A recent study reveals that cyberattacks cost the world economy more than $1 trillion, a more than 50 percent increase from 2018. Damage to companies also includes downtime, brand reputation, and reduced efficiency.
Besides installing anti-malware software to protect against cyberattacks, however, there is other security software to consider. One option is a SIEM (Security Information and Event Management) solution. SIEMs provide centralized management for security information and events, detecting and managing security incidents, and correlating data from multiple sources.
In one of our recent webinars, we reviewed in detail which cybersecurity solutions to consider:
Cyberattacks and Their Impact on the Companies
If proper countermeasures are not taken in case of an attack, the company is likely to lose not only valuable information but also a huge amount of money.
This makes cybersecurity software very important for protecting and maintaining the company’s data.
The best way to counter cyberattacks is by using sophisticated SIEM solutions, which help you gain 360-degree monitoring over all the processes, and achieve full data integrity. A good SIEM software can provide the information needed to find the cause of a cyberattack and take immediate action to defend the company data.
Some of the ways in which SIEM software successfully defends company data are:
- Automated Incident Response (AIR): thanks to an automated response, the IT department is able to quickly detect and respond to threats more efficiently.
- Automated Incident Management: the lack of incident response resources makes organizations susceptible to breaches. To overcome these challenges, security teams need orchestration and automation for more effective collaboration and response across the environment. If automated response features are in place, the team of experts is responsible for responding only to those threats that are truly out of the ordinary. This way they can respond quickly and resolve any incident in real-time without having to be physically present.
Automation is critical for managing high volumes of end-users and end-points in order to keep the whole infrastructure up and running. That’s why it’s crucial to consider NextGen SIEM software. SIEM is designed to gather, analyze, and store the security and compliance-related information that is generated during incidents. This helps the system to detect anomalies even more accurately in time, leveraging machine learning and AI.
Top 3 cybersecurity attacks in 2021 and how to prevent them
Ransomware is a type of malware that can lock your computer and then demand a ransom for its release. Usually, ransomware infection occurs as follows:
- A malicious software gains access to the device.
- Depending on the type of the ransomware attack, either the entire operating system or individual files get encrypted
- The attacker requests a ransom to decrypt the files.
Advanced ransomware attacks use sophisticated evasion techniques that help them to slip through the security radar undetected. They can easily bypass traditional antivirus software. Depending on the speed of the computer, it can take from a few hours to few days to completely encrypt all files. When it comes to critical infrastructure, healthcare, the financial sector, or the government – this event can occur critical to the whole society. And the recent Colonial Pipeline Attack proves that.
In the last two years, ransomware attacks have drastically increased, and their impact on the organization has become bigger. Bitdefender reports that ransomware attacks increased by 485% in 2020. For the last two months alone the most massive ransomware attacks to date happened – The Kaseya Ransomware Attack in July and JBS Ransomware attack in June.
The two main reasons for this unusually rapid increase, according to cybersecurity specialists, are:
- Cryptocurrencies – Cryptocurrency networks open up the ability to exchange payment without an authoritative third party. With cryptocurrencies such as Bitcoin and Ethereum, cybercriminals can anonymously receive payments that are nearly impossible to track;
- The pandemic – As companies quickly pivot to the cloud to enable remote work at scale, they often leave security gaps and opportunities for cyberattacks.
The cost of ransomware attacks has also massively increased. While the average cost of ransom per incident in 2018 was $4.300, it almost doubled in 2020. Another concerning fact is that 20% of the ransomware victims are SMEs, which can’t afford costly security solutions and big security teams to mitigate the security risks.
How To Tell You Have a Ransomware: Warning Signs
- Suspicious Emails – Phishing and social engineering through emails are some of the most common ways that ransomware attacks begin. Hackers usually send social engineering emails where the sender is claiming to represent a legitimate company, sending a malicious attachment or link. Once the receiver clicks on the link or the attachment, it gives hackers a toe-hold in the network and they’ll begin moving laterally. End-user training can give employees the knowledge and awareness to detect a certain email is a phishing one or not. To test how good you are at spotting phishing emails, you can take Google’s Phishing Quiz.
