Known for the extreme damage it causes, such as financial loss, permanent loss of data, and confidentiality breaches, a ransomware attack continues to keep security teams on their toes. Common attack vectors attributed to ransomware include:
Ransomware attack containment involves multiple steps including (but not limited to):
The following image shows a typical kill chain for ransomware.
With a heavy volume of alerts coming from multiple controls at different stages of the attack cycle, a ransomware infection may be overlooked, causing great financial damage to an organization or irreparable data loss. Leveraging SOAR solutions helps contain such attacks swiftly, as they can automate major processes of the containment phase.
Now, let’s have a look at one of the ransomware cases. The following figure explains the steps to identify and contain a ransomware incident.
Based on the sensitivity of data and the criticality of assets, the security team decides the severity of the incident. SIRP offers extensive asset management and prioritization of alerts through its proprietary scoring mechanism, the SIRP Security Score (S3). The asset register within SIRP is used in automation playbooks for automated, quick decision-making and reporting.
The asset inventory maps the hostname, IP address, category, classification, and value of each asset.
The containment strategies are decided according to business needs. The escalation matrix and isolation strategies are determined based on the severity of the compromised endpoint. A server has a high severity and a different containment strategy from a workstation.
Now, let’s have a look at the SIRP automation playbook workflow for the ransomware case. The following figure outlines a workflow to automate the ransomware attack remediation steps through the SIRP playbook.
SIRP supports integration with different SIEM solutions, AV engines, and EDR solutions for the collection of alerts and offenses. Some of the popular solutions are listed below:
SIRP integrates with different solutions for the collection of artifacts. For example:
SIRP has out-of-the-box (OOTB) integration available for the following Threat Intelligence portals and OSINT platforms:
SIRP integrates with several Firewalls, EDRs, and MDRs, allowing you to automate multiple remedial actions. For example:
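The playbook steps described above (collect the alert, enrich it with threat intelligence and asset-register context, score severity, then pick a containment action by asset category) condensed into one runnable decision step. This is an added illustrative example, not SIRP's code; the scoring is a simplified stand-in for S3, and the asset register, hash set, alert fields and action names are constructed placeholders.

```python
# Hypothetical ransomware-containment playbook step (not SIRP's code or its S3 algorithm).

# Constructed asset register: hostname -> IP, category, classification, business value (1-5)
ASSET_REGISTER = {
    "fs-01":  {"ip": "10.0.1.10", "category": "server",      "classification": "confidential", "value": 5},
    "ws-042": {"ip": "10.0.5.42", "category": "workstation", "classification": "internal",     "value": 2},
}

# Constructed threat-intel set of known-bad file hashes (placeholder, not a real indicator)
KNOWN_BAD_HASHES = {"PLACEHOLDER_SHA256_OF_RANSOMWARE_SAMPLE"}

CLASSIFICATION_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def enrich(alert):
    """Attach a TI verdict and asset-register context to an EDR alert dict."""
    enriched = dict(alert)
    enriched["ti_hit"] = alert.get("sha256") in KNOWN_BAD_HASHES
    enriched["asset"] = ASSET_REGISTER.get(alert["hostname"])
    return enriched


def score(enriched):
    """Severity 0-10 from asset value, data classification and TI verdict (simplified)."""
    asset = enriched["asset"]
    if asset is None:
        return 5  # unknown asset: medium severity, needs analyst triage
    sev = asset["value"] + CLASSIFICATION_WEIGHT[asset["classification"]]
    if enriched["ti_hit"]:
        sev += 2
    return min(sev, 10)


def decide(enriched):
    """Apply the escalation matrix: workstations auto-isolate, servers need approval."""
    asset, sev = enriched["asset"], score(enriched)
    if asset is None:
        return {"severity": sev, "action": "escalate_to_analyst"}
    if asset["category"] == "server":
        # High-value asset: block the IoC immediately but gate isolation behind approval
        return {"severity": sev, "action": "block_ioc_on_firewall_and_request_isolation_approval"}
    if sev >= 4:
        return {"severity": sev, "action": "isolate_host_via_edr"}
    return {"severity": sev, "action": "monitor"}


def run_playbook(alert):
    """Full step: enrich -> score -> decide."""
    return decide(enrich(alert))
```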
SIRP integrates with 100+ popular security tools, allowing 450+ actions to be completed or automated directly from the platform. SIRP also enables cross-platform integration. Therefore, complex and multi-tool processes can be completed in seconds with a single click. New integrations are available within 72 hours at no additional charge. A complete list of available integrations can be found here: https://www.sirp.io/integrations/