Ransomware threats remain a clear and present danger to organizations of all sizes. With enterprises continuing to expand their cloud footprints, the target-rich territory that ransomware can impact also expands.
Attackers are opportunistic, often exploiting misconfigurations in the cloud, such as publicly available cloud resources, and taking advantage of compromised credentials to gain access to an organization's cloud assets.
Knowing the evolving and costly threat that ransomware presents, most organizations are looking to take a more proactive approach to securing against it. However, the steps that can, and should, be taken to get ahead of the threat aren't always obvious. At Mitiga, we contend with ransomware as part of our day-to-day, helping customers expedite response and analysis time. Through this experience, we've gleaned several valuable lessons, with one standing out as paramount.
When it comes to combating ransomware, knowledge is power. The more an organization understands about the genesis and progression of an attack, the better positioned it is to make sound decisions and defend against it. And if an organization can identify the initial stages of a ransomware attack quickly, defenders gain the advantage. To gain this upper hand, an organization needs to have the correct logging configured before the incident happens.
The Role of Logging
Logging plays a vital role in detecting and responding to ransomware attacks.
To be clear, it's not just about having any logs, or just the default logs either. It's about having the right logs, stored and pre-processed in a way that lets them be queried easily during an incident. Without the right logs, you're blind to what's happening in your environment.
Let's take an Amazon Relational Database Service (RDS) instance as an example. If the instance is compromised and you haven't configured it with data events or the various database-level logs, analysis can become extremely limited. That limited visibility makes answering "how" and "what" happened very difficult.
Improving Cloud Logging for Ransomware Recovery and Identification
To better recover from and identify ransomware attacks, organizations should review their current logging abilities and identify detection opportunities for common ransomware attack chains.
Validate log coverage
Don't assume that default logging provides adequate coverage. Just because logging is turned on doesn't mean you'll get what you want or need.
Documentation for cloud logs is often limited, and undocumented items such as event names or log fields are not uncommon. One way to overcome this is to simulate an attack, review the resulting logs, and then decide whether you have visibility adequate for analysis.
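As an added example of the coverage check this section describes (not code from the original post or from Mitiga), the script below evaluates RDS log exports and CloudTrail S3 data-event selectors from records shaped like the boto3 responses to describe_db_instances and get_event_selectors. The records are constructed sample data so it runs offline; the per-engine list of required log exports is an assumption for illustration, not a vendor baseline.

```python
"""Check that RDS log exports and CloudTrail data events are really configured."""
from typing import Dict, List, Set

# Log exports an incident responder would want per engine. This mapping is an
# assumption for the example, chosen to cover query-level activity.
REQUIRED_LOG_EXPORTS: Dict[str, Set[str]] = {
    "mysql": {"audit", "error", "general", "slowquery"},
    "postgres": {"postgresql"},
}

# Constructed records in the shape of rds.describe_db_instances()["DBInstances"].
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": ["error", "slowquery"],
     "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "billing-db", "Engine": "postgres",
     "EnabledCloudwatchLogsExports": ["postgresql"],
     "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "legacy-db", "Engine": "mysql",
     # key absent on purpose: the API omits it when nothing is exported
     "PubliclyAccessible": False},
]

# Constructed record in the shape of cloudtrail.get_event_selectors()["EventSelectors"].
SAMPLE_EVENT_SELECTORS = [
    {"ReadWriteType": "All", "IncludeManagementEvents": True,
     "DataResources": [{"Type": "AWS::S3::Object",
                        "Values": ["arn:aws:s3:::backups-bucket/"]}]},
]


def find_rds_log_gaps(instances: List[dict]) -> Dict[str, Set[str]]:
    """Return {instance id: missing log exports} for instances below the baseline."""
    gaps: Dict[str, Set[str]] = {}
    for inst in instances:
        required = REQUIRED_LOG_EXPORTS.get(inst["Engine"], set())
        enabled = set(inst.get("EnabledCloudwatchLogsExports", []))
        missing = required - enabled
        if missing:
            gaps[inst["DBInstanceIdentifier"]] = missing
    return gaps


def public_instances(instances: List[dict]) -> List[str]:
    """Instances reachable from the internet: the misconfiguration attackers look for first."""
    return [i["DBInstanceIdentifier"] for i in instances if i.get("PubliclyAccessible")]


def s3_data_events_covered(selectors: List[dict], bucket: str) -> bool:
    """True if some selector logs both reads and writes of objects in `bucket`.

    A value of "arn:aws:s3:::" covers every bucket; otherwise the value is a
    bucket (or prefix) ARN that must match the start of the bucket's ARN.
    """
    target = f"arn:aws:s3:::{bucket}/"
    for sel in selectors:
        if sel.get("ReadWriteType") != "All":
            continue  # ReadOnly or WriteOnly leaves half of the chain invisible
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            for value in res.get("Values", []):
                if target.startswith(value):
                    return True
    return False


if __name__ == "__main__":
    print("RDS log gaps:", find_rds_log_gaps(SAMPLE_DB_INSTANCES))
    print("Public RDS instances:", public_instances(SAMPLE_DB_INSTANCES))
    for name in ("backups-bucket", "other-bucket"):
        print(name, "data events covered:", s3_data_events_covered(SAMPLE_EVENT_SELECTORS, name))
```

Swapping the constructed lists for the live API responses turns this into a periodic coverage audit; the point of the design is that the check is written against the responder's requirements (which logs would be needed to answer "how" and "what") rather than against whether logging is merely switched on.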
Identify detection opportunities
Detection is the next step in maturity after validating that the logs can be leveraged for analysis during an incident response, and in this case for ransomware specifically. Having the correct logging allows incident responders to identify what actions a threat actor took, but the goal should be to identify the activity before it reaches the ransomware stage. This is where teams should be reviewing these logs and creating custom detections for each stage of a ransomware attack, from initial access through exfiltration and impact.
The Importance of Speed in Ransomware Response
Speed is crucial during any incident response, but it is especially important when dealing with ransomware. Before encryption or data destruction, threat actors perform a sequence of actions that includes initial access, enumeration, lateral movement, collection, and exfiltration. Having the ability both to continuously hunt for these stages and to identify them during a response is key to limiting the impact of a ransomware attack.
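The per-stage detection described under "Identify detection opportunities" and the hunting for pre-encryption stages described above can be illustrated with one small stage-correlation rule. This is an added example, not code from the original post or from Mitiga's platform: it tags CloudTrail records with a stage, groups them by principal, and flags any principal that reaches several distinct stages inside a time window, so that the chain is caught at enumeration or collection rather than at impact. The event-name-to-stage mapping is an assumption for illustration (a real ruleset would be built from the logs validated in the previous step), and the CloudTrail-style records are constructed, not real telemetry.

```python
"""Tag CloudTrail events by attack stage and flag principals walking the chain."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical event-name -> stage mapping for this example only.
STAGE_BY_EVENT = {
    "ConsoleLogin": "initial_access",
    "GetCallerIdentity": "enumeration",
    "ListBuckets": "enumeration",
    "DescribeDBInstances": "enumeration",
    "CreateDBSnapshot": "collection",
    "ModifyDBSnapshotAttribute": "exfiltration",  # snapshot permissions changed: review who was granted access
    "DeleteDBInstance": "impact",
    "DeleteObject": "impact",
}
STAGE_ORDER = ["initial_access", "enumeration", "collection", "exfiltration", "impact"]

ALICE = "arn:aws:sts::111122223333:assumed-role/Admin/alice"
BACKUP = "arn:aws:sts::111122223333:assumed-role/BackupJob/svc-backup"

# Constructed CloudTrail-style records, one JSON object per line (not real logs).
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-05-01T02:00:00Z", "eventName": "DescribeDBInstances", "userIdentity": {"arn": BACKUP}},
    {"eventTime": "2024-05-01T02:05:00Z", "eventName": "CreateDBSnapshot", "userIdentity": {"arn": BACKUP}},
    {"eventTime": "2024-05-01T09:58:00Z", "eventName": "GetCallerIdentity", "userIdentity": {"arn": ALICE}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "ListBuckets", "userIdentity": {"arn": ALICE}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventName": "ListAccountAliases", "userIdentity": {"arn": ALICE}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "DescribeDBInstances", "userIdentity": {"arn": ALICE}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventName": "CreateDBSnapshot", "userIdentity": {"arn": ALICE}},
    {"eventTime": "2024-05-01T10:31:00Z", "eventName": "ModifyDBSnapshotAttribute", "userIdentity": {"arn": ALICE}},
])


def parse_events(ndjson: str) -> List[Tuple[datetime, str, str]]:
    """Yield (time, principal arn, stage) for every record whose event name is mapped."""
    out = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        stage = STAGE_BY_EVENT.get(rec["eventName"])
        if stage is None:
            continue  # not part of the modelled chain (e.g. ListAccountAliases above)
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        out.append((ts, rec["userIdentity"]["arn"], stage))
    return sorted(out)


def detect_chains(ndjson: str, window: timedelta = timedelta(hours=1),
                  min_stages: int = 3) -> Dict[str, List[str]]:
    """Return {principal: stages reached} for principals hitting >= min_stages
    distinct stages within `window`. A backup job that only enumerates and
    snapshots (two stages) stays below the threshold."""
    by_principal: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, principal, stage in parse_events(ndjson):
        by_principal[principal].append((ts, stage))
    flagged: Dict[str, List[str]] = {}
    for principal, hits in by_principal.items():
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) >= min_stages:
                flagged[principal] = [s for s in STAGE_ORDER if s in stages]
                break
    return flagged


if __name__ == "__main__":
    for principal, stages in detect_chains(SAMPLE_NDJSON).items():
        print(f"ALERT {principal}: {' -> '.join(stages)}")
```

The threshold and window are deliberately conservative parameters: a single stage (enumeration alone) is noisy, but the same principal moving from enumeration into collection and then changing snapshot permissions within an hour is the kind of pre-encryption progression a hunt should surface while there is still time to act.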
The Benefits of Automated Forensics
Automated forensic tools can help organizations effectively hunt for and respond to ransomware attacks.
Mitiga's platform and automated forensics understand cloud attack paths. Mitiga has predetermined detections that run against cloud logs that have been properly collected, validated, and stored over an extended period of time to find potential ransomware incursions. This allows Mitiga to continuously hunt for the early stages of ransomware, giving defenders the upper hand.
Using the power of automated forensics, organizations can quickly identify the scope of the attack, determine what data may have been compromised, and take the necessary steps to recover and prevent future incidents.
By validating log coverage, identifying detection opportunities, and leveraging automated hunting, organizations have the knowledge needed to better detect, respond to, and recover from ransomware attacks in the cloud—measurably increasing business resilience.