We've been having a few discussions about how we would use correlation for detection of ransomware indicators, typically by looking at inbound email for potential subject-line keywords, attachment presence and type, or whether the email contains hyperlinks, etc.
Given the fast pace of ransomware, the fact that the malware tends to point to one-time-use domains that may only be live for a short period, and that the email content changes, etc., how would you guys approach building a correlation rule to provide early warning that a potential email ransomware campaign is being targeted at your company?
I guess for us we are looking at campaigns that are reportedly from the likes of a postal service or federal police (speeding-fine type campaigns). We know it's generally a whack-a-mole game, because by the time those bad IPs hit things like GTI they have probably been closed down already.
Trying to find a trade-off between correlating events for this type of threat and not ending up triggering on loads of FPs!
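As an added illustration (this is not code from the thread or any product), one way to encode that trade-off: score each inbound message on the indicators mentioned above (subject keywords, impersonated brand vs. sender domain, risky attachment types, off-domain links), alert on a single message only when its score is high, and separately correlate lower-scoring "suspect" messages by normalised subject across recipients in a time window, so a burst of the same lure to several users raises an early warning even when no single message would. The one-time domains are deliberately left out of the campaign key, since they rotate faster than reputation feeds can catch them. All indicator lists, weights, thresholds, brand-to-domain mappings and the sample email records are assumptions constructed for the example and need tuning to your own environment.

```python
"""Email ransomware-lure correlation: per-message scoring plus campaign-level
burst detection across recipients. Added illustration, not from the thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicator lists (placeholders; tune to your environment).
SUBJECT_KEYWORDS = ("parcel", "delivery", "package", "speeding fine",
                    "infringement", "penalty notice", "invoice")
RISKY_EXTENSIONS = {".zip", ".rar", ".js", ".jse", ".vbs", ".scr", ".exe",
                    ".docm", ".xlsm", ".lnk", ".hta"}
# Impersonated brand -> domains that legitimately send as that brand (assumed).
IMPERSONATED_BRANDS = {"australia post": {"auspost.com.au"},
                       "federal police": {"afp.gov.au"}}
LINK_ALLOWLIST = {"corp.example", "microsoft.com"}  # assumed known-good link hosts

WEIGHTS = {"subject_keyword": 2, "brand_mismatch": 3, "risky_attachment": 3,
           "double_extension": 2, "unknown_link_domain": 1}
ALERT_THRESHOLD = 6      # a single message fires an alert on its own
SUSPECT_THRESHOLD = 2    # enough to feed the campaign correlation
CAMPAIGN_WINDOW = timedelta(minutes=15)
CAMPAIGN_MIN_RECIPIENTS = 4


def score_message(msg):
    """Return (score, [indicator names]) for one email metadata record."""
    hits = []
    subject = msg["subject"].lower()
    if any(k in subject for k in SUBJECT_KEYWORDS):
        hits.append("subject_keyword")
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    display = msg["display_name"].lower()
    for brand, legit in IMPERSONATED_BRANDS.items():
        if brand in display and sender_domain not in legit:
            hits.append("brand_mismatch")   # brand in display name, wrong domain
            break
    for name in msg.get("attachments", []):
        lname = name.lower()
        ext = "." + lname.rsplit(".", 1)[-1] if "." in lname else ""
        if ext in RISKY_EXTENSIONS:
            hits.append("risky_attachment")
        if re.search(r"\.(pdf|doc|docx|jpg|txt)\.[a-z]{2,4}$", lname):
            hits.append("double_extension")  # e.g. notice.pdf.js
    for dom in msg.get("link_domains", []):
        if dom.lower() not in LINK_ALLOWLIST and dom.lower() != sender_domain:
            hits.append("unknown_link_domain")
            break
    hits = list(dict.fromkeys(hits))  # dedupe, keep order
    return sum(WEIGHTS[h] for h in hits), hits


def campaign_key(msg):
    """Collapse rotating tracking numbers / fine IDs onto one key. Sender and
    link domains are intentionally excluded: they change per campaign wave."""
    s = re.sub(r"\d+", "#", msg["subject"].lower())
    return re.sub(r"\s+", " ", s).strip()


def correlate(messages):
    """Return (per-message alerts, campaign warnings).

    Alerts: messages at or above ALERT_THRESHOLD. Campaigns: suspect messages
    sharing a campaign_key that reach CAMPAIGN_MIN_RECIPIENTS distinct
    recipients within CAMPAIGN_WINDOW, even if none alerted individually.
    """
    alerts, suspects = [], defaultdict(list)
    for msg in sorted(messages, key=lambda m: m["ts"]):
        score, hits = score_message(msg)
        if score >= ALERT_THRESHOLD:
            alerts.append((msg["id"], score, hits))
        if score >= SUSPECT_THRESHOLD:
            suspects[campaign_key(msg)].append(msg)
    campaigns = []
    for key, group in suspects.items():  # group is already time-ordered
        for i, first in enumerate(group):
            window = [m for m in group[i:] if m["ts"] - first["ts"] <= CAMPAIGN_WINDOW]
            recipients = {m["recipient"] for m in window}
            if len(recipients) >= CAMPAIGN_MIN_RECIPIENTS:
                campaigns.append((key, len(recipients), first["ts"]))
                break
    return alerts, campaigns


def sample_messages():
    """Constructed email metadata for the example; not real traffic."""
    t0 = datetime(2016, 3, 1, 9, 0)
    lure = dict(display_name="Australia Post", from_addr="noreply@ap-tracking-9913.info",
                link_domains=["ap-tracking-9913.info"], attachments=[])
    msgs = [{"id": f"L{i}", "ts": t0 + timedelta(minutes=2 * i),
             "recipient": f"{user}@corp.example",
             "subject": f"Parcel 7741{i} could not be delivered", **lure}
            for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    # One message with an obviously bad attachment: alerts on its own.
    msgs.append({"id": "A1", "ts": t0 + timedelta(hours=1), "recipient": "frank@corp.example",
                 "display_name": "Federal Police", "from_addr": "fines@afp-notice.top",
                 "subject": "Speeding fine 221-77 payment due",
                 "attachments": ["Infringement_notice.pdf.js"], "link_domains": []})
    # Benign: legitimate postal domain, no attachment, similar wording -> low score.
    msgs.append({"id": "B1", "ts": t0 + timedelta(minutes=30), "recipient": "gina@corp.example",
                 "display_name": "Australia Post", "from_addr": "tracking@auspost.com.au",
                 "subject": "Parcel 55512 delivery update", "attachments": [],
                 "link_domains": ["auspost.com.au"]})
    return msgs


if __name__ == "__main__":
    found_alerts, found_campaigns = correlate(sample_messages())
    print("alerts:", found_alerts)        # only A1 (score 10)
    print("campaigns:", found_campaigns)  # one parcel lure hitting 5 recipients
```

The five "parcel" lures each score 5 (keyword plus brand mismatch), below the single-message alert threshold, so on their own they would be noise; it is the burst to five recipients inside the window that raises the campaign warning. Raising ALERT_THRESHOLD or CAMPAIGN_MIN_RECIPIENTS trades early warning for fewer false positives, and the legitimate Australia Post mail stays at a score of 2 and never joins a campaign group because its normalised subject differs.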