In February 2021, an Australian university was hit with a ransomware attack. The university quickly shut down its network to identify the infiltration, contain the breach and conduct a proper investigation. As a result, critical operations were offline, new enrolments were suspended and the university could not pay casual staff. A few days later, the university fully restored its IT systems and confirmed there was no evidence to suggest a data breach had occurred.
This could happen to any organisation; Australian organisations across all sectors are targets for cyber attacks. Cyber criminals are very determined and the number of cyber attacks is continuously increasing. The ACSC revealed that cyber attacks have increased by nearly 13 percent in FY20/21 from the previous financial year. The increase equates to one cyber attack every 8 minutes compared to one every 10 minutes last financial year.
In this blog post I will highlight what organisations should do to minimise the time required to investigate cyber security incidents, reduce their impact and restore their systems as quickly as possible.
Effective Incident Response
Every organisation should have an incident response plan. An incident response plan enables organisations to respond decisively to a cyber security incident, limit its impact and support recovery.
When an incident occurs, the incident investigator will collect data from numerous sources within the organisation to determine whether or not there is a security incident. The investigator will request audit logs, transaction logs, intrusion logs, connection logs, system performance records and above all, User activity logs from firewalls, intrusion detection/prevention systems, routers, switches, servers, desktops, mainframes, business applications, databases, anti-virus, VPNs and any other system with a CPU.
This is a process that, if done manually, takes time and effort, causing days worth of delays before responding to the incident. This manual process will potentially increase the organisation’s downtime and subsequently the impact of the attack.
For effective incident response, every organisation should have a centralised collection of all the logs generated within its environment. The incident investigator can only draw a picture of what has happened after examining the logs, including how the malicious actor has gained access to the environment and what key data and assets the attacker got access to.
Furthermore, by quickly examining the logs, the incident investigator can efficiently recommend the best course of action for a rapid response to contain the attack and minimise the impact.
How to store logs centrally
A central log repository is a software solution that aggregates logs from many different resources across the entire environment and empowers the organisation’s security team to analyse them when required. This software is called SIEM: Security information and event management.
Blind spots are the enemy of every organisation; a SIEM eliminates these by consolidating silos of data into one datastore. The SIEM will enable organisations to correlate logs from multiple data sources and identify patterns beyond single messages. For example, a user connecting via VPN out of working hours may not be a concern. However, suppose it happens at the same time as repeated failed attempts to connect to a production database as an administrator. In that case, it is alarming and it may mean someone has compromised the user’s VPN access and is trying to steal the company’s data.
The starting point to deploy a SIEM capability is to develop an event logging policy that covers events to be logged, logging facilities to be used, event log retention periods and how event logs will be protected.
After developing the policy, the organisation needs to select the right software and the right deployment option. There are multiple SIEM solutions in the market that can be deployed on-premise or in the cloud and each has its own features. The organisation must analyse its requirements carefully and design a solution that scales as its business does.
Then comes deployment. At this stage, the logs from different sources need to be collected and there are three main ways to do that.
- Configuring a centralised log collecting agent to pull the logs from the devices
- Installing agents on the endpoints and pushing the logs to the centralised repository
- Configuring the devices to push the logs directly to the centralised repository.
Once the logs reach the SIEM, they are ready to be used when required. It’s highly recommended that organisations select software that can process the data and normalise it against a standard data model to make it easy to analyse.
Unrealized gains of having a SIEM
A SIEM is not only useful in assisting an investigation following a security breach. There is a significant unrealised gain from having a SIEM; that’s the ability to continuously monitor the environment to detect potential security incidents by correlating events within the SIEM.
The SIEM comes typically with a detection engineer with built-in rules that search the logs against predefined criteria to identify malicious activities. The rules in the detection engine can be customised based on the business needs. Furthermore, additional custom detections can be developed to monitor the organisation’s most critical assets.
Advanced SIEM solutions come with a machine learning module that implements algorithms to spot abnormal behaviour or activity to aid the detections and provide better monitoring coverage.
Recent industry advances have introduced the concept of combining SIEM and EDR functionality (for more details about EDR, refer to my previous blog post) while adding more advanced log analysis capabilities. This often integrates cloud-based analysis of host-based sensor telemetry to link disparate alerts to detect compromises of systems and provide better visibility.
SIEM is important
I can’t stress enough how important it is to prepare the logs for use if an incident occurs. This is, in my opinion, even more important than your insurance policy. In the case of an incident, both the insurance company and the government regulator will look for evidence that you have done the right things and taken active measures to ensure the security of the sensitive data you hold. No logs, no evidence.
Even the Australian Cyber Security Centre (ACSC) has added a recommendation to the Essential 8 for organisations to use a SIEM to centrally log and analyse system behaviour to detect compromises and facilitate incident response.
The university’s ability to quickly detect, investigate and respond to the cyber attack has been crucial to minimise the impact on its operations, maintain its reputation and protect its sensitive data. They were ready to provide the investigators with the data they needed when they needed it.
Good visibility of what is happening in an organisation’s environment is essential for conducting an effective investigation. It also aids incident response efforts by providing critical insights into the events relating to a cyber security incident and reduces the overall cost of responding to them.
Unfortunately, many Australian organisations have insufficient visibility of the activity occurring on their network, workstations and servers. This has been confirmed by the Australian Cyber Security Centre (ACSC) while performing recent investigations.
Gaining sufficient visibility for an organisation doesn’t have to be expensive nor complex. And it is worth the money. Remember, remediation costs for a cyber security incident can be far greater than early and ongoing investment in being ready for one.
Click here for more information on cyber security in the education sector.
Author: Mouaz Alnouri