Ransomware + SIEM = Pre-detection

May 17, 2017 | Security

When companies are hit by ransomware, they are often caught off-guard. Many organizations believe that ransomware attacks are completely at random – with no warning signs. However, with the right tools in place, you can identify the foundation of an attack before the damage is done.

The Stages of a Ransomware Attack

Generally, there are 6 stages of a ransomware attack:

  1. Campaign – a campaign is launched to trick a user into downloading or clicking on a link
  2. Infection – an executable is installed and, almost always, “calls home”
  3. Staging – the ransomware is set up and embeds itself in the system
  4. Scan – the ransomware searches for content to encrypt, both locally and on the network
  5. Encrypt – the victim organization’s files are encrypted
  6. Payday – the ransom note is now generated and delivered to the victim organization

Across these 6 stages, the response steps organizations take almost always begin at stage 5 or 6. This is detailed in our Ransomware Guide on page 20, “Infected with Ransomware – Next Steps”. What if you could catch the ransomware in advance – maybe during stage 2? Do you think that would buy you enough time to save your files from being encrypted? We think it would. So how can a tool like a Security Information and Event Management (SIEM) system help prevent or stop the spread of the infection to other directories?

There are a few ways that a SIEM can indicate a pending attack. A SIEM captures logs, so if you have a firewall with an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) that feeds into the SIEM, the “call home” connection that accompanies an infection would be captured in those logs. The SIEM would have rules in place that identify that the “call home” is going to a known-bad IP address, or to an IP address that is abnormal for that host, and should alert your Security Operations Center (SOC) immediately.

You can find additional evidence if you feed your anti-virus logs into the SIEM. How would this work? Typically, ransomware, like any other malicious file, must communicate with the anonymous cyber-criminal behind it; that is the “call home”. Ransomware is also known to disable anti-virus services, so if your anti-virus is sending alerts to your SIEM, you will find out that something is not right with machine “X”.
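The two SIEM rules described above, correlated per host, as an added example (not code from the original post or from any vendor's SIEM). The log format, host names, blocklist entries and service name are all constructed; the IP addresses are from documentation-only ranges and are not real indicators.

```python
import re
from collections import defaultdict

# Constructed blocklist of "known bad" destinations (placeholders, not real IoCs).
BAD_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed sample events in a simplified key=value format (not any real vendor's).
# src=fw lines stand for firewall/IDS logs, src=av lines for anti-virus logs.
SAMPLE_LOGS = """\
ts=2017-05-17T09:01:12Z src=fw host=WS-042 action=allow dst=203.0.113.45 dport=443
ts=2017-05-17T09:01:13Z src=fw host=WS-017 action=allow dst=192.0.2.10 dport=443
ts=2017-05-17T09:01:40Z src=av host=WS-042 event=service_stopped service=RealTimeProtection
ts=2017-05-17T09:02:05Z src=av host=WS-017 event=signature_updated
ts=2017-05-17T09:02:30Z src=fw host=WS-042 action=allow dst=198.51.100.7 dport=80
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value log line into a dict (empty dict for blank/garbage lines)."""
    return dict(KV_RE.findall(line))

def correlate(log_text, bad_ips=BAD_IPS):
    """Return {host: [(kind, detail), ...]} for hosts showing stage-2 indicators.

    kind is "c2" for an outbound connection to a blocklisted IP ("call home")
    and "av_down" for an anti-virus service being stopped.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        host = ev.get("host")
        if not host:
            continue
        if ev.get("src") == "fw" and ev.get("dst") in bad_ips:
            findings[host].append(("c2", f"outbound to {ev['dst']}:{ev.get('dport')}"))
        if ev.get("src") == "av" and ev.get("event") == "service_stopped":
            findings[host].append(("av_down", f"service stopped: {ev.get('service')}"))
    return dict(findings)

def severity(findings_for_host):
    """Both indicator kinds on one host escalate to 'high'; a single kind is 'medium'."""
    kinds = {kind for kind, _ in findings_for_host}
    return "high" if len(kinds) > 1 else "medium"

if __name__ == "__main__":
    for host, items in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {host} [{severity(items)}]")
        for kind, detail in items:
            print(f"  {kind}: {detail}")
```

In the constructed sample only WS-042 is flagged: it both contacted two blocklisted addresses and had its protection service stopped, so it is rated high, while WS-017's traffic to a non-listed address and its signature update raise nothing.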

Will a SIEM stop the chaos entirely? NO. The preventative measures that we explained in our Ransomware Guide help reduce the chaos that commonly occurs during a ransomware infection, but the SIEM’s purpose is to notify you, offer better visibility, and help you remediate much more quickly than you could without it. Without a SIEM, you’re starting from stage 5 or 6 and deciding whether to restore (if the attacker didn’t delete the backups) or pay the cyber-criminal.

Our PULSE Alarm Solution (SIEM as a Service) can help you detect this activity before it is too late. We also provide additional services within our SIEM as a Service – like Vulnerability Scanning, Environment Health Check, and more. If you want to learn more about improving the security of your business, contact our Security Services at info@peters.com for a complimentary consultation.