Strengths: Rapid, unassisted detection and remediation of ransomware attacks delivered by phishing. Lots of documentation but only for existing customers.
Weaknesses: We would like a little more meat on the website – perhaps an FAQ, for example. Also, some of the best documentation only is available to existing customers.
Verdict: This is an excellent approach to first phase interdiction for ransomware attacks and shows a solid understanding of the ransomware process and how to manage its delivery through phishing.
There are three stages to ransomware attack management: pre-attack, or delivery, attack and post-attack or clean-up/remediation. IronTraps addresses the pre-attack phase. There are some fallacies that can seriously impact you in a ransomware incident. The two big ones are that the appearance of the ransom demand signals an attack, and that all you need to do is backup and you'll be safe.
Believing the first fallacy results in an encrypted mess because the ransom message often - usually, in fact - is the last thing the ransomware does. Believing the second may result in restoring from an already infected backup. That is not always true, so by no means should you just ignore backup. The interesting thing about this product is that it focuses on the pre-attack phase but has a neat little trick to help in the cleanup.
IronTraps assumes that it takes roughly one to two minutes for a ransomware infection to take hold. In our test bed, using a current version of Locky, we observed that the actual time to infect a few thousand files was seconds. However, we inserted the ransomware directly into the target directory so it was much faster than a phishing-introduced ransomware. In any case, there are clues that IronTraps picks up on to take advantage of every second.
First, when the victim clicks on something in the phish, it likely is not the ransomware. Rather, it is more likely to be a downloader. Picking up on that action, IronTraps has a headstart on stopping the infection. It picks this up straight from the phishing message which it has identified as potentially malicious.
But the best-laid plans and all that - or Murphy, if you prefer - may throw a spanner in the works. That's where the trick comes in. IronTraps has already caught the downloader, started analysis in the cloud and interdicted the ransomware. Since we're talking about just a minute or so, that is not an unreasonable action. The infection is quickly interdicted and this all is done without the user's knowledge and the user is back in operation before they even know there has been a problem.
Of course, while all of this activity is progressing, the SOC team has been notified and the IRONSCALES servers have begun phishing forensics. IRONSCALES applies multi-AV, sandbox scans and proprietary analytics and responds as indicated by the forensics. When an attack is verified - a matter of a very few seconds at most - automatic remediation starts including appropriate quarantines, disabling links and cleaning up the infection part of the attack. Intrusion signatures generated on an attack basis go to the endpoints, the server and the SIEM so the first mis-click is the last.
The dashboard is simplicity itself, but in that simplicity is everything the SOC needs to manage ransomware attacks with IronTraps. The tool integrates with MS Exchange servers and SIEMS. The intelligence created out of the attack is created and propagated in under a minute so it is doubtful that a ransomware attack will get past it. We tested it with Locky and also a newly created copy of Satan, a do-it-yourself ransomware product that is somewhat different every time you build it. Neither test malware got past IronTraps and we found no encrypted files in our test bed.
Support is solid and although the website is a bit heavy in marketing language, it does have lots of good information, a blog and some white papers and use cases.