EDR: Can EDR detect many files being renamed which can occur during a ransomware attack?
Article ID: 288205
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Can EDR detect many files being renamed which can occur during a ransomware attack?
Environment
EDR Server: All versions
EDR Sensor: All versions
EDR Console: All versions
Resolution
EDR (as a technology, not a product) is not a good solution for ransomware that is already running. It is good for detecting the TTPs that typically precede an attack while the adversary is laying the groundwork for a large one (lateral movement, credential theft, etc.). But once ransomware is running, detection is not a good solution because it will only tell you within minutes or hours anyway. (All watchlists on EDR run on a 10-minute cycle.)
For ransomware, what is really needed is prevention rather than detection. Even if the alert fires instantaneously, investigating what is happening will take longer than the encryption process, even assuming the SOC is watching in real time.
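As an added illustration (not from this KB article or from Carbon Black), the following Python simulation runs a rename-burst rule over constructed filemod-style events and evaluates it on the 10-minute watchlist cycle described above, to show how many renames complete before the first alert could even fire. The event tuple format, the burst threshold, the process names and the timings are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0, 0)        # constructed start of the watchlist cycle
CYCLE = timedelta(minutes=10)              # watchlists are evaluated every 10 minutes

def constructed_events():
    """Constructed EDR-style filemod events (not real sensor output):
    (timestamp, process_guid, action, path), sorted by time."""
    events = []
    # Benign: an editor renaming a few temp files over several minutes.
    for i in range(3):
        events.append((T0 + timedelta(minutes=i), "editor-1", "rename", f"/docs/note{i}.tmp"))
    # Ransomware-like: 500 renames in ~50 seconds, starting 2m30s into the cycle.
    start = T0 + timedelta(seconds=150)
    for i in range(500):
        events.append((start + timedelta(milliseconds=100 * i), "enc-1", "rename", f"/docs/file{i}.docx"))
    return sorted(events)

def rename_bursts(events, threshold=100, window=timedelta(seconds=60)):
    """Return {process_guid: first time it reached `threshold` renames
    inside a sliding `window`}. This is the hypothetical watchlist logic."""
    recent = defaultdict(deque)
    hits = {}
    for ts, guid, action, _path in events:
        if action != "rename" or guid in hits:
            continue
        q = recent[guid]
        q.append(ts)
        while ts - q[0] > window:          # drop renames outside the window
            q.popleft()
        if len(q) >= threshold:
            hits[guid] = ts
    return hits

def next_watchlist_run(t, cycle_start=T0, cycle=CYCLE):
    """Earliest watchlist evaluation at or after time t."""
    runs = (t - cycle_start) // cycle
    if cycle_start + runs * cycle < t:
        runs += 1
    return cycle_start + runs * cycle

def renames_before(events, guid, until):
    """How many renames `guid` completed before the alert could be raised."""
    return sum(1 for ts, g, a, _ in events if g == guid and a == "rename" and ts < until)

if __name__ == "__main__":
    ev = constructed_events()
    for guid, hit in rename_bursts(ev).items():
        alert = next_watchlist_run(hit)
        print(f"{guid}: threshold hit {hit.time()}, alert {alert.time()}, "
              f"renames before alert: {renames_before(ev, guid, alert)}")
```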
Endpoint Standard (CBC) and App Control both have strong ransomware prevention.