Wie Sie Ransomware aufspüren und was Sie dagegen machen können
•
4 j'aime•1,072 vues
Ransomware ist nicht mehr nur ein auf Privatanwender ausgerichtetes Ärgernis, sondern hat sich zu einer ernstzunehmenden Bedrohung für Unternehmen und Regierungseinrichtungen entwickelt. In unserem Webinar können Sie mehr darüber herausfinden, was Ransomware genau ist und wie es funktioniert. Anschliessend zeigen wir Ihnen das Ganze in einer Live Demo mit Daten aus einer Windows Ransomware Infektion. Detailliert zeigen wir Ihnen: - wie Sie mit Splunk Enterprise Ransomware IOCs "jagen" - wie Sie Malicious Endpoint Verhalten aufdecken - Abwehrstrategien
Recommandé
Contenu connexe
Tendances
Tendances (18)
En vedette
En vedette (20)
Similaire à Wie Sie Ransomware aufspüren und was Sie dagegen machen können
Similaire à Wie Sie Ransomware aufspüren und was Sie dagegen machen können (20)
Plus de Splunk
Plus de Splunk (20)
Dernier
Dernier (20)
Wie Sie Ransomware aufspüren und was Sie dagegen machen können
- 1. Ransomware Detection & Prevention Kai-Ping Seidenschnur, Sales Engineer 17 Februar 2017
- 2. Today’s Agenda 1. Intro to ransomware 2. What to instrument? 3. How to Splunk it 4. Demos! 5. Wrap up 6. Q&A 2
- 3. 3 The San Francisco/Bay Area has a light rail system called MUNI.
- 4. 4 On Black Friday Weekend, no fares were collected.
- 6. Detect Attempt at Exploit 6 We don’t know exactly the infection vector at MUNI… but… …you could use Splunk to search wire data for GET requests made to JBOSS server-admin console, and create an alert. (CVE-2015-4852)
- 8. 8 (n.) a crimeware derivative where cyber criminals hold your important data in encrypted form until you pay up.
- 9. 9 Monetize poor security hygiene
- 10. 10 It’s kind of a big deal.
- 11. 11 Attacks have shifted from consumers…
- 13. 13 It is a business… Source: http://www.br.de/nachrichten/spora-ransomware-sonicwall-102.html
- 14. Ransomware Delivery 14 Email: Malicious attachments (PDF, Office, Macros), malicious links Exploit Kits: Angler, Neutrino, Fiesta, Magnitude…. Vulnerabilities • Adobe Flash (CVE-2016-1019, CVE-2015-7645, CVE-2015-1701, CVE-2015-8446, CVE-2015-8651) • Microsoft Silverlight (CVE-2016-0034) • Microsoft Windows (CVE-2015-1701...) • JBoss-SamSam (CVE-2010-0738)
- 15. Obligatory Kill Chain Slide 15 Criminal Syndicate Ransomware Watering Hole /Exploit Kit Malicious Email (Link/Attachment) Vulnerability
- 16. 16
- 17. 17 Why is… ... so great to use for detecting and preventing ransomware?
- 18. A single place to put all security relevant data and search it at scale, in real time. (which is what we’ve done for our demo)
- 19. 19 Ransomware is an endpoint (and sometimes server) focused infection.
- 20. 20 Ergo, to battle ransomware, we must know what our endpoints are doing.
- 21. Scenarios • Detection via Firewall Logs • Detection via IDS Events • Detection via Network Activity • Detection via SMB Events • Forensics via log2timeline • Prevention via Lag Detection • Prevention via Vulnerability Management • Prevention via Backup Activity • Prevention via Automated File Analysis • Office Spawns Unusual Process – Sysmon • Office Spawns Unusual Process – Windows Events • Detection via Statistical Analysis • Detection via Windows Registry • Detection via Shannon Entropy • Detection via Fake Windows Processes and tstats • Detection via File Encryption Events • Detection via DNS Traffic • Detection via Sysmon Comms 21
- 22. Step by step instruction1 Launch instruction video2One click Online Session 3 Splunk Online Experience: Learn Splunk Skills for Security • Use sample data to safely practice security investigation techniques • Embedded help features step-by- step how to guides on finding security problems • Contains data set and tips and tricks for this ransomware webinar for you to learn URL: https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-investigation.html 22
- 23. Splunk Online Experience: Select contents for your skills • URL: https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security- investigation.html Series 1: • Basic Security Investigations Series 2: • Endpoint: Ransomware 23
- 24. 24 Scripts Perfmon Wire Data Logs Windows Events Registry Sysmon The Splunk Universal Forwarder
- 25. 25 Windows Events Sysmon The Splunk Universal Forwarder
- 26. 26 we8106desk Fortigate NG Firewall 192.168.250.1 Internetsuricata-ids OD-FM-CONF-NA (AWS) splunk-02 wenessus1 192.168.2.50WE9041SRV LAN WESIFTSVR1 WESTOQSVR1 webackupsvr1 Lab From Where the Demo Data Comes From Hi! I’m an endpoint!
