“Those who cannot remember the past are condemned to repeat it,” said philosopher George Santayana in one of the most widely quoted aphorisms of the 20th century.
According to a report from security company Sophos covering global customer data from the first half of 2023, a similar principle is applicable in many cyberattacks, especially those by ransomware.
The computing equivalent of remembering events is logging, through which events are recorded as data in simple text files that list system messages, application errors, and account logins.
Targeting Log Files
Log files have been a feature of computing and cybersecurity since the year dot, and networks would quickly grind to a halt without the information they provide.
Cybercriminals, of course, know this, which is why they have long had a habit of targeting them for deletion. Eliminating or tampering with a log file deprives defenders of the ability to understand how attackers gained access to a system and what they did after that.
It’s the first file type ransomware attackers will target, with a good topical example being the MO of the Rhysida ransomware group, which has been prominent in 2023 (see a recent CISA warning on that group for more details on the tools used to achieve this).
Clearly, this issue is not new and yet Sophos uncovered evidence that a quarter of organizations that had been attacked lacked the log file data needed by incident analysts to understand what happened during an incident.
That’s fairly extraordinary—numerous systems generate relevant log files, so to have none at all takes some doing. Separately, in 39% of attacks log files had been “cleared” (mostly by being deleted outright), while in 42% of cases security software had also been disabled, which inevitably stops any logging by those systems.
As its researchers point out, it’s not just that logs were missing or incomplete in many attacks but that the defenders would have to waste time looking for them in vain as well as understanding why they were missing in the first place.
Writes Sophos field CTO, John Shier:
“Missing telemetry only adds time to remediations that most organizations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organizations don’t have the data they need.”
Correlating Clues
This is all bad news for anyone trying to stop ransomware. One of the most important defenses against ransomware is data correlation, which relates separate events to one another to build a picture that something unusual is happening.
This leans heavily on log files held centrally, ideally inside an integrated SIEM platform that combines multiple logs into a single view. But this becomes moot if there’s nothing to correlate.
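As an added illustration of the two points above (correlating separate events into one picture, and noticing when telemetry simply stops), the following Python script is an example written for this page, not code from Sophos or from the report it describes. It assumes a handful of constructed, already-normalized records of the kind a SIEM would hold (hostnames, event names and timestamps are invented), and it applies two defender-side checks: a per-host correlation that only fires when security tooling is disabled and a log is cleared shortly afterwards, and a heartbeat check that reports endpoints that have gone quiet.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a SIEM-style normalized form.
# Hosts, sources, event names and timestamps are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T02:00:00", "host": "ws-07", "source": "auth", "event": "logon_success"},
    {"ts": "2023-05-01T02:03:10", "host": "ws-07", "source": "edr", "event": "protection_disabled"},
    {"ts": "2023-05-01T02:04:45", "host": "ws-07", "source": "windows", "event": "security_log_cleared"},
    {"ts": "2023-05-01T02:05:00", "host": "ws-07", "source": "edr", "event": "heartbeat"},
    {"ts": "2023-05-01T02:00:30", "host": "fs-01", "source": "auth", "event": "logon_success"},
    {"ts": "2023-05-01T02:30:00", "host": "fs-01", "source": "edr", "event": "heartbeat"},
    {"ts": "2023-05-01T03:00:00", "host": "fs-01", "source": "edr", "event": "heartbeat"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.fromisoformat(value)


def by_host(events):
    """Group records per host and sort each group by time; correlation is per host."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["host"]].append(ev)
    for host in groups:
        groups[host].sort(key=lambda ev: parse_ts(ev["ts"]))
    return groups


def correlate_log_tampering(events, window=timedelta(minutes=10)):
    """Flag hosts where protection was disabled and a log was cleared within
    `window` afterwards. Either event alone can be routine admin noise; the
    ordered pair on one host is the picture worth raising an alert on."""
    alerts = []
    for host, records in by_host(events).items():
        disabled_at = None
        for ev in records:
            ts = parse_ts(ev["ts"])
            if ev["event"] == "protection_disabled":
                disabled_at = ts
            elif ev["event"].endswith("_log_cleared") and disabled_at is not None:
                if ts - disabled_at <= window:
                    alerts.append({"host": host, "disabled_at": disabled_at, "cleared_at": ts})
                    disabled_at = None  # one alert per disable/clear pair
    return alerts


def find_telemetry_gaps(events, now, max_silence=timedelta(minutes=30)):
    """Report hosts whose endpoint agent has not sent a heartbeat within
    `max_silence` of `now`. Silence is itself a finding: it is what missing
    telemetry looks like before an analyst goes looking for the logs.
    Only hosts that have reported at least once are considered; catching a
    host that never reported needs an asset inventory to compare against."""
    last_seen = {}
    for ev in events:
        if ev["source"] == "edr" and ev["event"] == "heartbeat":
            ts = parse_ts(ev["ts"])
            if ev["host"] not in last_seen or ts > last_seen[ev["host"]]:
                last_seen[ev["host"]] = ts
    return sorted(host for host, ts in last_seen.items() if now - ts > max_silence)


if __name__ == "__main__":
    for alert in correlate_log_tampering(SAMPLE_EVENTS):
        print("tampering chain on", alert["host"], "log cleared at", alert["cleared_at"])
    print("silent hosts:", find_telemetry_gaps(SAMPLE_EVENTS, parse_ts("2023-05-01T03:15:00")))
```

On the sample data, only ws-07 produces a tampering alert (protection disabled, then the security log cleared about a minute and a half later), and the same host is the one reported silent when the gap check is run at 03:15, while fs-01, which kept sending heartbeats, stays clean. The two checks are deliberately separate: the first needs the events to have arrived at all, so the second is what tells the analyst that the absence of events from a host is the clue, rather than a reason to go searching in vain.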
Not all of this is down to attackers. Organizations sometimes fear being swamped by log data from endpoints and don’t collect enough of it. Or perhaps they collect it but don’t back it up diligently enough.
Whatever the root cause, trying to defend an organization against ransomware without the evidence of log files is like driving down a dark lane with the car headlights turned off.