Leveraging your SIEM to Catch and Respond to Ransomware Before It Spreads

Webinar Registration

You could argue that ransomware (e.g., Locky and CryptoLock) is just another form of malware, but there are some critical distinctions between ransomware and the other most dangerous form of malware—what I call mal-agents used by persistent attackers trying to steal data.

If you don't understand these differences and account for them in your security strategy, it can really hurt. So what makes ransomware different?

It isn't so much about technical differences in the malware. Ransomware agents and APT agents use many of the same techniques. In fact, ransomware is currently a lot less advanced than the stuff that persistent data thieves are using.

The first big difference is the type of attack and risk. Data breaches like Target and the ones before and after are about confidentiality. Ransomware is about denial of service — or the availability side of the security triad (confidentiality, availability and integrity). The attackers of Target, the IRS and others were trying to remain hidden for months and permanently if possible. They wanted secrets, valuable data that they could sell and nothing else.

The recent ransomware attacks against hospitals are totally different. The attackers don't want a copy of the data. They just want to deny the organization access to its information and network until a ransom is paid. It's comparable to putting new locks on your place of business and not letting employees in to begin work until you pay up.

This has a big impact on the necessary time-to-detection. With persistent data thieves, we've been talking about the need to reduce time-to-detection in order to catch attackers before they get far enough along the lateral kill chain to reach the data they're after. So sure, we want to detect bad guys as soon as they successfully infect the very first endpoint. But you still have time at that point to head off the attack. If your network has multiple layers of defense and doesn't have one big soft and gooey inside, then you likely have days or even weeks to disrupt the attack before data is stolen and real damage occurs.

With ransomware attacks, it can be very different. Ransomware doesn't necessarily require attackers to gain access to your confidential databases or privileged access to your infrastructure. It's just a matter of spreading to enough endpoints to reach a critical mass for denial of service. This can happen within minutes. In my next webinar, I'll show you some of the ways ransomware can spread that quickly.

So if we thought time was of the essence before—ransomware takes it to a whole new level.

And that's where your SIEM comes in. The only way to defend against today's attacks (and that certainly includes ransomware) is through the use of multiple layers and technologies including whitelisting, file integrity monitoring, endpoint security and sensors, traffic analysis, next-gen firewalls and so on. Few organizations have all of those technologies, but most have at least a few. The challenge is that they are typically monitored by different teams. This can lead to missed opportunities similar to the intelligence failures that allowed terrorist attacks in the past.

In this real training for free ™ webinar SIEM expert, Nathaniel “Q” Quist, will join me to discuss how to leverage SIEM technology to catch and respond—even automatically within seconds—to ransomware to prevent it from spreading and reaching the critical mass that creates a state of emergency. To do this, your SIEM needs more than raw logs. Your SIEM should be your top security intelligence hub that allows you to see security events from every aspect of your network including

  • Operating systems
  • Databases
  • Applications
  • Security products: AV, IPS, NGFW, endpoint security, etc.

To stop malware, you need to correlate indicators from all these levels and security silos. And when you see something suspect, you need to immediately isolate that endpoint, investigate and then clear or remediate it before re-connecting it to your network. We'll show you how our sponsor, LogRhythm, does this, but we'll also point out opportunities you have with your existing technology.

Using your SIEM the way it's intended, as a central security intelligence hub, creates synergistic value. Your investments in your SIEM and other security technologies suddenly reap another level of return and value because they are working together synergistically.

We will also share some cool technical tips for creating signature-based rules for catching specific ransomware and explore an idea I have for behavioral rules for detecting late-stage ransomware on a given endpoint.
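To make the two ideas above concrete (correlating indicators from several silos and then isolating the endpoint, and signature versus behavioral rules for late-stage ransomware), here is a small added example. It is not code from the webinar, from LogRhythm, or from any SIEM product; it is a toy correlation engine written for this page. The event schema, the feed names, the score weights, the burst threshold and the sample events are all constructed assumptions, and the signature patterns are illustrative stand-ins for what threat intelligence would actually supply.

```python
"""Toy SIEM correlation: signature + behavioral ransomware rules over normalized events.

Everything here is constructed for illustration: the event schema, the sample
events, the weights and the thresholds are assumptions, not a vendor's rule set.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample events, already normalized from different feeds (AV, endpoint
# file monitoring, database). "ts" is seconds since the start of the window.
SAMPLE_EVENTS = [
    {"ts": 0,  "src": "av",       "host": "ws-017", "type": "quarantine", "detail": "Ransom.Locky.gen"},
    {"ts": 5,  "src": "endpoint", "host": "ws-017", "type": "rename", "path": "C:/Users/a/Documents/q1.xlsx",   "new_path": "C:/Users/a/Documents/q1.xlsx.locky"},
    {"ts": 7,  "src": "endpoint", "host": "ws-017", "type": "rename", "path": "C:/Users/a/Documents/q2.xlsx",   "new_path": "C:/Users/a/Documents/q2.xlsx.locky"},
    {"ts": 9,  "src": "endpoint", "host": "ws-017", "type": "rename", "path": "C:/Users/a/Documents/plan.docx", "new_path": "C:/Users/a/Documents/plan.docx.locky"},
    {"ts": 11, "src": "endpoint", "host": "ws-017", "type": "rename", "path": "C:/Users/a/Pictures/img1.jpg",   "new_path": "C:/Users/a/Pictures/img1.jpg.locky"},
    {"ts": 13, "src": "endpoint", "host": "ws-017", "type": "rename", "path": "C:/Users/a/Pictures/img2.jpg",   "new_path": "C:/Users/a/Pictures/img2.jpg.locky"},
    {"ts": 15, "src": "endpoint", "host": "ws-017", "type": "rename", "path": "C:/Users/a/Desktop/notes.txt",   "new_path": "C:/Users/a/Desktop/notes.txt.locky"},
    {"ts": 20, "src": "endpoint", "host": "ws-017", "type": "create", "path": "C:/Users/a/Documents/_HELP_instructions.html"},
    # Benign activity on another host: one extension change is normal office work.
    {"ts": 50, "src": "endpoint", "host": "ws-042", "type": "rename", "path": "C:/Users/b/report.tmp", "new_path": "C:/Users/b/report.docx"},
    {"ts": 60, "src": "db",       "host": "db-01",  "type": "login",  "detail": "user=app"},
]

# Illustrative signature patterns (placeholders for threat-intel-fed rules).
SIG_EXTENSIONS = re.compile(r"\.(locky|zepto|crypt)$", re.I)
SIG_NOTE = re.compile(r"(help_instructions|decrypt)", re.I)

# Behavioral rule: many extension-changing renames on one host in a short window.
BURST_WINDOW = 60      # seconds (assumed)
BURST_THRESHOLD = 5    # renames per window per host (assumed)
SIG_WEIGHT = 30        # per distinct signature reason (assumed)
BURST_WEIGHT = 50      # for the behavioral burst (assumed)
ISOLATE_SCORE = 60     # score at which the host is isolated (assumed)


def ext(path: str) -> str:
    """Lower-cased file extension of the last path component, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def signature_hits(events):
    """Signature rules: known extension, ransom-note filename, AV ransomware verdict."""
    hits = defaultdict(list)
    for e in events:
        target = e.get("new_path") or e.get("path", "")
        if e["src"] == "av" and e["type"] == "quarantine" and "ransom" in e.get("detail", "").lower():
            hits[e["host"]].append("av_ransom_quarantine")
        elif SIG_EXTENSIONS.search(target):
            hits[e["host"]].append("known_ransom_extension")
        elif SIG_NOTE.search(target.rsplit("/", 1)[-1]):
            hits[e["host"]].append("ransom_note_dropped")
    return hits


def behavioral_hits(events):
    """Per-host sliding window over renames that change the extension.

    Returns {host: count_at_first_trigger} for hosts that cross BURST_THRESHOLD.
    """
    windows = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "rename" or ext(e["path"]) == ext(e["new_path"]):
            continue
        q = windows[e["host"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) >= BURST_THRESHOLD and e["host"] not in flagged:
            flagged[e["host"]] = len(q)
    return flagged


@dataclass
class Verdict:
    host: str
    score: int
    reasons: list
    action: str   # "isolate" or "investigate"


def correlate(events):
    """Combine signature and behavioral hits per host into a score and an action."""
    sig = signature_hits(events)
    beh = behavioral_hits(events)
    verdicts = {}
    for host in set(sig) | set(beh):
        reasons = sorted(set(sig.get(host, [])))
        score = SIG_WEIGHT * len(reasons)
        if host in beh:
            reasons.append("burst_extension_renames")
            score += BURST_WEIGHT
        action = "isolate" if score >= ISOLATE_SCORE else "investigate"
        verdicts[host] = Verdict(host, score, reasons, action)
    return verdicts


if __name__ == "__main__":
    for v in correlate(SAMPLE_EVENTS).values():
        print(f"{v.host}: score={v.score} action={v.action} reasons={v.reasons}")
```

The point of the scoring is the one the text makes about silos: an AV quarantine alone, or a burst of renames alone, is worth investigating, but the two seen together on the same host within the same minute is a decision to isolate that no single team's console would make on its own. The behavioral rule deliberately keys on the extension changing rather than on any specific extension, so it still fires on a family whose signature has not been distributed yet; the signature rules then raise confidence and name the family.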

Join us for this technical, insightful event. Please register now.
