corelight’s network visibility can reveal ransomware-related port scanning activity and suspicious probes.
Detect RDP brute forcing
Ransomware attacks often begin via a compromise of weak RDP servers. Corelight detects RDP brute forcing and known RDP clients associated with ransomware attacks.
Identify risky encrypted connections
Corelight brings light to the darkness by identifying early-stage encrypted connections, including hundreds of VPN clients, and illuminating activity such as the use of self-signed and expired certificates.
Illuminate lateral movement
After gaining an initial foothold, ransomware adversaries work their way toward your critical assets. Corelight detects lateral movement activity in SMB and DCE-RPC traffic, such as remote file copy events.
Detect Command & Control
Adversaries need to connect with a C2 server to drop ransomware payloads and exfiltrate data. Corelight detects over 50 different types of C2 activity on your network.
Spot suspicious SSH activity
Before the end stage of a ransomware attack, adversaries may test their infrastructure and foothold. Corelight illuminates adversarial behaviors such as large- and small-file transfers over SSH or the presence of human keystrokes.
Identify scope
Every connection in a ransomware attack generates a Corelight conn.log, which can be used in conjunction with other Corelight evidence around file and DNS activity to quickly determine the scope of a ransomware attack after a breach.
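An added example (not Corelight's code) of the scoping step described above: it walks Zeek-format JSON conn.log and dns.log records, resolves a known C2 domain to the addresses hosts actually looked up, finds the hosts that connected to them, and then follows SMB sessions outward from those hosts. The C2 domain, addresses, hosts and log records are constructed for the example.

```python
"""Scope a ransomware incident from Zeek-format conn.log and dns.log records.
Field names follow the Zeek JSON log format; the indicator, hosts and
log lines below are constructed for this example."""
import json
import ipaddress

# Constructed sample: two dns.log records and four conn.log records.
DNS_LOG = """
{"ts":1700000001.0,"id.orig_h":"10.1.1.20","query":"c2.example.invalid","answers":["203.0.113.7"]}
{"ts":1700000002.0,"id.orig_h":"10.1.1.30","query":"updates.example.com","answers":["198.51.100.9"]}
""".strip().splitlines()

CONN_LOG = """
{"ts":1700000003.0,"uid":"C1","id.orig_h":"10.1.1.20","id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":512,"resp_bytes":20480}
{"ts":1700000010.0,"uid":"C2","id.orig_h":"10.1.1.20","id.resp_h":"10.1.1.50","id.resp_p":445,"proto":"tcp","service":"smb","orig_bytes":90000,"resp_bytes":4000}
{"ts":1700000020.0,"uid":"C3","id.orig_h":"10.1.1.50","id.resp_h":"10.1.1.60","id.resp_p":445,"proto":"tcp","service":"smb","orig_bytes":85000,"resp_bytes":3000}
{"ts":1700000030.0,"uid":"C4","id.orig_h":"10.1.1.30","id.resp_h":"198.51.100.9","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":300,"resp_bytes":9000}
""".strip().splitlines()

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def resolved_ips(dns_lines, ioc_domain):
    """IPs any host resolved for the IOC domain (C2 may move between addresses)."""
    ips = set()
    for line in dns_lines:
        rec = json.loads(line)
        if rec.get("query", "").lower() == ioc_domain.lower():
            ips.update(rec.get("answers", []))
    return ips

def scope_incident(conn_lines, c2_ips):
    """Return (hosts that talked to the C2, hosts reachable from them over SMB)."""
    conns = [json.loads(ln) for ln in conn_lines]
    seeds = {c["id.orig_h"] for c in conns if c["id.resp_h"] in c2_ips}
    # Lateral movement edges: SMB (445/tcp) between two internal hosts.
    smb = [(c["id.orig_h"], c["id.resp_h"]) for c in conns
           if c.get("id.resp_p") == 445
           and ipaddress.ip_address(c["id.orig_h"]) in INTERNAL
           and ipaddress.ip_address(c["id.resp_h"]) in INTERNAL]
    impacted, frontier = set(seeds), list(seeds)
    while frontier:  # breadth-first walk over SMB edges from each seed host
        src = frontier.pop()
        for orig, resp in smb:
            if orig == src and resp not in impacted:
                impacted.add(resp)
                frontier.append(resp)
    return seeds, impacted

if __name__ == "__main__":
    c2 = resolved_ips(DNS_LOG, "c2.example.invalid")
    seeds, impacted = scope_incident(CONN_LOG, c2)
    print("C2 IPs:", sorted(c2), "| direct contacts:", sorted(seeds))
    print("Hosts in scope via SMB lateral movement:", sorted(impacted))
```

The same walk can be extended with Zeek files.log and smb_files.log records, keyed on the conn.log uid, to list which files moved between the in-scope hosts.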
Recover files
Corelight extracts and reassembles over 200 different file types from wire traffic, which can be flexibly stored on-premises or in the cloud to support file recovery needs.
Verify containment
Use Corelight to provide ongoing network monitoring for IOCs and behaviors to confirm the adversary is out of your environment and can’t repeat the attack.
Filter out the noise
Growing alert noise from security tools plagues security teams, and a lack of evidence makes it hard to validate whether a given ransomware alert is a true positive or a false positive. With complete visibility from Corelight, analysts can cut through the noise of third-party tools. One Corelight customer, for example, had been unable to validate a ransomware alert from a third-party tool because that tool provided no context or visibility.
Call their bluff
In high-stakes ransomware investigations, many security teams are unable to answer key questions and default to worst-case assumptions. With complete visibility from Corelight, teams can avoid costly overreactions. One customer, when confronted with a $10 million ransomware demand, used Corelight to prove that the exfiltrated data being held for ransom had no real value, which also provided legal air cover for refusing to pay the ransom.