
Identifying KRACK Attack Vulnerable Devices with Splunk

What is KRACK Attack?

Most modern wireless networks rely on WPA2 to encrypt traffic between a device and its access point. KRACK (Key Reinstallation Attack) is a technique against the WPA2 protocol itself: by replaying handshake messages, an attacker within radio range tricks a device into reinstalling a key it is already using, which resets the nonce and lets the attacker decrypt traffic that was supposed to be protected (and, depending on the cipher suite in use, inject or replay packets). As a consequence, chat messages, photos, credit card numbers and other sensitive information sent over the wireless link can be stolen without your knowledge.

Why it Matters to Your Organization

Simply put, just about every device that uses WPA2 is at risk, including mobile devices, laptops, and routers. It is important to highlight that KRACK exploits a flaw in the WPA2 protocol, not in one vendor's implementation, so any vendor that implemented the standard faithfully is affected. Most of the CVE identifiers below apply to clients; CVE-2017-13082 covers access points that support 802.11r fast BSS transition, so check both sides of the link.

What Should You Do

  • Identify vulnerable devices.
  • Patch your devices as quickly as reasonable. Client patches are what close the client-side CVEs; access point patches close CVE-2017-13082.
  • Use additional security controls that encrypt above the wireless layer: HTTPS (TLS) for web browsing, or a VPN. These protect only the traffic that actually uses them.
  • DO NOT disable WPA2. DO NOT go back to WEP; WEP is far weaker than even an unpatched WPA2 network.

Using Splunk for Identifying Vulnerabilities

Splunk has integrations with leading vulnerability scanning technologies, which you can find on Splunkbase.

IMPORTANT

Before running the scans, please ensure that you update your vulnerability scanner signatures. Otherwise, you might end up missing vulnerable systems.

If you use Splunk Enterprise, you can search your scan data directly. The example below looks for Nessus scan events with 'sourcetype=nessus:scan'; replace that with the sourcetype of your scanner. If you use a different scan engine, verify that it produces fields named cve, hostname and signature, or adjust the field names accordingly. Field values in the search command are matched case-insensitively, so the lowercase identifiers below also match the upper-case CVE-2017-... values a scanner reports. The 1-day bucket only has an effect when _time is part of the by clause; with it, you get one row per host, plugin and day, which makes it easy to see when a host stops appearing after it is patched.

sourcetype=nessus:scan
    (cve="cve-2017-13077" OR cve="cve-2017-13078" OR cve="cve-2017-13079" OR
     cve="cve-2017-13080" OR cve="cve-2017-13081" OR cve="cve-2017-13082" OR
     cve="cve-2017-13083" OR cve="cve-2017-13084" OR cve="cve-2017-13085" OR
     cve="cve-2017-13086" OR cve="cve-2017-13087" OR cve="cve-2017-13088")
| bucket _time span=1d
| stats values(cve) as CVEs by _time, hostname, signature

If you are a Splunk Enterprise Security customer, you can use the Vulnerability dashboards. For example, the screenshot below shows the Vulnerability Center, which gives you an overview of all scan results.

If you are looking for a specific vulnerability in ES, you can use the Vulnerability Search dashboard. For example, the screenshot below shows the results for a Windows Task Scheduler vulnerability.

To search for multiple CVE numbers, you can use the search below. It queries the Vulnerabilities data model with tstats rather than raw events, and returns the findings grouped by host and scanner signature. Please ensure that the Vulnerabilities data model is populated in your Splunk Enterprise Security instance. The summariesonly macro controls whether tstats reads only from accelerated summaries; if the data model is not accelerated and the macro restricts the search to summaries, the search returns nothing. If you get no results, confirm acceleration first, then compare the literal case of the cve values in your scan data with the values in the where clause.

| tstats `summariesonly` count as findings, dc(Vulnerabilities.cve) as vuln_count,
    values(Vulnerabilities.cve) as CVEs, max(_time) as last_seen
    from datamodel=Vulnerabilities.Vulnerabilities
    where (Vulnerabilities.cve="cve-2017-13077" OR Vulnerabilities.cve="cve-2017-13078" OR
           Vulnerabilities.cve="cve-2017-13079" OR Vulnerabilities.cve="cve-2017-13080" OR
           Vulnerabilities.cve="cve-2017-13081" OR Vulnerabilities.cve="cve-2017-13082" OR
           Vulnerabilities.cve="cve-2017-13083" OR Vulnerabilities.cve="cve-2017-13084" OR
           Vulnerabilities.cve="cve-2017-13085" OR Vulnerabilities.cve="cve-2017-13086" OR
           Vulnerabilities.cve="cve-2017-13087" OR Vulnerabilities.cve="cve-2017-13088")
    by Vulnerabilities.dest, Vulnerabilities.signature
| rename Vulnerabilities.* as *
| convert ctime(last_seen)
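The following is an added example, not code from the original post or from Splunk. It reproduces offline, in Python, what the two searches above do, so you can check the matching logic against a handful of constructed scan events before running it at scale. The field names (hostname, dest, signature, cve) follow the page; the sample events, hostnames and signature strings are made up for the example. It also makes explicit two things the SPL hides: the CVE match must be case-insensitive, and a scanner that emits several CVEs in one multivalue field must be matched element by element. The output is shaped as rows for a CSV lookup, which is one way to build the watch list recommended below.

```python
import json
from collections import defaultdict

# The twelve CVE identifiers the searches on this page look for
# (CVE-2017-13077 through CVE-2017-13088), normalised to upper case.
KRACK_CVES = frozenset("CVE-2017-%d" % n for n in range(13077, 13089))

# Constructed sample events (not real scanner output) in the one-finding-per-event
# shape a scanner add-on produces for Splunk. Note the mixed case of the cve
# values and the unrelated MS17-010 finding, which must not be reported.
NESSUS_STYLE_EVENTS = [
    '{"_time": "2017-10-17T08:12:00Z", "hostname": "ap-lobby-01", '
    '"signature": "WPA2 Key Reinstallation (KRACK) - Access Point", "cve": "CVE-2017-13082"}',
    '{"_time": "2017-10-17T08:12:30Z", "hostname": "laptop-0427", '
    '"signature": "WPA2 Key Reinstallation (KRACK) - Client", "cve": "cve-2017-13077"}',
    '{"_time": "2017-10-18T09:01:00Z", "hostname": "laptop-0427", '
    '"signature": "WPA2 Key Reinstallation (KRACK) - Client", "cve": "CVE-2017-13078"}',
    '{"_time": "2017-10-18T09:02:00Z", "hostname": "laptop-0427", '
    '"signature": "MS17-010: SMBv1 Remote Code Execution", "cve": "CVE-2017-0144"}',
    '{"_time": "2017-10-18T09:05:00Z", "hostname": "printer-03", '
    '"signature": "Outdated firmware"}',
]

# A second (constructed) scanner feed that uses the CIM field name dest and emits
# a multivalue cve field as a JSON list, which a plain string comparison would miss.
CIM_STYLE_EVENTS = [
    '{"_time": "2017-10-18T10:00:00Z", "dest": "phone-1188", '
    '"signature": "KRACK group key handshake", "cve": ["CVE-2017-13080", "CVE-2017-13081"]}',
]


def find_krack_hosts(events, host_field="hostname", sig_field="signature", cve_field="cve"):
    """Apply the page's search logic to raw JSON events.

    Returns {host: {signature: {"cves": [...], "last_seen": "..."}}}, the
    equivalent of filtering on the KRACK CVE list and then running
    stats values(cve) by hostname, signature. CVE matching is case-insensitive,
    as Splunk's search command matches field values, and a multivalue cve field
    is handled element by element.
    """
    hits = defaultdict(lambda: defaultdict(lambda: {"cves": set(), "last_seen": None}))
    for raw in events:
        event = json.loads(raw)
        cves = event.get(cve_field)
        if cves is None:
            continue  # finding carries no CVE, nothing to match
        if isinstance(cves, str):
            cves = [cves]
        matched = {c.upper() for c in cves if c.upper() in KRACK_CVES}
        if not matched:
            continue
        entry = hits[event[host_field]][event[sig_field]]
        entry["cves"] |= matched
        seen = event.get("_time")
        # ISO-8601 UTC timestamps sort lexicographically, so the max is the latest.
        if seen and (entry["last_seen"] is None or seen > entry["last_seen"]):
            entry["last_seen"] = seen
    return {host: {sig: {"cves": sorted(v["cves"]), "last_seen": v["last_seen"]}
                   for sig, v in sigs.items()}
            for host, sigs in hits.items()}


def watchlist_rows(results):
    """Flatten results into rows (host, signature, cves, last_seen) suitable for
    writing out as a CSV lookup to serve as a watch list of affected hosts."""
    rows = []
    for host in sorted(results):
        for sig, v in sorted(results[host].items()):
            rows.append({"host": host, "signature": sig,
                         "cves": ";".join(v["cves"]), "last_seen": v["last_seen"]})
    return rows


if __name__ == "__main__":
    found = find_krack_hosts(NESSUS_STYLE_EVENTS)
    found.update(find_krack_hosts(CIM_STYLE_EVENTS, host_field="dest"))
    for row in watchlist_rows(found):
        print(row)
```

Running the block prints one row per affected host and signature; the printer with no CVE and the unrelated MS17-010 finding on the laptop are dropped, while the two client CVEs on the laptop are merged into a single row.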

Recommendations

Once you have identified the vulnerable systems, add them to a watch list (or an equivalent asset lookup) so that activity from those hosts can be tracked and prioritized while your IT team rolls out the patches. Re-run the search after each patch cycle and retire hosts from the list once they no longer appear in the scan results. Keep in mind that a scanner only reports on hosts it can reach; wireless clients such as phones and personally owned laptops that are never scanned will not show up here, so cross-check against the inventories from your wireless controller or mobile device management system.

For more information, contact a Splunk security expert.

References

The original disclosure by Mathy Vanhoef: https://www.krackattacks.com/

Cisco advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

Vendor responses to the vulnerability:
https://github.com/kristate/krackinfo
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

Microsoft Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

Thanks to Rico Valdez, Splunk Research and the Splunk team.

Posted by Monzy Merza

Monzy Merza serves as the head of security research at Splunk. With over 15 years of cybersecurity leadership in government and commercial organizations, Monzy is responsible for helping advise and implement strategic security programs for Splunk's cybersecurity customers, working hand-in-hand with executives across the Fortune 500 to develop modern security architectures. Monzy is also responsible for leading the Splunk Cyber Research team, which arms Splunk customers with actionable threat intelligence to combat advanced threats. A noted international speaker, Monzy frequently presents at government and industry events on topics such as nation state threat defense and machine learning. His current security research is focused on integrated approaches to human-driven and automated responses to targeted cyberattacks.
