Ransomware Vulnerability Assessment

We know it's important to patch our environments. And we know that basic security hygiene can help us prevent damage and minimize the risk and impact to the business. The recent outbreak of the WannaCry ransomware attack again proves that much of the damage could have been reduced by having better basic security hygiene.

Specifically, minor things like insuring patches are up to date on all end points could have saved many organizations worldwide from significant loss and hardship. When you're trying to stop the spread of malware, it's critical to have the clear visibility of all end points in your network and the current patch status. But being able to clearly see the up to date patching status of all endpoints can be challenging.

There's the complex structure of assets across or on prem in cloud in many organizations. And there's many variants of operating systems and legacy endpoint instances that still exist. So we get it. You know you need to patch, but you can't patch everything. So let me tell you what you can do right now with Splunk.

If you are centrally collecting vulnerability scan data sources from tools like Nessus, you can quickly identify which of your end points are vulnerable to ransomware. In this demo, we will show you how to assess the safety of all endpoints in your environment using data collected from Nessus' vulnerability scanner and how to quickly assess the hosts that are vulnerable to ransomware attacks, such as WannaCry.

Here, we are looking at the vulnerability status of all endpoints. We are seeing a number of points that are not patched with the latest critical vulnerabilities. In the detailed table, you can clearly see which endpoints are missing patch updates. These endpoints are vulnerable to ransomware like WannaCry. Now, let us show you how you can dynamically assess and analyze vulnerability status of your environment so you get ready for the next storm of malware.

First, we search vulnerability scan Nessus events with already published common vulnerability exposure codes, such as CVE 2017, dash 0146, CVE 2017 dash 0147 or search for plug-ins related to MS 17 dash 0 1 0. This searches is for all endpoints with existing SMB v-1 vulnerability found endpoints.

Remember, though, while these specific vulnerabilities can be exploited by WannaCry, it's the same technique that you'll use to identify end point vulnerability for any type of ransomware or malware on your end points or in your network on an ongoing basis. Next, we will select some relevant fields to look at.

These fields include source, CVE, plug-in name, first found, last found, last fixed, if the vulnerability has been patched. This builds a table showing us the information we need to analyze patch status. Notice there are empty cells in the last fixed column. These devices with null values are not patched.

In those that are already patched, there are time stamps on when those hosts were last patched. Using the stats command by last fixed, we can quickly create a view that shows which hosts were not patched. Now, by searching for last fixed with empty hosts, meaning not patched, we can create alerts as hosts not patched for SMB v-1 vulnerability and from within Splunk create actions to either quarantine host or open tickets to update patches.

This is step one in understanding your posture as it relates to ransomware. Now, you know how to build a report to gain visibility into the vulnerability of your environment so you can remediate quickly and mitigate your risk. Now that you've built this report, you can use it on an ongoing basis to always have a view into vulnerability of your environment as new malware or ransomware variants inevitably emerge.

Stay tuned for our next segment where we'll show you how you can further analyze ransomware activities across your environment to fully scope your risk. Or if you haven't seen our previous security investigation series and need more information on Splunk, be sure to check those out. Don't be crying, be Splunking.