5.7.2.14. `Ransomware detect` screen

5.7.2.14.1. Introduction

The `Ransomware detect` screen is used to:

  • Activate the engine and show its state

  • Set the engine sensitivity

  • Investigate on the alerts and the detection threshold

  • Define the list of files that are not analyzed and are therefore considered healthy

This screen is only accessible to members of the operator group.



5.7.2.14.3. Screen description

After pressing the `Ransomware detect` command on the `Detection Strategy\Threat intel` menu, the `Ransomware detect` screen is displayed.

../../../../_images/GCE103_RANSO_01.PNG

For administrator group members, the following message is displayed: `Error 403:Insufficient permissions`.

| Part | Function |
|---|---|
| `Settings` | Engine settings |
| `Investigation` | Session activity |
| `Ignore list` | Files that are defined in the list of ignored IP addresses are considered healthy. |


5.7.2.14.4. Part `Settings` of the screen `Ransomware detect`

This part is used to:

  • Activate the engine

  • Show its state

  • Set the engine sensitivity

  • Define the list of files that are not analyzed and are therefore considered healthy

../../../../_images/GCE103_RANSO_01.PNG

| Item | Name | Function |
|---|---|---|
| 1 | `Settings` | Includes all engine settings |
| 2 | `Ransomware detect activation` | Engine activation zone |
| 3 | `Enabled` | This selector activates or deactivates the engine on the selected GCaps |
| 4 | `Gcaps` | This field displays the selected GCaps (default = all) |
| 5 | `Sensitivity` | Engine sensitivity adjustment area |
| 7 | `Sensitivity level` | Slider used to adjust the sensitivity threshold above which an alert is raised |
| 6 | `Engine state` | Indicates the current state: training or running (see below) |
| 8 | `Discard changes` button | Button to cancel current changes |
| 9 | `Save changes` button | Button to save current changes |

In training state:

- The following message is displayed: `The engine is accumulating data before training (x%)`.
- The engine is trained with legitimate data corresponding to the specific traffic (for further information, see Analysing the Ransomware detect alerts).
- If this is the first training, the engine does not trigger alerts. Otherwise alerts are triggered with the previous settings.

In running state:

- The following message is displayed: `The engine is running`.
- The engine raises alerts according to the sensitivity.

The user chooses a sensitivity level.
To raise an alert on an SMB stream, the engine analyzes parts of that stream (samples).
Each sample is analyzed and scored.
When a sample's score exceeds the detection threshold, that sample is potentially attributed to ransomware.
When the number of samples that have exceeded the detection threshold is higher than the threshold set by the sensitivity setting, a Ransomware-type alarm is created.
It is therefore this number of samples exceeding the detection threshold that is defined by the sensitivity adjustment.

| Level | Definition |
|---|---|
| `Very low` | Sensitivity 1: the detection threshold is higher than the optimum value defined by the engine training. Generates fewer alerts, including fewer false positives. |
| `Low` | Sensitivity 2 |
| `Standard` | Sensitivity 3: default value. The detection threshold is at the optimum value defined by the engine training. |
| `High` | Sensitivity 4 |
| `Very high` | Sensitivity 5: the detection threshold is lower than the optimum value defined by the engine training. Generates more alerts, including more false positives. |

The engine then issues all alerts whose sensitivity level is less than or equal to the configured sensitivity level:

  • For example, if the user sets the maximum sensitivity level (5), the engine issues level 1, 2, 3, 4 and 5 alerts

  • If the user sets the sensitivity level to 3 (default), the engine issues level 1, 2 and 3 alerts

  • If the user sets the sensitivity level to 1 (the least sensitive), the engine only issues level 1 alerts

Important

To use the Ransomware detect engine correctly, GCaps must have:

  • SMB logging enabled

  • The SMB stream-depth parameter set to 100MB minimum.
    On some profiles the default value when pairing a GCap is only 10MB; a notification is then issued.

5.7.2.14.5. Part `Investigation` of the screen `Ransomware detect`

This part is used to investigate on the alerts and the detection threshold.

../../../../_images/GCE103_RANSO_02.PNG

| Item | Name | Function |
|---|---|---|
| 1 | `Investigation` | Displays information about the score of the detected samples |
| 2 | `Session activity` | Finds a sample once its session_ID has been entered |
| 3 | `Current threshold` | Samples with a score above the current threshold are counted as alerts |
| 4 | Examples of samples defined as alerts | These samples have values higher than the current threshold |

The Ransomware detect engine analyzes every SMB session by splitting it into small time windows.
In this graph, each dot represents the individual score given to each time window of each session.
Dots with the same colour belong to the same SMB session.
An alert is raised when the aggregated score of the individual dots exceeds the current threshold.
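The scoring and alerting behaviour described here and in the `Settings` part (one score per time window, a detection threshold moved around the trained optimum by the sensitivity level, an alarm once enough samples of a session exceed it, alerts issued for every level up to the configured one, the source-IP ignore list and the GCap prerequisites) written out as a small Python model. This is an added illustration, not GCenter's own code: the optimum threshold, the per-level offsets and sample counts, the session scores and the IP addresses are all assumed values.

```python
"""Constructed model of the Ransomware detect scoring logic described in this
section. Illustrative code, not GCenter's implementation; all numbers are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: the optimum detection threshold that engine training converged on.
TRAINED_OPTIMUM = 0.70
# Assumed: sensitivity 3 keeps the optimum, 1 and 2 raise the threshold,
# 4 and 5 lower it (fewer vs. more alerts, as the level table describes).
THRESHOLD_OFFSET = {1: 0.20, 2: 0.10, 3: 0.0, 4: -0.10, 5: -0.20}
# Assumed: number of over-threshold samples a session needs before an alarm fires.
MIN_ALERTING_SAMPLES = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}
# Documented prerequisite: SMB stream-depth of at least 100MB on the GCap.
MIN_STREAM_DEPTH_MB = 100


@dataclass
class SmbSession:
    session_id: str
    source_ip: str
    sample_scores: List[float]  # one score per time window of the session


def detection_threshold(sensitivity: int) -> float:
    """Sample-score threshold in force for a given sensitivity level (1..5)."""
    return round(TRAINED_OPTIMUM + THRESHOLD_OFFSET[sensitivity], 2)


def over_threshold_samples(session: SmbSession, sensitivity: int) -> int:
    """Number of time windows whose score exceeds the detection threshold."""
    threshold = detection_threshold(sensitivity)
    return sum(1 for score in session.sample_scores if score > threshold)


def session_alarms(session: SmbSession, sensitivity: int) -> bool:
    """A Ransomware-type alarm is created once enough samples exceed the threshold."""
    return over_threshold_samples(session, sensitivity) >= MIN_ALERTING_SAMPLES[sensitivity]


def alert_level(session: SmbSession) -> Optional[int]:
    """Least sensitive level (1 = Very low) at which this session would alarm, or None."""
    for level in range(1, 6):
        if session_alarms(session, level):
            return level
    return None


def issued_alerts(sessions, configured_sensitivity, ignored_ips=frozenset()) -> List[Tuple[str, int]]:
    """Alerts issued at the configured sensitivity: every session whose alert level
    is <= the configured level, skipping ignore-listed source IPs."""
    alerts = []
    for session in sessions:
        if session.source_ip in ignored_ips:
            continue  # traffic from ignore-listed sources is considered healthy
        level = alert_level(session)
        if level is not None and level <= configured_sensitivity:
            alerts.append((session.session_id, level))
    return alerts


def gcap_prerequisite_problems(smb_logging: bool, stream_depth_mb: int) -> List[str]:
    """Documented GCap prerequisites that are not met (empty list means ready)."""
    problems = []
    if not smb_logging:
        problems.append("SMB logging is disabled")
    if stream_depth_mb < MIN_STREAM_DEPTH_MB:
        problems.append(f"SMB stream-depth is {stream_depth_mb}MB, minimum is {MIN_STREAM_DEPTH_MB}MB")
    return problems


# Constructed sample sessions (scores and addresses are invented for the illustration).
SESSIONS = [
    SmbSession("sess-001", "10.0.0.5", [0.95, 0.93, 0.97, 0.91, 0.96, 0.94]),  # alarms even at Very low
    SmbSession("sess-002", "10.0.0.8", [0.72, 0.75, 0.71, 0.40, 0.35]),        # alarms from Standard upwards
    SmbSession("sess-003", "10.0.0.9", [0.10, 0.20, 0.15, 0.05]),              # never alarms
    SmbSession("sess-004", "10.0.0.42", [0.99, 0.98, 0.99, 0.99, 0.99]),       # backup host on the ignore list
]
IGNORED_IPS = frozenset({"10.0.0.42"})

if __name__ == "__main__":
    for sensitivity in (1, 3, 5):
        print(f"sensitivity {sensitivity} (threshold {detection_threshold(sensitivity)}):",
              issued_alerts(SESSIONS, sensitivity, IGNORED_IPS))
    print("GCap check:", gcap_prerequisite_problems(True, 10) or "ready")
```

Because both the threshold and the required sample count move monotonically with the sensitivity, a session that alarms at level 1 also alarms at every higher level, which is why issuing "all alerts whose level is less than or equal to the configured level" reduces to evaluating each session at the configured level alone. The ignore list is applied before scoring, so an ignore-listed backup host producing high-scoring traffic never appears in the issued alerts.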

5.7.2.14.6. Part `Ignore list` of the screen `Ransomware detect`

This part is used to define the list of files that are not analyzed and are therefore considered healthy.

../../../../_images/GCE103_RANSO_03.PNG

| Item | Name | Function |
|---|---|---|
| 1 | `Ignore list` | Window used to define the IP addresses to ignore |
| 2 | `Most frequent source IP detected` | Field displaying the most frequent source IP addresses detected |
| 3 | `Manually add source IP` | Button to add a source IP address to ignore |
| 4 | `Ignored IP` | Field listing the IP addresses to ignore. A time range can be specified. |