Contents
Insider Threat Detection
The Elastio CLI enables proactive detection of file encryption changes across your machines, adding a robust layer of security against insider threats and malicious non-ransomware encryption. This feature operates in background mode on both Linux and Windows or directly via the CLI on Linux.
iScan Modes
-
Dual Encryption Detection Modes:
- Ransomware-and-Entropy-Detection: Combines ransomware detection with non-ransomware encryption detection.
- Full-and-Encryption-Detection: Covers malware, ransomware, and non-ransomware encryption detection.
Comprehensive Reporting
Generates detailed reports highlighting
- Detected non-ransomware encryption.
- Suspicious file activity.
Example report for EBS ransomware scan with encryption detection enabled. The list of encrypted files is limited to (up to 100 entries).
{
"schema":"v1",
"scan_target":{
"kind":{
"kind":"path",
"path":"/home/ubuntu/test-ed-scan",
"meta":{
"asset_source":"elastio:asset:generic-host:s:ip-172-31-40-19",
"cpu_cores_count":4,
"os_name":"Ubuntu"
},
"basic_meta":{
"asset_id":"elastio:asset:file:s:generic-host:s:ip-172-31-40-19:/home/ubuntu/test-ed-scan",
"timestamp":"2024-06-11T11:04:08.109171300Z"
}
},
"name":"elastio:asset:file:s:generic-host:s:ip-172-31-40-19:/home/ubuntu/test-ed-scan"
},
"started":"2024-06-11T11:04:20.691576442Z",
"finished":"2024-06-11T11:04:21.205944482Z",
"child_job_id":"j-01j03fgsgf65ctn25b4fr497f2",
"report_data":{
"Ransomware":{
"files":[
],
"files_truncated":0,
"summary":{
"errors":[
],
"deduplicated_errors":[
],
"filesystem_traversal_errors":[
],
"inaccessible_dir_entries":{
"entries":[
],
"total_inaccessible_entries":0
},
"total":72,
"detected_rans":[
],
"iscan_db_downloaded":true
},
"entropy_detection_summary":{
"file_status":[
{
"Suspicious":"/home/ubuntu/test-ed-scan/test-dir-2/file_example_ODS_10.ods"
},
{
"Encrypted":"/home/ubuntu/test-ed-scan/test-dir-2/file-sample_500kB.doc"
},
{
"Encrypted":"/home/ubuntu/test-ed-scan/test-dir-2/file-sample_1MB.odt"
},
{
"Encrypted":"/home/ubuntu/test-ed-scan/test-dir-2/file-example_PDF_1MB.pdf"
},
{
"Encrypted":"/home/ubuntu/test-ed-scan/test-dir-2/file-sample_1MB.rtf"
},
{
"Encrypted":"/home/ubuntu/test-ed-scan/test-dir-2/file_example_XLSX_5000.xlsx"
},
{
"Encrypted":"/home/ubuntu/test-ed-scan/test-dir-2/file_example_XLS_10.xls"
},
{
"Encrypted":"/home/ubuntu/test-ed-scan/test-dir-2/file-sample_500kB.docx"
}
]
},
"billing_stats":{
"files_scanned_size":25206980,
"files_in_resource":74,
"files_in_resource_size":25207494
}
}
}
}
Using iScan
To utilize iScan, specify the detection mode using the appropriate switch in the elastio iscan command. For example:
Example Command
The following command scans an AWS EC2 instance for ransomware activity and encryption changes in background mode:
sudo -E elastio iscan --ec2-instance-id <aws-ec2-instance-id> --vault <vault-name> --monitor --background ransomware-and-encryption-detection
Command Breakdown:
-
--ec2-instance-id <aws-ec2-instance-id>: Specifies the EC2 instance to scan. -
--vault <vault-name>: Identifies the Elastio vault for storing results. -
--monitor --background: Enables continuous monitoring in the background. -
ransomware-and-encryption-detection: Activates dual ransomware detection and non-ransomware encryption detection.
By leveraging iScan, you enhance your defense against insider threats and malicious encryption activities, ensuring a more secure environment.