New cybersecurity research supports use of log file intelligence for ransomware protection, says OmniIndex
October 2024 by Simon Bain, CEO and founder of OmniIndex
As new research reveals new ways to identify ransomware variants, log file encryption and intelligence have never been more important. The JPCERT Coordination Center – the first computer security incident response team established in Japan – recently published new research that has uncovered methods to detect human-operated ransomware attacks through Windows event logs.
According to the researchers, different ransomware variants leave distinct traces in Windows Event Logs. This meant the researchers were able to use log files - specifically application, security, system and setup logs - to identify ransomware belonging to certain criminal groups and better understand how they work.
Being able to distinguish accurately between different types of ransomware makes it easier to identify the criminals responsible. Using shared information on previous attacks conducted by the same groups can lead to quicker incident response and recovery.
The researchers go as far as making recommendations to organisations around the collection and analysis of log files as well as creating custom detection rules based on known ransomware behaviours.
According to Simon Bain, CEO at OmniIndex, log file intelligence is a crucial part of cyber defence and adequate protection of log files is an integral part of their use as a tool for ransomware prevention.
Bain explains: “Traditional methods of identifying attack groups based on encrypted file extensions or ransom notes have become less reliable. Instead, efforts should have been focused on log files that contain vast arrays of information we can use to uncover exactly what has happened in a system.
“Log files are a gold mine for attackers, containing vast arrays of critical information. They can be used to track a user’s activity, steal their credentials, access an organisation’s internal systems and do whatever they want with the data. But they can also be a gold mine for organisations, providing data on access attempts, data exfiltration, SQL injection attacks, and attempted privilege abuse.
“In short, they are incredibly valuable and as such should be protected at all times. Adequate protection will reduce the risk of ransomware altogether. Going one step further, when protected, available and accessible to those that need them, their value intensifies, and they become a huge asset in your security strategy.
“The researchers’ recommendations fail to point out that log files can be collected and stored in real-time in a tamper-proof and isolated environment. Using OpenTelemetry, for example, is just one way to manage the collection of this large-scale log file data and one that can crucially integrate with various backends such as Postgres.
“When it comes to storage, blockchain technology is ideal for storing log files immutably and reducing the risk of attack significantly. The decentralised nature of blockchain means that in the event of a failure, data can be restored from the last available node.”
Bain argues that with the right technology, encrypting log files doesn’t mean that you can’t use them to your advantage whenever you need to.
“Protecting and encrypting log files is just the start. Making use of the data available from log files will set your cybersecurity strategy apart from the rest of the market. Technology such as homomorphic encryption can be used to perform analytics on encrypted data and glean all the necessary insights while keeping it safe. Crucially, access is only granted to analyse the encrypted logs on a least-privilege basis, meaning that a strict zero-trust security policy is maintained.