Ransomware Vulnerability Assessment

This demonstration will show how to gain clear visibility of your infrastructure’s network and endpoint vulnerability. Learn the new techniques in this video.


Video Transcript

We know it's important to patch our environments, and we know that basic security hygiene can help us prevent damage and minimize the risk and impact to the business. The recent outbreak of the WannaCry ransomware attack again proves that much of the damage could have been reduced by having better basic security hygiene. Specifically, minor things like ensuring patches are up to date on all endpoints could've saved many organizations worldwide from significant loss and hardship.

When you're trying to stop the spread of malware, it's critical to have clear visibility of all endpoints in your network and the current patch status. But being able to clearly see the up-to-date patching status of all endpoints can be challenging. There's the complex structure of assets across our on-prem and cloud in many organizations, and there are many variants of operating systems and legacy endpoint instances that still exist.

So we get it. You know you need to patch, but you can't patch everything. So let me tell you what you can do right now with Splunk. If you are centrally collecting vulnerability scan data sources from tools like Nessus, you can quickly identify which of your endpoints are vulnerable to ransomware. In this demo, we will show you how to assess the safety of all endpoints in your environment using data collected from the Nessus vulnerability scanner and how to quickly assess the hosts that are vulnerable to ransomware attacks such as WannaCry.

Here we are looking at the vulnerability status of all endpoints. We are seeing a number of endpoints that are not patched with the latest critical vulnerabilities. In the detailed table, you can clearly see which endpoints are missing patch updates. These endpoints are vulnerable to ransomware like WannaCry.

Now let us show you how you can dynamically assess and analyze vulnerability status of your environment so you get ready for the next storm of malware. First we search vulnerability scan Nessus events with already published common vulnerability exposure codes such as CVE-2017-0146, CVE-2017-0147, or search for plugins related to MS17-010. This searches for all endpoints found with the existing SMBv1 vulnerability.

Remember, though, while these specific vulnerabilities can be exploited by WannaCry, it's the same technique that you'll use to identify endpoint vulnerability for any type of ransomware or malware on your endpoints or in your network on an ongoing basis. Next, we will select some relevant fields to look at. These fields include source, CVE, plug-in name, first found, last found, last fixed if the vulnerability has been patched. This builds a table showing us the information we need to analyze patch status.

Notice there are empty cells in the last fixed column. These devices with null values are not patched. And those that are already patched, there are timestamps on when those hosts were last patched. Using the stats command by last fixed, we can quickly create a view that shows which hosts were not patched.

Now, by searching for last fixed with empty hosts, meaning not patched, we can create alerts for hosts not patched for the SMBv1 vulnerability, and from within Splunk, create actions to either quarantine hosts or open tickets to update patches. This is step one in understanding your posture as it relates to ransomware.

Now you know how to build a report to gain visibility into the vulnerability of your environment so you can remediate quickly and mitigate your risk. Now that you've built this report, you can use it on an ongoing basis to always have a view into vulnerability of your environment as new malware or ransomware variants inevitably emerge. Stay tuned for our next segment, where we'll show you how you can further analyze ransomware activities across your environment to fully scope your risk. Or if you haven't seen our previous security investigation series and need more information on Splunk, be sure to check those out.

Don't be crying. Be splunking.
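
The triage logic walked through in the transcript (filter scan findings by the named CVEs or MS17-010 plugins, then treat an empty last-fixed value as "not patched") can be reproduced outside Splunk. The following is an added example, not part of the video or any Splunk or Nessus code; the record layout, field names, plugin names, hosts and dates are constructed assumptions.

```python
from collections import defaultdict

# Identifiers named in the transcript.
TARGET_CVES = {"CVE-2017-0146", "CVE-2017-0147"}
TARGET_BULLETIN = "MS17-010"

# Constructed sample findings; field names are assumed, not a real Nessus schema.
SAMPLE_FINDINGS = [
    {"source": "10.0.0.11", "cve": "CVE-2017-0146", "plugin_name": "MS17-010 SMB update (constructed)",
     "first_found": "2017-04-20", "last_found": "2017-05-14", "last_fixed": ""},
    {"source": "10.0.0.12", "cve": "cve-2017-0147", "plugin_name": "MS17-010 SMB update (constructed)",
     "first_found": "2017-04-20", "last_found": "2017-05-10", "last_fixed": "2017-05-13"},
    # One host, two relevant findings, only one of them fixed: still unpatched.
    {"source": "10.0.0.13", "cve": "CVE-2017-0146", "plugin_name": "MS17-010 SMB update (constructed)",
     "first_found": "2017-04-21", "last_found": "2017-05-09", "last_fixed": "2017-05-12"},
    {"source": "10.0.0.13", "cve": "CVE-2017-0147", "plugin_name": "MS17-010 SMB update (constructed)",
     "first_found": "2017-04-21", "last_found": "2017-05-14", "last_fixed": None},
    # Unfixed, but not one of the targeted vulnerabilities: out of scope here.
    {"source": "10.0.0.14", "cve": "CVE-0000-0000", "plugin_name": "Unrelated check (constructed)",
     "first_found": "2017-03-01", "last_found": "2017-05-14", "last_fixed": ""},
    # No CVE recorded; matched through the plugin name instead.
    {"source": "10.0.0.15", "cve": "", "plugin_name": "ms17-010 remote check (constructed)",
     "first_found": "2017-05-01", "last_found": "2017-05-14", "last_fixed": ""},
]

def is_relevant(finding):
    """True if the finding lists a targeted CVE or its plugin name mentions MS17-010."""
    cves = {c.strip().upper() for c in (finding.get("cve") or "").split(",") if c.strip()}
    plugin = (finding.get("plugin_name") or "").upper()
    return bool(cves & TARGET_CVES) or TARGET_BULLETIN in plugin

def patch_status(findings):
    """Map host -> latest last_fixed date, or None if any relevant finding is unfixed."""
    fixed_by_host = defaultdict(list)
    for f in findings:
        if is_relevant(f):
            fixed_by_host[f["source"]].append((f.get("last_fixed") or "").strip())
    return {host: (None if any(not v for v in vals) else max(vals))
            for host, vals in fixed_by_host.items()}

def unpatched_hosts(findings):
    """Hosts to alert on: at least one relevant finding with an empty last_fixed."""
    return sorted(h for h, fixed in patch_status(findings).items() if fixed is None)

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_FINDINGS):
        print(f"NOT PATCHED: {host}")
```

Grouping per host before deciding matters: a host with one fixed finding and one unfixed finding still belongs on the alert list.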