EO, EO, It’s Off to Work We Go! (Protecting Against the Threat of Ransomware with Splunk)

Authors and Contributors: As always, security at Splunk is a family business. Mick Baccio, James Brodsky, Tamara Chacon, Drew Church, Shannon Davis, Marcus LaFerrerra, Dave Herrald, Ryan Kovar and John Stoner.

On June 2nd, 2021, the White House released a memo from Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology. The subject? “What We Urge You To Do To Protect Against The Threat of Ransomware.” It outlines several recommendations on how to protect your organization from ransomware. The memo was a follow-up to President Biden’s May 12th Executive Order on Improving the Nation’s Cybersecurity Order (EO14028).

While the memo contains a series of recommendations that some may see as common sense, we URGE (like the subject of the memo) you to:

  • Read this blog
  • Read the memo
  • Read the Executive Order
  • Follow the recommendations if you haven’t already done so

And, hey… if you didn’t have time for anything after “Read this Blog,” don’t worry. We read the memo and EO in-depth, and this blog is designed to provide you with the information and takeaways to start acting immediately. So if your boss asks you: “Hey, how are we going to meet those EO requirements?” You can say: “No worries, Splunk already figured it out for us.” Or cut the word “Splunk” and put your name in… we won’t tell anyone if you don’t.

What You Need to Know About the May 12th Executive Order

We’ve distilled the best practices and recommendations from both the Executive Order and the memo below for easier consumption. A fact sheet from the White House is also available that provides a high-level overview of the Executive Order.

The 5 Best Practices Called Out in the Executive Order Are:

  1. Implement multi-factor authentication (MFA)
  2. Implement endpoint detection and response in support of proactive detection, cyber hunting, containment, remediation, and incident response
  3. Encrypt your data
  4. Employ a skilled and empowered security team
  5. Share and incorporate threat intelligence

The 5 Recommendations From the Ransomware Memo Are:

  1. Backup your data
  2. Promptly patch your systems and applications
  3. Test your incident response plan
  4. Validate your security team’s work (pen testing/red teaming)
  5. Segment your network

Let’s take a brief look at each of these ten recommendations and best practices.

Implement Multi-Factor Authentication

Multi-factor authentication relies on having more than just a username and password to access an application, system, or network. Generally, a token of some sort is used because it is something a valid user can provide. And even if their password is compromised, adversaries would be less likely to also have that token, thus raising the bar to authenticate as a legitimate user.

Wherever possible, you should be implementing multi-factor authentication (sometimes called two-factor authentication or 2FA; there’s no shortage of names or acronyms). But how can you ensure it stays configured and that your users are actually using it? Most authentication providers that send events to Splunk record in their logs how each user authenticated, including whether a second factor was used. Here, we’ve ingested Okta authentication data into Splunk:

[Screenshot: Okta authentication event in Splunk, showing the multi-factor authentication details]

We can see lots of great data here, including the multi-factor authentication method (this one is SMS) as well as the username, the IP address the request came from, and the application being accessed (Salesforce). We can also see the user agent of the machine being used (a MacBook running Chrome).

With this data, we can configure some simple dashboards to show multi-factor activity. If there is a significant increase in non-multi-factor authentication in your environment, that’s something to alert against and mitigate.

[Screenshot: Splunk dashboard of MFA details]
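The alerting idea above (a rise in non-MFA authentications), worked through in Python as an added example that is not part of the original post. The events are constructed; the eventType names and the actor/outcome field layout follow Okta's System Log as an assumption, so map them to whatever your provider actually emits.

```python
from collections import Counter

# Constructed, simplified Okta System Log-style events (not real data).
def okta_event(event_type, user, result="SUCCESS", factor=None):
    ev = {"eventType": event_type, "outcome": {"result": result},
          "actor": {"alternateId": user}, "debugContext": {"debugData": {}}}
    if factor:
        ev["debugContext"]["debugData"]["factor"] = factor
    return ev

BASELINE = [  # last window: every session was backed by an MFA verification
    okta_event("user.authentication.auth_via_mfa", "alice", factor="SMS"),
    okta_event("user.session.start", "alice"),
    okta_event("user.authentication.auth_via_mfa", "bob", factor="TOTP"),
    okta_event("user.session.start", "bob"),
]
CURRENT = [  # this window: bob signs in twice with no MFA verification at all
    okta_event("user.authentication.auth_via_mfa", "alice", factor="SMS"),
    okta_event("user.session.start", "alice"),
    okta_event("user.session.start", "bob"),
    okta_event("user.session.start", "bob"),
    okta_event("user.session.start", "bob", result="FAILURE"),  # not counted
    okta_event("user.authentication.auth_via_mfa", "carol", factor="SMS"),
    okta_event("user.session.start", "carol"),
]

def mfa_coverage(events):
    """Per user: (successful sessions, successful MFA verifications)."""
    sessions, mfa = Counter(), Counter()
    for ev in events:
        if ev["outcome"]["result"] != "SUCCESS":
            continue
        user = ev["actor"]["alternateId"]
        if ev["eventType"] == "user.session.start":
            sessions[user] += 1
        elif ev["eventType"] == "user.authentication.auth_via_mfa":
            mfa[user] += 1
    return {u: (sessions[u], mfa[u]) for u in sessions}

def non_mfa_share(coverage):
    """Fraction of sessions that have no matching MFA verification."""
    total = sum(s for s, _ in coverage.values())
    without = sum(max(s - m, 0) for s, m in coverage.values())
    return without / total if total else 0.0

def mfa_drift(baseline, current, max_increase=0.10):
    """Alert when the non-MFA share grows by more than max_increase."""
    base = non_mfa_share(mfa_coverage(baseline))
    cur_cov = mfa_coverage(current)
    cur = non_mfa_share(cur_cov)
    users = sorted(u for u, (s, m) in cur_cov.items() if m < s)
    return {"baseline": base, "current": cur, "users_without_mfa": users,
            "alert": cur - base > max_increase}
```

The same ratio is what a Splunk dashboard panel would chart over time; the users list is what an analyst would pivot on when the alert fires.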

Implement Endpoint Detection and Response

The executive order directed agencies to deploy an Endpoint Detection and Response initiative “to support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response.” Having good visibility at the endpoint is critical to understanding what is transpiring because the endpoint is closest to the user and where much of the data is being accessed. At Splunk, we partner with several endpoint solutions that can provide visibility into actions occurring on the endpoint. By ingesting this data into Splunk and correlating it with systems, users, vulnerability, and network data, organizations gain proactive detection and threat hunting capabilities. 

While some endpoint tools have response capabilities built into them, a more comprehensive response across an organization is often needed, and utilizing an orchestration and automation platform to provide containment and remediation can be used to streamline this broader effort. Identifying an attack on one system and being able to automate a response to mitigate the impact of that attack to all other systems in seconds is key to containment.

Encrypt Your Data

Ms. Neuberger succinctly reminded us to make our organization’s data unusable for extortion via encryption. Encryption of data at rest is a familiar concept, but it can be challenging to implement and even more difficult to ensure it's applied uniformly across your organization. If you’re struggling with this and do not have a solution in place today, consider leveraging our DB Connect app on Splunkbase to run SQL-based checks to ensure you’re protecting your data. For example, Microsoft SQL Server implements Transparent Data Encryption (TDE) to help with this data at rest problem. The example below demonstrates a query of the encryption status from the SQL Server and brings that into Splunk.

| dbxquery query="SELECT * FROM \"sys\".\"databases\" where is_encrypted=0" connection="DB" 
| fields name, is_encrypted

From here, analysts can create alerts, dashboards, or Enterprise Security notable events to initiate corrective action. Most common database technologies support some version of TDE and should be able to be queried in a similar fashion. Enlist the help of your friendly neighborhood DBA for your specific database vendor; they’d love to help.
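An added example (not from the blog or from Splunk DB Connect) of how to classify the rows that query returns before raising a notable event. The rows are constructed and mirror sys.databases (name, is_encrypted) joined with sys.dm_database_encryption_keys (encryption_state); it also covers two cases the plain is_encrypted=0 filter gets wrong, namely system databases that TDE cannot encrypt and databases still mid-encryption.

```python
# encryption_state values of sys.dm_database_encryption_keys in SQL Server.
ENCRYPTION_STATE = {0: "no key", 1: "key present, encryption off",
                    2: "encryption in progress", 3: "encrypted",
                    4: "key change in progress", 5: "decryption in progress",
                    6: "protection change in progress"}
# SQL Server does not permit TDE on master, model and msdb, and tempdb is
# encrypted automatically once any user database is: none are actionable,
# yet all four match is_encrypted = 0 and would fire the alert forever.
TDE_EXEMPT = {"master", "model", "msdb", "tempdb"}

SAMPLE_ROWS = [  # constructed sample data
    {"name": "master", "is_encrypted": 0, "encryption_state": None},
    {"name": "model", "is_encrypted": 0, "encryption_state": None},
    {"name": "msdb", "is_encrypted": 0, "encryption_state": None},
    {"name": "tempdb", "is_encrypted": 0, "encryption_state": None},
    {"name": "Payroll", "is_encrypted": 1, "encryption_state": 3},
    {"name": "CRM", "is_encrypted": 1, "encryption_state": 2},
    {"name": "Archive", "is_encrypted": 0, "encryption_state": None},
    {"name": "Legacy", "is_encrypted": 0, "encryption_state": 1},
]

def classify(row):
    """Map one database row to a posture label."""
    if row["name"].lower() in TDE_EXEMPT:
        return "exempt"
    state = row["encryption_state"]
    if row["is_encrypted"] == 1 and state == 3:
        return "encrypted"
    # is_encrypted reflects the last ALTER DATABASE ... SET ENCRYPTION setting,
    # so a database still being encrypted (state 2) already reports 1 and
    # slips past a bare is_encrypted = 0 check even though data is plaintext.
    if row["is_encrypted"] == 1:
        return "in progress: " + ENCRYPTION_STATE.get(state, "unknown")
    return "unencrypted: " + ENCRYPTION_STATE.get(state, "no key")

def tde_posture(rows):
    return {r["name"]: classify(r) for r in rows}

def remediation_list(rows):
    """User databases that still hold plaintext: the ones to alert on."""
    return sorted(name for name, label in tde_posture(rows).items()
                  if label not in ("exempt", "encrypted"))
```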

Employ a Skilled and Empowered Security Team

If you’re a people leader reading this blog, we hope you’ll take a moment and consider your teams’ professional development. There’s never a good time to have someone away from the critical work they need to do to secure your organization. Still, you’ll be thankful for their skillful contributions during the next security incident.

There are several different resources available, both from Splunk and from some amazing security organizations. Splunk offers a comprehensive catalog of courses designed to get you and your team up to speed on Splunk’s offerings. If you want some practical and free Splunk security training, check out our popular blog series: "Hunting with Splunk: The Basics." We also offer a variety of analyst-focused security workshops and blue-team capture the flag (CTF) events (BOTS at .conf21 anyone?) designed to deliver hands-on learning to teams through realistic data sets and scenarios. Check out our Events page for a schedule or reach out to your account team. Don’t forget to tell them we sent you!

Looking outside of Splunk, we want to call your attention to some other security training resources. SANS represents the gold standard in security training. In particular, Splunk endorses the SANS Blue Team training offerings for building a solid foundation of defensive security skills and knowledge. We know security training can be expensive, but there are high-quality, reasonably priced options out there. Consider the course library offered by Chris Sanders. This acclaimed series includes topics such as investigation theory, threat hunting, packet analysis, and more. Chris also provides an entirely free introduction to the world of information security, The Cuckoo’s Egg Decompiled Course.

Share and Incorporate Threat Intelligence

Sharing and leveraging threat intelligence is a great step forward in helping to reduce the risk to your organization. The benefits go beyond just ransomware. We’ve blogged extensively in the past on how to leverage threat intelligence, from COVID-19 scams to more recent events such as SUNBURST, HAFNIUM, and Pulse Connect Secure (CISA 21-03). Now that TruSTAR is part of the Splunk security family, it’s even easier to share and incorporate threat intelligence into your defensive capabilities. Check out the shiny new TruSTAR Unified app on Splunkbase, which works with both Splunk Enterprise as well as Splunk Enterprise Security. You’ll be able to curate your threat intelligence needs and easily incorporate threat intelligence from other trusted parties. 

Using another source for your threat intelligence? No problem there either. There are many ways to integrate your threat intelligence process into Splunk. Need a quick way to get started? Just take a look at some of the apps currently available in Splunkbase or, better yet, check out John Stoner’s .conf20 presentation, "ES Biology IV: Integrating a Threat Intelligence Platform," or Ryan Kovar and Dave Herrald’s talk at the SANS CTI Summit.

Backup Your Data

While backing up your data won’t protect you from the latest double extortion ransomware schemes, it’s still a critical step in recovering from a ransomware attack, and experts suggest you follow the “3-2-1” rule. But how can Splunk help, exactly? Most modern, centralized backup solutions have an operations log that you can bring into Splunk. Or, if your solution is decentralized, you can always pull in the operations logs from endpoints themselves. In both cases, the Splunk Universal Forwarder is the recommended method to get these logs into Splunk.

We happen to have a few searches in our Splunk Security Essentials app (see below) to allow you to monitor successful and unsuccessful backups. Two are usable as-is, and two of them are part of the Monitor Backup Solution analytic story in ESCU. Too many unsuccessful backups on the servers or workstations that keep your crown jewels, and that’s something you’ll want to remediate.

[Screenshot: Splunk Security Essentials searches for monitoring successful and unsuccessful backups]

Patch Your Systems and Applications

"Patch your stuff!" It's a common admonishment, regularly heard wafting lazily from one security industry ivory tower or another. The truth is that patching is a vast topic. The process never ends, and security teams are often not directly responsible for executing it. Difficult as it may be, we can't afford to ignore patching. Splunk is not a patch management system, but if you are in the trenches fighting to keep systems and apps up to date, we can help in a couple of different ways. 

First, you need to know what you have before you can patch it. And it's even better if you know the criticality of these assets relative to one another. This knowledge allows you to make better choices when establishing patching processes, selecting technology, and prioritizing your efforts. The Splunk Asset & Identity Framework (a feature of Splunk Enterprise Security) is a powerful tool to keep track of the systems, applications, and users in your environment. 

Next, you can track the status of updates (patches) on the systems in your environment using the Update Center Dashboard and Update Search Dashboard in Splunk Enterprise Security. These dashboards show an overview of systems that are not updated and the top updates needed. They also allow you to search by individual system, patch id (e.g. Microsoft KB number), and update status. Because these dashboards are driven by the Splunk Common Information Model (CIM), they automatically display data about all systems properly configured to send their patch status logs to Splunk.

Test Your Incident Response Plan

NIST 800-61 is a fantastic place to start when developing an incident response plan, and we would highly recommend starting there. That said, a plan is only good if everyone understands it and can execute it. Take the time to test and retest your incident response plan. Utilize the tools that you have deployed and determine if the tools are helping or there are gaps in coverage in your network. A failure during a test isn’t the end of the world, it is an opportunity to make improvements before putting the incident response plan into action.

If you’re not sure that your Splunk deployment is quite up to the task of handling the next security incident, Splunk can help! We have put together a specific services offering to help you respond, using our products. This Breach Response Readiness service helps you get the right data into Splunk, implement best-practice detections against the data, and ultimately helps speed your response to the next ransomware (or other security) event.

Validate Your Security Team’s Work

Utilizing a third party to validate your security controls is always a good idea. Even with great internal red team capabilities, having a set of eyes from outside your organization can provide great insight into how well you are protected.

One such company that we’ve worked with is Counter Hack. Founded by Ed Skoudis, Counter Hack provides a broad range of services such as penetration testing and secure architecture reviews.

But engaging a company to assist in this area is only half the battle. If you don’t implement their findings then what was the point of engaging them in the first place?

Segment Your Network

Network segmentation is commonly recommended as a great way to prevent ransomware from spreading broadly across an organization. If the adversary can’t easily move laterally, it makes achieving their objectives more difficult. Who knows, they may decide to move to another target. Even if ransomware executes and spreads, network segmentation can contain and mitigate the impact of the attack, hopefully far away from your most important assets.

The best part about network segmentation is that it doesn’t require anything fancy. Ingesting network telemetry from things like Splunk Stream, Zeek, or even Netflow provides visibility into communication paths, and alerts can be raised when abnormal communication is occurring between hosts, or if a host is communicating in a manner that is unexpected.
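The segmentation check described above, as an added example that is not part of the original post: a small Zeek conn.log parser plus a constructed segment map and allow-list, flagging any flow that crosses segments outside the expected paths. The segment names, networks, allowed (source, destination, port) tuples and the log lines are all constructed for illustration.

```python
import ipaddress

# Constructed segment map: name -> network.
SEGMENTS = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "backup": ipaddress.ip_network("10.30.0.0/24"),
}
# Constructed allow-list of expected cross-segment paths:
# (source segment, destination segment, destination port).
ALLOWED = {("user_lan", "servers", 443), ("servers", "backup", 10000)}

# Constructed Zeek conn.log excerpt (tab-separated, with the #fields header).
SAMPLE_CONN_LOG = "\n".join("\t".join(c) for c in [
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"),
    ("1622592000.1", "C1", "10.10.5.20", "51000", "10.20.1.10", "443", "tcp"),
    ("1622592001.2", "C2", "10.10.5.20", "51001", "10.30.0.5", "445", "tcp"),
    ("1622592002.3", "C3", "10.10.5.20", "51002", "10.10.7.9", "445", "tcp"),
    ("1622592003.4", "C4", "10.20.1.10", "40000", "10.30.0.5", "10000", "tcp"),
    ("1622592004.5", "C5", "10.10.5.20", "51003", "198.51.100.7", "443", "tcp"),
])

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def parse_conn_log(text):
    """Parse Zeek conn.log TSV, taking column names from the #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def unexpected_flows(rows):
    """Internal flows between two different segments not on the allow-list."""
    hits = []
    for r in rows:
        src, dst = segment_of(r["id.orig_h"]), segment_of(r["id.resp_h"])
        if src == dst or "external" in (src, dst):  # intra-segment and egress handled elsewhere
            continue
        port = int(r["id.resp_p"])
        if (src, dst, port) not in ALLOWED:
            hits.append({"uid": r["uid"], "src": r["id.orig_h"], "dst": r["id.resp_h"],
                         "port": port, "path": f"{src}->{dst}"})
    return hits
```

In the sample only C2 fires: a user workstation opening SMB (445) straight to the backup segment, exactly the path ransomware uses to reach backups.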

Using Splunk Enterprise Security for Ransomware Detection

Know thyself

We have just shared many best practices and recommendations on how to be effective in handling cybersecurity threats, with a specific focus on ransomware. Now you may be thinking, ok, thanks for the tips, but can you help me with some methods to detect this stuff?

Fear not, we have a number of detections already available to share. We have analytic stories (sets of detections for a specific threat actor or event) for a few of the more notable ransomware outbreaks like SamSam, Ryuk and Clop, and we also have additional detections within Splunk Security Essentials (SSE) and Enterprise Security Content Updates (ESCU) that address a number of the items we discussed above. For example, detections around Okta user lockout events and other Okta detections are available to address multi-factor authentication. If you have ESCU running today, you already have some great coverage available to you!

Ransomware Posture Dashboard

On top of the searches outlined above, we’ve put together a sample dashboard. This dashboard shows how you could report on some of the recommendations made in the memo and executive order. We have built the dashboard with the following data:

  • Failed MFA Authentications
  • Unencrypted Databases
  • EDR/Sysmon Installation Status
  • Unsuccessful Backups
  • Unsuccessful System Updates

Code for the dashboard can be found here. Searches may need to be modified to reflect the data sources you have available. This idea could be expanded upon further to provide a view into Ransomware posture that is executive-focused, as well, so that your company leadership has a single place to go to understand how well you’re doing against the EO and memo guidance.

The recommendations and best practices outlined in the June 2nd, 2021 memo, “What We Urge You To Do To Protect Against The Threat of Ransomware,” can have immediate as well as long-term impact to the cybersecurity of your organization if implemented. We realize that ransomware is a significant risk and hope that you’ve taken many or all of these steps already. If not, there’s no better time than now to start. It can take time to properly implement, depending on the size of your organization and the complexity of infrastructure. Hopefully, the searches and our analysis will allow you to generate greater visibility into your environment and any malicious activity that you might be experiencing. If they don’t work perfectly, think of them as “SplunkSpiration.” :-)

Posted by Shannon Davis

Security practitioner, Melbourne, Australia via Seattle, USA.