LAS VEGAS—Among the most pernicious forms of malware today is ransomware, which encrypts user devices until a fee is paid to the attacker. There are a number of different ways to find and defend against ransomware, including detecting attacks through network visibility, which is where ExtraHop Networks enters the picture.
In a video interview at the Interop conference here, Raja Mukerji, co-founder and president of ExtraHop Networks, detailed how his firm's network visibility platform can help detect and remediate ransomware.
Mukerji noted that a challenge with some types of ransomware detection technologies is that they look north-south, that is, at traffic moving in and out of an enterprise to some form of hacker command-and-control node. The problem is that many types of ransomware today spread east-west inside an enterprise or data center. He explained that with ransomware, before a command-and-control channel is even set up to transfer data outside of the enterprise, an attacker will encrypt files and do bad things on the east-west corridor inside of the enterprise.
"Because ExtraHop provides scalable visibility into East-West traffic, whether it's LDAP, DNS or storage, we can show the establishment a ransomware bastion within the enterprise before it reports back," Mukerji said.
For example, based on the network and user visibility provided by ExtraHop, it's possible to identify whether there has been some form of unusual file access. If a user is found to be renaming and encrypting files, that is unusual access and could be an indication of a ransomware attack.
"Based on the fact that you can take a look and understand access patterns, identify anomalies and identify that bad things are happening in opaque areas that weren't really understood before, we can really shine a light and show what's happening with ransomware," Mukerji said.
- eWeek
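
The unusual-file-access signal described above (one user renaming many files in a short time) can be sketched as a sliding-window check over file-server events. This is an added example, not ExtraHop's implementation or code from the article; the event tuple layout, the 60-second window, the threshold of 10 files and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from pathlib import PurePosixPath


def build_sample_events():
    """Constructed east-west file-share events: (epoch_s, user, op, path, new_path)."""
    events = [
        (1000, "alice", "READ", "/share/hr/plan.docx", None),
        (1005, "alice", "RENAME", "/share/hr/plan.docx", "/share/hr/plan-v2.docx"),
        (1400, "alice", "WRITE", "/share/hr/plan-v2.docx", None),
    ]
    # Constructed burst: "bob" reads, rewrites and renames 12 files in 24 seconds.
    for i in range(12):
        t = 2000 + 2 * i
        src = f"/share/finance/q{i}.xlsx"
        events += [
            (t, "bob", "READ", src, None),
            (t, "bob", "WRITE", src, None),
            (t + 1, "bob", "RENAME", src, src + ".locked"),
        ]
    return sorted(events, key=lambda e: e[0])


def detect_rename_bursts(events, window=60, threshold=10):
    """Flag users who rename >= threshold distinct files to one new extension
    within `window` seconds. Returns {user: (alert_time, new_extension)}."""
    recent = defaultdict(deque)  # (user, new_extension) -> deque of (time, path)
    alerts = {}
    for ts, user, op, path, new_path in events:
        if op != "RENAME" or new_path is None:
            continue
        old_ext = PurePosixPath(path).suffix.lower()
        new_ext = PurePosixPath(new_path).suffix.lower()
        if new_ext == old_ext:
            continue  # ordinary rename: extension preserved
        q = recent[(user, new_ext)]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the time window
        if user not in alerts and len({p for _, p in q}) >= threshold:
            alerts[user] = (ts, new_ext)
    return alerts


if __name__ == "__main__":
    for user, (ts, ext) in detect_rename_bursts(build_sample_events()).items():
        print(f"ALERT user={user} t={ts} mass rename to '{ext}'")
```

A check like this fires on internal file-share activity alone, before any outbound command-and-control traffic exists to detect.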