
How to detect ransomware and what you can do about it



Ransomware is no longer just a nuisance aimed at home users; it has grown into a serious threat to companies and government institutions.

In our webinar you can find out more about what exactly ransomware is and how it works. We then show the whole thing in a live demo using data from a Windows ransomware infection.

In detail, we show you:

- how to "hunt" ransomware IOCs with Splunk Enterprise
- how to uncover malicious endpoint behaviour
- defence strategies

Published in: Technology


  1. Ransomware Detection & Prevention. Kai-Ping Seidenschnur, Sales Engineer, 17 February 2017
  2. Today's Agenda: 1. Intro to ransomware 2. What to instrument? 3. How to Splunk it 4. Demos! 5. Wrap up 6. Q&A
  3. The San Francisco/Bay Area has a light rail system called MUNI.
  4. On Black Friday weekend, no fares were collected.
  5. Ransomware!
  6. Detect Attempt at Exploit: we don't know exactly the infection vector at MUNI, but you could use Splunk to search wire data for GET requests made to the JBoss server-admin console and create an alert. (The slide cites CVE-2015-4852; that identifier belongs to the Oracle WebLogic Java deserialization flaw. The JBoss JMX console authentication bypass used in SamSam intrusions is CVE-2010-0738, listed on slide 14.)
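The check slide 6 describes, written out as an added example (not the webinar's own search or code): scan HTTP wire-data records for requests to JBoss management endpoints and alert per source address. The records are constructed and use Splunk Stream-style field names (`src_ip`, `http_method`, `uri_path`), which is an assumption; the IPs and host are hypothetical. The point a practitioner should take from it is the `methods` parameter: CVE-2010-0738 bypasses the JMX console's authentication with HTTP verbs other than GET and POST, so a search restricted to GET requests misses exactly the probe that matters.

```python
"""Added example, not from the Splunk webinar: flag requests to JBoss admin
consoles in HTTP wire data. Sample events are constructed; the key=value
field names mimic Splunk Stream HTTP events (an assumption)."""
import re
from collections import defaultdict

# Constructed sample events (hypothetical IPs and paths), one per line.
SAMPLE_EVENTS = """\
src_ip=203.0.113.7 dest_ip=10.0.0.5 http_method=GET uri_path=/jmx-console/HtmlAdaptor status=200
src_ip=10.0.0.12 dest_ip=10.0.0.5 http_method=GET uri_path=/index.html status=200
src_ip=203.0.113.7 dest_ip=10.0.0.5 http_method=HEAD uri_path=/jmx-console/HtmlAdaptor status=200
src_ip=198.51.100.9 dest_ip=10.0.0.5 http_method=POST uri_path=/invoker/JMXInvokerServlet status=200
src_ip=10.0.0.33 dest_ip=10.0.0.5 http_method=GET uri_path=/web-console/ServerInfo.jsp status=401
"""

# JBoss management endpoints that should never be reachable from untrusted networks.
ADMIN_PATH_PREFIXES = ("/jmx-console", "/web-console", "/invoker")

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict of field -> value."""
    return dict(_KV.findall(line))


def admin_console_hits(text, methods=None):
    """Return the events whose uri_path targets a JBoss admin console.

    methods=None matches any HTTP verb. Pass methods={"GET"} to reproduce a
    GET-only search and see that the HEAD and POST probes are missed; the
    CVE-2010-0738 bypass relies on verbs other than GET/POST."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev.get("uri_path", "").startswith(ADMIN_PATH_PREFIXES):
            continue
        if methods is not None and ev.get("http_method") not in methods:
            continue
        hits.append(ev)
    return hits


def alerts_by_source(text, threshold=1):
    """Count admin-console hits per src_ip; a source alerts once it reaches
    threshold (default 1: a single request to these paths is enough)."""
    counts = defaultdict(int)
    for ev in admin_console_hits(text):
        counts[ev["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in alerts_by_source(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {n} request(s) to JBoss admin console paths")
```

Run stand-alone it prints one alert line per source. The same logic as a scheduled Splunk search would key on the URI path first and the verb second, never the other way round.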
  7. What is Ransomware?
  8. (n.) A crimeware derivative in which cyber criminals hold your important data in encrypted form until you pay up.
  9. Monetize poor security hygiene.
  10. It's kind of a big deal.
  11. Attacks have shifted from consumers…
  12. …to corporations.
  13. It is a business… Source:
  14. Ransomware Delivery
     - Email: malicious attachments (PDF, Office, macros), malicious links
     - Exploit kits: Angler, Neutrino, Fiesta, Magnitude…
     - Vulnerabilities:
       - Adobe Flash (CVE-2016-1019, CVE-2015-7645, CVE-2015-8446, CVE-2015-8651)
       - Microsoft Silverlight (CVE-2016-0034)
       - Microsoft Windows (CVE-2015-1701, a Win32k privilege-escalation bug; the original slide also listed it under Flash, where it does not belong)
       - JBoss / SamSam (CVE-2010-0738)
  15. Obligatory Kill Chain Slide: Criminal Syndicate -> Ransomware -> delivered via a Watering Hole / Exploit Kit or Malicious Email (Link/Attachment) -> Vulnerability
  17. Why is … so great to use for detecting and preventing ransomware?
  18. A single place to put all security-relevant data and search it at scale, in real time (which is what we've done for our demo).
  19. Ransomware is an endpoint (and sometimes server) focused infection.
  20. Ergo, to battle ransomware, we must know what our endpoints are doing.
  21. Scenarios
     - Detection via firewall logs
     - Detection via IDS events
     - Detection via network activity
     - Detection via SMB events
     - Forensics via log2timeline
     - Prevention via lag detection
     - Prevention via vulnerability management
     - Prevention via backup activity
     - Prevention via automated file analysis
     - Office spawns unusual process: Sysmon
     - Office spawns unusual process: Windows events
     - Detection via statistical analysis
     - Detection via Windows Registry
     - Detection via Shannon entropy
     - Detection via fake Windows processes and tstats
     - Detection via file encryption events
     - Detection via DNS traffic
     - Detection via Sysmon comms
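The "Office spawns unusual process" scenario from the list above, as an added example that is not part of the webinar material: Sysmon Event ID 1 (ProcessCreate) records are parsed from their rendered "Field: value" text form and any event whose parent is an Office binary and whose child is a shell or script interpreter is flagged. The events, hostname (we8106desk, from the lab diagram), user and paths are constructed; the parent/child lists are a starting point, not an exhaustive catalogue.

```python
"""Added example, not from the webinar: flag Office applications spawning
shell or script interpreters from Sysmon Event ID 1 records. Events are
constructed; host, user and paths are hypothetical."""
import re
from ntpath import basename  # handles Windows backslash paths on any OS

# Constructed Sysmon Event ID 1 records, blank-line separated, in the
# "Field: value" layout of the rendered event text.
SAMPLE_EVENTS = """\
EventID: 1
UtcTime: 2017-02-17 09:12:03.101
Computer: we8106desk
Image: C:\\Windows\\System32\\cmd.exe
CommandLine: cmd.exe /c powershell -w hidden -enc SQBFAFgA
ParentImage: C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE

EventID: 1
UtcTime: 2017-02-17 09:12:03.455
Computer: we8106desk
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell -w hidden -enc SQBFAFgA
ParentImage: C:\\Windows\\System32\\cmd.exe

EventID: 1
UtcTime: 2017-02-17 09:15:44.000
Computer: we8106desk
Image: C:\\Windows\\splwow64.exe
CommandLine: C:\\Windows\\splwow64.exe 12288
ParentImage: C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE

EventID: 1
UtcTime: 2017-02-17 09:16:10.000
Computer: we8106desk
Image: C:\\Windows\\System32\\wscript.exe
CommandLine: wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.js
ParentImage: C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office document has no business launching on a normal desktop.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe"}


def parse_sysmon_text(text):
    """Split rendered Sysmon text into a list of field dicts.
    partition() splits on the first colon only, so drive letters and
    timestamps in the values survive intact."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def office_spawns_unusual_process(events):
    """Return (computer, parent, child, commandline) for each Event ID 1
    whose parent is an Office binary and whose child is an interpreter.
    Comparison is on the lower-cased basename so path casing does not matter."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        parent = basename(ev.get("ParentImage", "")).lower()
        child = basename(ev.get("Image", "")).lower()
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            findings.append((ev["Computer"], parent, child, ev["CommandLine"]))
    return findings


if __name__ == "__main__":
    for host, parent, child, cmd in office_spawns_unusual_process(parse_sysmon_text(SAMPLE_EVENTS)):
        print(f"{host}: {parent} -> {child}: {cmd}")
```

Two of the four constructed events fire: WINWORD.EXE launching cmd.exe and EXCEL.EXE launching wscript.exe. The cmd.exe -> powershell.exe hop is deliberately not flagged on its own; it is caught through its parent, which is the reason the slide deck insists on collecting parent/child process data (Sysmon or Windows 4688 events with command-line logging) rather than process names alone. splwow64.exe under Word is a benign print helper and shows why the child list, not "anything under Office", is the rule.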
  22. Splunk Online Experience: Learn Splunk Skills for Security. Three steps: (1) step-by-step instruction, (2) launch the instruction video, (3) one-click online session.
     - Use sample data to safely practice security investigation techniques
     - Embedded help features step-by-step how-to guides on finding security problems
     - Contains the data set and tips and tricks for this ransomware webinar for you to learn
     URL:
  23. Splunk Online Experience: select content for your skills. URL: investigation.html. Series 1: Basic Security Investigations. Series 2: Endpoint: Ransomware.
  24. Data sources fed through the Splunk Universal Forwarder: scripts, Perfmon, wire data, logs, Windows events, Registry, Sysmon.
  25. The minimum set: Windows events and Sysmon, via the Splunk Universal Forwarder.
  26. Lab, where the demo data comes from: we8106desk (the endpoint: "Hi! I'm an endpoint!"), Fortigate NG firewall, Internet, suricata-ids, OD-FM-CONF-NA (AWS), splunk-02, wenessus1, LAN, WESIFTSVR1, WESTOQSVR1, webackupsvr1.
  27. DEMO
  28. DETECTION: Windows events, stream, Sysmon, Registry, firewall…
  29. Detection: What Did We Learn?
     - There are many ways to detect unusual endpoint behaviour that could indicate a ransomware infection.
     - Make your searches look for general, abnormal behaviour, not "specific" indicators, or you'll never keep up.
     - You don't have to turn on everything we showed to get some value, but the more you have, the more confident you can be. Windows events are the bare minimum!
     - The earlier you detect, the better chance you have of stopping the spread.
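The "general, abnormal behaviour" advice above, combined with the Shannon-entropy and statistical-analysis scenarios from slide 21, as an added example that is not part of the webinar: file-create events are bucketed per host and minute, and a window alerts only when both the count of new files and the mean Shannon entropy of their names exceed thresholds. No extension or family name is matched, so a new variant with a different extension still trips it. Events, hosts and paths are constructed; the thresholds (5 files, 3.5 bits) are assumptions to tune against your own baseline.

```python
"""Added example, not from the webinar: burst-plus-entropy detection of
ransomware file activity. Events are constructed (Sysmon Event ID 11
FileCreate reduced to timestamp,host,path); hosts and paths are hypothetical."""
import math
from collections import Counter, defaultdict
from ntpath import basename

# Constructed file-create events, "ISO-timestamp,host,path", one per line.
# Minute 09:31 holds an eight-file burst with random names on the endpoint and,
# on another host, five ordinary log rotations in the same minute.
SAMPLE_EVENTS = """\
2017-02-17T09:20:01,we8106desk,C:\\Users\\bob\\Documents\\report.docx
2017-02-17T09:20:15,we8106desk,C:\\Users\\bob\\Documents\\budget.xlsx
2017-02-17T09:31:00,we8106desk,C:\\Users\\bob\\Documents\\xk29qzv8ma1t.crypt
2017-02-17T09:31:01,we8106desk,C:\\Users\\bob\\Documents\\pq7r4wz0ld3n.crypt
2017-02-17T09:31:01,we8106desk,C:\\Users\\bob\\Documents\\h5ynb1uc8wr2.crypt
2017-02-17T09:31:02,we8106desk,C:\\Users\\bob\\Pictures\\m3tfj9a6kx0e.crypt
2017-02-17T09:31:02,we8106desk,C:\\Users\\bob\\Pictures\\w8dq2lz5nvp4.crypt
2017-02-17T09:31:03,we8106desk,C:\\Users\\bob\\Desktop\\c1hb7rsy3kq9.crypt
2017-02-17T09:31:03,we8106desk,C:\\Users\\bob\\Desktop\\t6ek0muz4ja2.crypt
2017-02-17T09:31:04,we8106desk,C:\\Users\\bob\\Desktop\\r9zxw5fn1bh3.crypt
2017-02-17T09:31:10,westoqsvr1,D:\\logs\\app.log.1
2017-02-17T09:31:10,westoqsvr1,D:\\logs\\app.log.2
2017-02-17T09:31:11,westoqsvr1,D:\\logs\\app.log.3
2017-02-17T09:31:11,westoqsvr1,D:\\logs\\app.log.4
2017-02-17T09:31:12,westoqsvr1,D:\\logs\\app.log.5
"""


def shannon_entropy(s):
    """Shannon entropy of the string in bits per character (0.0 for empty)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_events(text):
    """Parse the constructed CSV-like lines into (timestamp, host, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, path = line.split(",", 2)
        events.append((ts, host, path))
    return events


def burst_alerts(events, min_count=5, min_entropy=3.5):
    """Bucket file creates per (host, minute); return
    {(host, minute): (count, mean_entropy)} for windows where the number of
    new files reaches min_count AND the mean entropy of their basenames
    reaches min_entropy. The entropy term is what separates a ransomware
    write burst from a log rotation or a build that also creates many files."""
    buckets = defaultdict(list)
    for ts, host, path in events:
        buckets[(host, ts[:16])].append(shannon_entropy(basename(path)))
    alerts = {}
    for key, ents in buckets.items():
        mean = sum(ents) / len(ents)
        if len(ents) >= min_count and mean >= min_entropy:
            alerts[key] = (len(ents), round(mean, 2))
    return alerts


if __name__ == "__main__":
    for (host, minute), (count, mean) in burst_alerts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host} {minute}: {count} new files, mean name entropy {mean} bits")
```

Only the we8106desk 09:31 window alerts. westoqsvr1 writes just as many files in that minute, but "app.log.N" names carry about 2.7 bits per character, so the entropy test drops it. The same two-feature test works on file *contents* where the collection supports it (encrypted output is near 8 bits per byte), and the count threshold is the one to revisit first when onboarding a file server.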
  30. PREVENTION:
     - Infection "lag"
     - Backups, backups, backups, backups, backups
     - Patches, patches, patches, patches and patches
     - Automated analysis
  31. DEMO
  32. Prevention: What Did We Learn?
     - Do what you can about implementing policy to harden your endpoints.
     - Back everything up, always, and verify the backups.
     - Scan your systems, patch your systems, use asset and identity info.
     - Perform automated analysis to know when bad stuff is arriving.
     - Leverage the infection lag built into ransomware variants to "take action" before the darkness.
  33. Start Investigating Ransomware
     - Try it now: Splunk Ransomware Online Experience @ (a clickable link will be sent via follow-up email after the webinar)
     - Online materials:
       - Splunk Blog, "Ransomware Prevention Techniques": pointers to more ransomware materials
       - "Splunking the Endpoint", 2-hr session from the Splunk users' conference, .conf2016: focus on ransomware
       - "Splunking the Endpoint", 2-hr session from the Splunk users' conference, .conf2015: malware and a deep dive into the Universal Forwarder, etc.
       - "Wrangling Ransomware with Splunk", session from .conf2016: even more ransomware techniques
  34. Q&A Time!
  35. Thank you.