SPLUNK – how can I protect myself?

Angelo Brancato | Security Specialist, EMEA © 2017 SPLUNK INC.

Who am I?
Angelo Brancato, Security Specialist

Threats are more complex and far reaching. Not closing the skills gap. Security to enable business and the mission.

Enterprise Machine Data Fabric: different people asking different questions of the same data
• Application Delivery
• Security
• Development & Operations
• Internet of Things
• Business Analytics
• IT Operations

Ransomware discoveries (https://fatsecurity.com/article/ransomware-protection-guide)

Timeline of worm and ransomware discoveries, 2003 – 2017: Santy, Bolgimo, Caribe / Nachi, SQL Slammer, Zobot, Brontok, Boobface, Daprosy, L10n, Nyxem, Storm Worm, Stration, Swen, Witty, Sober, Rugrat, Agobot, … (https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms, https://fatsecurity.com/article/ransomware-protection-guide)

One (0-day) exploit, many payloads: the ETERNALBLUE remote exploit together with the DOUBLEPULSAR backdoor delivered WANNACRY (ransomware), RATs (remote access trojans), ADYLKUZZ (Bitcoin miner) and UIWIX (ransomware).

Payload types: ransomware, Bitcoin miner, bot-net (DDoS, spam), remote access trojan (targeted attacks), etc.

Ransomware Kill Chain

Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control (C2) → Actions on Objectives

• Criminal syndicate
• Watering hole / exploit kit
• Malicious email (link/attachment)
• Vulnerability
• Ransomware

Analytics-Driven Security

Analytics layers: human-driven and supervised ML-driven analytics, analytics-driven SIEM, unsupervised ML-driven analytics

Apps: Security Essentials for Ransomware, Anti-Fraud, CIS Top 20 Critical Security Controls, Cyber Security Investigator, DGA App, Splunk App for PCI Compliance, Splunk Stream, Machine Learning Toolkit, Add-Ons etc.

Developer Platform (REST API, SDKs)

Splunk Enterprise: On-Premise, Cloud, Hybrid

1 Splunk CIS* Top 20 (Best Practice) Critical Controls https://splunkbase.splunk.com/app/3064/

Splunk CIS Top 20 Critical Security Controls
• CIS Top 20 controls improve risk posture against real-world threats
• The control areas grew out of an international consortium
• Splunk can monitor PCI compliance and generate alerts for non-compliance
• In case of non-compliance Splunk can carry out recommended actions
• 40+ dashboards

*CIS: Center for Internet Security, https://www.cisecurity.org/controls/

2 Security Essentials for Ransomware https://splunkbase.splunk.com/app/3593/

17 use case suggestions:
• Detect Journal Clearing
• Detect Lateral Movement With WMI
• Detect Log Clearing With wevtutil
• Fake Windows Processes
• Malicious Command Line Executions
• Monitor AutoRun Registry Keys
• Monitor Successful Backups
• Monitor Successful Windows Updates
• Monitor Unsuccessful Backups
• Monitor Unsuccessful Windows Updates
• Ransomware Extensions
• Ransomware Note Files
• Ransomware Vulnerabilities
• SMB Traffic Allowed
• Spike in SMB Traffic
• TOR Traffic
• Windows Event Log Clearing Events

Detection methods:
• Office Spawns Unusual Process
• Detection via Statistical Analysis
• Detection via Windows Registry
• Detection via Shannon Entropy
• Detection via Fake Windows Processes
• Detection via File Encryption Events
• Detection via DNS Traffic
• Detection via Sysmon Logs
• Detection via Firewall Logs
• Detection via IDS Events
• Detection via Network Activity
• Detection via SMB Events
• Detection via Deletion of Shadow Copies
• Forensics via log2timeline
• Prevention via Lag Detection
• Prevention via Vulnerability Management
• Prevention via Backup Activity
• Prevention via Automated File Analysis

Let’s take a quick look at this…

Let’s build the SPL step-by-step…

1. Windows PC Sysmon event data, Event Code 1 = start of a process
2. Calculate the length of each command line used by a process after it starts
3. Calculate the average command-line length and the standard deviation for each host
4. stats on the calculated fields
5. Filter on hosts with 10x standard deviation → these are probably infected!

Splunk Online Experience – Try it out! Learn Splunk Skills for Security
• Use sample data to safely practice security investigation techniques
• Embedded help features step-by-step how-to guides on finding security problems
• Contains the data set and tips and tricks for this ransomware webinar for you to learn
1 Step-by-step instruction, 2 Launch instruction video, 3 One-click online session
https://www.splunk.com/en_us/form/security-investigation-online-experience-endpoint.html
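The step-by-step command-line-length detection above, worked as an added example that is not part of the deck or of the Security Essentials app: a plain-Python version of the same logic run over constructed Sysmon-style process-creation records (EventCode 1). The host names, the benign command lines, the long placeholder command and the threshold `avg + 10 * stdev` per host are my assumptions about what the slide's "10x standard deviation" filter means; the deck does not show its SPL.

```python
import statistics
from collections import defaultdict

# Constructed benign command lines modelled on typical Windows process starts.
# Sample data made up for this example, not events from the deck.
BENIGN_COMMAND_LINES = [
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
    r'C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1234 CREDAT:75',
    r'C:\Windows\System32\conhost.exe 0xffffffff -ForceV1',
    r'"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\alice\report.docx"',
    r'C:\Windows\System32\wbem\WmiPrvSE.exe',
    r'taskhostw.exe SYSTEM',
    r'C:\Windows\System32\SearchProtocolHost.exe Global\UsGthrFltPipeMssGthrPipe1_',
    r'C:\Windows\System32\sihost.exe',
    r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer',
]

# One unusually long command line on a single host. The base64-looking blob is a
# placeholder ("QUFB" is base64 of "AAA"), not a real script.
LONG_COMMAND_LINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + "QUFB" * 400
)


def build_sample_events(per_host=150):
    """Constructed Sysmon-like records for three hosts (assumed host names)."""
    events = []
    for host in ("WS-001", "WS-002", "WS-017"):
        for i in range(per_host):
            events.append({"EventCode": 1, "host": host,
                           "CommandLine": BENIGN_COMMAND_LINES[i % len(BENIGN_COMMAND_LINES)]})
    # A non-process-start event (Sysmon EventCode 3, network connection) that the
    # EventCode=1 filter must ignore; it carries no CommandLine field.
    events.append({"EventCode": 3, "host": "WS-017", "Image": r"C:\Windows\System32\svchost.exe"})
    events.append({"EventCode": 1, "host": "WS-017", "CommandLine": LONG_COMMAND_LINE})
    return events


def per_host_lengths(events):
    """Steps 1 and 2: keep process starts only and take len(CommandLine), grouped by host."""
    lengths = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        lengths[ev["host"]].append(len(ev.get("CommandLine", "")))
    return lengths


def per_host_stats(events):
    """Steps 3 and 4: average and sample standard deviation of the length per host."""
    stats = {}
    for host, lens in per_host_lengths(events).items():
        avg = statistics.mean(lens)
        stdev = statistics.stdev(lens) if len(lens) > 1 else 0.0
        stats[host] = {"avg": avg, "stdev": stdev, "count": len(lens)}
    return stats


def find_outliers(events, k=10):
    """Step 5: process starts whose command line is longer than avg + k * stdev for its host."""
    stats = per_host_stats(events)
    hits = []
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        s = stats[ev["host"]]
        cmd_len = len(ev.get("CommandLine", ""))
        threshold = s["avg"] + k * s["stdev"]
        if cmd_len > threshold:
            hits.append({"host": ev["host"], "cmd_len": cmd_len,
                         "threshold": round(threshold, 1),
                         "CommandLine": ev["CommandLine"][:60] + "..."})
    return hits


if __name__ == "__main__":
    for hit in find_outliers(build_sample_events()):
        print(hit)
```

In SPL the same pipeline is roughly `EventCode=1 | eval cmd_len=len(CommandLine) | eventstats avg(cmd_len) as avg stdev(cmd_len) as stdev by host | where cmd_len > avg + 10*stdev` (my sketch, not the deck's query). One caveat the example makes visible: a single outlier also inflates the standard deviation of its own host, so with a sample standard deviation over n events the largest possible z-score is (n-1)/sqrt(n). A 10x filter can therefore only fire once a host has well over 100 process starts in the search window; with the same data but only 20 baseline events per host nothing is flagged.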

3 Analytics-Driven Security: SOC Playbooks
• People: Tier 1 - Alert Analyst, Tier 2 - Incident Responder, Tier 3 - SME / Hunter
• Process: Monitor, Detect, Investigate, Respond
• Technology: Machine Data, Schema-On-Read, Universal Indexing, Adaptive Response, Enterprise Security, Splunk Enterprise (On-Premise, Cloud, Hybrid)
Reference: the Pyramid of Pain, http://detect-respond.blogspot.de/2013/03/the-pyramid-of-pain.html

Enterprise Security Adaptive Response Framework

Ransomware Runbook with Adaptive Response Actions: Enterprise Security as the security nerve center, driving response actions across Network, Web Proxy, Threat Intelligence, Firewall, WAF & App Security, Orchestration, Cloud Security, Endpoints, and Identity and Access.

Visit us @10.0-116. THANK YOU