Ransomware is no longer just a nuisance aimed at home users; it has grown into a serious threat to companies and government institutions.
In our webinar you can find out more about what exactly ransomware is and how it works. We then show you the whole thing in a live demo using data from a Windows ransomware infection.
In detail, we show you:
- how to "hunt" ransomware IOCs with Splunk Enterprise
- how to uncover malicious endpoint behaviour
- defence strategies
6. Detect Attempt at Exploit
We don’t know exactly the infection vector at MUNI… but…
…you could use Splunk to search wire data for GET requests made to the JBOSS server-admin console, and create an alert. (CVE-2015-4852)
20. Ergo, to battle ransomware, we must know what our endpoints are doing.
21. Scenarios
• Detection via Firewall Logs
• Detection via IDS Events
• Detection via Network Activity
• Detection via SMB Events
• Forensics via log2timeline
• Prevention via Lag Detection
• Prevention via Vulnerability Management
• Prevention via Backup Activity
• Prevention via Automated File Analysis
• Office Spawns Unusual Process – Sysmon
• Office Spawns Unusual Process – Windows Events
• Detection via Statistical Analysis
• Detection via Windows Registry
• Detection via Shannon Entropy
• Detection via Fake Windows Processes and tstats
• Detection via File Encryption Events
• Detection via DNS Traffic
• Detection via Sysmon Comms
22. Splunk Online Experience: Learn Splunk Skills for Security
1. Step by step instruction
2. Launch instruction video
3. One click Online Session
• Use sample data to safely practice security investigation techniques
• Embedded help features step-by-step how-to guides on finding security problems
• Contains data set and tips and tricks for this ransomware webinar for you to learn
URL: https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-investigation.html
23. Splunk Online Experience: Select contents for your skills
• URL: https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-investigation.html
Series 1:
• Basic Security Investigations
Series 2:
• Endpoint: Ransomware
29. Detection: What Did We Learn?
• Many ways to detect unusual endpoint behavior that could indicate ransomware infection.
• Make your searches look for general, abnormal behavior – not “specific” or you’ll never keep up.
• You don’t have to turn on everything we showed to get some value – but the more you have the more confident you can be. Windows events are a bare minimum!
• The earlier you detect, the better chance you have at stopping the spread.
32. Prevention: What Did We Learn?
• Do what you can about implementing policy to harden your endpoints.
• Back everything up always and verify.
• Scan your systems, patch your systems, use asset and identity info.
• Perform automated analysis to know when bad stuff is arriving.
• Leverage infection lag built into ransomware variants to “take action” before the darkness.
33. Start Investigating Ransomware
• Try it Now – Splunk Ransomware Online Experience @ www.splunk.com
  – Clickable link will be sent via follow-up email after the webinar
• Online materials
  – Splunk Blog – Ransomware Prevention Techniques: pointers to more ransomware materials
  – “Splunking the Endpoint” 2-hr session from Splunk users’ conference – .conf2016: focus on ransomware
  – “Splunking the Endpoint” 2-hr session from Splunk users’ conference – .conf2015: malware and deep dive into Universal Forwarder, etc.
  – “Wrangling Ransomware with Splunk” session from .conf2016: even more ransomware techniques
Thanks for joining me today. This session is going to give you a very brief introduction to ransomware. Then we’re going to talk about how you could instrument your environment using Splunk to better detect ransomware, and to ensure that your preventive measures are in place. We’ll give a number of different demos against data from a real ransomware infection. Then we will wrap up with questions.
My goal is really two things – the first is to convince you that Splunk is an extremely valuable platform with which to detect and defend against ransomware, and the second is to encourage you to learn more about Splunk for this and other security use cases from your local account teams. We will point you to some relevant information at the end.
As you may know Splunk is based in San Francisco. The light-rail system in the area is called MUNI.
Over Thanksgiving weekend the payment systems at MUNI were hacked by a ransomware variant called Mamba.
Mamba encrypted the hard drives on the farecard machines and on systems that displayed train status – these systems were disabled with a “You’ve been hacked” warning, as you can see in the photo here. The SFMTA lost about $560K per day until they were back up and running, which luckily only took a few days because they had backups of most of the affected systems. But what would have happened if the systems didn’t have backups, or if these systems had performed train control/routing tasks? The impact could have been much more severe.
There has been no clear attribution nor an official description of the methods the attacker used in the MUNI ransomware attack. BUT – based on research into his/her techniques, one method is to try to exploit known JBOSS vulnerabilities and gain a foothold that way, and then move laterally and spread ransomware. One of the related CVEs here is 2015-4852. If you’re splunking your JBOSS logs or wire data in front of your JBOSS servers, you can easily find evidence of this happening with Splunk.
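The detection described on slide 6 and in the MUNI discussion above, as an added stand-alone example (not code from the webinar or from Splunk): constructed Splunk-Stream-style HTTP events are parsed, GET requests to the JBoss management console paths are counted per source and destination, and the result is the set of rows an alert would fire on. The key=value field names, the console path list and the sample events are assumptions.

```python
import re
from collections import Counter

# Constructed sample events in Splunk Stream style key=value form (not a real capture). The
# console paths are JBoss's well-known management consoles; paths and field names are assumptions.
JBOSS_CONSOLE_PATHS = ("/jmx-console", "/web-console", "/admin-console")
SAMPLE_EVENTS = [
    "src_ip=10.0.5.23 dest_ip=10.0.1.10 http_method=GET uri_path=/app/index.jsp status=200",
    "src_ip=203.0.113.7 dest_ip=10.0.1.10 http_method=GET uri_path=/jmx-console/ status=401",
    "src_ip=203.0.113.7 dest_ip=10.0.1.10 http_method=GET uri_path=/jmx-console/HtmlAdaptor status=200",
    "src_ip=203.0.113.7 dest_ip=10.0.1.10 http_method=POST uri_path=/jmx-console/HtmlAdaptor status=200",
    "src_ip=10.0.5.40 dest_ip=10.0.1.10 http_method=GET uri_path=/web-console/Invoker status=200",
    "src_ip=10.0.5.23 dest_ip=10.0.1.11 http_method=GET uri_path=/login status=302",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value wire-data line into a field dictionary."""
    return dict(KV_RE.findall(line))

def console_prefix(path):
    """Return the console path the request targets, or '' if it is not a console."""
    for prefix in JBOSS_CONSOLE_PATHS:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return ""

def is_console_request(event):
    """The slide's rule: a GET aimed at a JBoss management console (other methods are ignored)."""
    return event.get("http_method") == "GET" and bool(console_prefix(event.get("uri_path", "")))

def find_console_probes(lines):
    """Count matching GETs per (src_ip, dest_ip, console) so an alert can key on them."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if is_console_request(ev):
            hits[(ev["src_ip"], ev["dest_ip"], console_prefix(ev["uri_path"]))] += 1
    return hits

def alerts(lines, threshold=1):
    """Sources that reached a console at least `threshold` times, busiest first."""
    probes = find_console_probes(lines)
    rows = [(s, d, c, n) for (s, d, c), n in probes.items() if n >= threshold]
    return sorted(rows, key=lambda r: (-r[3], r[0]))

if __name__ == "__main__":
    for src, dest, console, n in alerts(SAMPLE_EVENTS):
        print(f"ALERT src={src} dest={dest} console={console} get_requests={n}")
```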
What is ransomware? It’s important to know these days, because according to the Department of Justice there are over 4,000 ransomware attacks per day, up from 1,000 last year.
Ransomware is a form of malware that helps criminals extort fees from victims. It encrypts data so that the only way to decrypt the data is to pay. There’s no guarantee that the bad actors will actually send you a working decryptor either – although it is certainly in their best interest to do so.
From the criminal’s perspective, an organization with poor security hygiene is a source of revenue. Good security hygiene – including patching, blocking certain emails, and backups – is critical, but you also need to be good at detecting adversaries in the environment. If an adversary gets in, they may try to find something of value to exfiltrate and sell – e.g., patient or credit card info – but if they can’t, ransomware gives them a much easier and more lucrative way to get you to pay up; some organizations are paying tens of thousands of dollars to restore their systems.
And according to Google Trends, ransomware didn’t capture much attention until less than a year ago, back in Feb/Mar of this year, when the shift occurred from consumers to businesses as ransomware targets – businesses can pay out much more, as evidenced by the following sampling of headlines from this year.
How do you get it? Normally it isn’t that hard. Often, ransomware comes in via a malicious attachment or a malicious link. This attachment or link contains components of an exploit kit, which will target known vulnerabilities in your system or on your network in order to gain a foothold and install ransomware. Some of the vulnerabilities have been around for years but have never been patched.
Here’s our obligatory kill chain build. You can’t have a security presentation without saying Kill Chain, so we just did. We’ll keep it real simple. Bad actors create ransomware – either something generic or something targeted to you. They figure out a way of delivering it, often via email or a watering hole attack. Then you get ransomware, and hopefully, in order to get your files back, you send lots of dollars in Bitcoin to the perpetrators. By the way – that’s one reason you shouldn’t pay the ransom if you can at all avoid it – the actors may not actually give you a way to decrypt, or they may ask for more money. Regardless, the act of paying them only encourages them – so it’s best to stop this before you get infected.
After you get ransomware, your stuff is encrypted and it’s pretty much game over. Sometimes it happens within minutes, or maybe within hours – and that lag is something we can leverage in Splunk by the way. And unless you have a backup, or the ransomware you have has been publicly decrypted and you can get your hands on the decrypting tools, you’re in for a rough ride.
How can Splunk help with the detection, and ultimately the prevention, of ransomware? Well – the more you know about how things are getting in and executing, the better.
The reason Splunk is a good platform for ransomware detection? It’s the same reason that Splunk is a de-facto standard for modern security organizations and beyond. We provide a place for you to put all of your security-relevant data, and then search it all, at scale, in real time. So if you’re under attack from ransomware, you’re going to be able to search all relevant data – from firewalls, IDS, vulnerability data, wire data, email data, threat intelligence, asset and identity data, your backup systems, and endpoint data including event logs and registry data – and we will see a lot of that in the demo. Let’s start there.
In our demo we have a lot of different data sources. One of the most important is endpoint data. Ransomware almost always infects an endpoint – a laptop or a desktop, most often running Windows. Yes, there are some variants that target alternative operating systems, servers, and mobile devices, but traditionally this is a Windows endpoint problem.
If it is mostly an endpoint problem, then in order to get a handle on it, we need to have more information about what our endpoints are doing at any given time. Note that sometimes the vulnerability targeted is not on the endpoints themselves – in the SF MUNI case the attacker appeared to have targeted a vulnerability in an Oracle-based Primavera project management system. The attacker got in that way and from there moved laterally and spread the ransomware to networked computers.
There are many ways that we can detect and ultimately prevent ransomware infection via Splunk. Many of these detection techniques are endpoint-focused – both data that comes directly off the endpoints themselves and from sources of data that passively observe what the endpoints are doing. We have extensive demo scenarios to cover this, but due to time limits are only going to cover a few today.
How do we monitor endpoints using Splunk? For those that don’t know, Splunk provides a free-to-install technology called the Universal Forwarder. This is a stripped-down, lightweight version of Splunk that runs on every major operating system. It primarily reads in log files in real time (on Windows, that would be Windows events), but it can gather a lot of other things – as we can see here on this slide. We can capture information about running processes and apps. We can provide basic file integrity monitoring against native logs. We can monitor the Windows registry for changes. We can run scripts and capture the output. We can capture any perfmon values at variable granularity. We can capture wire data using Splunk Stream. And we can tie into rich data sources like Microsoft Sysmon.
Here’s a very simple diagram of the lab that I created back in September with a few colleagues, in order to conduct some ransomware infection testing and data gathering. I used a standard Windows 7 laptop as my victim, found a malicious Word document, put it onto a USB drive and loaded the Word document onto the system. The system was loaded with the Splunk UF, collecting Windows events and Microsoft Sysmon, and also collecting network wire data via Splunk Stream. Other systems existed in the lab too – in order to capture things like IDS alerts from Suricata, firewall traffic from a Fortinet firewall, Nessus vulnerability data, and forensic data from Stoq. All of this data got sent up into an instance of Splunk running in AWS. And we have a copy of that dataset with which to experiment today.