Security Analytics: Detect Ransomware & Malware

Find And Stop Attacks to Minimize Damage

Identify Malware-Related Activity Across The Environment

Cyber criminals evolve their malware and ransomware faster than AV and IDS tools can keep up, which means passively waiting for alerts will leave security teams blind to stealthy and constantly-changing threats.

Ferret out hidden threats from the likes of Cryptolocker, Locky, TorrentLocker, Samas, TeslaCrypt, etc. Corvil identifies which hosts are being attacked in real time and streams correlated attack indicators to SIEMs for further upstream analysis.

With real-time insight into activities commonly associated with ransomware and malware (such as encrypted files being written over the network to mapped SMB drives), it is easy to pivot investigations to identify:

  • How was the host compromised?
  • Which user accounts access the host?
  • Does the host’s user account show unexpected behavior?

Answering those types of questions enables a more effective response, thereby eliminating the threat and limiting the damage. Additionally, insight into how the current attack bypassed existing defenses can be used to harden the environment against future threats.


Outcomes

  • Proactive detection and analysis
  • Simplified workflows to thwart attacks faster
  • Improved accuracy of response
  • Improved threat hunting effectiveness
  • Reduced coverage and data gaps
  • New levels of visibility and context

“If you look at network traffic from L2-7 and understand the connections, protocol, metadata, and content contained in the packets, you have almost everything you need to detect and respond to cyberthreats.”

Isolate Malware Communications

  • Tunneling and Command & Control channels
  • Encoded payloads intended to hide malicious content
  • Communication via anonymous networks like TOR and I2P
  • Anomalous use of DNS and other communications protocols

Identify The Lateral Spread Of Malware

  • Delivery of malware to new hosts
  • Remote authentication on new hosts with credentials stolen by malware
  • Encrypted files written over the network to mapped SMB drives
  • Attempts to remotely encrypt files on mapped SMB drives
  • Active use of malicious certificates reported by threat intelligence feeds
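
Two of the indicators above, anomalous DNS use (under "Isolate Malware Communications") and bursts of encrypted files written to mapped SMB shares, can be approximated from network metadata with simple heuristics: the byte entropy of SMB write payloads, and the length of the leftmost DNS label. The Python below is an added example, not Corvil's code. The record layouts `(ts, client, share, path, payload)` and `(client, qname)`, the thresholds, and the sample records are all assumptions constructed for illustration.

```python
"""Added example: heuristic detection of ransomware-style SMB writes and
DNS-tunnelling-style queries from network metadata. Not vendor code; the
record formats, thresholds and sample data below are assumptions."""
import hashlib
import math
import random
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0   # bits/byte; encrypted or compressed data sits near 8.0
WRITE_BURST = 3           # high-entropy writes per client within WINDOW_SECS
WINDOW_SECS = 60
DNS_LABEL_MAX = 30        # leftmost labels longer than this are unusual for hostnames
DNS_BURST = 5             # distinct long-label names per (client, parent domain)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_encrypting_clients(writes):
    """writes: iterable of (ts, client, share, path, payload).
    Returns {client: [paths]} for clients that made WRITE_BURST or more
    high-entropy writes inside a WINDOW_SECS sliding window. A single
    high-entropy write (a zip upload, say) is deliberately not enough."""
    per_client = defaultdict(list)
    for ts, client, share, path, payload in writes:
        if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
            per_client[client].append((ts, f"{share}{path}"))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW_SECS:
                start += 1
            if end - start + 1 >= WRITE_BURST:
                flagged[client] = [p for _, p in events[start:end + 1]]
                break
    return flagged


def flag_dns_tunnel_clients(queries):
    """queries: iterable of (client, qname).
    Returns {(client, parent_domain): count} where count is the number of
    distinct names with an over-long leftmost label, if it reaches DNS_BURST.
    Long, ever-changing leftmost labels under one parent are the classic
    shape of data carried in DNS queries."""
    seen = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) >= 3 and len(labels[0]) > DNS_LABEL_MAX:
            seen[(client, ".".join(labels[-2:]))].add(qname)
    return {key: len(names) for key, names in seen.items() if len(names) >= DNS_BURST}


# --- constructed sample data (stands in for metadata a sensor would emit) ---
_rng = random.Random(7)  # seeded so the "ciphertext" is reproducible


def _ciphertext(n=4096):
    """Deterministic stand-in for an encrypted file body."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SHARE = r"\\fs01\finance"
SAMPLE_WRITES = [
    (0,    "10.0.0.5", SHARE, r"\q3\report.docx", b"Quarterly report: revenue grew. " * 50),
    (10,   "10.0.0.5", SHARE, r"\q3\notes.txt",   b"Meeting notes for the Q3 review. " * 40),
    (100,  "10.0.0.9", SHARE, r"\q3\report.docx.locked", _ciphertext()),
    (101,  "10.0.0.9", SHARE, r"\q3\notes.txt.locked",   _ciphertext()),
    (103,  "10.0.0.9", SHARE, r"\q3\budget.xlsx.locked", _ciphertext()),
    (2000, "10.0.0.5", SHARE, r"\backup\archive.zip",    _ciphertext()),  # lone compressed upload
]

SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn-assets-a1b2c3.example.com"),
] + [
    # six distinct 40-hex-character labels under one parent, as a tunnel would produce
    ("10.0.0.9", hashlib.sha1(f"chunk{i}".encode()).hexdigest() + ".t.example.net")
    for i in range(6)
]

if __name__ == "__main__":
    print("encrypting clients:", flag_encrypting_clients(SAMPLE_WRITES))
    print("dns tunnel clients:", flag_dns_tunnel_clients(SAMPLE_QUERIES))
```

The two thresholds are where tuning happens in practice: compressed archives and already-encrypted backups legitimately produce high-entropy writes, so the burst window rather than the entropy test alone is what separates an encrypting host from a user copying a zip file, and the DNS rule should be paired with a per-client baseline so CDN or anti-spam hostnames with long labels do not trip it.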

Recognize File-Less Malware

  • Machines and user accounts invoking remote WMI/PowerShell access
  • Unsigned PowerShell scripts in use (via Endpoint Integration)
  • Users being redirected from legitimate sites to malvertising sites hosting exploit kits
  • Communication with known malicious command and control servers