Niara Brings UEBA to Ransomware Detection

Niara is a Silicon Valley security company just one year out of stealth mode. This week the startup launched a new user and entity based analytics (UEBA) tool designed to detect existing and unknown ransomware.

Niara is not the first company with a probability-based approach for this purpose, but it claims to differentiate itself from its competitors through the number of specific supervised and unsupervised modules designed to detect anomalies in the different phases of the ransomware kill chain.

Niara could describe itself as a next-generation anti-malware company — but it doesn’t attempt to do so. It doesn’t seek to replace existing security defenses, but to augment them. Until relatively recently, most threats were either known or easily recognized: “a known bad threat,” said CEO Sriram Ramachandran. “These can already be caught with existing tools. The threats haven’t gone away, so why would you replace a tool that already works.”

Where behavioral analytics is strong, Ramachandran suggests, is in what he calls the ‘grey areas’. He uses whaling (such as the business email compromise scam) as an example. Such emails may contain no known bad elements for existing defenses to detect. Using Niara as an example, he suggested, “a bad actor could set up N1ARA.COM. From there he could forge an email pretending to be the Niara CEO instructing the CFO to wire money to a particular account. This email would contain no known bad links, and would easily be visually confused with NIARA.COM.” 

There is, in fact, nothing for traditional defenses to detect as bad. However, a machine learning linguistic analysis module can examine the domain name and see that it is close to but different from Niara.com. That would alert the user or admin to the possibility of an issue.

Niara’s new product is designed with different modules to examine different stages in an infection. One module might examine the delivering email’s header looking for anomalies. Another module might scan any attachments — not looking for known or even unknown malware, but examining the structure of the document. It might detect other anomalies. So far there is nothing concrete. These anomalies might be entirely benign — but a score is being established. The user can set the system to alert on a single weak signal; or he can allow these signals to build into something more concrete before being alerted.

If these weak signals do not cross the user-set threshold for alerts, the next modules take over. “But we’ve already found these ‘weak signals’,” explained Ramachandran. “We’ve remembered them and built them into a risk score for the user. We have already observed this user over time, and have a ‘usual behavior pattern’. Let’s say we later detect a C&C connection pattern emanating from this user. That gives us three connected weak signals which probably equals a strong signal — and we raise the alert. This could happen quickly or it could be a low and slow attack. Analytics will still detect it.”
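The two mechanisms described above, a lookalike-domain check and per-user accumulation of weak signals against a user-set threshold, as an added illustration in Python; this is not Niara's code, and the defended domain, the confusable-character map, the per-signal scores and the threshold are constructed assumptions.

```python
import unicodedata
from collections import defaultdict

# Constructed assumptions (not Niara's code): the defended domain and a small
# map of characters commonly used to impersonate others in lookalike domains.
OWN_DOMAIN = "niara.com"
CONFUSABLES = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "5": "s"})

def skeleton(domain: str) -> str:
    """Canonical form: Unicode-fold, lowercase, collapse confusable characters."""
    return unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_score(sender_domain: str, own: str = OWN_DOMAIN) -> float:
    """Weak signal in [0, 1]: 0 for our own domain, 1 for a confusable twin, decaying with edit distance."""
    if sender_domain.lower() == own.lower():
        return 0.0
    if skeleton(sender_domain) == skeleton(own):
        return 1.0                      # e.g. N1ARA.COM vs NIARA.COM
    return max(0.0, 1.0 - levenshtein(skeleton(sender_domain), skeleton(own)) / 3)

class RiskLedger:
    """Per-user accumulation of weak signals; alert only once a set threshold is crossed."""
    def __init__(self, threshold: float):
        self.threshold = threshold
        self.signals = defaultdict(list)  # user -> [(signal name, score)]
    def add(self, user: str, name: str, score: float) -> float:
        self.signals[user].append((name, score))
        return self.total(user)
    def total(self, user: str) -> float:
        return sum(s for _, s in self.signals[user])
    def should_alert(self, user: str) -> bool:
        return self.total(user) >= self.threshold

if __name__ == "__main__":
    ledger = RiskLedger(threshold=1.5)
    ledger.add("cfo", "lookalike-sender", lookalike_score("N1ARA.COM"))
    ledger.add("cfo", "header-anomaly", 0.3)        # constructed module outputs
    ledger.add("cfo", "c2-beacon-pattern", 0.6)
    print("cfo total", ledger.total("cfo"), "alert", ledger.should_alert("cfo"))
```

Each signal on its own stays below the threshold, so no alert fires until the third one lands; lowering the threshold is the knob for alerting on a single weak signal instead.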

This basic concept could apply to any malware; “But we have some modules specifically geared to detect the network deviations associated with ransomware,” said Ramachandran. “Network scans, for example; or indications of encryption attempts on hosts, network file shares or cloud storage services. There are certain patterns of access that can be detected. These are different to the patterns associated with many other types of malware.”

Niara combines both supervised and unsupervised machine learning modules in its threat detection. “Trying to detect anomalous behavior is completely unsupervised. The DNS module is a supervised learning module — entirely ‘taught’ within our own labs. What differentiates us in the market is that we have a wide range of different modules looking at different stages in the malware kill chain, and we do so with a combination of supervised and unsupervised machine learning techniques. The unsupervised approach is generally good at finding anomalies, while the supervised modules are good at attributing a malicious intent. We use both in combination.” And always, he added, the purpose is to detect indications of malware as early as possible within its kill chain.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
