Splunk SURGe recently released a whitepaper, blog and video that outline the encryption speeds of 10 different ransomware families. The outcome of this research was that it is unlikely that a defender will be able to do anything once the encryption has started. Ransomware today is also mostly “human-operated”: many systems are sought out and compromised before any encryption activities occur and, once they do, the encryption is just too fast for a defender to meaningfully limit the damage done.
Depressing as this might sound, there are actions you as a defender can take to protect yourself. Defense activities should focus on prevention, detection and mitigation “left of boom,” where “boom” refers to the encryption, exfiltration and destruction of data. There are plenty of attacker activities that need to happen long before the “boom” actually occurs. For instance, there is always a stage of consolidation and preparation where the attacker moves laterally via command and control activities to get access to as many systems as possible. Each one of those activities offers you, as a defender, an opportunity to disrupt the attack. Luckily, many of the defense activities are actions that you are probably already doing, or have the ability to do today.
What can we as a company do to help our customers and the wider cyber security community with these defense activities? Looking at the lifecycle of a ransomware attack, as presented beautifully by CERT NZ in this online guide, we see that many of the steps in a ransomware attack are similar to other types of intrusions and attacks. Hence, Splunk users already have the capability and the relevant security content to do something about this problem. We just need to make this content searchable and available as well as “framing” it in a ransomware context.
The outcome is an online environment where the user can interact with all the stages and phases of an attack and highlight existing security content that deals with this specifically. The idea is to provide help in the form of specific content dealing with practical things you can do as a defender to disrupt the attack. Instead of re-inventing the wheel, we used the great work done by CERT NZ to visualize the ransomware lifecycle. The types of content mapped out in this interactive environment include detections from our Splunk Threat Research Team (STRT), blog posts and .conf talks by Splunk experts and customers, video tutorials and more.
Authors and Contributors: As always, security at Splunk is a family business. Credit to authors and collaborators Johan Bjerke and Alex Salesi.