Scenario: A user in your organization turns on his Windows desktop one morning and is greeted by a message claiming that files on the system have been encrypted and payment must be made to get the files back. As a security analyst, it is your goal to investigate the ransomware by attempting to reconstruct the events that led to the system being infected. You also want to understand the full scope of the security breach and prevent additional systems from becoming infected.
How Splunk software can help
You can use Splunk software to investigate programs or binaries that executed on the infected system, examine connections the infected machine had to other network devices, construct a timeline of events, and create traffic flow diagrams to help visualize what happened.
What you need
The best person to implement this use case is a security analyst who is familiar with network data sources and endpoint data. This person might come from your team, a Splunk partner, or Splunk onDemand Services.
A ransomware investigation using Splunk software can last from hours to months. For example, if you have only a single impacted machine that is backed up, you might decide to reimage the machine and move on. The further the reach of the attack, the longer the investigation will take, especially if you need to involve law enforcement.
The following technologies, data, and integrations are useful in successfully implementing this use case:
- Splunk Enterprise or Splunk Cloud
- Data sources onboarded
- Splunk Stream
How to use Splunk software for this use case
There are many searches you can run with Splunk software in the event of a ransomware attack. You can investigate the origin of the attack using these searches:
- FQDN associated with an IP address
- MD5 hash of an uploaded file
- Threat signatures used to investigate a cyberattack
- Files downloaded to a machine from a website
- Suspicious domains visited by a user
- Suspicious scripts in the command line
- Removable devices connected to a machine
- Files added to the system through external media
You can scope the impact of the attack using these searches:
- IP address identification based on host name
- Connections between network devices and an individual machine
- Files that belong to a network user
- Files a user uploaded to a network file share
- Time elapsed between two related events
Other steps you can take
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Notifying law enforcement and all other authorities relevant to your industry
- Implementing your security incident response and business continuity plan
- Filing cyber insurance claims with your provider
These additional Splunk resources might help you understand and implement this use case:
- E-book: Ransomware, Malware and Cyberthreats
- Webinar: Detection of Ransomware and Prevention Strategies
- Blog: Operationalize Ransomware Detections Quickly and Easily with Splunk
How to assess your results
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Time to detection: The time from when the source of the ransomware was downloaded to the user's machine to when the user received the ransomware notice
- Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed
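The timeline reconstruction and "time elapsed between two related events" searches listed earlier, and the time-to-detection metric above, can be served by a single search. The following SPL is an added example written for this page; it is not a Splunk search from the linked how-to articles. It assumes Sysmon data indexed through the Splunk Add-on for Microsoft Sysmon (index `endpoint`, the sourcetype shown, field names `Image`, `ParentImage`, `TargetFilename`, `CommandLine`, `user`), a hypothetical host name `WKSTN-042`, and the built-in `comment` macro; the process and file-name patterns are illustrative starting points, not a complete detection.

```spl
index=endpoint sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="WKSTN-042"
    (EventCode=1 OR EventCode=11)
    `comment("Added example. EventCode 1 = process create, 11 = file create; index, sourcetype, host and field names are assumptions")`
| eval process_name=lower(mvindex(split(Image, "\\"), -1)),
       parent_name=lower(mvindex(split(ParentImage, "\\"), -1)),
       file_name=lower(mvindex(split(TargetFilename, "\\"), -1))
    `comment("Reduce full paths to base names so the patterns below stay short")`
| eval stage=case(
      EventCode=11 AND match(file_name, "^(readme|restore|recover|decrypt|how_to).*\\.(txt|html|hta)$"), "ransom_note_written",
      EventCode=11 AND match(TargetFilename, "[\\\\/]Downloads[\\\\/]"), "file_downloaded",
      EventCode=1 AND match(process_name, "^(powershell|pwsh|wscript|cscript|mshta|rundll32)\\.exe$"), "script_host_started",
      EventCode=1 AND match(parent_name, "^(outlook|winword|excel|chrome|msedge|firefox)\\.exe$"), "child_of_mail_or_browser",
      1=1, "other")
| where stage!="other"
| eval detail=coalesce(CommandLine, TargetFilename)
    `comment("Per host: first download-like file write and first ransom note; their difference is the time-to-detection metric")`
| eventstats min(eval(if(stage="file_downloaded", _time, null()))) AS first_download,
             min(eval(if(stage="ransom_note_written", _time, null()))) AS first_note BY host
| eval offset_sec=round(_time - first_download, 0),
       download_to_note_sec=round(first_note - first_download, 0)
| table _time host user stage process_name parent_name detail offset_sec download_to_note_sec
| sort 0 _time
```

Each row of the result is one timeline entry, ordered by time; `offset_sec` shows how long after the first download each event occurred, and `download_to_note_sec` repeats the download-to-ransom-note interval on every row so it can be read directly or charted. Widening the `host=` clause to the affected subnet (or removing it and keeping the `BY host` grouping) turns the same search into a scoping query that shows which other machines wrote ransom notes and when.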