- Network Scanners – Network scanners can be a form of malware that is designed to attack, find, and exploit various weaknesses in a network. Note that cybercriminals will often start their attack by gaining access to one computer and then scanning for more vulnerable network devices. One way for a cybercriminal to do this is by installing a network scanning tool like Advanced Port Scanner or AngryIP. From there, they’ll do some digging into their surroundings to find the best way to send the virus. Make sure there is a server or other network device that is not being scanned by a network scanner to store your backup data, or else you risk that a possible ransomware attack can have a high impact on your company. Of course, a network scanner can be a legitimate tool, too. Make sure to check out with your IT team if anyone is using a network scanner — if they’re not, then it might be time to raise a red flag.
- Active Directory Access – At the same time as installing network scanning software, a hacker is also likely to try to infiltrate your company’s Active Directory (AD) and gain domain access through tools like BloodHound and AD Find. For example, BloodHound uses an investor called SharpHound, which comes in the form of a command-line .exe or PowerShell script. Its purpose is to map paths to gather information about AD users, groups, and computers and forward privileges to domain administrators. Notorious ransomware strains like Ryuk used Microsoft Remote Desktop Protocol (RDP) to hack AD servers and then insert the ransomware into the AD login script. This affected everyone who logged into that AD server.
- MimiKatz / Microsoft Process Explorer – The presence of MimiKatz should always be a red flag; It is one of the most widely used hacker tools. MimiKatz is used by cybercriminals to steal passwords and credentials. It is often used with Microsoft Process Explorer, a legitimate tool that can dump LSASS. exe, a Windows process responsible for implementing the security system. Penetration testing (or ethical hacking) can prevent attackers from accessing your systems with MimiKatz. Some hackers use more subtle approaches to stealing credentials that are harder to identify than MimiKatz. For example, Cobalt Strike is a platform that uses multiple methods to evade detection by antivirus software and sometimes mimics common tools like Gmail and Bing, while collecting login information, leaving little trace on an infected system. A cloud-based SIEM such as LogSentinel can detect such malicious tools on your network, including MimiKatz and Cobalt Strike, and instruct you on what to do to prevent an attack.
- Uninstalling Software – Once the attacker has gained administrative rights, the next step is usually to uninstall or disable security software such as antivirus protection. They will usually do this using legitimate software uninstallers such as IOBit Uninstaller, GMER, PC Hunter, and Process Hacker. A logging solution that is leveraging AI and machine learning, such as LogSentinel SIEM, will detect the presence of these tools and will recognize that an anomalous activity is happening. When you discover these malicious tools, you must be wondering why and how did they suddenly appear. It is important to remember that software removal programs are the next warning signs of ransomware; they usually indicate that hackers have gained privileged access. If you find that the software has been removed, act quickly – in 15 minutes or less – to prevent the ransomware from running.
- Small Scale Test Attacks – Hackers often run simulations of a ransomware attack through small-scale dry runs aimed at finding vulnerabilities on your network or endpoints. They attack a small number of network devices to test whether they can successfully distribute the ransomware. If not, they try a different approach. Security software such as LogSentinel SIEM or endpoint detection and response tools can catch smaller attacks before they cause something much worse.
- Ransomware Notice – If you receive a ransomware notification, it’s probably too late and you’ve already fallen victim to ransomware. A message will appear informing you that your data is encrypted and that you must pay the ransom to get your data back. This can be frustrating, but it’s the first sign that you’re in trouble
If your computer has no signs of ransomware, don’t wait until ransomware hits it. One way to prevent ransomware from entering the computer is by installing security software with features that ensure ransomware protection. It’s the security software that will take care of ransomware when it attempts to attack the computer. Never hesitate to invest in the best security software because that means safety against ransomware.
- Look out for the common warning signs: nowadays, ransomware attacks tend to move quickly (sometimes as fast as 12 hours), but there are still signs that IT and security teams can look out for to minimize the damage of ransomware or even stop it in its tracks. Warning signs include the emergence of network scanning, Mimikatz, password sprayings, unauthorized remote access, and software removals tools like IObit Uninstaller and GMER.
