Ransomware attacks aggressively target virtual infrastructure like ESXi and vCenter, exploiting vulnerabilities to encrypt data and disrupt operations. Veeam’s advanced monitoring capabilities empower organizations to detect threats early and respond swiftly, safeguarding critical data before backups are compromised. By configuring precise alarms and integrating with SIEM tools such as CrowdStrike Falcon, Palo Alto XSIAM, Rapid7, Microsoft Sentinel, Splunk, etc., Veeam ensures comprehensive security visibility.
Below are the top 10 alarms, each mapped to the appropriate MITRE ATT&CK Tactic to fortify your defenses against evolving cyberthreats.
- EDR Services Disabled or Stopped – MITRE ATT&CK Tactic: Defense Evasion (TA0005)
Threat actors often disable endpoint detection and response (EDR) services to evade detection. Veeam’s guest OS services alarm triggers alerts if critical defenses, like antivirus or EDR tools (e.g., CrowdStrike, Defender, etc.), are stopped, catching evasion attempts early. This prevents ransomware from spreading undetected. Forwarding alerts to SIEM platforms centralizes incident tracking, ensuring rapid response within existing workflows.
- vCenter Server Brute Force Alarm – MITRE ATT&CK Tactic: Initial Access (TA0001)
45% of cyber incidents Coveware by Veeam responded to in 2024 were targeted at virtual infrastructure. Veeam’s “Bad vCenter Server Username Logon Attempts” alarm detects suspicious login patterns, flagging credential-stuffing attempts that could grant unauthorized access. Sending alerts to incident response platforms enables real-time correlation, strengthening defenses against initial access.
- ESXi Host Brute Force Alarm – MITRE ATT&CK Tactic: Initial Access (TA0001)
ESXi hosts are vulnerable to misconfigurations or exploits, making them attractive social engineering targets. Veeam’s ESXi monitoring alerts on unauthorized access and weak configuration settings.
- Suspicious Ransomware Activity Alarm – MITRE ATT&CK Tactic: Impact (TA0040)
Veeam’s suspicious ransomware activity alarm monitors production workloads before backups, a unique feature. It detects anomalies like unusual file changes or encryption attempts (e.g., workload activity spikes), flagging ransomware in real time. Integrating these alerts with threat intelligence enables swift isolation of compromised systems.
- Attempted Backup Deletions – MITRE ATT&CK Tactic: Impact (TA0040)
Ransomware often targets backups to block recovery. Veeam’s alarm, based on Event ID 41800, “Backup Deletion Attempt Detected,” triggers when unauthorized deletions are attempted. This protects recovery points, maintaining SLA compliance rates.
- Suspicious File Activity Alarm – MITRE ATT&CK Tactic: Defense Evasion (TA0005)
Ransomware may modify files to prepare for encryption. Veeam’s alarm, tied to Event ID 42402, “Suspicious File Activity Detected,” flags unusual file modifications in workloads. This catches subtle attack indicators. Forwarding these alerts enhances correlation, enabling containment before ransomware spreads.
- Unauthorized Access Alarm – MITRE ATT&CK Tactic: Privilege Escalation (TA0004)
Unauthorized changes to security policies weaken defenses. Veeam’s alarm, linked to Event ID 42402, “Four-Eyes Authorization Event Created,” detects attempts to bypass four-eyes authorization, which requires dual approval for critical actions. Forwarding these alerts ensures oversight, preventing attackers from disabling safeguards.
- MFA Attempts Exceeded Alarm – MITRE ATT&CK Tactic: Initial Access (TA0001)
Excessive multi-factor authentication (MFA) attempts signal probing for access. Veeam’s alarm, based on Event ID 40206, “MFA Attempts Exceeded,” triggers when login attempts exceed thresholds. This identifies threats targeting MFA-protected accounts. Forwarding these alerts helps block unauthorized access promptly.
- Lateral Movement Alarm – MITRE ATT&CK Tactic: Lateral Movement (TA0008)
Attackers use lateral movement to escalate privileges, targeting backup servers to disrupt recovery. Veeam’s event-based rule for Event ID 4625, “An Account Failed Logon Attempt,” monitors suspicious logon activity on backup servers. It is best to set the condition to alert after three failed logon attempts to limit false positives. This alert ensures rapid investigation and containment.
- Immutability Change Attempt Alarm – MITRE ATT&CK Tactic: Impact (TA0040)
Attackers may alter immutability settings or infrastructure to undermine recovery. Veeam’s alarm, based on Event ID 28100, “Configuration Change Detected,” flags unauthorized changes to backup immutability or infrastructure settings. Forwarding these alerts ensures that sabotage attempts are monitored.
Integration and Actionable Insights
These alarms align with MITRE ATT&CK tactics — Initial Access, Defense Evasion, Privilege Escalation, Lateral Movement, and Impact — covering critical attack stages. All integrate seamlessly with syslog or SIEM tools, including CrowdStrike Falcon, Palo Alto XSIAM, Rapid7, Microsoft Sentinel, Splunk, etc. For example, an attempted backup deletion (T1490) can trigger a Splunk investigation, while lateral movement alerts (T1078) prompt CrowdStrike Falcon to isolate servers, minimizing attacker opportunities.
Veeam Data Platform ensures comprehensive protection, detecting everything from initial brute force attempts to final impact efforts like data encryption. Enhance accuracy by fine-tuning rules to reduce false positives, including building an allow list of known admin accounts. Stay vigilant and let Veeam be your frontline defense against cyberthreats.
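As an added example (not from the post and not Veeam’s own tooling), this is the correlation logic a SIEM would apply to the forwarded events: it counts Event ID 4625 per host and account and alerts on the third failure, as recommended for the lateral movement rule above, applies the admin allow list from the closing section to that rule only, and maps the other Event IDs named in this post to their alarm and MITRE tactic. The syslog line layout, the `EventID=`/`Host=`/`Account=` field names, hostnames and account names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Event IDs named in the post, mapped to the alarm and MITRE ATT&CK tactic.
# 42402 is listed on the page for two alarms; it is mapped here to the first.
EVENT_ALARMS = {
    4625:  ("Lateral Movement Alarm", "TA0008"),
    41800: ("Attempted Backup Deletions", "TA0040"),
    42402: ("Suspicious File Activity Alarm", "TA0005"),
    40206: ("MFA Attempts Exceeded Alarm", "TA0001"),
    28100: ("Immutability Change Attempt Alarm", "TA0040"),
}
FAILED_LOGON_THRESHOLD = 3  # alert on the third 4625 for one account, per the post

# Assumed (constructed) key=value layout of the forwarded syslog line.
LINE_RE = re.compile(r"EventID=(\d+)\s+Host=(\S+)\s+Account=(\S+)")


def correlate(lines, allow_list=frozenset()):
    """Return (alarm, tactic, host, account) alerts for syslog-style lines.

    Event 4625 alerts once, when the (host, account) pair reaches the
    threshold; accounts on the allow list are exempt from that rule only.
    Every other mapped event alerts on first sight."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or malformed line
        event_id, host, account = int(m.group(1)), m.group(2), m.group(3)
        if event_id not in EVENT_ALARMS:
            continue
        if event_id == 4625:
            if account in allow_list:
                continue  # known admin: tolerated failures, no alert
            failures[(host, account)] += 1
            if failures[(host, account)] != FAILED_LOGON_THRESHOLD:
                continue  # below threshold, or already alerted
        alarm, tactic = EVENT_ALARMS[event_id]
        alerts.append((alarm, tactic, host, account))
    return alerts


# Constructed sample lines (not real logs): four failed logons for one
# service account, one for an admin, a backup deletion attempt and an
# immutability configuration change.
SAMPLE_LINES = [
    "<13>Jun 01 10:00:01 vbr01 EventID=4625 Host=vbr01 Account=svc-backup",
    "<13>Jun 01 10:00:02 vbr01 EventID=4625 Host=vbr01 Account=svc-backup",
    "<13>Jun 01 10:00:03 vbr01 EventID=4625 Host=vbr01 Account=svc-backup",
    "<13>Jun 01 10:00:04 vbr01 EventID=4625 Host=vbr01 Account=svc-backup",
    "<13>Jun 01 10:00:05 vbr01 EventID=4625 Host=vbr01 Account=admin-jdoe",
    "<13>Jun 01 10:00:06 vbr01 EventID=41800 Host=vbr01 Account=svc-backup",
    "<13>Jun 01 10:00:07 vbr01 EventID=28100 Host=vbr01 Account=admin-jdoe",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES, allow_list={"admin-jdoe"}):
        print(alert)
```

Note that the allow list does not suppress the backup deletion or immutability change alarms: an admin account attempting those actions is exactly what the post says to watch for.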
Additional Resources
Akira Attacks in a Nutshell: Understanding and Detecting the Threat
Top 5 TTPS Targeting Enterprise Cybersecurity
Learn more about Veeam Data Platform
The post 10 Critical Alarms to Stop Ransomware and Protect Your Business Continuity appeared first on Veeam Software Official Blog.