The Role of GroundWork Monitor in Security Monitoring
July 13, 2021
The GroundWork team has reviewed industry analysis of the recent Kaseya VSA incident, and while details are still being revealed, there are some useful takeaways we want to share. In particular, certain aspects of preparedness and indicators of active compromise can be monitored. We also want to talk a little bit about where GroundWork Monitor fits into security monitoring as a whole.
What we know so far about the attack is that most of the security features were disabled on the VSA servers, allowing malicious code to be uploaded, then pushed out to endpoints (other systems), which were then encrypted. The encrypted data was then ransomed back for ~$70 million. The attack affected around 1500 companies. This is, of course, a simplification.
So as this event unfolds, what should we be doing to better prepare for this type of situation? Is there something we can monitor for? In this case, while we can monitor the very specific indicators of compromise, it’s not as useful as you might think. After all, these attacks run very fast and there’s a good chance that, like with many security monitoring systems, you will be alerted only after the fact when the breach has already happened. Still, good practices in monitoring can enable us to better prepare ourselves for the event of a breach.
Backup, Backup of Backups, Monitor Backups
One of the most important things is having a good backup strategy with multiple backups at different sites, and physical air-gapped copies. That’s not enough, though. You also need to be monitoring that the backups are actually there (and restorable). Receiving an alert that a backup failed is great, because then you can correct it and ensure you get a good one. But what if it was successfully created and then deleted?
Deleting backups can be one of the first steps an attacker takes during a ransomware attack, so a key part of being prepared to respond is knowing you have good backups available, and getting alerted when they are not.
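The check below is an added example of the kind of plugin that covers both points above: it verifies that a recent, non-empty backup exists and, by remembering the backups it has already seen in a small state file, reports a CRITICAL when one that should still be within retention disappears. It is not GroundWork's own code; the backup file naming (`backup-*.tar.gz`), the state file location and the thresholds are assumptions for the example, and the scenario in `run_demo()` is constructed.

```python
"""Nagios-style backup check: presence, freshness, size and unexpected deletion.

Added example, not a GroundWork plugin. Assumptions: backups are files named
backup-*.tar.gz in one directory; a JSON state file records every backup the
check has seen (name -> mtime) so that a backup which vanishes before its
retention period has expired is reported as deleted, not silently forgotten.
Exit codes follow the Nagios convention used by GroundWork Monitor checks.
"""
import json
import os
import time
from pathlib import Path

OK, WARNING, CRITICAL = 0, 1, 2
STATUS_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}


def check_backups(backup_dir, state_file, max_age_hours=26, min_size_bytes=1,
                  retention_days=14, now=None):
    """Return (status_code, one-line Nagios output) for the backup directory."""
    now = time.time() if now is None else now
    backup_dir, state_file = Path(backup_dir), Path(state_file)
    seen = json.loads(state_file.read_text()) if state_file.exists() else {}

    current = {p.name: p for p in backup_dir.glob("backup-*.tar.gz")}
    problems, status = [], OK
    retention_cutoff = now - retention_days * 86400

    # 1. Deletion: a backup seen on an earlier run is gone, but its recorded
    #    mtime says it should still be inside the retention window.
    deleted = sorted(n for n, mtime in seen.items()
                     if n not in current and mtime > retention_cutoff)
    if deleted:
        status = CRITICAL
        problems.append("previously seen backup(s) deleted: " + ", ".join(deleted))

    # 2. Presence and freshness of the newest backup.
    if not current:
        status = CRITICAL
        problems.append("no backups found")
    else:
        newest = max(current.values(), key=lambda p: p.stat().st_mtime)
        age_h = (now - newest.stat().st_mtime) / 3600
        if age_h > max_age_hours:
            status = max(status, CRITICAL)
            problems.append(f"newest backup {newest.name} is {age_h:.1f}h old "
                            f"(limit {max_age_hours}h)")
        # 3. Zero-length or truncated files are not usable backups.
        small = sorted(n for n, p in current.items() if p.stat().st_size < min_size_bytes)
        if small:
            status = max(status, WARNING)
            problems.append("undersized backup(s): " + ", ".join(small))

    # Remember what exists now; drop entries that have aged out of retention.
    seen.update({n: p.stat().st_mtime for n, p in current.items()})
    seen = {n: m for n, m in seen.items() if m > retention_cutoff}
    state_file.write_text(json.dumps(seen))

    summary = ("; ".join(problems) if problems
               else f"{len(current)} backup(s) present, newest {newest.name}")
    return status, f"BACKUPS {STATUS_NAMES[status]} - {summary}"


def run_demo():
    """Constructed scenario: one fresh backup, then that same backup vanishes."""
    import shutil
    import tempfile
    root = Path(tempfile.mkdtemp())
    try:
        bdir, state = root / "backups", root / "state.json"
        bdir.mkdir()
        now = time.time()
        backup = bdir / "backup-20210712.tar.gz"
        backup.write_bytes(b"constructed backup content")
        os.utime(backup, (now - 3600, now - 3600))      # one hour old
        first = check_backups(bdir, state, now=now)      # expected OK
        backup.unlink()                                   # the deletion case
        second = check_backups(bdir, state, now=now)     # expected CRITICAL
        return first[0], second[0]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

Run from a scheduler (or as a GroundWork passive check) the state file is what turns a "backup missing" condition into a "backup was there and is now gone" alert, which is the signal that matters for the ransomware precursor described above.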
Monitor Security Logs
Another common indicator is the attacker disabling security measures such as Windows Defender. In the Kaseya incident, this was done so that the encrypted payload was not detected and quarantined. These disabling events are visible in the Windows Event Viewer – the Windows Defender log – and monitorable using the windows_eventlog service in GroundWork Monitor. Just point to the Windows Defender log for event ID 5007. If this happens as an attack precursor, you may have time to react by re-enabling the defences, or taking more drastic actions like shutting down access.
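As an added example of the event-log side, the check below scans Windows Defender log records for event ID 5007 within a short lookback window and raises CRITICAL when any are found, quoting the "New value" line so the alert says what changed. It is not GroundWork's windows_eventlog plugin; the record field names (`Id`, `TimeCreated`, `Message`) and the message wording are assumptions modelled on what a log export of the Microsoft-Windows-Windows Defender/Operational log carries, and the sample records are constructed.

```python
"""Nagios-style check over Windows Defender log events for ID 5007.

Added example, not GroundWork's own plugin. Each record is a dict with the
assumed fields "Id" (int), "TimeCreated" (epoch seconds) and "Message" (str),
as a windows_eventlog export or Get-WinEvent output could be mapped to.
Event ID 5007 is Defender's "configuration has changed" event, the one the
post above points at; other IDs can be passed in watched_ids.
"""
import re
import time

OK, WARNING, CRITICAL = 0, 1, 2
STATUS_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}

# 5007 messages list the old and new setting; keep the new one for the alert text.
NEW_VALUE_RE = re.compile(r"New value:\s*(.+)", re.IGNORECASE)


def check_defender_events(records, lookback_seconds=900, watched_ids=(5007,), now=None):
    """Return (status_code, one-line Nagios output) for a list of event records."""
    now = time.time() if now is None else now
    hits = []
    for rec in records:
        if rec["Id"] not in watched_ids:
            continue
        if now - rec["TimeCreated"] > lookback_seconds:
            continue                      # older than the window: already alerted on
        match = NEW_VALUE_RE.search(rec["Message"])
        detail = match.group(1).strip().splitlines()[0] if match else "(no detail)"
        hits.append(f"{rec['Id']}: {detail}")
    if hits:
        return CRITICAL, (f"DEFENDER {STATUS_NAMES[CRITICAL]} - {len(hits)} configuration "
                          f"change(s) in last {lookback_seconds}s: " + " | ".join(hits))
    return OK, f"DEFENDER {STATUS_NAMES[OK]} - no watched events in last {lookback_seconds}s"


def sample_records(now):
    """Constructed records: one recent 5007, one stale 5007, one unrelated event."""
    return [
        {"Id": 5007, "TimeCreated": now - 120,
         "Message": ("Windows Defender Antivirus Configuration has changed.\n"
                     "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
                     "Real-Time Protection\\DisableRealtimeMonitoring = 0x0\n"
                     "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
                     "Real-Time Protection\\DisableRealtimeMonitoring = 0x1")},
        {"Id": 5007, "TimeCreated": now - 7200,
         "Message": "Windows Defender Antivirus Configuration has changed.\nNew value: (stale)"},
        {"Id": 1001, "TimeCreated": now - 60,
         "Message": "Windows Defender Antivirus scan has finished."},
    ]


def run_demo(now=1_000_000):
    """Fixed clock so the result is deterministic."""
    return check_defender_events(sample_records(now), now=now)


if __name__ == "__main__":
    print(run_demo())
```

On a live host the records would come from the windows_eventlog service or from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=5007}`; the lookback window should match the check interval so each change is alerted on once.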
The Role of GroundWork Monitor
GroundWork Monitor is a Unified Monitoring tool, with a lot of capabilities for infrastructure monitoring. Our focus is not security monitoring, though we do have a role to play as an aggregator of indicators from other systems and applications, including security-oriented systems. There are plenty of security-oriented tools that do a great job of detecting vulnerabilities and evidence of compromise, and we do not intend to replace them. Rather, we offer Unified Monitoring features that incorporate multiple avenues of detection, both native in GroundWork Monitor like the examples above, and from external sources. GroundWork Monitor can be the place where multiple tools send their updates and metrics, and, using aggregation features like Business Service Monitoring and the alerting features of GroundWork Messenger, GroundWork Monitor can give you actionable alerts from detections that occur across multiple sources.
If you need any assistance in connecting your security monitoring systems to GroundWork Monitor, setting up monitoring of backups, event logs or anything else, feel free to contact GroundWork Support for assistance. We can help you add the value of GroundWork Monitor to your security monitoring toolset.