Detecting and Responding to Ransomware: How Logging Everything Helps Mitigate Ransomware Risks
This blog was originally published July 28, 2021 on humio.com. Humio is a CrowdStrike Company.
Ransomware, the malicious code that attackers use to encrypt data or lock users out of their devices, has been rampant, and attacks are on the rise globally. The largest ransomware payout thus far in 2021 was made by an insurance company at $40 million. A more recent attack occurred in early July and was launched by a group called REvil. The immediate victim was a Florida company, Kaseya, that provides software to companies that manage technology for thousands of smaller firms. By getting into Kaseya’s software supply chain, REvil affected not only Kaseya but up to 1,500 companies globally, from grocery chains and pharmacies to railways in Sweden.
Ransomware is not a complicated process. As soon as an end-user clicks the malicious link or downloads the malicious file, the ransomware installs on the device and can begin to execute across the enterprise. It has become clear that companies and governmental infrastructures are increasingly vulnerable. Recently, researchers estimated that a ransomware attack will occur every 11 seconds by the end of 2021. However, if you are logging all of your data, you’ve already established key steps in detecting and mitigating some risk from a ransomware attack.
Logging and monitoring will help you to identify patterns of activity on your networks, which in turn provide indicators of compromise. In the event of incidents, logging data can help to more effectively identify the source and the extent of compromise. – UK National Cyber Security Centre
Logging is most effective as a ransomware detection strategy when all logs are aggregated in a centralized location so that events from different sources can be correlated. Because logs arrive in different forms (structured, semi-structured and unstructured) and from different data sources, organizations should normalize the information they gather into a common format.
A modern logging system can provide a holistic overview of an organization’s infrastructure from a single point of view, covering its security, network, server, and endpoint logs. When ransomware can begin encrypting data in seconds, it’s vital to have systems in place that detect the attack as it is occurring. A system that acts at speed can quickly generate alerts, query for anomalies, and help IT infrastructure and security experts understand the goals of the attack and the steps necessary to detect it and quickly mitigate risk across the entire infrastructure. Speed is the only currency organizations have in identifying and quickly mitigating risks.
To effectively detect and respond to ransomware with a log management tool, it is necessary to lay the groundwork.
- Collect all data from all endpoints, servers, computers or any system that connects to the infrastructure
- Search and aggregate all data at real-time speed
- Ensure teams are able to baseline and understand various activity in their environments
- Create tripwires or lay traps, and manage alerts, particularly for behavior that is unlikely to occur legitimately
- Conduct analytics and store data history for further forensics and prepare for the future as the organization scales
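The groundwork steps above (collect everything, baseline normal activity, lay tripwires, alert fast) can be demonstrated end to end with a small detector. The following is an added example written for this post, not Humio's product code or query language: it reads constructed file-activity events in a hypothetical key=value format, raises an alert the moment any host touches a decoy "canary" path that legitimate users never write to, and raises a second alert when a single host's write rate in a sliding window exceeds a baseline threshold, which is the burst pattern an encryption run produces. The `/srv/share/.canary/` prefix, the 60-second window and the threshold of 10 writes are assumptions chosen for the sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical event format, one event per line (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) path=(?P<path>\S+)$"
)

# Constructed sample telemetry: normal activity, one canary touch from ws03,
# and a burst of 12 writes in 12 seconds from ws02 (what an encryptor looks like).
SAMPLE_EVENTS = "\n".join(
    [
        "2021-07-28T10:00:01Z host=ws01 user=alice event=file_write path=/srv/share/q2-report.docx",
        "2021-07-28T10:00:09Z host=ws02 user=bob event=file_write path=/srv/share/budget.xlsx",
        "2021-07-28T10:01:00Z host=ws01 user=alice event=file_write path=/srv/share/notes.txt",
        "2021-07-28T10:02:00Z host=ws03 user=carol event=file_rename path=/srv/share/.canary/do-not-touch.docx",
        "2021-07-28T10:02:30Z host=ws01 user=alice event=file_read path=/srv/share/q2-report.docx",
    ]
    + [
        f"2021-07-28T10:03:{i:02d}Z host=ws02 user=bob event=file_write path=/srv/share/doc{i}.docx"
        for i in range(12)
    ]
)


def parse_events(text):
    """Parse the key=value lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, canary_prefixes=("/srv/share/.canary/",),
           window=timedelta(seconds=60), burst_threshold=10):
    """Return a list of alerts: canary touches and per-host write bursts.

    canary_prefixes: decoy paths that no legitimate process should modify (assumption).
    burst_threshold: writes per window above the baseline for a single host (assumption).
    """
    canary_prefixes = tuple(canary_prefixes)
    alerts = []
    recent_writes = defaultdict(list)   # host -> timestamps of writes inside the window
    burst_reported = set()              # alert once per host, not once per extra write

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] not in ("file_write", "file_rename"):
            continue  # reads do not change data; only modifications matter here

        # Tripwire: any modification of a canary path is an immediate alert.
        if ev["path"].startswith(canary_prefixes):
            alerts.append(("canary_touched", ev["host"], ev["user"], ev["path"]))

        # Baseline deviation: count this host's writes in the trailing window.
        writes = recent_writes[ev["host"]]
        writes.append(ev["ts"])
        cutoff = ev["ts"] - window
        while writes and writes[0] < cutoff:
            writes.pop(0)
        if len(writes) >= burst_threshold and ev["host"] not in burst_reported:
            burst_reported.add(ev["host"])
            alerts.append(("write_burst", ev["host"], ev["user"], len(writes)))

    return alerts


def sample_alerts():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

In a real deployment the threshold would come from the per-host baseline the team has already measured (the "baseline and understand" step above) rather than a constant, and the alert tuples would be forwarded to the alerting pipeline instead of printed; the detection logic itself stays the same.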
Managing log events can become overwhelming at the enterprise level, particularly as employees increasingly connect their personal devices to corporate resources. Collecting log data and aggregating it into a security information and event management (SIEM) system can help streamline the detection process. SIEM tools use centralized logs to store and analyze data and to monitor and correlate events in real-time to identify potential security breaches.
Event correlation allows teams to confirm whether their network has actually been compromised. Centralized log management is critical for gaining visibility across the organization in one dashboard, where teams can view threat intelligence data alongside their own events to investigate and identify malicious activity in real time.
Detection of ransomware through log management offers organizations a quick and effective way to protect their systems, networks, devices, and applications for continued data security. Humio’s log management can ingest a wide variety of data sources, giving it enhanced correlation power beyond the abilities of a typical SIEM. Read more about protecting against ransomware and maximizing resilience through log management in a recent Gartner report, and learn Humio’s strategies, tactics, and techniques to achieve streaming observability.
- Gartner report: Use Central Log Management for Security Operations Use Cases: Read the report to learn how to protect against ransomware and maximize resilience through log data
- Find threats faster: Log more, spend less: Improve security resilience by removing data blind spots. Find out how removing blind spots in data can save users millions of dollars by reading our report: Find threats faster: Log more and spend less.
- How to Query logs in Humio to remove brute force attacks: Uncover successful brute force login attempts. The query finds at least three failed login attempts followed by at least one successful login attempt.
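The last item above describes a classic correlation rule (at least three failed logins followed by a success from the same source), and the "Event correlation" paragraph earlier explains why such rules need centralized logs. The following is an added example, not the Humio query from the linked article: it implements that rule in plain Python over constructed authentication events in a hypothetical key=value format, keyed by source address, with a time window so that stale failures from hours earlier do not pair with an unrelated later success. The RFC 5737 addresses, the `src`/`user`/`result` field names and the 10-minute window are assumptions for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical authentication event format (constructed for this example).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample: one true brute-force success (203.0.113.10), one source
# with only two failures (below the rule's minimum), and one whose three
# failures happened hours before its success (outside the window).
SAMPLE_LOG = """\
2021-07-28T11:00:01Z src=203.0.113.10 user=admin result=failure
2021-07-28T11:00:04Z src=203.0.113.10 user=admin result=failure
2021-07-28T11:00:07Z src=203.0.113.10 user=root result=failure
2021-07-28T11:00:11Z src=203.0.113.10 user=admin result=success
2021-07-28T11:05:00Z src=198.51.100.7 user=alice result=failure
2021-07-28T11:05:03Z src=198.51.100.7 user=alice result=failure
2021-07-28T11:05:06Z src=198.51.100.7 user=alice result=success
2021-07-28T09:00:00Z src=192.0.2.5 user=dave result=failure
2021-07-28T09:00:02Z src=192.0.2.5 user=dave result=failure
2021-07-28T09:00:04Z src=192.0.2.5 user=dave result=failure
2021-07-28T12:30:00Z src=192.0.2.5 user=dave result=success
"""


def parse_logins(text):
    """Parse login lines into dicts with a datetime timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_brute_force_successes(events, min_failures=3, window=timedelta(minutes=10)):
    """Alert on a success preceded by >= min_failures failures from the same source
    within `window`. Events are sorted first because centralized logs arrive out of order."""
    recent_failures = defaultdict(deque)   # src -> deque of (ts, attempted user)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        cutoff = ev["ts"] - window
        while q and q[0][0] < cutoff:
            q.popleft()                    # drop failures older than the window
        if ev["result"] == "failure":
            q.append((ev["ts"], ev["user"]))
            continue
        # A success: check how many in-window failures led up to it.
        if len(q) >= min_failures:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "targets": sorted({u for _, u in q}),  # every account the source tried
                "at": ev["ts"],
            })
        q.clear()  # a success closes the sequence either way
    return alerts


def sample_alerts():
    """Run the rule over the constructed sample and return the alerts."""
    return find_brute_force_successes(parse_logins(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

Keying on the source address rather than the account is deliberate: the sample shows the attacker cycling through `admin` and `root` before getting in, and a per-account rule would have seen only two failures on `admin`. The `targets` field in the alert preserves that context for the responder.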