- Don’t pay the ransom. There are no guarantees that companies will get their data back, even if they do pay the ransom. Plus, paying the ransom fuels cybercriminals and could result in compliance violation fees.
- Implement controls like backups and security monitoring. One of the biggest challenges for IT and security teams is a lack of visibility, which can lead to not catching suspicious activity from hackers. Security teams should implement an incident detection and response solution that monitors the entire IT environment and alerts them of potential security incidents. IT teams should also implement backup solutions that can restore the environment if a ransomware attack does occur.
- Leverage a honeypot – honeypots can be used to detect lateral movements. If ransomware tries to spread across the network, you may be able to catch it while it spreads, if it lands on your honeypot as well.
- Leverage phishing detection tools – to prevent phishing attacks on a company level, consider leveraging SIEM software with a phishing detection feature.
- Leverage ransomware detection tools – with LogSentinel SIEM you are alerted of all aspects of ransomware as soon as they try to infect a computer. You can then stop all attempts of the ransomware to get in and spread and thus prevent any significant damage.
Malware, short of malicious software, is a term used to describe viruses or harmful programs which have a purpose to disrupt, damage, or gain unauthorized access to sensitive information from a computer system, mobile device, or an IoT device.
Malware can steal sensitive information from your computer, gradually slow it down, or even send fake emails from your email account without your knowledge.
- 71% of organizations experienced malware activity that spread from one employee to another
- 51% of organizations experienced a ransomware attack that led to partial disruption of business operations
- 3000+ malware-infected websites were detected weekly between January and March 2020
How to Detect and Prevent Malware Across Your Company
- Keep your security software updated across the enterprise network – make sure that your employees update the security software on their computers. With so many people working from home, it’s getting harder to track, so it’s vital to familiarize your staff with why updating security software locally is so important
- Use a non-administrator account whenever possible – employees who have access to privileged user accounts often tend to use them as a primary account. This is not a good practice, because it makes it easier for malware to get installed on your computer and making company-wide changes. We recommend using an account with limited rights in your everyday work unless it’s necessary to use an admin one.
- Think twice before clicking links or downloading files – hackers often use social engineering to make you download malicious software. They can send you a link or file via the infected account of your friend, and the link/file could even contain your name. Always double-check that this is not malicious software, especially when it comes to downloading it on a computer with access to company data. To check out a link’s safety, you can use Google Safe Browsing
- Be careful about opening email attachments or images – email attachments or images may also contain malware. Be sure that the email you have received is not a malicious one. To test how good you are at spotting phishing emails, you can take Google’s Phishing Quiz. To prevent phishing attacks on a company level, consider leveraging SIEM software with a phishing detection feature.
- Blocking popups on a company level – even if you trust the website, they might get compromised by malicious actors, so always make sure that the pop-ups asking you to download software are actually what you have requested from this page. You can learn how to limit popups locally here, but if you are a security expert, make sure to take proper security measures on a company level as well.
- Limit your file-sharing company-wide – limit external device connections, and cloud sharing as much as possible. If you’re already using SIEM software, make sure to set up rules alerting for unusual upload/download activity. This will help you prevent data leakage before it’s too late
- Use firewall, antivirus & SIEM – an antivirus protects your device by finding, analyzing, and destroying potentially harmful data, preventing malware from opening on your computer, and blocking outside users from operating your keyboard and screen. A SIEM software helps detect anomalous activities in case antivirus and firewall haven’t stopped it.
- Use VPN for WFH security – a VPN can make your employees’ online activity safer and more secure while working from home. To find out more about WFH security measures, download our free e-book: SIEM for Work From Home Security
Malicious Insiders / Man in the middle
In short, malicious intrusions refer to an automated attack made to your system by an illegal agent. It is usually done in a hidden way so that it’s hard to be detected.
Man-in-the-middle is a general term for when a cybercriminal positions himself in a conversation between the transmitter of the information and the receiver in order to intercept or to impersonate one of the parties, making it appear as a normal exchange of information is underway.
