When Eric visited his client website to get information to prepare his next meeting, he did not notice the website had been compromised and also contained an exploit kit. Clicking through these annoying pop-up windows talking about untrusted Flash and Java content, he went about his business, took notes for his meeting and went home. After the computer was idle for a while, the ransomware payload downloaded from the exploit kit started work encrypting files on Eric’s machine and all attached network shares.
As these events occurred, telemetry was being recorded on the machine. Notably, the Microsft SysInternal Sysmon monitoring tool with Cyber Defence Corporation’s recommended settings that were automatically pushed to Eric’s machine when the SMARTSentinel agent was installed, recorded every process that was executed on the machine. The SMARTSentinel agent then collected the information from the Windows log and uploaded the relevant information to the SMARTSentinel analytics cloud for further processing.
Once in the cloud, the log information from Eric’s machine is analyzed with various heuristics and compared to Eric’s machine baseline. Through entity tracking, the SMARTSentinel analytics cloud determines that the ransomware process is a new addition to Eric’s machine and flags it as an alert, indicating the need for human review.
Once Julie, the person in charge of I.T. security, receives the alert, she notices right away that new software was started on Eric’s machine as SMARTSentinel flags the hash for the program as something that was never seen before on the network. Digging a little deeper via the SMARTSentinel UI, she finds that this weird program was started from Adobe Flash, suggesting a web compromise, and that further activity from the program includes connexions to internal file servers. She immediately escalates the incident and starts remediation right away.
Using the SMARTSentinel response module, she immediately tasks the victim’s machine agent to enable Windows firewall rules blocking outgoing traffic from the victim machine (except connexions to the SMARTSentinel cloud). Then, she creates a detection rule that fires off every time the hash linked to the ransomware is found on the network and she attaches a response policy to the rule to immediately kill the process before any harm can be done. She is now confident that the situation will not get any worse, and she can spend a bit more time doing more in-depth analysis.
By using the SMARTSentinel graph view, entity database and ability to drill down into the logs, she finds out that Eric’s computer was running outdated Adobe Flash software and that this software is also running on a few other machines. However, these machines do not report any deviations from the baseline and the hash for that vulnerable software on the software graph only links to this ransomware incident. With the assurance that the scope of the incident is fully understood, Julie can now start the recovery, taking a mental note to patch the vulnerable software once this incident is resolved.