Like most of us around the world, I’ve been shocked by the current situation in Ukraine. I’m saddened by the images of families being torn apart and fleeing their homes. This brings to mind the story of my own grandmother, who had to leave her native country of Austria, with nothing more than a small bag and my infant mother in her arms. It feels trivial for me to write a corporate blog about the invasion unfolding before our eyes, but we’ve received a number of questions from customers and the community about the increased risk of cyberattacks during the conflict.
I want to make sure I address this very real concern they have – and one that we’re qualified to help with. Splunk has been closely monitoring developments related to the Russian invasion and we wanted to share an overview of our tools, guidance and support of organizations during this crisis as they are advised to adopt a heightened security posture. Splunk is working closely with our partners and government agencies to share the latest information about emerging threats along with detections and recommended mitigations. We plan to update this blog with further guidance as the situation evolves.
We’ve also taken action to enhance our cyber resiliency:
- The Splunk Security team continually monitors and evaluates security risks reported in the industry and in the news.
- We are continuously monitoring our environment for indications of increased threats or potential attacks against our networks.
- We continue to confirm that available patches and security controls are in place.
Defending Against Potential Cyberattacks
If you are a Splunk customer who is concerned about attacks on your environment in this time of heightened risk, please consider reviewing the information below.
High Value Data Sources for Advanced Persistent Threat Hunting
- Endpoint Detection and Response (EDR): Host-based logs give the hunter the highest-fidelity picture of what happened. EDR telemetry such as CrowdStrike or VMware Carbon Black ingested into Splunk provides visibility into actions taken on endpoints.
- Microsoft Sysmon: A no-cost option that records process creation, registry changes, WMI activity, file deletion, and more. It was recently updated to support major Linux distributions.
- Windows Event Logging: If EDR or Sysmon are not an option, native Windows event logging is still an excellent source. Event ID 4688 (process creation) is most useful when command-line auditing is enabled, since without it the event records only the process name; pair it with authentication events such as 4624 (successful logon) and the event IDs associated with group creation and membership changes. Splunk customers may use the Windows Event Code Security Analysis App, written by a former Splunker, to identify specific Event IDs of interest.
- DNS Events: From a network perspective, DNS logs record the names queried (for example, A-record lookups) for suspicious sites and help surface outlier behavior. Network metadata from platforms like Zeek provides considerable visibility into protocols such as SSL/TLS, SMTP, SMB, and HTTP. Customers can also use Splunk Stream.
- Authentication Logs: CISA cites enabling multi-factor authentication (MFA) as a key first step to protect your organization. By hunting through authentication logs you can identify logons that did not use MFA and work with stakeholders to take corrective action. You can also apply traditional threat hunting concepts to authentication logs, looking for anomalous or first-time-seen behavior to prove or disprove a hypothesis.
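As an added example (this is not code from the original post and not a Splunk feature), the following Python script runs the two authentication-log hunts described above over constructed sample events: it lists successful logons that did not satisfy MFA, and it flags user/source pairs that appear for the first time after a baseline window. The field names (`action`, `user`, `src`, `mfa`, `app`), the sample log lines and the baseline cutoff are all assumptions chosen for illustration.

```python
"""Hunting authentication logs for non-MFA logons and first-time-seen
user/source pairs. Added example over constructed data; not Splunk code."""
from datetime import datetime, timezone

# Constructed sample events (not real data), one per line, in the key=value
# form Splunk extracts automatically. 'mfa' records whether MFA was satisfied.
SAMPLE_LOG = """\
2022-02-20T08:01:12Z action=success user=alice src=10.1.4.22 mfa=true app=vpn
2022-02-20T08:05:40Z action=success user=bob src=10.1.4.31 mfa=true app=vpn
2022-02-21T09:12:03Z action=success user=alice src=10.1.4.22 mfa=true app=vpn
2022-02-22T18:47:55Z action=failure user=carol src=198.51.100.7 mfa=false app=vpn
2022-02-25T07:58:19Z action=success user=bob src=10.1.4.31 mfa=true app=mail
2022-02-27T23:14:08Z action=success user=alice src=198.51.100.7 mfa=false app=vpn
2022-02-28T02:33:51Z action=success user=svc-backup src=203.0.113.9 mfa=false app=mail
2022-02-28T08:00:02Z action=success user=bob src=10.1.4.31 mfa=true app=vpn
"""

# Everything before this instant is treated as the "known" baseline (assumed cutoff).
BASELINE_END = datetime(2022, 2, 26, tzinfo=timezone.utc)


def parse_line(line):
    """Turn '2022-...Z k=v k=v ...' into a dict; the timestamp lands in '_time'."""
    stamp, *pairs = line.split()
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = {"_time": when}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def non_mfa_logons(events):
    """Successful logons that did not satisfy MFA: the population to take to
    the application owners. Failed attempts are left out on purpose; they did
    not grant access and belong in a different hunt."""
    hits = {(e["user"], e["src"], e["app"])
            for e in events
            if e["action"] == "success" and e["mfa"] != "true"}
    return sorted(hits)


def first_seen_pairs(events, baseline_end):
    """Classic first-time-seen hunt: build the set of (user, src) pairs observed
    during the baseline window, then report every later event whose pair is
    not in it. Failures count toward the baseline because the pairing itself,
    not the outcome, is what we are learning."""
    baseline = {(e["user"], e["src"]) for e in events if e["_time"] < baseline_end}
    return [e for e in events
            if e["_time"] >= baseline_end and (e["user"], e["src"]) not in baseline]


def hunt(text, baseline_end):
    """Run both hunts over raw log text and return plain, testable results."""
    events = parse_log(text)
    return {
        "non_mfa": non_mfa_logons(events),
        "first_seen": [(e["user"], e["src"], e["_time"].isoformat())
                       for e in first_seen_pairs(events, baseline_end)],
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG, BASELINE_END)
    print("Successful logons without MFA:")
    for user, src, app in result["non_mfa"]:
        print(f"  {user} from {src} to {app}")
    print("First-time-seen user/source pairs after the baseline:")
    for user, src, when in result["first_seen"]:
        print(f"  {user} from {src} at {when}")
```

In Splunk the same first-seen logic is usually expressed with `stats earliest(_time) AS first_seen BY user, src` followed by a filter on `first_seen`; the script's baseline set is the offline equivalent. The MFA indicator is named differently by each identity provider, so normalize it into one field before hunting rather than hard-coding a vendor's field name.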
The image below shows our coverage across MITRE ATT&CK.
Customers who use core Splunk or Splunk Enterprise Security (ES) can reference the following Splunk blogs:
Index of tips and tricks for hunting across numerous data sources:
Additional components of Sysmon that are available to hunt:
Hunting with Commercial Cloud Providers (AWS and Azure):
Azure AD: https://www.splunk.com/blog/2018/08/31/i-azure-you-this-will-be-useful.html
AWS VPC: https://www.splunk.com/blog/2018/09/24/go-with-the-flow-network-telemetry-vpc-data-in-aws.html
Threat Advisory: STRT-TA02 - Destructive Software
This threat advisory focuses on WhisperGate, the destructive malware that targeted Ukrainian organizations: https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html
SA-Investigator: A free Splunk app designed to sit on top of Splunk Enterprise Security that can be used to hunt and investigate assets, identities, file hashes, and file/process names. Deployments that do not use Enterprise Security but whose data is mapped to the Common Information Model (CIM) may still get value from hunting across data models such as Network Traffic, Endpoint, Authentication, and more.
OT Security Add-on for Splunk: Customers with operational technology (OT) such as SCADA and industrial control systems (ICS) may find the OT Security Add-on to Enterprise Security to be especially helpful. CISA has explicitly called out cyber threats to U.S. critical infrastructure such as power and water utilities.
Workshops: Splunk Solution Engineers offer tailored workshops that are delivered live online or in-person.
Boss of the SOC (BOSS) Platform: For the last four years, Splunk security experts with experience in nation-state hunting have developed Boss of the SOC (BOTS) competition and training scenarios that mimic the tactics, techniques, and procedures used by Russian APT groups. These training exercises can be found on the BOSS platform at https://bots.splunk.com.
Resources from CISA
Splunk is working closely with CISA as a member of the agency’s Joint Cyber Defense Collaborative. CISA's catalog of free cybersecurity services and tools can help organizations shift from being reactive to proactive in their cyber defense. The list includes Splunk’s Synthetic Adversarial Log Objects (SALO) framework, Splunk Attack Detection Collector, and Splunk Attack Range. In addition, CISA has linked to a number of alerts and advisories on their “Shields Up” webpage with the latest information regarding Russia-linked cyber threats along with recommended mitigation measures.