
Niara Brings UEBA to Ransomware Detection

Niara is a Silicon Valley security company just one year out of stealth mode. This week the startup launched a new user and entity behavior analytics (UEBA) tool designed to detect both known and previously unseen ransomware.

Niara is not the first company with a probability-based approach for this purpose, but it claims to differentiate itself from its competitors through the number of specific supervised and unsupervised modules designed to detect anomalies in the different phases of the ransomware kill chain.

Niara could describe itself as a next-generation anti-malware company -- but it doesn't attempt to do so. It doesn't seek to replace existing security defenses, but to augment them. Until relatively recently, most threats were either known or easily recognized: "a known bad threat," said CEO Sriram Ramachandran. "These can already be caught with existing tools. The threats haven't gone away, so why would you replace a tool that already works."

Where behavioral analytics is strong, Ramachandran suggests, is in what he calls the 'grey areas'. He uses whaling (such as the business email compromise scam) as an example. Such emails may contain no known bad elements for existing defenses to detect. Using Niara as an example, he suggested, "a bad actor could set up N1ARA.COM. From there he could forge an email pretending to be the Niara CEO instructing the CFO to wire money to a particular account. This email would contain no known bad links, and would easily be visually confused with NIARA.COM." 

There is, in fact, nothing for traditional defenses to detect as bad. However, a machine learning linguistic analysis module can examine the domain name and see that it is close to, but different from, Niara.com. That would alert the user or admin to a possible issue.

Niara's new product is designed with different modules to examine different stages in an infection. One module might examine the headers of the delivering email, looking for anomalies. Another module might scan any attachments -- not looking for known or even unknown malware, but examining the structure of the document, where it might detect further anomalies. So far there is nothing concrete; these anomalies might be entirely benign -- but a score is being established. The user can set the system to alert on a single weak signal, or can allow these signals to build into something more concrete before being alerted.

If these weak signals do not cross the user-set threshold for alerts, the next modules take over. "But we've already found these 'weak signals'," explained Ramachandran. "We've remembered them and built them into a risk score for the user. We have already observed this user over time, and have a 'usual behavior pattern'. Let's say we later detect a C&C connection pattern emanating from this user. That gives us three connected weak signals which probably equals a strong signal -- and we raise the alert. This could happen quickly or it could be a low and slow attack. Analytics will still detect it."

This basic concept could apply to any malware; "But we have some modules specifically geared to detect the network deviations associated with ransomware," said Ramachandran. "Network scans, for example; or indications of encryption attempts on hosts, network file shares or cloud storage services. There are certain patterns of access that can be detected. These are different to the patterns associated with many other types of malware."

Niara combines both supervised and unsupervised machine learning modules in its threat detection. "Trying to detect anomalous behavior is completely unsupervised. The DNS module is a supervised learning module -- entirely 'taught' within our own labs. What differentiates us in the market is that we have a wide range of different modules looking at different stages in the malware kill chain, and we do so with a combination of supervised and unsupervised machine learning techniques. The unsupervised approach is generally good at finding anomalies, while the supervised modules are good at attributing a malicious intent. We use both in combination." And always, he added, the purpose is to detect indications of malware as early as possible within its kill chain.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.