SIEM for Monitoring, Detection and Incident Response Measures
It has happened again, this time at 11 companies in Weiden: ransomware has once more paralyzed IT systems, ransom demands have followed, and once more a phishing e-mail appears to have been the entry point. A single misguided click on an e-mail attachment or link is enough to infect a company's IT systems. From there the infection spreads to connected IT systems of other companies, such as contractors or partners, and encrypts valuable data there as well. Phishing e-mails sent from the compromised company can then take further IT systems hostage and spread the malware from there. In the worst case this triggers a chain reaction. The incidents at the companies concerned are currently under investigation.
Christian Have, CTO at LogPoint, explains:
“Stopping ransomware is not an easy task. The economic power behind the groupings is considerable. Many active groups have proper corporate structures, with roles and responsibilities built like a software development company. These criminal organizations are well funded and highly motivated – their sources of income do not begin and end with the victims paying a ransom. There is an entire ransomware ecosystem that capitalizes on successfully executed attacks, such as ransomware-as-a-service, brokers that deploy teams of highly specialized developers who can program and deploy malware, or groups that do not actively disrupt operations or demand ransom. Some even sell access to the victims so that other groups can capitalize on it.
The groups are successful only because IT departments don’t care enough about the basics: patching, secure configurations, or following best practices. Unfortunately, this is a pattern repeated in many of the recent attacks. It is not without reason that all security experts formulate patching and basic configurations as some of the first recommendations for companies to strengthen their cybersecurity efforts. So why don’t companies just patch everything, implement the zero trust model, and enforce multi-factor authentication everywhere?
IT operations are already difficult enough. The security operations team, IT operations team, and enterprise risk management team often think in silos and have different goals. Aligning activities and goals across departments is undoubtedly part of the problem.
The problems in tracking the current incidents in Weiden are further evidence that law enforcement agencies need to work together across borders to target ransomware groups. Silos within organizations need to be broken down and teams for cybersecurity, IT operations, and risk management need to be made to speak the same language and align expectations.
LogPoint can help companies coordinate detection and incident response measures. SIEM software records log data that security experts can use to easily detect ransomware variants such as FiveHands, Egregor, or Ryuk. By reading in log data, specially trained security analysts can query the systems for more information about known problems, such as identified vulnerabilities, deviations from best practices, or company policies. By combining log data with vulnerability data, configuration compliance, and an advanced query of the system, the unknown problems can be revealed by formulating more accurate risk assessments of the infrastructure and its components.”
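To make the correlation the quote describes concrete, here is an added example (not LogPoint's code and not a description of its product) of the kind of logic a SIEM rule set runs: host log events are checked against three ransomware-precursor rules, and the hits are weighted with vulnerability and configuration-compliance context so that the riskiest host surfaces first. The key=value log format, the hostnames, the per-host vulnerability and compliance figures, the rule weights and the multiplier are all constructed for illustration. The recovery-inhibition commands (shadow copy deletion via vssadmin, backup catalog deletion via wbadmin, disabling Windows recovery via bcdedit) are widely documented ransomware behaviour, but no claim is made here about which specific family issues which command.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simple key=value line format (hypothetical;
# a real SIEM would parse Sysmon, Windows Security or EDR telemetry instead).
SAMPLE_LOGS = [
    'ts=2024-05-06T08:12:01Z host=ws-17 user=jdoe proc=outlook.exe action=file_open file=Rechnung_4711.pdf.exe',
    'ts=2024-05-06T08:12:30Z host=ws-17 user=jdoe proc=cmd.exe action=process_start cmdline="vssadmin delete shadows /all /quiet"',
    'ts=2024-05-06T08:15:00Z host=fs-01 user=svc_backup proc=cmd.exe action=process_start cmdline="bcdedit /set {default} recoveryenabled no"',
    'ts=2024-05-06T09:00:00Z host=ws-22 user=asmith proc=explorer.exe action=file_rename old=notes.txt new=notes.bak',
]
# A burst of 25 renames on ws-17 that append a new extension: the encryption phase.
SAMPLE_LOGS += [
    f'ts=2024-05-06T08:13:{i:02d}Z host=ws-17 user=jdoe proc=svchost.exe action=file_rename old=Q1_{i}.xlsx new=Q1_{i}.xlsx.crypt'
    for i in range(25)
]

# Constructed per-host context: what a vulnerability scanner and a
# configuration-compliance check would contribute to the risk assessment.
HOST_CONTEXT = {
    "ws-17": {"unpatched_critical": 3, "mfa_enforced": False, "smbv1_enabled": True},
    "fs-01": {"unpatched_critical": 0, "mfa_enforced": True, "smbv1_enabled": False},
    "ws-22": {"unpatched_critical": 1, "mfa_enforced": True, "smbv1_enabled": False},
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Commands that destroy or disable recovery options before encryption starts.
RECOVERY_INHIBIT_RE = re.compile(
    r"vssadmin\s+delete\s+shadows|wbadmin\s+delete\s+catalog|bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    re.IGNORECASE,
)
# Executable disguised as a document, the classic phishing attachment.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.(exe|scr|js|vbs|bat)$", re.IGNORECASE)
BENIGN_SUFFIXES = (".bak", ".tmp", ".old")   # routine renames we do not count
RENAME_THRESHOLD = 20                        # renames per host ...
RENAME_WINDOW = timedelta(minutes=5)         # ... within this window
RULE_WEIGHTS = {"recovery_inhibit": 40, "mass_rename": 50, "suspicious_attachment": 20}  # constructed


def parse_event(line):
    """Parse one key=value line; quoted values keep their inner spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect(events):
    """Return {host: set(rule_names)} for every host that triggers a rule."""
    findings = defaultdict(set)
    renames = defaultdict(list)
    for e in events:
        host = e["host"]
        if e.get("action") == "process_start" and RECOVERY_INHIBIT_RE.search(e.get("cmdline", "")):
            findings[host].add("recovery_inhibit")
        if e.get("action") == "file_open" and DOUBLE_EXT_RE.search(e.get("file", "")):
            findings[host].add("suspicious_attachment")
        if e.get("action") == "file_rename":
            old, new = e["old"], e["new"]
            # Encryption typically appends an extension to the original name.
            if new.startswith(old) and not new.endswith(BENIGN_SUFFIXES):
                renames[host].append(datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    # Sliding window over rename timestamps: a burst, not a total, is the signal.
    for host, times in renames.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > RENAME_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                findings[host].add("mass_rename")
                break
    return findings


def risk_multiplier(ctx):
    """Scale a host's alert score by its vulnerability and compliance state."""
    m = 1.0 + 0.25 * ctx.get("unpatched_critical", 0)
    if not ctx.get("mfa_enforced", True):
        m += 0.5
    if ctx.get("smbv1_enabled", False):
        m += 0.5
    return m


def assess(lines, host_context):
    """Combine rule hits with host context; highest-risk host first."""
    findings = detect(parse_event(line) for line in lines)
    result = {}
    for host, rules in findings.items():
        base = sum(RULE_WEIGHTS[r] for r in rules)
        ctx = host_context.get(host, {})
        result[host] = {"rules": sorted(rules), "score": round(base * risk_multiplier(ctx), 1)}
    return dict(sorted(result.items(), key=lambda kv: kv[1]["score"], reverse=True))


if __name__ == "__main__":
    for host, r in assess(SAMPLE_LOGS, HOST_CONTEXT).items():
        print(f"{host}: score={r['score']} rules={r['rules']}")
```

On the sample data ws-17 trips all three rules and, with missing MFA, SMBv1 enabled and three unpatched critical findings, ends up far ahead of fs-01, which only issued the bcdedit command; ws-22's single rename to a .bak file produces no alert at all. The point of the multiplier is the one the quote makes: the same log evidence means more on a host that is already known to be weakly configured, so the joined view ranks response work better than either data source alone.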