- MitM attacks were involved in 35% of exploitations – More than one-third of exploitation of inadvertent weaknesses involved MitM attacks, according to IBM’s X-Force Threat Intelligence Index 2018.
Man-in-the-middle (MitM) attacks come in two forms, one involving physical proximity to the targeted victim, and the other involving malicious software. The unauthorized third party gains access to an unsecured Wi-Fi router, often located in public areas with free Wi-Fi hotspots or even in some users’ homes. A successful man-in-the-middle attack doesn’t end with an interception. The victim’s encrypted data must be decrypted so that the cybercriminal can read and act on it.
How to Prevent MitM attacks
- Implement a stronger WEP/WAP encryption on your access points – a weak encryption mechanism can allow attackers to brute-force a network and launch man-in-the-middle attacks. Applying stronger encryption reduces the risk of a potential MITM violation.
- Change router login credentials – people often tend to forget to change the default credentials of the router. This is known to malicious actors and they first try “shortcuts” to access your systems. Make sure your default router login details have been changed. Not just your Wi-Fi password, but also your corporate router credentials. If an attacker finds your router’s credentials, they can replace your DNS servers with their malicious ones or infect your router with malware. Don’t let this happen.
- Leverage a virtual private network ( VPN) especially for those working from home – VPNs use key-based encryption to create an extra layer of security. This way, even if an attacker enters a shared network, they cannot decrypt the traffic on the VPN.
- Enforce the use of HTTPS on corporate computers – HTTPS can be used to securely communicate over HTTP using a public-private key exchange. This prevents an attacker from using the sniffed data in any way. Websites should only use HTTPS and not provide HTTP alternatives. Users are recommended to install browser plugins to always use HTTPS in requests.
- Public key pair-based authentication – man-in-the-middle attacks often involve falsifying something. Public key pair-based authentication like RSA can be used at different layers of the stack to make sure what you’re communicating is actually what you want to communicate.
- Leverage code scanning tools to prevent formjacking – website formjacking (or Magecart) attacks are becoming mainstream resulting in loss of revenue, reputation, and regulatory penalties. In these attacks, malicious actors manage to inject scripts that scrape credit card and login information from your website. LogSentinel SIEM has a dedicated integrity monitoring module that alerts you for any script change without the need to modify your website. Get your site protected from form jacking at reduced operational cost and minimal effort on audit and forensics.
How does SIEM software help detect cyber threats in real-time?
In recent years, we have been facing new types of cyberattacks – attacks that are being discovered and reported daily. Nowadays, every company, even an SME, is a target to cybercriminals, hence they’re trying to stay up against such attacks. They can easily mitigate the security risk by deploying a next-gen SIEM solution to detect all threats in the network, however, it’s often assumed that SIEM software is not affordable for SMEs. We recently explained how Mid-Market companies and SMEs can benefit from affordable SIEM solutions, and debunked myths and misconceptions about using SIEM, proving that SIEM software can be a good security solution fitting even SMEs’ budget.
But there is one more challenge. What is the best way to detect such threats? How to find them in real-time and in a dynamic environment? The answer lies in the deployment of a NextGen SIEM solution that allows real-time threat detection and response. Because, in a dynamic environment, we need real-time and dynamic threat detection capabilities, and the right SIEM software helps us to achieve this.
There are two types of threats in the network – real-time threats and dynamic threats. Real-time threats exist instantaneously and dynamically, and they can cause severe damages to a company. In contrast, they are hard to detect on their own and they require deep analysis to be detected and resolved as fast as possible – not only to counter them by leveraging SIEM software but also to prevent them to take the damage. Dynamic threats exist over long periods of time, which makes them easier to detect. For example, they may be detected as low-risk “normal” network activity. But they can still cause serious damages if they manage to escalate, or they are hard to detect on their own.
SIEM software use cases for preventing cyberattacks
When it comes to preventing cyberattacks, SIEM software solutions are crucial for any organization – from big enterprises to small and medium businesses. A SIEM will help your company mitigate the risk of a cyberattack, being able to automatically detect, analyze and respond to the presence of a wide range of threats from both – internal and external malicious actors. The software ensures that the most essential tasks are handled with a single point of action. As a result, system security is greatly improved and the cost of cyberattacks is reduced while ensuring that our organization remains at the leading edge of cyber hygiene.
