
Unsecured Log Files: An Overlooked Vulnerability Exploited by Ransomware

“Those who cannot remember the past are condemned to repeat it,” is one of several aphorisms attributed to the 20th-century philosopher George Santayana.

Research by security firm Sophos, which examined global customer incident data from the first half of 2023, finds that many attacks, especially those involving ransomware, follow a similar pattern.

Computer logging is the machine equivalent of writing things down: it records details such as system alerts, application errors, and account logins, typically in text files or event databases.

In Pursuit of Log Files

Log files have been an essential part of computing and cybersecurity for decades. Without the information they provide, troubleshooting a network, let alone defending it, becomes guesswork.

Attackers know this, which is why they have been deleting and tampering with logs for years. Once a log file is deleted or altered, defenders can no longer determine the attackers' point of entry or reconstruct what they did afterwards.

See the recent CISA advisory on the Rhysida ransomware group for details of the tools they use for this. Rhysida made a name for itself in 2023, and clearing logs is part of its documented tradecraft.

This is hardly a new problem, but the Sophos study found that at 25% of the organizations examined, incident responders lacked the log data needed to work out what had happened during the attack.

Because so many systems produce logs, it takes real effort to leave no relevant log behind. In 42% of the attacks examined, security software had been disabled, which stopped those machines from logging anything at all; in 39%, log files had been "cleared", often deleted outright.

Beyond the fact that so many attacks left incomplete or missing logs, the researchers note that defenders then lose time searching for logs that are not there and trying to work out why they are missing.

Sophos field CTO John Shier adds:

Missing telemetry can generate difficulties that most firms cannot afford to address in the time it takes. This is why thorough and accurate recording is so important, but sadly, many companies don’t have the data needed.

Why It Matters

The bad news for defenders is that all of this is already happening. Correlation is an important defence against ransomware because it links apparently unconnected events, a disabled security agent on one host and a cleared log on another, for example, and reveals that something unusual is under way.

That requires centralized log collection, ideally in a SIEM platform that brings the different logs together in one view. But centralization achieves nothing if the events needed to establish the link were never collected or have already been deleted.
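The two points above, that attackers disable security software and clear logs, and that a SIEM should correlate those signals, can be turned into a concrete check. The following is an added example, not code from the article or from Sophos. It runs over a small set of constructed, normalized events (the field names `ts`, `host`, `source` and `event_id` are assumptions about what a SIEM would hold after parsing, and the `heartbeat` source stands in for an EDR or log-forwarder check-in). The Windows event IDs it keys on are real: 1102 (Security log cleared), 104 (System or Application log cleared) and 5001 (Windows Defender real-time protection disabled). It flags tampering, detects hosts that have gone silent, and raises the severity when a host stops reporting shortly after a tamper event, which is exactly the gap the article describes.

```python
"""Correlate log-tampering events with telemetry gaps, per host.

Added example, not from the article or Sophos. Input is a constructed list of
events in an assumed normalized shape (ts, host, source, event_id, user).
"""
from datetime import datetime, timedelta

# Windows event IDs that indicate logging or protection was tampered with.
TAMPER_IDS = {
    1102: "Security log cleared",                       # Microsoft-Windows-Eventlog, Security channel
    104:  "System/Application log cleared",             # Microsoft-Windows-Eventlog, System channel
    5001: "Defender real-time protection disabled",     # Microsoft-Windows-Windows Defender
}

# Constructed sample telemetry (not real data). fs01 is tampered with and then
# goes silent; ws22 is healthy; dc01 has a log clear but keeps reporting.
SAMPLE_EVENTS = [
    {"ts": "2023-05-02T01:10:00", "host": "fs01", "source": "heartbeat", "event_id": None},
    {"ts": "2023-05-02T01:12:30", "host": "fs01", "source": "Microsoft-Windows-Windows Defender", "event_id": 5001},
    {"ts": "2023-05-02T01:13:05", "host": "fs01", "source": "Microsoft-Windows-Eventlog", "event_id": 1102, "user": "svc_backup"},
    {"ts": "2023-05-02T01:13:06", "host": "fs01", "source": "Microsoft-Windows-Eventlog", "event_id": 104},
    {"ts": "2023-05-02T01:15:00", "host": "fs01", "source": "heartbeat", "event_id": None},
    {"ts": "2023-05-02T01:10:00", "host": "ws22", "source": "heartbeat", "event_id": None},
    {"ts": "2023-05-02T01:25:00", "host": "ws22", "source": "heartbeat", "event_id": None},
    {"ts": "2023-05-02T01:40:00", "host": "ws22", "source": "heartbeat", "event_id": None},
    {"ts": "2023-05-02T01:25:00", "host": "dc01", "source": "heartbeat", "event_id": None},
    {"ts": "2023-05-02T01:26:00", "host": "dc01", "source": "Microsoft-Windows-Eventlog", "event_id": 1102, "user": "admin"},
    {"ts": "2023-05-02T01:40:00", "host": "dc01", "source": "heartbeat", "event_id": None},
]

# The "current time" the checks run at; a real SIEM would use the wall clock.
NOW = datetime.fromisoformat("2023-05-02T01:45:00")


def parse_ts(s):
    return datetime.fromisoformat(s)


def tamper_events(events):
    """Every event whose ID is in the tamper list, in input order."""
    return [e for e in events if e["event_id"] in TAMPER_IDS]


def last_heartbeats(events):
    """Most recent heartbeat timestamp per host."""
    last = {}
    for e in events:
        if e["source"] == "heartbeat":
            t = parse_ts(e["ts"])
            if e["host"] not in last or t > last[e["host"]]:
                last[e["host"]] = t
    return last


def telemetry_gaps(events, now, max_silence=timedelta(minutes=15)):
    """Hosts whose last heartbeat is older than max_silence, with the silence duration."""
    return {h: now - t for h, t in last_heartbeats(events).items() if now - t > max_silence}


def correlate(events, now, max_silence=timedelta(minutes=15)):
    """Per host: tamper events plus a severity.

    medium = tampering seen, host still reporting
    high   = tampering seen, and the host's last heartbeat came after the first
             tamper event and it has since gone silent (the log-then-dark pattern)
    low    = silent host with no tamper event recorded (possible collection gap)
    """
    gaps = telemetry_gaps(events, now, max_silence)
    last = last_heartbeats(events)
    findings = {}
    for e in tamper_events(events):
        f = findings.setdefault(e["host"], {"tamper": [], "severity": "medium"})
        f["tamper"].append((e["ts"], e["event_id"], TAMPER_IDS[e["event_id"]]))
    for host, f in findings.items():
        first_tamper = min(parse_ts(ts) for ts, _, _ in f["tamper"])
        if host in gaps and last[host] >= first_tamper:
            f["severity"] = "high"
            f["silent_for_minutes"] = int(gaps[host].total_seconds() // 60)
    for host, gap in gaps.items():
        findings.setdefault(host, {"tamper": [], "severity": "low",
                                   "silent_for_minutes": int(gap.total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for host, f in sorted(correlate(SAMPLE_EVENTS, NOW).items()):
        print(host, f["severity"], f)
```

Run against the sample, `fs01` comes out as high severity (Defender disabled, then Security and System logs cleared, then 30 minutes of silence), `dc01` as medium (a single Security log clear by an admin while the host keeps reporting, worth a look but not on its own an incident), and `ws22` is not reported at all. The point the article makes is visible in the code: if the 1102 and 5001 events never left the endpoint, the only signal left would be the silence, and the analyst would be left guessing why.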

The attackers are not entirely to blame. Some businesses avoid collecting endpoint log data altogether out of concern about the volume. Others collect it but do not do enough to keep it secure, for example by leaving it only on the endpoint itself rather than forwarding it to a store the attacker cannot reach.

Whatever the cause, log evidence is essential to ransomware defence. Without it, defending an organization is like driving at night without headlights.