- 27. DEMO 27
- 28. DETECTION: Windows events, stream, sysmon, registry, firewall….
- 29. Detection: What Did We Learn? • Many ways to detect unusual endpoint behavior that could indicate ransomware infection. • Make your searches look for general, abnormal behavior – not “specific” or you’ll never keep up. • You don’t have to turn on everything we showed to get some value – but the more you have the more confident you can be. Windows events are a bare minimum! • The earlier you detect, the better chance you have at stopping the spread. 29
- 30. 30 PREVENTION: • Infection “Lag” • Backups, backups, backups, backups, backups • Patches, patches, patches, patches and patches • Automated analysis
- 31. DEMO 31
- 32. Prevention: What Did We Learn? • Do what you can about implementing policy to harden your endpoints. • Back everything up always and verify. • Scan your systems, patch your systems, use asset and identity info. • Perform automated analysis to know when bad stuff is arriving. • Leverage infection lag built into ransomware variants to “take action” before the darkness. 32
- 33. Start Investigating Ransomware 33 • Try it Now – Splunk Ransomware Online Experience @ www.splunk.com – Clickable link will be sent via follow-up email after the webinar • Online materials – Splunk Blog – Ransomware Prevention Techniques pointers to more ransomware materials – “Splunking the Endpoint” 2-hr session from Splunk users’ conference – .conf2016 focus on ransomware – “Splunking the Endpoint” 2-hr session from Splunk users’ conference – .conf2015 malware and deep dive into Universal Forwarder, etc. – “Wrangling Ransomware with Splunk” session from .conf2016 even more ransomware techniques
- 34. Q&A Time!
- 35. Thank you.
Notes de l'éditeur
- Thanks for joining me today. This session is going to give you a very brief introduction to Ransomware. Then we’re going to talk about how you could instrument your environment using Splunk to better detect ransomware, and to ensure that your preventitive measures are in place. We’ll give a number of different demos against data from a real Ransomware infection. Then we will wrap up with questions. My goal is really two things – the first is to convince you that Splunk is an extremely valuable platform with which to detect and defend against ransomware, and to encourage you to learm more about Splunk for this and other security use cases from your local account teams. We will point you to some relevant information at the end.
- As you may know Splunk is based in San Francisco. The light-rail system in the area is called MUNI.
- Over thanksgiving weekend the payment systems at MUNI were hacked by a ransomware variant called Mamba.
- Mamba encrypted the hard drives on the farecard machines and on systems that displayed train status – these systems were disabled with a “You’ve been hacked” warning as you can see in the photo here. The SFMTA lost about $560K per day until they were back up and running, which luckily only took a few days because they had backups of most of the affected systems. But what would have happened if the systems didn’t have backups, or what if these systems had performed train control/routing tasks? The impact could have been much more severe.
- There has not been clear attribution nor official description of the methods the MUNI attacker used for the MUNI ransomware attack. BUT – based on research of his/her techniques, one method is to try and exploit known JBOSS vulnerabilities and gain a foothold in that way, and then laterally move and spread ransomware. One of the related CVEs here is 2015-4852. If you’re splunking your JBOSS logs or wire data in front of your JBOSS servers, you can easily find evidence of this happening with Splunk.
- What is ransomware? Important to know these days, because according to the Department of Justice there are over 4,000 ransomware attacks per day, which is up from 1,000 last year.
- Ransomware is a form of malware that actually helps crimnals extort fees from victims. It encypts data so that the only way to decrypt the data is to pay. There’s no guarantee that the bad actors will actually send you a working decryptor either – although it is certainly in their best interest to do so.
- From the criminal’s perspective, an organization with poor security hygiene can be a source of revenue. Good security hygiene – including patching, blocking certain emails, backups – are critical but you also need to be good at detecting adversaries in the environment, because if an adversary gets in, they may try to find something of value to exfiltrate and sell – e.g., patient or credit card info – but if they can’t, ransomware provides a way for them to get you to pay up, in a much easier and lucrative way – some organizations are paying 10s of thousands of dollars to restore their systems.
- And according to google trends, ransomware didn’t capture much attention until less than a year ago, back in Feb/Mar of this year,
- when the shift occurred from consumer
- to businesses as ransomware targets – businesses can pay out much more, as evidenced by the following sampling of headlines from this year.
