
Ransomware threats remain a clear and present danger to organizations of all sizes. With enterprises continuing to expand their cloud footprints, the target-rich territory that ransomware can impact also expands.

Attackers are opportunistic, often exploiting misconfigurations in the cloud, such as publicly available cloud resources, and taking advantage of compromised credentials to gain access to an organization's cloud assets.

Knowing the evolving and costly threat that ransomware presents, most organizations are looking to take a more proactive approach to secure against it. However, the steps that can, and should, be taken to advance against the threat aren’t always obvious. At Mitiga, we contend with ransomware as part of our day-to-day, helping customers expedite response and analysis time. Throughout this experience, we've gleaned several valuable lessons, with one standing out as paramount.

When it comes to combating ransomware, knowledge is power. The more an organization understands about the genesis and progression of an attack, the better positioned it is to make sound decisions and defend against it. If an organization can identify the initial stages of a ransomware attack quickly, the advantage shifts to the defenders. To gain this upper hand, an organization needs to have the correct logging configured prior to the incident.

The Role of Logging

Logging plays a vital role in detecting and responding to ransomware attacks.

To be clear, it's not just about having any logs, or just the default logs either. It's about having the right logs, stored and pre-processed in a way that lets them be queried easily in case of an incident. Without the right logs, you're blind to what's happening in your environment.

Let's take an Amazon Relational Database Service (RDS) instance as an example. If the instance is compromised and you haven’t configured it with data events or the various database-level logs, analysis could be extremely limited. This limited visibility could make answering “how” and “what” happened very difficult.

Improving Cloud Logging for Ransomware Recovery and Identification

To better recover from and identify ransomware attacks, organizations should review their current logging abilities and identify detection opportunities for common ransomware attack chains.

Validate log coverage

Don't assume that default logging provides adequate coverage. Just because logging is turned on doesn't mean you'll get what you want or need.

Documentation for cloud logs can often be limited, and it is not uncommon for there to be undocumented items such as event names or log fields. One way to overcome this is to simulate an attack, review the logs, and then decide whether you have adequate visibility for analysis.
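A concrete way to validate coverage, as an added example that is not Mitiga's code: compare what each RDS instance actually exports to CloudWatch Logs against a baseline your policy requires. The input mirrors the shape of the boto3 `rds.describe_db_instances()` response (the `EnabledCloudwatchLogsExports` field is real); the sample response below is constructed, and the per-engine baseline in `REQUIRED_EXPORTS` is an assumption you would tune to your own environment.

```python
"""Report RDS instances whose CloudWatch log exports fall short of a baseline.

Added example. The response shape follows boto3's describe_db_instances();
the sample data and the required-export baseline are assumptions.
"""

# Assumed baseline: log exports each engine should have enabled before an
# incident. Engine names match the RDS "Engine" field for MySQL and Postgres.
REQUIRED_EXPORTS = {
    "mysql": {"audit", "error", "general", "slowquery"},
    "postgres": {"postgresql", "upgrade"},
}


def find_log_coverage_gaps(describe_response, required=REQUIRED_EXPORTS):
    """Return {instance_id: sorted list of missing exports}.

    Instances with full coverage are omitted. An instance whose engine has no
    baseline is reported with a placeholder so it is never silently skipped.
    """
    gaps = {}
    for inst in describe_response.get("DBInstances", []):
        ident = inst["DBInstanceIdentifier"]
        engine = inst.get("Engine", "")
        # boto3 omits the key entirely when no exports are enabled.
        enabled = set(inst.get("EnabledCloudwatchLogsExports", []))
        if engine not in required:
            gaps[ident] = [f"<no baseline for engine {engine!r}>"]
            continue
        missing = required[engine] - enabled
        if missing:
            gaps[ident] = sorted(missing)
    return gaps


# Constructed sample shaped like a describe_db_instances() response.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
         "EnabledCloudwatchLogsExports": ["error"]},
        {"DBInstanceIdentifier": "billing-db", "Engine": "postgres",
         "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"]},
        {"DBInstanceIdentifier": "legacy-db", "Engine": "oracle-ee"},
    ]
}

if __name__ == "__main__":
    # Against a live account you would pass boto3.client("rds").describe_db_instances()
    for inst, missing in find_log_coverage_gaps(SAMPLE_RESPONSE).items():
        print(f"{inst}: missing {', '.join(missing)}")
```

The check deliberately reports engines it has no baseline for rather than ignoring them, because an unreviewed engine is exactly the kind of gap that "logging is turned on" hides.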

Identify detection opportunities

Detection is the next step in maturity after validating that the logs can be leveraged for analysis during an incident response, and in this case, ransomware specifically. Having the correct logging allows incident responders to identify what actions a threat actor took, but the goal should be to identify the activity before it gets to ransomware. This is where teams should be looking at these logs and creating custom detections for each stage of a ransomware attack, from initial access to exfiltration and impact.
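What a stage-tagged detection set can look like, as an added example that is not Mitiga's detection content: a handful of rules run over CloudTrail-style RDS management events, each labelled with the attack stage it indicates. The records are constructed to follow the CloudTrail record shape (`eventName`, `requestParameters`, `userIdentity`) and are not real output; the rule names and stage labels are assumptions.

```python
"""Stage-tagged detections over CloudTrail-style RDS events.

Added example. Records are constructed samples modelled on the CloudTrail
record shape; rule names and stage labels are assumptions.
"""


def public_snapshot_share(rec):
    """Exfiltration: a DB snapshot's restore attribute opened to 'all' accounts."""
    p = rec.get("requestParameters") or {}
    return (rec.get("eventName") == "ModifyDBSnapshotAttribute"
            and p.get("attributeName") == "restore"
            and "all" in (p.get("valuesToAdd") or []))


def backup_retention_zeroed(rec):
    """Impact: retention period set to 0, which disables automated backups."""
    p = rec.get("requestParameters") or {}
    return (rec.get("eventName") == "ModifyDBInstance"
            and p.get("backupRetentionPeriod") == 0)


def destructive_delete(rec):
    """Impact: an instance deleted with the final snapshot skipped."""
    p = rec.get("requestParameters") or {}
    return (rec.get("eventName") == "DeleteDBInstance"
            and p.get("skipFinalSnapshot") is True)


# (stage, rule name, predicate) - stages follow the attack chain in the text.
RULES = [
    ("exfiltration", "rds_snapshot_shared_publicly", public_snapshot_share),
    ("impact", "rds_automated_backups_disabled", backup_retention_zeroed),
    ("impact", "rds_instance_deleted_without_snapshot", destructive_delete),
]


def run_detections(records):
    """Return one (stage, rule, eventTime, principal ARN) tuple per match."""
    hits = []
    for rec in records:
        for stage, name, match in RULES:
            if match(rec):
                who = (rec.get("userIdentity") or {}).get("arn", "?")
                hits.append((stage, name, rec.get("eventTime"), who))
    return hits


def stages_seen(records):
    """Sorted list of distinct attack stages observed in the records."""
    return sorted({stage for stage, _, _, _ in run_detections(records)})


# Constructed sample records (not real CloudTrail output).
_WHO = {"arn": "arn:aws:iam::111111111111:user/dba"}
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeDBInstances",
     "userIdentity": _WHO, "requestParameters": None},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": _WHO,
     "requestParameters": {"dBSnapshotIdentifier": "orders-db-2024-05-01",
                           "attributeName": "restore", "valuesToAdd": ["all"]}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "ModifyDBInstance",
     "userIdentity": _WHO,
     "requestParameters": {"dBInstanceIdentifier": "orders-db",
                           "backupRetentionPeriod": 0}},
    {"eventTime": "2024-05-01T10:12:00Z", "eventName": "DeleteDBInstance",
     "userIdentity": _WHO,
     "requestParameters": {"dBInstanceIdentifier": "orders-db",
                           "skipFinalSnapshot": True}},
]

if __name__ == "__main__":
    for stage, rule, when, who in run_detections(SAMPLE_RECORDS):
        print(f"[{stage}] {rule} at {when} by {who}")
```

Each predicate tolerates a missing or null `requestParameters`, which read-only events often carry, so a single malformed record never stops the sweep. Tagging hits with a stage is what lets a hunt team notice that the same principal has moved from exfiltration-stage activity to impact-stage activity within minutes, which is the early signal the text is after.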

The Importance of Speed in Ransomware Response

Speed is crucial during any incident response, but it is especially important when dealing with ransomware. Before encryption or data destruction, threat actors perform various actions including initial access, enumeration, lateral movement, collection, and exfiltration. Having the ability to both continuously hunt for these stages and identify them during a response is key to limiting the impact of a ransomware attack.

The Benefits of Automated Forensics

Automated forensic tools can help organizations effectively hunt for and respond to ransomware attacks.

Mitiga's platform and automated forensics understand cloud attack paths. Mitiga has predetermined detections that run against cloud logs that have been properly collected, validated, and stored over an extended period to find potential ransomware incursions. This allows Mitiga to continuously hunt for the early stages of ransomware, giving defenders the upper hand.

Using the power of automated forensics, organizations can quickly identify the scope of the attack, determine what data may have been compromised, and take the necessary steps to recover and prevent future incidents.

By validating log coverage, identifying detection opportunities, and leveraging automated hunting, organizations have the knowledge needed to better detect, respond to, and recover from ransomware attacks in the cloud—measurably increasing business resilience.

LAST UPDATED:

May 22, 2024
