
Ransomware & How Snare Can Help: Extended Forensic Logging Capabilities

How Snare Can Help: Extended Forensic Logging Capabilities

Snare offers a number of products that help customers with their log collection needs. These logs can be vital in reconstructing the timeline of a ransomware attack and performing root cause analysis of the responsible processes. However, as outlined above, with an increasing number of trusted services being compromised, conventional log collection systems (such as SIEMs) may leave key forensic data lost amongst the noise. There are many aspects to detecting ransomware and intruders on your network. Snare offers a number of extended logging capabilities that can help highlight the signs of ransomware within your organisation, such as:

Registry Integrity and Access Monitoring – Snare is able to monitor registry locations for access to, or changes of, any registry key stored on a system. Ransomware frequently tries to persist across reboots, so monitoring the registry locations that enable this behaviour can act as an early warning system.

File Integrity and Access Monitoring – Snare is able to monitor files or directories for access and changes at specified locations. During a ransomware attack, a large number of file changes occur, generating thousands of FIM/FAM logs in a short time. Snare products are also able to provide customisable threshold alerts, so that an alert is generated if more than 100 file events occur within a 5-second window (usually the sign of a process making bulk modifications to files).
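The threshold-alert idea above, as an added illustration rather than Snare's own code: a sliding-window detector that reads tab-separated file-event lines (a constructed format, not Snare's) and raises one alert when more than 100 events land within any 5-second window.

```python
"""Sliding-window burst detection over file-event logs (added example, not Snare code)."""
from collections import deque
from datetime import datetime, timedelta

# The page's figures: alert when more than 100 file events fall within 5 seconds.
THRESHOLD = 100
WINDOW = timedelta(seconds=5)


def parse_event(line):
    """Parse a constructed line '<ISO timestamp>\t<event>\t<path>' into (datetime, event, path)."""
    ts, event, path = line.rstrip("\n").split("\t", 2)
    return datetime.fromisoformat(ts), event, path


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one (first_ts, last_ts, count) alert per burst, raised the moment the
    number of events inside the trailing window first exceeds `threshold`.
    The window must drain back to the threshold before another alert can fire."""
    recent = deque()   # timestamps of events inside the trailing window
    alerts = []
    in_burst = False
    for line in lines:
        ts, _event, _path = parse_event(line)
        recent.append(ts)
        # Evict events older than the window, measured from the newest event.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > threshold and not in_burst:
            alerts.append((recent[0], ts, len(recent)))
            in_burst = True
        elif len(recent) <= threshold:
            in_burst = False
    return alerts


def constructed_log():
    """Constructed sample: 20 ordinary writes spread over 10 minutes, then 150 renames
    to a .locked extension within 3 seconds (the bulk-modification pattern)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=30 * i)).isoformat()}\tWRITE\tC:\\Users\\alice\\doc{i}.docx"
             for i in range(20)]
    burst = base + timedelta(minutes=15)
    lines += [f"{(burst + timedelta(milliseconds=20 * i)).isoformat()}\tRENAME\t"
              f"C:\\Users\\alice\\file{i}.docx.locked" for i in range(150)]
    return lines


if __name__ == "__main__":
    for first, last, count in detect_bursts(constructed_log()):
        print(f"ALERT: {count} file events between {first} and {last}")
```

The ordinary writes never trip the threshold; the rename burst produces a single alert on its 101st event, about two seconds after it begins.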

These are just a few of the XFL (Extended Forensic Logging) capabilities of Snare products.

If you would like to learn more, visit our contact page and a member of our team will be happy to help.
