rupeshtiwari/Use Case: Protecting E-commerce Order Data from Ransomware.md

## Use Case: Protecting E-commerce Order Data from Ransomware.md

      
    Raw
  

              Use Case: Protecting E-commerce Order Data from Ransomware.md
            
          
    For a real-world use case, we can choose sample e-commerce order data to set up a Security Analytics detector to protect against ransomware attacks. E-commerce platforms are frequent targets due to the valuable financial data they hold.
Use Case: Protecting E-commerce Order Data from Ransomware


Scenario:

We want to set up a Security Analytics detector in Amazon OpenSearch Service to monitor for ransomware activities like data exfiltration and system state backup deletion, commonly seen in ransomware attacks like BlackCat and LockBit.
Steps to Set Up Security Analytics Detector

Step 1: Access OpenSearch Dashboards


Sign in to your OpenSearch Dashboards.
Navigate to the "Security Analytics" section.


Step 2: Define the Detector


Go to Detectors:

Click on "Create Detector".
Name: E-commerce Ransomware Protection
Description: Detects potential ransomware activities targeting e-commerce order data.


Select Data Source:

Choose the relevant indexes or index patterns, e.g., opensearch_dashboards_sample_data_ecommerce.


Select Log Types and Rules:

Choose System Activitiy Microsoft Windows as the log type.
Add relevant Sigma rules:

Rclone Execution via Command Line or PowerShell
Delete Volume Shadow Copies via WMI with PowerShell
Wbadmin Delete Systemstatebackup
Suspicious Scheduled Task Creation Involving Temp Folder


Step 3: Configure Detection Rules


Rclone Execution via Command Line or PowerShell:

Description: Detects the execution of RClone utility, which is used for data exfiltration.
How It Helps: Prevents data exfiltration attempts, protecting sensitive order data.


Delete Volume Shadow Copies via WMI with PowerShell:

Description: Monitors for deletion of Volume Shadow Copies using PowerShell.
How It Helps: Prevents disabling backups, a common tactic in ransomware attacks.


Wbadmin Delete Systemstatebackup:

Description: Detects attempts to delete system state backups using wbadmin.exe.
How It Helps: Protects backups from deletion, ensuring data recovery options.


Suspicious Scheduled Task Creation Involving Temp Folder:

Description: Detects the creation of scheduled tasks in temporary folders, often used by ransomware.
How It Helps: Identifies suspicious scheduled tasks, indicating potential ransomware activity.


Step 4: Mapping Fields for Security Analytics Detector

Given the sample e-commerce order data, here are the mappings for the provided detection rule fields to the corresponding data source fields:


Rule field name
Mapped log field name


winlog.event_data.ParentImage
products.manufacturer


winlog.event_data.Image
products.price


winlog.event_data.HostApplication
customer_full_name


winlog.event_data.Description
event.dataset


timestamp
order_date


source.ip
geoip.region_name


process.command_line
products.sku


destination.ip
geoip.country_iso_code


This mapping ensures each field is unique and corresponds to a relevant data source field in the sample e-commerce order data.

Step 5: Set Detection Interval


Set the detection interval to an appropriate value, e.g., every 5 minutes, to ensure timely detection.Set the detection interval to an appropriate value, e.g., every 5 minutes for testing purposes. If you want immediate feedback, consider setting a shorter interval, such as 1 minute, during initial testing.
Select Next


Step 6: Set Up Alert Triggers


Create Trigger:

Trigger Name: Ransomware Activity Alert
Detection Type: Any rules, any severities, any tags.
Alert Severity: 1 (Highest)


Send Notification:


Notification Channel: Choose Slack, Email, or another preferred channel. In this demo I select "Chime".


Message Subject: "Potential Ransomware Activity Detected"


Message Body:
Triggered alert condition: Ransomware Activity Alert
Severity: 1 (Highest)
Threat detector: E-commerce Ransomware Protection
Description: Detects potential ransomware activities targeting e-commerce order data.
Detector data sources: opensearch_dashboards_sample_data_ecommerce


Sub-steps to Create a Slack Channel:


Click "Manage Channels":


-   This will open the channel management interface in a new tab.


Create Channel:

Click "Create Channel".
Channel Type: Select "Chime".
Name: E-commerce Alerts
Webhook URL: Enter the Slack incoming webhook URL.
Save the Channel:

Click "Save" to create the channel.


Creating Chime Webhook Steps:

Create a chat room "Testing"
Select "Room Settings"

Select Add webhook , give name ransomware-demo-aos


Copy URL and paste on channel webhook url in OpenSearch Dashboards


Step 7: Finalize and Create Detector


Review all configurations and mappings.
Click "Create Detector" to save and activate the detector.


