Alert on high sustained CIFS writes


#1

I’m trying to setup an alert where we can catch sustained CIFS writes. Examples for use would be to catch if a machine is copying large amounts of data for an extended period of time. We had a case where a user had executed ransomware where definitions did not yet exist for our Virus Scan. The result was files being rapidly replaced with encrypted version of themselves. It was crawling through one drive and network share at a time. Backups prevented any data loss, but I would like to be quickly alerted to any such event if it happens again. Cutting response times is key.

The metric in Extrahop I’m looking at is extrahop.device.cifs_server:req_write and I am applying the alert to our CIFS server. I still am getting way too many alerts for this to be useful (especially after business hours). I’m looking for a good threshold to set that would work and not alert on too many false positives. Back when our malicious event was happening, the infected machine was writing at well over 400% that of any other CIFS client. My current (not great) settings:

Thanks in advance for any recommendations to better tune this alert.


#2

Hi @bdockery, the forums will have something very interesting for you in a few days.


#3

Hi @fignewton, would you please link to the awesomeness you’ve mentioned?


#4

Thanks for the reminder, @jenn. @bdockery, in case you haven’t seen it, we now have a ransomware detection bundle that not only looks for sustained CIFS writes, but also digs into the file extension details.

See here: Ransomware Bundle