This article is more than 1 year old

Ransomware more efficient than ever, and baddies are still after your logs

Trying times for incident responders who battle fastest-ever ransomware blitz as attackers keep scrubbing evidence clean

Organizations are still failing to implement adequate logging measures, increasing the difficulty faced by defenders and incident responders to identify the cause of infosec attacks.

In 42 percent of incident response (IR) cases analyzed by Sophos, organizations didn't have the requisite telemetry logs needed to properly analyze an event.

The security company reckons that in 82 percent of these cases, cybercriminals were at fault after disabling or wiping telemetry and logging capabilities. The primary goals of attackers when wiping logs include evading detection, identification, and attribution, and maintaining access within a system.

In nearly a quarter of cases, organizations experiencing a security incident didn't have appropriate logging available for incident responders to start with. 

"This was due to a variety of factors, including insufficient retention, re-imaging, or lack of configuration," Sophos says in its latest report. "In an investigation, not only would this mean the data would be unavailable for examination, but the defenders would have to spend time figuring out why it wasn't available."

When organizations lack adequate logging measures, it's often due to resource constraints, and limited IT and data capabilities generally, Peter Mackenzie, director incident response at Sophos, told The Register.

These entities are often small to medium-sized businesses and those that aren't in IT-focused sectors, he added. The absence of logs can also indicate possible efforts from the organization to cover up the attack.

"Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible," John Shier, Sophos field CTO, says in the report.

"The farther along in the attack chain an attacker makes it, the bigger the headache for responders. Missing telemetry only adds time to remediations that most organizations can't afford. This is why complete and accurate logging is essential, but we're seeing that, all too frequently, organizations don't have the data they need."

Logging is widely seen in the security industry as a necessity for businesses that aim to build a strong security posture and an incident response plan that enables fast recovery from attacks. 

In cases of security breaches, logs allow incident responders to see where and when it all started, how the attacker was able to get in, where their IP address points to, what user account executed a specific task, and more.

"Logs provide crucial insights into network and system activities, aiding in the detection, investigation, and understanding of security incidents," says Mackenzie in the report.

They are also a hugely valuable resource for defenders and those whose roles are outside of or adjacent to cybersecurity too. They can help investigate performance issues, determine which systems can access certain resources, and provide alerts for events such as storage disks approaching full capacity, for example.

Organizations that look for ways to prevent logs from being wiped should implement strict access controls and ensure regular backups are made and stored securely, Shier told The Reg.

Having SIEM systems up and running for real-time monitoring and implementing immutable logs are also good ideas.

Sophos said there's little excuse for organizations to not have a logging system in place, especially given that as of September this year, Microsoft made logging free for customers even on its basic licenses.

Away from Microsoft, the US' Cybersecurity and Infrastructure Security Agency (CISA) took over the reins of Logging Made Easy, a free and open SIEM solution for organizations that lack logging capabilities.

Originally pioneered by the UK's National Cyber Security Agency (NCSC) but retired by GCHQ's cyber arm in April, CISA now runs the project and makes it free for all via GitHub

"LME's self-install design uses free, publicly available software to drive performance and transparency," said CISA last month. 

"But being free and open does not mean it's unprotected. LME is tested, secure, and reliable. It is also backed by a legacy of high performance, exemplified by its prior iteration's positive reception under NCSC oversight."

Ransomware is speedier than ever

Logs can be especially useful when investigating ransomware, being able to reveal what systems have and haven't been accessed by an account the logs can show is compromised.

Sophos' data backs up that of Secureworks in October which revealed ransomware attacker dwell times are now measured in hours rather than days. 

Ransomware attacks that take longer than five days are now considered 'slow attacks', Sophos' report says, with 62 percent of all incidents falling into this realm. 

The other 38 percent are considered 'fast' and take place in fewer than five days. In some instances of supply chain attacks, Sophos' fire fighters saw ransomware deployments within six hours of each other.

According to Secureworks, the typical time between an attacker making the initial intrusion into an organization and deploying ransomware has fallen to 24 hours. In ten percent of cases, ransomware was deployed within five hours.

In the Sohpos report, Shier says attackers are unlikely to change their tactics until they stop working entirely. This should be welcome news for defenders because despite the decrease in time to compromise, without attacker innovation it means defensive strategies don't need to change drastically.

"The key is increasing friction whenever possible – if you make the attackers' job harder, then you can add valuable time to respond, stretching out each stage of an attack," he says.

"For example, in the case of a ransomware attack, if you have more friction, then you can delay the time until exfiltration; exfiltration often occurs just before detection and is often the costliest part of the attack. 

"We saw this happen in two incidents of Cuba ransomware. One company (Company A) had continuous monitoring in place with MDR, so we were able to spot the malicious activity and halt the attack within hours to prevent any data from being stolen. 

"Another company (Company B) didn't have this friction; they didn't spot the attack until a few weeks after initial access and after Cuba had already successfully exfiltrated 75GB of sensitive data. They then called in our IR team, and a month later, they were still trying to get back to business as usual." ®

More about

TIP US OFF

Send us news


Other stories you might like