Ransomware + SIEM = Pre-detection

When companies are hit by ransomware, they are often caught off-guard. Many organizations believe that ransomware attacks are completely random, with no warning signs. However, with the right tools in place, you can identify the early stages of an attack before the damage is done.

The Stages of a Ransomware Attack

Generally, there are 6 stages of a ransomware attack:

  1. Campaign – a phishing or malvertising campaign is launched to trick a user into downloading a file or clicking on a link
  2. Infection – an executable is installed and, in most cases, “calls home” to the attacker’s infrastructure
  3. Staging – the ransomware sets itself up and embeds itself in the system (persistence)
  4. Scan – the ransomware searches for content to encrypt, both locally and on network shares
  5. Encrypt – the victim organization’s files are encrypted
  6. Payday – the ransom note is generated and delivered to the victim organization

Most organizations first notice the attack at stage 5 or 6, and the steps they take at that point are almost always the same; our Ransomware Guide covers them on page 20, “Infected with Ransomware – Next Steps”. What if you could catch the ransomware earlier, say during stage 2, when the executable calls home but before it has found and encrypted your files? We think that would buy you enough time to isolate the machine and salvage your files. So how can a tool like a Security Information and Event Management (SIEM) system help detect the infection and stop it from spreading to other machines and network shares?

There are a few ways a SIEM can indicate an attack in progress. A SIEM collects logs from many sources, so if your firewall (or the Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) on it) feeds into the SIEM, the outbound “call home” connection from an infected machine will usually be captured in those logs. SIEM correlation rules can then flag that the destination is a known-bad IP address or domain from a threat-intelligence feed, or a destination that no machine in your environment has ever talked to before, and alert your Security Operations Center (SOC) immediately. One caveat: some ransomware families encrypt without ever calling home, so network indicators alone are not a guarantee and should be combined with host-side evidence.

You can find additional evidence if you feed your anti-virus logs into the SIEM. How does this help? Ransomware commonly tries to stop or disable anti-virus services before it begins encrypting, so if your anti-virus reports service stops, tamper attempts, or missed check-ins to the SIEM, you will find out that something is not right with machine “X”. Correlating that event with a suspicious outbound connection from the same machine is a much stronger signal than either event on its own.
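As an added illustration (this is example code written for this post, not a product feature or a rule from any real SIEM), here is a minimal correlation in Python over constructed firewall and anti-virus log lines. It flags outbound connections to a known-bad or never-before-seen destination, flags anti-virus service-stop events, and escalates when both happen on the same host. The log formats, IP addresses, host names and the threat-intel list are all made up for the example.

```python
"""
Added example, not from the original post: a minimal SIEM-style correlation over
constructed firewall and anti-virus log lines. The key=value log format, the IP
addresses and the threat-intel feed are hypothetical.
"""
import re
from collections import defaultdict

# Constructed threat-intel feed (hypothetical indicators, not real C2 addresses).
BAD_IPS = {"203.0.113.45", "198.51.100.7"}

# Destinations this environment has historically talked to (constructed baseline).
KNOWN_GOOD_DESTS = {"192.0.2.10", "192.0.2.11"}

# Constructed firewall log lines (hypothetical key=value format).
FIREWALL_LOGS = """\
ts=2017-05-17T09:01:02 src=10.0.0.21 dst=192.0.2.10 dport=443 action=allow
ts=2017-05-17T09:02:17 src=10.0.0.21 dst=203.0.113.45 dport=443 action=allow
ts=2017-05-17T09:03:40 src=10.0.0.33 dst=192.0.2.11 dport=443 action=allow
ts=2017-05-17T09:04:05 src=10.0.0.33 dst=198.18.0.9 dport=8443 action=allow
""".splitlines()

# Constructed anti-virus log lines (hypothetical key=value format).
AV_LOGS = """\
ts=2017-05-17T09:02:30 host=10.0.0.21 event=service_stopped service=RealTimeProtection
ts=2017-05-17T09:05:00 host=10.0.0.40 event=scan_complete result=clean
""".splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse 'key=value' tokens into a dict."""
    return dict(KV_RE.findall(line))


def firewall_findings(lines, bad_ips=BAD_IPS, known_dests=KNOWN_GOOD_DESTS):
    """Return (host, kind, severity, reason) for suspicious allowed outbound connections."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("action") != "allow":
            continue
        dst = rec["dst"]
        if dst in bad_ips:
            findings.append((rec["src"], "c2", "high", f"connection to known-bad IP {dst}"))
        elif dst not in known_dests:
            findings.append((rec["src"], "c2", "medium",
                             f"connection to never-seen destination {dst}:{rec['dport']}"))
    return findings


def av_findings(lines):
    """Return (host, kind, severity, reason) for anti-virus protection being disabled."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("event") == "service_stopped":
            findings.append((rec["host"], "av_tamper", "high",
                             f"AV service {rec['service']} stopped"))
    return findings


def correlate(fw_lines=FIREWALL_LOGS, av_lines=AV_LOGS):
    """Group findings per host; escalate when call-home traffic and AV tampering coincide."""
    by_host = defaultdict(list)
    for host, kind, sev, reason in firewall_findings(fw_lines) + av_findings(av_lines):
        by_host[host].append((kind, sev, reason))
    alerts = {}
    for host, items in by_host.items():
        kinds = {k for k, _, _ in items}
        if {"c2", "av_tamper"} <= kinds:
            level = "critical"  # beacon plus AV tampering on the same host
        elif any(s == "high" for _, s, _ in items):
            level = "high"
        else:
            level = "medium"
        alerts[host] = (level, [r for _, _, r in items])
    return alerts


if __name__ == "__main__":
    for host, (level, reasons) in sorted(correlate().items()):
        print(f"{level.upper():8} {host}: " + "; ".join(reasons))
```

On the constructed input, 10.0.0.21 is raised to critical (known-bad destination plus a stopped anti-virus service within a minute of each other), 10.0.0.33 gets a medium alert for a destination nobody has contacted before, and 10.0.0.40 produces nothing. A real SIEM rule would add a time window to the correlation and pull the baseline of known destinations from historical data rather than a hard-coded set.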

Will a SIEM stop the chaos entirely? No. The preventative measures explained in our Ransomware Guide help reduce the chaos that commonly occurs during a ransomware infection; the SIEM’s purpose is to notify you, give you better visibility, and help you remediate much faster than you could without it. Without a SIEM, you are starting at stage 5 or 6 and deciding whether to restore from backups (if the attacker did not delete them) or pay the cyber-criminal.

Our PULSE Alarm Solution (SIEM as a Service) can help you detect this activity before it becomes too late. We also provide additional services within our SIEM as a Service – like Vulnerability Scanning, Environment Health check, and more. If you want to learn more about improving the security of your business, contact our Security Services at info@peters.com for a complimentary consultation.

Posted May 17th, 2017 (updated 2018-12-18) | Security Solutions

About the Author:

Galaxia Martin is the Director of Support Services and she is responsible for support and security services operations within the support desk. Galaxia has worked in the IT industry for over 15 years in Financial, Accounting, and Software Development businesses. She has designed and led organizational innovations, as well as optimized and increased growth within support operations. She understands the complexity of business operations and has experience with aligning business initiatives with cost reduction solutions. As an Information Technology expert, Galaxia continues to research and study the latest technology, cyber risks, and industry trends to help educate our clients. Galaxia has a Master’s degree in Information Systems with additional studies in marketing and arts. She is an active board member for a non-profit organization called WordsonWheels that helps infants and toddlers to increase early literacy skills in high risk communities.