Ransomware - the new season. Episode 3: Optimization after analysis

In the previous episodes, we showed the analyst's approach to an incident. Now we take a look at how the analyst intervenes in the situation and what happens after the incident, because a SIEM and SOC must be continuously improved.

The analysis made it possible to collect the identification features for the incident:

  • The IP addresses and domains involved in the data exchange.
  • The entry point of the malware.
  • The computers and accounts on which the malware was active.

Within the organization, the analyst can now use these findings to search for the spread of the malware:

  • The initial infestation: Are the characteristics of the initial infestation also visible on other computers or in connection with other users? If so, should these also be classified as vulnerable?
  • Lateral movement: Did infected systems communicate with other systems over the network? Critical processes would be, for example, when password changes, mailings, software installations or the use of other user accounts can be detected from an infected system.
  • The exfiltration of data: Have infected systems read from a file server? Or have they uploaded to the Internet?
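
One way to run this search, as an added example that is not part of the original article: a small Python sweep that sorts events into the three questions above. The event schema, host names, accounts, addresses and USB serial are constructed, and treating a USB serial as the entry-point characteristic is an assumption.

```python
from collections import defaultdict

# Indicators collected during the analysis. All values are constructed.
IOCS = {
    "destinations": {"203.0.113.45", "c2.example.net"},  # IPs/domains in the data exchange
    "usb_serials": {"SERIAL-PLACEHOLDER-01"},            # entry point (assumed: USB stick)
    "hosts": {"ws-017"},                                 # computers where the malware was active
    "accounts": {"jdoe"},                                # accounts the malware was active under
}
# Actions that count as critical when they originate from an infected system.
CRITICAL = {"password_change", "mail_sent", "software_install"}

# Constructed, already normalised events (hypothetical schema).
EVENTS = [
    {"host": "ws-017", "user": "jdoe", "type": "usb_mount", "detail": "SERIAL-PLACEHOLDER-01"},
    {"host": "ws-042", "user": "asmith", "type": "usb_mount", "detail": "SERIAL-PLACEHOLDER-01"},
    {"host": "ws-101", "user": "mmeier", "type": "connect", "detail": "c2.example.net"},
    {"host": "ws-017", "user": "jdoe", "type": "software_install", "detail": "srv-app01"},
    {"host": "ws-017", "user": "svc_backup", "type": "logon", "detail": "srv-file01"},
    {"host": "ws-017", "user": "jdoe", "type": "file_read", "detail": "srv-file01"},
    {"host": "ws-017", "user": "jdoe", "type": "upload", "detail": "203.0.113.45"},
    {"host": "ws-055", "user": "bkeller", "type": "file_read", "detail": "srv-file01"},
]

def sweep(events, iocs):
    """Sort events into the three hunting questions; returns {question: set of findings}."""
    found = defaultdict(set)
    known_indicators = iocs["usb_serials"] | iocs["destinations"]
    for e in events:
        infected = e["host"] in iocs["hosts"]
        if not infected and e["detail"] in known_indicators:
            # Same characteristics on another computer or user: new suspect.
            found["initial_infestation"].add((e["host"], e["user"]))
        elif infected and e["type"] in CRITICAL:
            found["lateral_movement"].add((e["type"], e["detail"]))
        elif infected and e["type"] == "logon" and e["user"] not in iocs["accounts"]:
            # Use of another user account from an infected system.
            found["lateral_movement"].add(("other_account:" + e["user"], e["detail"]))
        elif infected and e["type"] in {"file_read", "upload"}:
            found["exfiltration"].add((e["type"], e["detail"]))
    return dict(found)

if __name__ == "__main__":
    for question, hits in sweep(EVENTS, IOCS).items():
        print(question, sorted(hits))
```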

A Managed SOC has the advantage that when an incident occurs in several organizations, the findings from the different analyses can be correlated, and the more detailed picture allows a better action plan to be formulated.

Based on these findings, control over the incident (mitigation) and the removal of the infestation (remediation) can now be undertaken. As a rule, the analyst must call on additional personnel for this purpose: the support of the organization's system administrators is usually necessary.

There is often the impression that the incident can be remedied by simply reinstalling a system. This may sometimes be correct, but in principle more complex considerations have to be made:

  • Can the intervention in the affected system lead to collateral damage?
  • Has the attacker obtained employees' passwords, and can he use them for another attack?
  • Did the attacker leave any traces other than the malware?
  • Can the manipulation of data be reversed or must a loss of data be assumed?
  • Do you want to trap the attacker in order to trace back to him?
  • Is it necessary to collect evidence for a court case?
  • Is re-infection possible at a later date?
  • Can stolen data or passwords already be found on the darknet?

Exactly how to proceed, and in which order, depends on many factors. Each action of the attacker usually leads to a reaction in the remediation and mitigation of the incident. It is often not possible to proceed according to a ready-made schedule, which is why the experience of an SOC analyst is valuable.

Security Monitoring Cycle

With remediation and mitigation, the incident is not yet complete: security is an ongoing process and adjustments and improvements are important factors for the reliability of an SOC and SIEM. Based on the findings of the incident, longer-term measures must therefore also be defined and the expectations of security monitoring refined.

This is why terreActive has developed the Security Monitoring Cycle as part of the Cyber Defense Methode, which deals with review and conceptual adjustments. The analysts of terreActive meet regularly with the customers for SOC meetings.

What if... you didn't have security monitoring?

Imagine as a thought experiment that the data shown in the example (endpoint, registry, network) had not been available. In such a case the analyst is blind:

  • Without the endpoint monitoring, it would not have been possible to see which files and macros were executed.
  • It would hardly have been possible to determine that the infection was triggered by a USB stick. Also, it would not be possible to proactively alert when the same stick becomes visible again in the environment.
  • The network connections opened by the ransomware would not have been visible. The analyst could not find out which connections to the Internet were opened or whether the ransomware attempted to spread to other systems.

SOC workshops

A basis for the analyst's work is the clean planning of the environment. To this end, workshops with the client are suitable to ensure that all relevant log sources have been integrated and that the SIEM is able to exploit its full potential.

Of course, not everything is always perfect at the start: the workshop may have defined that certain sources are not to be included, or the picture of the IT landscape in the workshop may have been incomplete. That's why the SOC meetings and reviews with the customer are important: you can continuously optimize and correct errors so that they are not committed again.

It is also conceivable that a conceptual weakness in the customer's IT environment could lead to incidents. In this case, terreActive can not only support the customer in optimizing the SIEM and the processes, but can also fundamentally improve the infrastructure.

In addition to the analysts, engineers and consultants also participate in the managed SOC service and the handling of incidents:

  • Evaluating Managed SOC incident reports and identifying optimization potential
  • Identifying risks and proposing procedures to minimise them
  • In-depth knowledge of the products of different manufacturers and of different standards
  • Technical consulting

Thanks to the close cooperation of the three job profiles - Analyst, Engineer and Consultant - new findings resulting from the incident analysis are quickly incorporated into the daily SOC/SIEM operation and thus ensure continuous improvement of corporate security.