Elastic Endpoint Security protects enterprises from ransomware

The SOC team's objectives are to reduce the time to detection and rapidly remediate threats within their network. The SOC team faces three major challenges to meeting these objectives:

• Skills: Analysts must understand advanced attacker methods and the technologies 
• Tools: Analysts must have the right tools to gather relevant host data and analyze it in time to stop damage and loss
• Process: Current processes are dominated by data collection and known indicator search, which is not designed to identify unique, polymorphic attacks

Prior to Elastic Endpoint Security, the help desk received an alert for a malicious file on an endpoint. The alert highlighted a suspicious activity on the machine, triggering a ticket to the security team’s Tier 1 SOC analyst. The analyst scanned the infected host system with an anti-malware software, identified a variant of the Locky ransomware, and deleted the malicious ransomware file. Once the file was deleted, the IT administrator re-imaged the machine and restored encrypted data from a backup. The Tier 1 SOC analyst changed the alert status to ‘resolved’ and the help desk closed the ticket thinking that ransomware was removed. 

Although the file was deleted, the malicious process was still running on the infected systems. Because the attack included a persistence mechanism — a common technique used by attackers to maintain access after system reboot — the ransomware executed on reboot and a Tier 2 SOC investigated the alert. Despite the time the SOC team spent detecting, analyzing, and responding to the alert, they failed to eliminate the threat from the infected system. 

With Elastic Endpoint Security deployed on endpoints, the Tier 1 SOC analyst now receives an alert before the JavaScript downloads and the file executes. The signature-less malware engine generates an alert with a MalwareScore™ — a high-confidence score depicting the maliciousness of a file. The security analyst deletes the file with a single click on the alert. To ensure that the file has no remnants on the system, the Tier 1 analyst runs network, process, and persistence hunts to eliminate any suspicious activity. In less than a minute, the Tier 1 analyst gathers the data and explores various automated hunt capabilities, including how:

• The automated network hunt finds suspicious communications to C2 
• The process hunt identifies suspicious processes that were not backed by a file 
• Automated persistence hunting in Elastic Endpoint Security identifies an uncommon path where a file is running from the temp directory

Once the hunt artifacts are detected, the Tier 1 analyst deletes the file, kills the process, and stops persistence without any business disruption. The automated hunts enable the SOC to look for similar occurrences across the environment and stop further damage and loss.

Elastic Endpoint Security reduces the time, cost, and complexity of traditional incident response by instantly detecting techniques and patterns used by ransomware and memory-resident malware at the earliest and all phases of the kill chain — all without traditional indicators of compromise (IoCs). Our unique prevention technology halts attacker techniques such as encryption and lateral movement within the network to prevent damage and loss.