SecurityWeek

Malware & Threats

Niara Brings UEBA to Ransomware Detection

Niara is a Silicon Valley security company just one year out of stealth mode. This week the startup launched a new user and entity based analytics (UEBA) tool designed to detect existing and unknown ransomware.


Niara is not the first company with a probability-based approach for this purpose, but it claims to differentiate itself from its competitors through the number of specific supervised and unsupervised modules designed to detect anomalies in the different phases of the ransomware kill chain.

Niara could describe itself as a next-generation anti-malware company, but it doesn’t attempt to do so. It doesn’t seek to replace existing security defenses, but to augment them. Until relatively recently, most threats were either known or easily recognized: “a known bad threat,” said CEO Sriram Ramachandran. “These can already be caught with existing tools. The threats haven’t gone away, so why would you replace a tool that already works?”

Where behavioral analytics is strong, Ramachandran suggests, is in what he calls the ‘grey areas’. He uses whaling (such as the business email compromise scam) as an example. Such emails may contain no known bad elements for existing defenses to detect. Using Niara as an example, he suggested, “a bad actor could set up N1ARA.COM. From there he could forge an email pretending to be the Niara CEO instructing the CFO to wire money to a particular account. This email would contain no known bad links, and would easily be visually confused with NIARA.COM.” 

There is, in fact, nothing for traditional defenses to detect as bad. However, a machine learning linguistic analysis module can examine the domain name and see that it is close but different to Niara.com. That would alert the user or admin to the possibility of an issue.
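The lookalike check Ramachandran describes is easy to illustrate. The following is an added example, not Niara's code and not anything the article describes in detail: it normalises a sender domain's registrable label into a "skeleton" (collapsing digits and letter pairs that look alike), then compares that skeleton to a list of trusted domains by edit distance and brand containment. The trusted list, the homoglyph table and the thresholds are all assumptions chosen for illustration.

```python
import unicodedata

# Assumption: domains the organisation treats as its own or as trusted partners.
TRUSTED_DOMAINS = ["niara.com", "securityweek.com"]

# Illustrative subset of visually confusable substitutions (not a full
# Unicode confusables table). Multi-character keys are applied first.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "i": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
}


def skeleton(label: str) -> str:
    """Collapse a domain label so visually similar strings compare equal."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # strip accents
    for glyph, plain in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(glyph, plain)
    return s


def registrable(domain: str) -> str:
    """Naive eTLD+1: keep the last two labels (adequate for .com-style names)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, nearest_trusted_domain, skeleton_edit_distance).

    verdict is "trusted" (exact registrable match), "lookalike" (skeleton
    within a small edit distance, or trusted brand embedded in the label),
    or "unrelated".
    """
    d = registrable(domain)
    if d in trusted:
        return ("trusted", d, 0)
    d_label = skeleton(d.split(".")[0])
    best = None
    for t in trusted:
        t_label = skeleton(t.split(".")[0])
        dist = levenshtein(d_label, t_label)
        if best is None or dist < best[1]:
            best = (t, dist, t_label)
    t, dist, t_label = best
    # Threshold is an assumption: allow roughly one edit per four characters.
    if dist <= max(1, len(t_label) // 4) or t_label in d_label:
        return ("lookalike", t, dist)
    return ("unrelated", t, dist)


if __name__ == "__main__":
    for candidate in ["mail.niara.com", "N1ARA.COM", "niara-payments.com", "example.org"]:
        print(candidate, "->", classify_sender_domain(candidate))
```

Note that this is only the weak signal the article describes: a lookalike verdict on its own says nothing about intent, which is why it is fed into a score rather than blocked outright.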

Niara’s new product is designed with different modules to examine different stages in an infection. One module might examine the delivering email’s header looking for anomalies. Another module might scan any attachments — not looking for known or even unknown malware, but examining the structure of the document. It might detect other anomalies. So far there is nothing concrete. These anomalies might be entirely benign — but a score is being established. The user can set the system to alert on a single weak signal; or he can allow these signals to build into something more concrete before being alerted.

If these weak signals do not cross the user-set threshold for alerts, the next modules take over. “But we’ve already found these ‘weak signals’,” explained Ramachandran. “We’ve remembered them and built them into a risk score for the user. We have already observed this user over time, and have a ‘usual behavior pattern’. Let’s say we later detect a C&C connection pattern emanating from this user. That gives us three connected weak signals which probably equals a strong signal — and we raise the alert. This could happen quickly or it could be a low and slow attack. Analytics will still detect it.”

This basic concept could apply to any malware; “But we have some modules specifically geared to detect the network deviations associated with ransomware,” said Ramachandran. “Network scans, for example; or indications of encryption attempts on hosts, network file shares or cloud storage services. There are certain patterns of access that can be detected. These are different to the patterns associated with many other types of malware.”
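To make the "weak signals build into a strong signal" idea from the preceding paragraphs concrete, here is an added example, not Niara's product code and not derived from anything beyond the description above. It replays a constructed event stream for one user through four small detectors (email header anomaly, macro-bearing attachment, periodic outbound connections suggesting C&C beaconing, and a burst of extension-changing writes on a file share suggesting encryption), assigns each a weight, keeps a rolling risk score over a lookback window, and records when that score first crosses a user-set threshold. Event fields, weights, thresholds and the sample timeline are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def ts(hms: str) -> datetime:
    """Timestamp helper on a fixed constructed day."""
    return datetime.strptime("2016-05-10 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed event stream for one user (not real telemetry).
EVENTS = [
    {"t": ts("09:00:00"), "type": "email", "from_domain": "n1ara.com", "reply_to_mismatch": True},
    {"t": ts("09:00:05"), "type": "attachment", "name": "invoice.docm", "has_macro": True},
] + [
    # Outbound connections roughly every 60 s with little jitter: beacon candidate.
    {"t": ts("09:10:00") + timedelta(seconds=60 * i + (i % 2)), "type": "conn", "dst": "203.0.113.5:443"}
    for i in range(6)
] + [
    # Forty writes in forty seconds on one share, every file changing extension.
    {"t": ts("09:30:00") + timedelta(seconds=i), "type": "file_write",
     "share": "\\\\fs01\\finance", "old_ext": ".xlsx", "new_ext": ".locked"}
    for i in range(40)
]


# Each detector returns (signal_name, weight, time) tuples.
def header_signals(events):
    return [("email_header_anomaly", 1, e["t"]) for e in events
            if e["type"] == "email" and e.get("reply_to_mismatch")]


def attachment_signals(events):
    return [("macro_attachment", 1, e["t"]) for e in events
            if e["type"] == "attachment" and e.get("has_macro")]


def beacon_signals(events, min_conns=5, max_jitter=0.1):
    """Flag destinations contacted at near-constant intervals (low gap variance)."""
    by_dst = defaultdict(list)
    for e in events:
        if e["type"] == "conn":
            by_dst[e["dst"]].append(e["t"])
    out = []
    for dst, times in by_dst.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            out.append(("periodic_beacon:" + dst, 2, times[-1]))
    return out


def encryption_burst_signals(events, window=timedelta(seconds=60), min_writes=25):
    """Flag a share where many extension-changing writes land inside one window."""
    by_share = defaultdict(list)
    for e in events:
        if e["type"] == "file_write" and e.get("old_ext") != e.get("new_ext"):
            by_share[e["share"]].append(e["t"])
    out = []
    for share, times in by_share.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_writes:
                out.append(("encryption_burst:" + share, 3, times[hi]))
                break
    return out


DETECTORS = [header_signals, attachment_signals, beacon_signals, encryption_burst_signals]


def score_user(events, threshold=4, lookback=timedelta(days=7)):
    """Replay signals in time order with a rolling score; report the first alert.

    threshold=1 alerts on any single weak signal; a larger threshold waits for
    signals to accumulate. A long lookback keeps low-and-slow activity in scope.
    """
    signals = sorted((s for det in DETECTORS for s in det(events)), key=lambda s: s[2])
    window, first_alert = [], None
    for name, weight, t in signals:
        window = [(n, w, tt) for n, w, tt in window if t - tt <= lookback] + [(name, weight, t)]
        score = sum(w for _, w, _ in window)
        if first_alert is None and score >= threshold:
            first_alert = {"time": t, "score": score, "signals": [n for n, _, _ in window]}
    return {"final_score": sum(w for _, w, _ in window),
            "first_alert": first_alert,
            "signals": [n for n, _, _ in signals]}


if __name__ == "__main__":
    print(score_user(EVENTS))
```

With the constructed timeline, the header and attachment anomalies alone score 2 and stay below the default threshold; the beacon pattern pushes the score to 4 and raises the alert before the file-share encryption burst even begins, which is the "three connected weak signals" outcome the article describes. Lowering the threshold to 1 alerts on the very first anomalous email header.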


Niara combines both supervised and unsupervised machine learning modules in its threat detection. “Trying to detect anomalous behavior is completely unsupervised. The DNS module is a supervised learning module — entirely ‘taught’ within our own labs. What differentiates us in the market is that we have a wide range of different modules looking at different stages in the malware kill chain, and we do so with a combination of supervised and unsupervised machine learning techniques. The unsupervised approach is generally good at finding anomalies, while the supervised modules are good at attributing a malicious intent. We use both in combination.” And always, he added, the purpose is to detect indications of malware as early as possible within its kill chain.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