Below, we discuss how to use SIEM in an effective way in order to:
The information security management process starts with effective management of the security environment, which will provide you with all the necessary tools, resources, and people in the field of information protection and security. This type of management ensures that information security in your organization is maintained and updated with necessary changes and updates and minimizes the probability of information security breaches.
A comprehensive SIEM software will create security awareness and detection across all the connected devices in your organization. It will provide security alerts and advisories on your desktops, servers, printers, and external networks for monitoring and analyzing the threats to your information.
Informations Security Auditing
Informed by the events we have learned about in previous chapters, we use information security auditors and the information security management process to get a detailed picture of how we perceive and manage information security risks and vulnerabilities. This means that by using SIEM software you will be able to ensure that information security risks are fully captured and analyzed.
Phishing is the number one attack vector against organizations and no amount of training can eliminate the risk. A single click on a malicious email can damage the entire organization.
With LogSentinel SIEM connected to your exchange/email server, you get instant notification and automated response to phishing attacks using sophisticated detection techniques. Reduce your phishing attack risk and minimize effort on audit and forensics.
Website Integrity Monitoring
Website formjacking (or Magecart) attacks are becoming mainstream and result in revenue and reputation loss and regulatory fines. In those attacks, malicious actors manage to inject scripts that scrape credit card and credential data from your website.
LogSentinel SIEM has a dedicated integrity monitoring module that alerts you for any script change without the need to modify your website. Get your site protected from formjacking at reduced operational cost and minimal effort on audit and forensics.
ActiveDirectory Security Monitoring
ActiveDirectory is at the core of many organizations, holding up-to-date information about all employees and their access privileges. As such it has become a prime target for attackers that try to abuse leaked credentials and escalate their privileges.
With LogSentinel SIEM you have a unified dashboard for real-time control and insight from your Active Directory and you can detect and respond to malicious activities. Get security and compliance at reduced operational cost and minimal effort on audit, forensics, and fraud detection.
Antivirus Collaboration: Log Collection and Analysis
Antivirus software is ubiquitous. But collecting and correlating the antivirus activity is important for detecting organization-wide attacks.
With LogSentinel SIEM you have a unified dashboard for real-time control and insight across all aspects of your antivirus software. Get improved security at reduced operational cost and minimal effort on audit, forensics, and fraud detection.
In recent years, ransomware has been a significant issue for many organizations, especially smaller ones that could not afford comprehensive security tools.
Ransomware makes all organization data unusable until a ransom is paid, which can (and often does) destroy the target organization – in terms of cash, disrupted operations, and reputation.
While regular backups are an important measure to protect against the effects of ransomware, they are not a bulletproof solution and additional measures are required.
Antivirus software is often lagging behind newly spawn ransomware and that leaves many organizations at risk.
With LogSentinel SIEM you are alerted of all aspects of ransomware as soon as they try to infect a computer. You can then stop all attempts of the ransomware to get in and spread and thus prevent any significant damage.
Securing Work From Home
“Work from home” and “work from anywhere” are on the rise – not only because of the pandemic but due to a globalizing world.
Remote work, however, is a significant change from traditional perimeter security. The corporate network is now the internet and that makes adequate security monitoring paramount for the security of each organization.
LogSentinel SIEM lets you protect your data and services by comprehensive security monitoring tailored to a work-from-anywhere environment.
Utilizing a Honeypot
There’s an unwritten rule that every machine that becomes visible on the internet is under attack in under 5 seconds.
LogSentinel SIEM Honeypot is a useful addition to our threat intelligence capabilities and allows for detecting early threats as well as collecting malicious actor behavior data.
Denitsa Stefanova is a Senior IT Business Analyst with solid experience in Marketing and Data Analytics. She is involved in IT projects related to marketing and data analytics software improvements, as well as the development of effective methods for fraud and data breach prevention. Denitsa supports her IT-related experience by applying her skills into her everyday duties, including IT and quality auditing, detecting IT vulnerabilities, and GDPR-related gaps.