Editor’s note: This is part two of a series on threat detection.

In the initial blog of this series, “Detection 101: Top 5 Detection Data Sources,” we covered the data sources foundational to successful SecOps and their corresponding threat detections. In this second installment, we delve into the important detections needed to locate and identify malware and ransomware.

Malware is a broad term that encompasses various types of malicious software designed to harm or exploit computer systems, networks, or users. This includes viruses, trojans, worms, adware, spyware, and of course ransomware.

Ransomware is a specific type of malware that encrypts files or locks down a victim’s computer or network, rendering it inaccessible until a ransom is paid.

Malware Detections: Starting the DIR Process

Endpoints are the common initial access point for threat actors and are a cornerstone of malware threat detection. Most malware, from ransomware to trojans, attempts to compromise endpoints, which is why endpoint detection and response (EDR) solutions play a major role in protecting against these threats. When it comes to detecting malware attempting to compromise an endpoint, endpoint telemetry can originate from the endpoint antivirus or EDR solution, as well as from the endpoint operating system (OS).

Antivirus and EDR technology use a variety of techniques to locate malware, including behavioral analysis, signature-based detection, machine learning, and AI. Once the EDR technology locates a potential threat, it fires an alert to trigger an investigation. For example, if an EDR or antivirus solution detects a QakBot banking trojan, it will trigger an alert to prompt further investigation and response (refer to the table below).

Detection Rules and Data Sources for Malware and Ransomware: Endpoint Rules

Detection Rule Data Source(s)
Antivirus Malware Found Antivirus
Persistent Malware Infection Antivirus
Multiple Malware Signatures on Single Host Antivirus
Reoccurring Malware Antivirus
Malware Not Cleaned EDR, Antivirus

While EDRs and operating systems are the major avenue for detecting malware, they are not the only data source that can inform detections. Multiple data sources are needed to provide optimal detection coverage for malware. For example, a threat signature for ransomware can be detected in multiple tools including network intrusion detection system or a cloud access security broker (CASB), or within a user behavior analytics system. Having multiple layers of protection can increase the likelihood of detecting a malware threat (refer to the table below).

Detection Rules and Data Sources for Malware and Ransomware: Holistic Approach

Detection Rule Data Sources
Ransomware Activity - Signature Detected CASB, User Behavior Analytics, or Network Intrusion Detection
Threat File Hash Detected EDR, Antivirus, Email Security, or Network Intrusion Detection
High Severity Malware Signature EDR, Antivirus, or Network Intrusion Detection

In addition, combining endpoint data with data from other sources provides a more comprehensive and high-fidelity approach to detecting malware. For example, when malware specifically targets endpoints, it gains initial access and then establishes communication with command-and-control (C2) infrastructure to receive further instructions. This C2 infrastructure (domain or IP address) can be identified in threat intelligence feeds. To provide a high-fidelity alert, detection rules can be created by combining an endpoint antivirus alert with network telemetry (forward proxy, flow data, and firewalls), all of which are informed by threat intelligence (refer to the table below).

Detection Rules and Data Sources for Malware and Ransomware: Multi-Data Source Rules

Detection Rule Data Sources
Malware Followed by Connection to Threat Host Antivirus combined with Flow Data, Forward Proxy, or Firewall

An optimal approach to detecting malware uses as many relevant data sources and rules as possible. Deploying detections across all elements of the attack surface that might have visibility to malware or ransomware ensures that you detect and mitigate threats promptly.

Informing Malware Detection: Threat Intelligence

Threat intelligence plays a significant role in detecting malware by providing insights and actionable information to security teams. As mentioned above, threat intelligence helps identify known indicators of compromise (IoCs). These IoCs include specific patterns, signatures, or behaviors associated with known malware strains or attack techniques. By leveraging threat intelligence feeds, your security tools can cross-reference these IoCs to proactively detect malware. This enables organizations to quickly identify and block malicious IP addresses, domain names, file hashes, URLs, or other patterns found in network traffic, helping prevent malware infections.

In addition, threat intelligence provides contextual information and analysis about the threat landscape. It goes beyond simple indicators and includes details about the tactics, techniques, and procedures (TTPs) employed by threat actors, their motivations, infrastructure, and target industries. This contextual understanding helps security professionals recognize and interpret the behavior and intentions of attackers. With this knowledge, organizations can tune their detection mechanisms for more proactive malware detection.

Threat intelligence also enhances incident response efforts by providing actionable information about specific malware strains or attack campaigns. This enables incident response teams to effectively detect, isolate, and mitigate malware infections, minimizing the impact of the attacks and enabling faster recovery.

Measuring Detection Effectiveness

The initial blog of this series explained the importance of measuring the breadth and diversity of data sources along with measuring the mean time to resolve (MTTR) incidents. Beyond those baseline metrics, to better understand how your security operations are performing when detecting malware and ransomware, you should also examine:

  • MITRE ATT&CK coverage: Measuring successful or partially successful threat hunts across your environment helps you gauge how proactive you are being to counter malware.
  • Response playbooks usage: By comparing the number of escalated true-positive alerts to the number of automated playbooks run you can gauge how proactive your team is being in responding to threats. Using playbooks to respond to true-positive alerts can speed up response and minimize the possibility of human error.


The next blog in our series will focus on phishing and business email compromise (BEC) threat detection. We’ll provide actionable guidance and practical tips to improve your phishing and BEC detection capabilities. Security is an ongoing journey, and by continuously improving your detection strategies, you can adapt to the evolving threat landscape and protect your valuable assets.