- How do you get it? Normally it isn’t that hard. Often, ransomware comes in via a malicious attachment or a malicious link. This attachment or malicious link contains components of an exploit kit, which will target known vulnerabilities in your system or on your network in which to gain a foothold and install ransomware. Some of the vulnerabilities have been around for years but have never been patched.
- Here’s our obligatory kill chain build. You can’t have a security presentation without saying Kill Chain, so we just did. We’ll keep it real simple. Bad actors create ransomware - either something generic or something targeted to you. They figure out a way of delivering it, often via email or a watering hole attack. Then you get ransomware, and hopefully in order to get your files back, you send lots of dollars in Bitcoin to the perpatrators. By the way – that’s one reason you shouldn’t pay the ransom if you can at all avoid it – the actors may not actually give you a way to decrypt, or they may ask for more money. Regardless the act of paying them encourages – so best to stop this before you get infected.
- After you get ransomware, your stuff is encrypted and it’s pretty much game over. Sometimes it happens within minutes, or maybe within hours – and that lag is something we can leverage in Splunk by the way. And unless you have a backup, or the ransomware you have has been publicly decrypted and you can get your hands on the decrypting tools, you’re in for a rough ride.
- How can Splunk help with the detection, and ultimate prevention of ransomware? Well –the more you know about how things are getting in and executing, the better.
- The reason Splunk is a good platform for ransomware detection? It’s the same reason that Splunk is a de-facto standard for modern security organizations and beyond. We provide a place for you to put all of your security relevant data, and then search it all, at scale, in real-time. So if you’re under attack from ransomware, you’re going to be able to search all relavant data – from firewalls, IDS, vulnerability, wire data, email data, threat intelligence, asset and identity data, your backup systems, and endpoint data to include event logs and registry data – and we will see a lot of that in the demo. Let’s start there.
- In our demo we have a lot of different data sources. One of the most important is endpoint data. Ransomware almost always infects an endpoint – a laptop or a desktop, most often running Windows. Yes, there are some variants that target alternative operating systems, and servers, and mobile devices but traditionally this is a windows endpoint problem.
- If it is mostly an endpoint problem, then in order to get a handle on it, we need to have more information about what our endpoints are doing at any given time. Note that sometimes, the vulnerability targeted is not on the endpoints themselves – the SF MUNI appeared to have targeted a vulnerability in a Primavera project management system that was Oracle based. Attacker got in that way and from there moved laterally and spread the ransomware to networked computers.
- There are many ways that we can detect and ultimately prevent ransomware infection via Splunk. Many of these detection techniques are endpoint-focused – both data that comes directly off the endpoints themselves and from sources of data that passively observe what the endpoints are doing. We have extensive demo scenarios to cover this, but due to time limits are only going to cover a few today.
- How do we monitor endpoints using Splunk? For those that don’t know, Splunk provides a free-to-install technology called the Universal Forwarder. This is a stripped-down, lightweight version of Splunk that runs on every major operating system. It primarily reads in log files in real time (on Windows, that would be Windows events) but it can gather a lot of other things – like we can see here on this slide. We can capture information about running processes and apps. We can provide basic file integrity monitoring against native logs. We can monitor the windows registry for changes. We can run scripts and capture the output. We can capture any perfmon values at variable granularity. We can capture wire data using Splunk Stream. And we can tie into rich data sources like Microsoft Sysmon.
- How do we monitor endpoints using Splunk? For those that don’t know, Splunk provides a free-to-install technology called the Universal Forwarder. This is a stripped-down, lightweight version of Splunk that runs on every major operating system. It primarily reads in log files in real time (on Windows, that would be Windows events) but it can gather a lot of other things – like we can see here on this slide. We can capture information about running processes and apps. We can provide basic file integrity monitoring against native logs. We can monitor the windows registry for changes. We can run scripts and capture the output. We can capture any perfmon values at variable granularity. We can capture wire data using Splunk Stream. And we can tie into rich data sources like Microsoft Sysmon.
- Here’s a very simple diagram of the lab that I created back in September with a few colleagues, in order to conduct some ransomware infection testing and data gathering. I used a standard Windows 7 laptop as my victim, and found a malcious Word document to put onto a USB drive and load up the word document on the system. The system was loaded with the Splunk UF, and collecting windows events and microsoft Sysmon, and also collecting network wire data via Splunk Stream. Other systems existed in the lab too – in order to capture stuff like IDS alerts from Suricata, firewall traffic from a Fortinet firewall, Nessus vulnerability data, and forensic data from Stoq. All of this data got sent up in into an instance of Splunk running in AWS. And we have a copy of that dataset with which to experiment today.