Using Splunk Enterprise Security and Booz Allen Cyber4Sight for Splunk for Advanced Threat Detection and Mitigation

Security teams continue to look for flexibility to detect and mitigate advanced threats and malware such as ransomware, and Splunk provides exactly that.

Get started by using the free Splunk Security Essentials for Ransomware app with Splunk Enterprise, or use Splunk Enterprise Security (ES) to manage risk and response to WannaCry and similar types of ransomware. The app provides a starting point you can customize to work in your specific environment and includes more than a dozen use cases that allow you to measure how effectively you're reducing the risk of exploits, as well as searches which can help detect the effects of ransomware within your enterprise.

Splunker Anthony Tellez has shared how easy it is to use Splunk Enterprise Security and its Threat Intelligence framework for ransomware detection. You can learn more from Splunk documentation on how to add a ransomware threat feed to Splunk Enterprise Security.

Now, with the general availability of Booz Allen Cyber4Sight for Splunk and its human-curated threat intelligence service, Splunk ES customers have another option to detect and mitigate ransomware.

How Could Cyber4Sight Have Protected Against the Petya Outbreak?

In early July 2017, a relatively run-of-the-mill ransomware called Petya was bundled with a highly sophisticated server message block (SMB) exploit called ETERNALBLUE and delivered to various enterprises as a compromised update to a Ukrainian tax software called M.E.Doc. ETERNALBLUE, an exploit thought to have been developed by a highly sophisticated hacking unit known as the Equation Group, had been leaked months earlier by an apparent hacktivist group calling itself the Shadow Brokers, albeit one potentially acting on behalf of the Russian government. Over 300,000 computers within organizations all over the globe, from small offices to hospitals, were impacted by WannaCry, causing loss of important data and a major expenditure of resources, only for it to happen again with Petya.

Security professionals everywhere should be asking themselves a very important question: How can we ensure this type of thing doesn’t happen to us again?

Customers of Cyber4Sight would have been able to rest easy: they received early warning of these attacks, mechanisms to protect themselves so that even an infected machine would have no way to propagate the malware, and a means to detect any discrete instances of infection in near real time.

Booz Allen Cyber4Sight® is a threat intelligence solution drawing on the expertise of a diverse group of analysts to provide intelligence monitoring services and tactical and strategic analysis culled from 170,000 targeted sources on the open and closed internet. The Cyber4Sight team, in close partnership with Splunk, has developed a premium content offering, Cyber4Sight for Splunk, designed to empower security analysts and threat hunters with actionable threat intelligence. The new offering combines cyber insights and security intelligence from Booz Allen’s Cyber4Sight® threat intelligence solutions with analytics-driven security insights from Splunk® ES.

Beginning as early as 2016—when Cyber4Sight first began tracking the Petya ransomware through a series of evolutions to ransomware in general (some of which Cyber4Sight predicted), all the way up to the emergence of the ETERNALBLUE and its use first in the WannaCry ransomware and then again in the Petya outbreak—Cyber4Sight customers have had all the intelligence they needed to avoid being affected by these threats.

The timeline below outlines what Cyber4Sight reported on that would have aided in prevention and detection of these outbreaks.

[Timeline figure: Petya major events (top) and the corresponding Cyber4Sight reports (bottom)]

In March 2016, Cyber4Sight reported on a strain of ransomware called Samas, which leveraged PSExec, a legitimate Windows utility that criminals and state-sponsored hackers often use to move laterally on their victims' networks. At the time, it was initially believed that the presence of PSExec in ransomware suggested adversaries were using ransomware to scorch the earth, so to speak, after stealing information. Nevertheless, the bundling of PSExec with Samas caught our attention, primarily because, whatever PSExec was there to do, it meant that the people operating Samas weren't interested in attacking consumers; they wanted to hit enterprises.

In May 2016, Cyber4Sight began reporting (providing indicators and context) on an emerging commodity ransomware called Mischa/Petya, a bundling of two strains of ransomware designed to gather administrative credentials or otherwise encrypt files on infected machines.

C4S For Splunk's Daily Intel Brief

Security operations center analysts and incident responders would have seen this report in the Cyber4Sight for Splunk “Daily Intel Brief” (as shown above) that provides security professionals a continuous stream of “What’s Happening” both within their enterprise and in the world. Below is an example report that was accessible in May of 2016.

This report was also coupled with a listing of “Indicators of Compromise” or IOCs, the fingerprints and evidence that could indicate the presence of malicious activity. These IOCs are automatically loaded into Splunk ES, and used by the Cyber4Sight premium content offering combined with Splunk’s Threat Intelligence Framework to discover these in near real-time within your environment if they exist. This information could also be used to take preventative action, enabling organizations to proactively implement enterprise security protection mechanisms such as specific application blacklisting, IP firewall, and DNS blocks.

A clipping from the above Cyber4Sight report within Splunk ES showing related IOCs

Splunk Enterprise Security’s “Incident Review Dashboard” detecting a Petya Indicator of Compromise

Cyber4Sight for Splunk provides a unique capability to pivot from within Splunk ES directly to the related report for the indicator being alerted on.
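As an added illustration of the IOC-to-event matching described above and of pivoting from a hit back to its source report, here is a small matcher written for this post (it is not Cyber4Sight or Splunk ES code). The feed, the report ids, the events and the field mapping are all constructed placeholders.

```python
import re

# Constructed sample intel feed (NOT Cyber4Sight data). Each indicator keeps
# the id of the report it came from so an alert can pivot back to context.
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.7", "report": "RPT-CONSTRUCTED-001"},
    {"type": "domain", "value": "update.example.invalid", "report": "RPT-CONSTRUCTED-001"},
    {"type": "sha256", "value": "ab" * 32, "report": "RPT-CONSTRUCTED-002"},  # placeholder hash
]

# Constructed sample events in key=value form (not real logs).
EVENTS = [
    "src=10.0.0.5 dest=203.0.113.7 action=allowed sourcetype=firewall",
    "src=10.0.0.9 query=update.example.invalid sourcetype=dns",
    "host=ws12 process=psexec.exe file_hash=" + "ab" * 32 + " sourcetype=endpoint",
    "src=10.0.0.5 dest=198.51.100.2 action=allowed sourcetype=firewall",
]

# Which event fields are compared against which indicator type, mirroring the
# idea of matching each intel collection only against the fields it applies to.
FIELD_MAP = {"ip": ("src", "dest"), "domain": ("query", "dest_host"), "sha256": ("file_hash",)}


def build_index(feed):
    """Normalise the feed into {type: {value: report}} for constant-time lookups."""
    idx = {}
    for ioc in feed:
        idx.setdefault(ioc["type"], {})[ioc["value"].lower()] = ioc["report"]
    return idx


def parse_event(line):
    """Turn a key=value log line into a dict of fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def match_events(events, feed):
    """Return one alert per (event, indicator) hit, each naming the report to pivot to."""
    idx = build_index(feed)
    alerts = []
    for line in events:
        fields = parse_event(line)
        for ioc_type, names in FIELD_MAP.items():
            for name in names:
                val = fields.get(name, "").lower()
                if val and val in idx.get(ioc_type, {}):
                    alerts.append({"event": line, "ioc_type": ioc_type, "value": val, "report": idx[ioc_type][val]})
    return alerts


if __name__ == "__main__":
    for a in match_events(EVENTS, IOC_FEED):
        print(f"{a['ioc_type']} {a['value']} matched -> pivot to {a['report']}")
```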

Pivot Directly from Events to Related Reports for Context

With Cyber4Sight, customers would have used reports on the evolution of the Petya ransomware throughout 2016—most notably in December 2016 and then again in January 2017—updating the associated indicators and providing additional context.

In the meantime, Cyber4Sight released our annual predictions report. By this time, December 2016, our thinking on the Samas-PSExec bundle had evolved. Generally, Cyber4Sight analysts (along with much of the security world) had become increasingly concerned about the use of lateral movement tools as a means to spread ransomware around enterprise networks. More specifically, Cyber4Sight analysts followed this concern to its logical end and began warning our clients about the potential of ransomware operators using wormable exploits to spread their malware.

In April 2017, Cyber4Sight informed clients of a sophisticated, wormable exploit called ETERNALBLUE, providing indicators and information about how clients can protect themselves against this exploit.

In May 2017, the WannaCry ransomware outbreak occurred, validating our concerns about ETERNALBLUE in particular and wormable ransomware in general.

In late June 2017, just before the NotPetya outbreak, Cyber4Sight issued a technical report on the Sorebrect ransomware, which spreads via SMB and PSExec—a report that effectively laid out the blueprint for the impending Petya outbreak.

Finally, the NotPetya outbreak occurred in July 2017, initially infecting machines through updates for a Ukrainian tax software called M.E.Doc and then spreading on the network via PSExec and ETERNALBLUE.

With Cyber4Sight, customers were uniquely prepared and provided with ample warning about the dangers of ransomware in combination with ETERNALBLUE and PSExec. Beyond that, we've been sounding the alarm on the dangers of poisoned updates for years. If the affected organizations had been Cyber4Sight clients, they'd have had sufficient information to place controls on the use of PSExec on their networks; they'd have patched ETERNALBLUE; and they might have even had the requisite indicators to block any initial Petya infections.

Even if Petya got in through the poisoned M.E.Doc update, it would have infected only the machines that had M.E.Doc installed on them, as the information from our report stream would have encouraged clients to close off the SMB vulnerability that ETERNALBLUE exploited.

Contact us if you have any questions. Hope to hear from you!

Girish Bhat
Director, Security Product Marketing
Matthew Wycoff
Product Manager, Booz Allen Cyber4Sight for Splunk