LockBit, APT and SIEM – Protection against advanced attacks with COCUS

Today, we’ll explain what to look for in cybersecurity and how you can protect yourself and your business with Security Information and Event Management (SIEM) systems.

LockBit has struck again, this time hitting the automotive supplier Continental: the attackers were able to extract 40 TB of data, some of it sensitive. The extortionists are now threatening to publish the data in full. In one respect Continental was apparently lucky: the attack was detected before the cybercriminals could encrypt or delete the data on Continental's systems.

LockBit is an example of increasingly advanced attacks

LockBit is just one variant in a long line of constantly evolving ransomware and extortion attacks. “Ransomware-as-a-service” models allow cybercriminals to rent complete ransomware attack infrastructures and use them to attack enterprises. LockBit is thus just one example of the increasingly professional attacks being carried out, including by non-state groups. Cybercriminals and so-called “Advanced Persistent Threats (APT)” operate in a highly organized manner and are constantly on the lookout for new ways to break into companies.

10-15 years ago, viruses and spyware were the biggest cybersecurity concern for enterprises. Antivirus (AV) solutions entered the market to scan suspicious files and check for virus signatures. Over time, additional phishing and malware attacks emerged. Again, using a similar approach to antivirus, email filters can scan for phishing attempts or compromised links to prevent attackers from succeeding.

As time passed and the number of attacks increased, the attacks became more targeted. Cybercriminals learned to act more and more professionally as they constantly search for new ways to break into companies. Advanced Persistent Threats (APTs) are advanced attacks by organized groups that penetrate a network in multiple phases, systematically spreading throughout the enterprise while evading detection. Their overarching goal is to steal, manipulate, encrypt, or delete information for commercial or political gain.

Protection against advanced attacks through detection

In order to protect against any kind of attack, it is still essential to take preventive measures in the area of cybersecurity. Security tools such as virus scanners are hygiene factors in the area of cybersecurity. The application of design principles such as security-by-design or zero trust also help to defend against attacks.

However, prevention is not enough due to increased complexity and the human factor. Studies such as Mandiant’s M-Trends Report show that advanced attacks are difficult to detect:

  • In nearly every advanced attack examined, valid user credentials stolen during the course of the attack were used
  • Attackers spread across 40 systems on average
  • It took a median of 101 days for an attack to be detected

The exclusive use of preventive security tools makes it difficult to prevent such attacks. Especially when attacks are carried out with the help of stolen user accounts or through vulnerabilities in unpatched software, such security measures can be circumvented.

SIEM systems as the nerve center in the Security Operations Center

Security Information and Event Management (SIEM) systems are an important tool for detecting and dealing with APTs. The core functionality of a SIEM system is to collect log files and other machine data from across the IT landscape, search them promptly for traces of unusual or potentially harmful activity, and report what it finds. The SIEM correlates the data and provides an overall picture for processing by a security operations team.
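To make the correlation idea concrete, here is an added Python example (not code from this post, from COCUS or from Splunk) that applies one simple detection rule to constructed authentication events: an account that successfully logs on to many distinct hosts within a short time window, which is the pattern of stolen credentials being used to spread through a network, is flagged for the security operations team. The event format, the 15-minute window and the host threshold are assumptions for the example.

```python
import datetime as dt
from collections import defaultdict

# Constructed sample authentication events (not real log data):
# (timestamp, user account, destination host, outcome)
SAMPLE_EVENTS = [
    ("2024-01-10T08:01:00", "svc-backup", "fs01", "success"),
    ("2024-01-10T08:02:30", "svc-backup", "fs02", "success"),
    ("2024-01-10T08:03:10", "svc-backup", "db01", "success"),
    ("2024-01-10T08:04:45", "svc-backup", "app03", "success"),
    ("2024-01-10T08:05:20", "svc-backup", "dc01", "success"),
    ("2024-01-10T08:07:00", "j.doe", "ws-117", "success"),
    ("2024-01-10T09:30:00", "j.doe", "fs01", "success"),
    ("2024-01-10T10:15:00", "j.doe", "ws-117", "failure"),
]


def parse_event(raw):
    """Turn one raw tuple into a dict with a real datetime."""
    ts, user, host, outcome = raw
    return {"ts": dt.datetime.fromisoformat(ts), "user": user,
            "host": host, "outcome": outcome}


def detect_lateral_spread(raw_events, window_minutes=15, host_threshold=4):
    """Correlation rule: flag each account that successfully authenticates
    to at least host_threshold distinct hosts within any sliding window of
    window_minutes. Returns one alert per flagged account."""
    by_user = defaultdict(list)
    for ev in map(parse_event, raw_events):
        if ev["outcome"] == "success":      # only valid logons count
            by_user[ev["user"]].append(ev)
    window = dt.timedelta(minutes=window_minutes)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        best, best_start, start = set(), None, 0
        for end, ev in enumerate(events):
            # Slide the window start forward until all events fit in it
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in events[start:end + 1]}
            if len(hosts) > len(best):     # remember the busiest window
                best, best_start = hosts, events[start]["ts"]
        if len(best) >= host_threshold:
            alerts.append({"user": user, "first_seen": best_start,
                           "hosts": sorted(best)})
    return alerts
```

In a real SIEM the same rule would run continuously over ingested logon events, and the threshold would be tuned per account type so that legitimate service accounts do not generate constant noise.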

Attack detection patterns must be continuously maintained so that new attack tactics and techniques are also detected. Modern and powerful SIEM systems support this by regularly updating new threat detection patterns or by using artificial intelligence.

Another important component is providing ways to analyze and handle detected incidents, ideally using automation.

Our partner Splunk therefore also refers to the SIEM as the nerve center for cybersecurity in a company, which aggregates information from a wide variety of areas, puts it together to form an overall picture and then – automated or manually – enables an appropriate and rapid response to incidents.

COCUS and Splunk - a strong partnership also for SIEM systems

To counter the increased threat level, we at COCUS decided to invest in a SIEM system as a medium-sized company. Here we rely on the market leader Splunk. As a long-standing partner of Splunk, we are fully convinced of the solution’s performance and can rely on our experienced Splunk engineers and security experts during implementation.

COCUS can provide your company with a broad range of expert knowledge in the IT security field as an external supporter for the establishment and expansion of a customized, effective security system. Talk to us before it’s too late!
We offer you full protection when it comes to the security of your business.
