DDoS Defense Expert - providing high-capacity DDoS protection, CC protection and large-volume traffic scrubbing!

Game Shield_Commands for defending against DDoS attacks_How to defend

06-22 DDoS Defense

Focus on file renames to generate Ransomware alerts

If you are interested in learning more about detecting Ransomware on your network, check out the blog posts below which I published recently. There is a lot of good info in these if you want to learn more about how Ransomware can get into a network.

One of the most common questions I get on the subject of Ransomware is how you can generate an alert if any variant of Ransomware gets into a network. The key requirement is being able to detect any variant, which rules out approaches such as antivirus signatures that are designed to alert on one specific Ransomware variant.

When Ransomware strikes it seeks out local and network-based storage, encrypts files and leaves behind text or HTML files containing instructions on what is required to decrypt the data. You could set up alerts when specific file extensions are detected on network shares, but this is not reliable as some Ransomware variants use common extension types like .HTML.

A more reliable way is to watch out for file renames on network file shares. While rename is a valid action it is not one used a lot by network users. Any sudden increase in file renames is an indication that something suspicious is happening on your network.

I am going to use our own product LANGuardian to show you how you can trend renames and create alerts when there is a sudden increase in activity. However, you may be able to set up similar alerts in other monitoring tools if they have the ability to capture file and folder actions associated with network file shares.

LANGuardian uses network traffic as a data source, so you don't need to install agents or enable logging on your file servers. It monitors and records every access to file shares, recording details of user name, client IP address, server name, event type, file name, and data volume. Just set up a SPAN or mirror port to sniff the traffic.

If you use Cisco switches on your network, we have a free Cisco SPAN Port Configurator which makes the job really easy. Just select the port or VLAN that your file server(s) are connected to and send the data to whatever port you have your LANGuardian connected to.

Create a LANGuardian trend to focus on file renames

Before you can set up Ransomware alerts, you need to create a trend of how often renames are being detected. Our support team carried out some tests on a number of Ransomware variants. Based on this research, we recommend generating an alert when renames go above 4 per second as a good starting point for detecting Ransomware.

To get this alerting in place, log onto your LANGuardian, click on the All Reports option at the top right and select Search by File/Folder Name.

Select Rename from the action drop-down and then run the report. It does not matter what date selection you use, just be sure to select the action prior to running the report.

You may or may not see results when the report completes; this does not matter. Now select Actions at the top of the report and choose Trend Report. Enter a name like File Renames and click on the Create button.

Configure Ransomware Alerting

Follow these steps to configure Ransomware alerts

You can also send the alert via SNMP which makes it possible to integrate with tools like SolarWinds UDT and IBM QRadar to take an action like immediately disconnecting the infected client by disabling a port on a switch.
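The rename-rate detection described above, as an added example that is not part of the original post or of LANGuardian: it parses a small constructed set of file-share access events in the shape the post lists (user, client IP, server, event type, file name), counts renames per second and raises an alert when a second exceeds the 4-per-second starting threshold. It goes one step beyond the post by keying the count per client IP, so the alert already names the host a follow-up action (such as the SNMP-triggered port disable) would target.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not LANGuardian output). Fields: timestamp, user,
# client IP, server, event type, file path. Client 10.0.0.44 renames five files
# within the same second, which is the burst pattern the post associates with
# Ransomware; the other clients show normal activity.
SAMPLE_EVENTS = """\
2023-06-22T09:15:00 alice 10.0.0.21 fs01 read   finance/budget.xlsx
2023-06-22T09:15:01 bob   10.0.0.35 fs01 rename hr/old.docx
2023-06-22T09:15:02 alice 10.0.0.21 fs01 write  finance/budget.xlsx
2023-06-22T09:15:10 carol 10.0.0.44 fs01 rename docs/a.docx
2023-06-22T09:15:10 carol 10.0.0.44 fs01 rename docs/b.docx
2023-06-22T09:15:10 carol 10.0.0.44 fs01 rename docs/c.pdf
2023-06-22T09:15:10 carol 10.0.0.44 fs01 rename docs/d.pdf
2023-06-22T09:15:10 carol 10.0.0.44 fs01 rename docs/e.xlsx
2023-06-22T09:15:10 carol 10.0.0.44 fs01 write  docs/README.html
2023-06-22T09:15:11 carol 10.0.0.44 fs01 rename docs/f.docx
2023-06-22T09:15:11 carol 10.0.0.44 fs01 rename docs/g.docx
"""

RENAMES_PER_SECOND_THRESHOLD = 4  # starting point recommended in the post


def parse_events(text):
    """Parse whitespace-separated event lines into dicts; the path may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, client, server, action, path = line.split(None, 5)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "client": client, "server": server,
                       "action": action, "path": path})
    return events


def rename_rate_alerts(events, threshold=RENAMES_PER_SECOND_THRESHOLD):
    """Return one alert per (second, client) whose rename count exceeds threshold."""
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] == "rename":
            second = ev["ts"].replace(microsecond=0)
            counts[(second, ev["client"], ev["user"], ev["server"])] += 1
    return [{"second": sec.isoformat(), "client": client, "user": user,
             "server": server, "renames": n}
            for (sec, client, user, server), n in sorted(counts.items())
            if n > threshold]


if __name__ == "__main__":
    for alert in rename_rate_alerts(parse_events(SAMPLE_EVENTS)):
        print("ALERT rename burst:", alert)
```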


Copyright notice: This article is an original by DDoS Defense Expert; when reposting, please keep the link: /ddos1/70132.html

About DDoS Defense Expert: 孤之剑
Member of a twenty-person group of senior domestic white-hat hackers, former senior network security engineer at BAT, a leading contributor on well-known network security sites, submits vulnerabilities to Google and Microsoft every year, original developer of the sina Weibo load plugin, currently runs combined defenses that have withstood long-term attacks of 1-4.7T, and has independently developed a fingerprinting system for CC protection that can achieve 99.9999% unbeatable defense.