Use Case: Protecting E-commerce Order Data from Ransomware

Scenario:

We want to set up a Security Analytics detector in Amazon OpenSearch Service to monitor for ransomware activities targeting e-commerce order data. This setup will help protect against attacks like BlackCat, Hive, LockBit, and Conti.
Steps to Set Up Security Analytics Detector

Step 1: Access OpenSearch Dashboards


Sign in to OpenSearch Dashboards.
Navigate to "Security Analytics".

Step 2: Define the Detector


Go to Detectors:

Click "Create Detector".
Name: E-commerce Ransomware Protection
Description: Detects potential ransomware activities targeting e-commerce order data.


Select Data Source:

Choose opensearch_dashboards_sample_data_ecommerce.


Step 3: Select Log Type and Detection Rules


Log Type: Microsoft Windows
Detection Rules: Choose relevant rules such as:

Rclone Execution via Command Line or PowerShell
Delete Volume Shadow Copies via WMI with PowerShell
Wbadmin Delete Systemstatebackup
Suspicious Scheduled Task Creation Involving Temp Folder


Step 4: Map the Fields


destination.ip: geoip.country_iso_code
process.command_line: products.sku
source.ip: geoip.region_name
timestamp: order_date
winlog.event_data.Description: event.dataset
winlog.event_data.HostApplication: customer_full_name
winlog.event_data.Image: products.price
winlog.event_data.ParentImage: products.manufacturer

Step 5: Set Detection Interval


Set the detection interval to an appropriate value, such as every 5 minutes. For testing purposes, consider setting a shorter interval, such as 1 minute.

Step 6: Set Up Alert Triggers


Create Trigger:

Trigger Name: Ransomware Activity Alert
Detection Type: Any rules, any severities, any tags.
Alert Severity: 1 (Highest)


Send Notification:

Notification Channel: Select "Slack" from the options.
Message Subject: "Potential Ransomware Activity Detected"
Message Body:
Triggered alert condition: Ransomware Activity Alert
Severity: 1 (Highest)
Threat detector: E-commerce Ransomware Protection
Description: Detects potential ransomware activities targeting e-commerce order data.
Detector data sources: opensearch_dashboards_sample_data_ecommerce


Sub-steps to Create a Slack Channel:


Click "Manage Channels":

This will open the channel management interface in a new tab.


Create Channel:

Click "Create Channel".
Channel Type: Select "Slack".
Name: E-commerce Alerts
Webhook URL: Enter the Slack incoming webhook URL.
Save the Channel:

Click "Save" to create the channel.


Return to Alert Trigger Setup:

After creating the Slack channel, return to the alert trigger setup.
Select the newly created Slack channel (E-commerce Alerts) from the "Notification Channel" dropdown.


Step 7: Finalize and Create Detector


Review all configurations and mappings.
Click "Create Detector" to save and activate the detector.

Testing the Detector

Method: Inserting Logs Manually via Dev Tools

To manually insert a log that will trigger the detector, follow these steps:


Access Dev Tools:

Navigate to "Dev Tools" in OpenSearch Dashboards.


Insert Test Log:

Use the following command to insert a log that mimics a ransomware activity, such as a suspicious PowerShell command. Replace <INDEX_NAME> with your index name, e.g., opensearch_dashboards_sample_data_ecommerce.


POST /<INDEX_NAME>/_doc
{
  "geoip": {
    "country_iso_code": "US",
    "region_name": "California",
    "location": {
      "lon": -118.2437,
      "lat": 34.0522
    }
  },
  "order_date": "2024-05-31T18:11:31+00:00",
  "event": {
    "dataset": "sample_ecommerce"
  },
  "customer_full_name": "John Doe",
  "products": [
    {
      "sku": "rclone.exe",
      "price": 100.00,
      "manufacturer": "EvilCorp"
    }
  ]
}


Run the Detector:

If you have set the detection interval to 1 minute, wait for the interval to pass.


Review Alerts:

Check the alerts section to see if the inserted log triggers any alerts. The alert should be sent to the configured Chime channel.


By following these steps, you can test your Security Analytics detector setup in Amazon OpenSearch by manually inserting logs that simulate ransomware activities. This approach ensures your detector is functioning correctly and provides timely alerts to mitigate ransomware attacks.
Summary

By setting up the detector with a shorter interval or manually triggering it, you can effectively test the Security Analytics detector in Amazon OpenSearch. This approach ensures early detection and prompt response to potential ransomware threats, safeguarding valuable e-commerce order data.
Implementing these steps helps ensure your detector is functioning correctly and provides timely alerts to mitigate ransomware attacks.
For more details, refer to the OpenSearch Security Analytics Documentation.
References


https://opensearch.org/docs/latest/security-analytics/sec-analytics-config/detectors-config/
Rule field name	Mapped log field name
winlog.event_data.ParentImage	products.manufacturer
winlog.event_data.Image	products.price
winlog.event_data.HostApplication	customer_full_name
winlog.event_data.Description	event.dataset
timestamp	order_date
source.ip	geoip.region_name
process.command_line	products.sku
destination.ip	geoip.country_iso_code