Detect and Investigate Malware
Detecting malware and investigating malware-infected hosts is a common task for a security operations team, and doing it well improves the security posture of the organization. Traditional anti-malware products are effective at detecting known malware, but they can fail when faced with new or evolving malware variants.
In this use case, we use Splunk Enterprise Security (ES) with Splunk Enterprise to detect malware-infected hosts. An analyst can quickly detect malware across the organization using domain-specific dashboards, correlation searches and reports included with Splunk Enterprise Security.
Use log data from an endpoint security product and web proxy servers. Data from endpoint systems is vital to maintain an accurate view of malware infections in your environment.
Install and configure a Splunk platform instance (version 6.3 or later) with Splunk Enterprise Security (version 4.0 or later). Verify that logs from the data sources identified above are being indexed on the Splunk platform instance.
Enterprise Malware Security Workflow
Start with the Security Posture dashboard, which summarizes all notable event activity. In this use case, the Notable Events Over Time panel shows a spike in endpoint activity, representing suspicious activity on the hosts. A high number of Host With A Recurring Malware Infection notable events indicates an ongoing issue.
Infected Host Details
Click one of the Host With A Recurring Malware Infection events to review its details, then continue the investigation by opening the destination IP address of the event in the Asset Investigator dashboard.
The Malware Attacks swimlane shows a large number of malware attacks attributed to this host. Focus on the host with an unknown malware signature and pivot to the search view for more detail about the infected host, including whether it downloaded suspicious content after becoming infected.
Determine the Spread of Malware
The destination IP associated with the malware event on the host is a web proxy server, and the proxy logs show the traffic to be an executable file downloaded from a website. With a new search, you can determine whether other hosts downloaded similar files from the same domain, locate another host that downloaded executable files from that domain, and take action to quarantine it.
Initiate Remedial Activity
Quarantining the infected host limits the adverse impact of the malware. Probing deeper into the logs provides additional valuable information, such as the domain used to download the suspicious files, which allows you to identify other potentially infected hosts. You can then create a report of those hosts, export it, and share it with the endpoint administrator for further investigation and malware removal.
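The pivot described in the steps above (executable download by the known-infected host, then every other host that pulled an executable from the same domain, then a report for the endpoint administrator), as an added example that is not part of Splunk Enterprise Security or of this page. In Splunk an analyst would express this as a search over the indexed proxy data; here the same logic is written in Python over a handful of constructed Squid-format proxy log lines, so the hosts, domains, timestamps and the infected-host address 10.1.20.15 are all made up for the example.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed Squid-native-format proxy log lines (made up for this example; the
# hosts, domains and timestamps are not from any real investigation). Fields:
# timestamp elapsed client status/code bytes method url user hierarchy/peer content-type
PROXY_LOG = """\
1605000000.101   245 10.1.20.15 TCP_MISS/200 512345 GET http://cdn-updates.example/setup/installer.exe - HIER_DIRECT/203.0.113.10 application/x-msdownload
1605000012.300    18 10.1.20.15 TCP_MISS/200   1523 GET http://www.example.org/index.html - HIER_DIRECT/198.51.100.7 text/html
1605000090.777   301 10.1.20.42 TCP_MISS/200 512345 GET http://cdn-updates.example/setup/installer.exe - HIER_DIRECT/203.0.113.10 application/x-msdownload
1605000150.002    40 10.1.20.77 TCP_MISS/200   8400 GET http://cdn-updates.example/img/logo.png - HIER_DIRECT/203.0.113.10 image/png
1605000200.555   210 10.1.20.99 TCP_MISS/200  70311 GET http://downloads.example.net/tools/7zip.exe - HIER_DIRECT/192.0.2.33 application/octet-stream
1605000260.004   198 10.1.20.31 TCP_MISS/200 512345 GET http://cdn-updates.example/setup/update.bin - HIER_DIRECT/203.0.113.10 application/x-dosexec
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<src>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Two independent cues for "this response carried an executable".
EXEC_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-dosexec", "application/x-msdos-program",
    "application/x-executable", "application/vnd.microsoft.portable-executable",
}
EXEC_EXTENSIONS = (".exe", ".dll", ".msi", ".scr", ".cpl")


def parse_proxy_log(text):
    """Parse Squid-native lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = float(e["ts"])
        e["bytes"] = int(e["bytes"])
        parts = urlsplit(e["url"])
        e["domain"] = parts.hostname or ""
        e["path"] = parts.path
        events.append(e)
    return events


def is_executable_download(e):
    """Successful GET whose Content-Type or URL extension says 'executable'.
    Either cue alone is weak (servers misreport Content-Type, attackers hide
    payloads behind benign paths), so the two are OR-ed and the hit is treated
    as a lead to confirm on the endpoint, not as proof of infection."""
    if e["method"] != "GET" or e["status"].split("/")[-1] != "200":
        return False
    return e["ctype"].lower() in EXEC_CONTENT_TYPES or e["path"].lower().endswith(EXEC_EXTENSIONS)


def executable_downloads_by_host(events, src):
    """Step 1: what did the host from the notable event pull through the proxy?"""
    return [e for e in events if e["src"] == src and is_executable_download(e)]


def hosts_downloading_from_domain(events, domain):
    """Step 2 (the pivot): every host that fetched an executable from `domain`."""
    by_src = defaultdict(list)
    for e in events:
        if e["domain"] == domain and is_executable_download(e):
            by_src[e["src"]].append(e)
    return by_src


def spread_report(events, infected_host):
    """Step 3: one row per (host, suspicious domain), earliest download first,
    with the known-infected host flagged so the endpoint team can triage."""
    domains = {e["domain"] for e in executable_downloads_by_host(events, infected_host)}
    rows = []
    for domain in sorted(domains):
        for src, evs in hosts_downloading_from_domain(events, domain).items():
            stamps = sorted(e["ts"] for e in evs)
            rows.append({
                "src": src,
                "domain": domain,
                "known_infected": src == infected_host,
                "first_seen": datetime.fromtimestamp(stamps[0], tz=timezone.utc).isoformat(),
                "last_seen": datetime.fromtimestamp(stamps[-1], tz=timezone.utc).isoformat(),
                "count": len(evs),
                "urls": ";".join(sorted({e["url"] for e in evs})),
            })
    rows.sort(key=lambda r: r["first_seen"])
    return rows


def report_to_csv(rows):
    """Export in a form that can be handed to the endpoint administrator."""
    fields = ["src", "domain", "known_infected", "first_seen", "last_seen", "count", "urls"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(report_to_csv(spread_report(parse_proxy_log(PROXY_LOG), "10.1.20.15")))
```

On the sample data the report lists 10.1.20.15 (the host from the notable event), 10.1.20.42 (same installer) and 10.1.20.31 (a different file from the same domain, caught by its Content-Type rather than its extension). 10.1.20.77 only fetched an image from that domain and 10.1.20.99 fetched an executable from an unrelated domain, so neither is included; the second of those is worth a separate search, but it is not evidence for this outbreak.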
Using data from endpoint systems and proxy server logs, Splunk Enterprise Security identified notable events when hosts were infected with malware and requested downloads from a suspicious domain. The notable events provided the starting point for the investigation, and an analyst can use additional dashboards and event detail to locate the entry point of the malware infection. After analyzing the data and pivoting to search results, an analyst can identify the hosts that requested downloads from the suspicious domain.
Using the information surfaced by Splunk Enterprise Security, an analyst can take the critical steps to act on the threat of a malware outbreak: quarantining and cleaning infected hosts, blacklisting the suspicious domain, and identifying the suspicious files that delivered the malware payload.
For additional details, please refer to the Splunk Enterprise Security Use Case Documentation.