Charles Leaver – Using Ziften And Splunk To Easily Detect And Respond To WannaCry

Written by Joel Ebrahami and presented by Charles Leaver


WannaCry has generated a great deal of media attention. It may not have the huge infection rates we have seen with many previous worms, but in today’s security landscape the number of systems it was able to infect in a single day was still staggering. The objective of this blog post is NOT to provide an in-depth analysis of the threat, but rather to look at how the threat behaves on a technical level as seen through Ziften’s Zenith platform and our integration with our technology partner Splunk.

WannaCry Visibility in Ziften Zenith

My first step was to reach out to the Ziften Labs threat research group to see what information they could give me about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, heads up our research group and told me that they already had samples of WannaCry running in our ‘Red Lab’ to observe the behavior of the threat and perform further analysis. Josh sent me the details of what he had found when analyzing the WannaCry samples in the Ziften Zenith console, and I present those details here.

The Red Lab has systems covering all of the most common operating systems with a variety of services and configurations. There were already systems in the lab that were intentionally vulnerable to the WannaCry threat. The global threat intelligence feeds used in the Zenith platform are updated in real time, and they had no trouble detecting the malware in our lab environment (see Figure 1).

Two lab systems were identified running the malicious WannaCry sample. While it is great to see our global threat intelligence feeds updated so quickly and identifying the ransomware samples, we also observed other behaviors that would have identified the ransomware threat even if there had been no threat signature.

Zenith agents collect a huge amount of information about what is happening on each host. From this visibility data, we build non-signature-based detection methods that look for generally malicious or anomalous behaviors. Figure 2 below shows the behavioral detection of the WannaCry ransomware.

Examining the Scope of WannaCry Infections

Once the threat has been identified, whether through signature or behavioral methods, it is very simple to see which other systems have also been infected or are exhibiting similar behaviors.

WannaCry Detections with Ziften and Splunk

After reviewing these details, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this case my Zenith server was already configured to integrate with Splunk. This allowed me to look at the same data inside Splunk. Let me be clear about the integration we have with Splunk.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its function is to consume and index ALL of the raw data from the Zenith server that the Ziften agents produce. As this data arrives it is mapped into Splunk’s Common Information Model (CIM) so that it is normalized and can be easily searched, as well as used by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for executing actions that are initiated in Splunk ES. The second app is a dashboard that presents our data with all of the graphs and charts available in Splunk, making the data much easier to digest.

Since I already had the information on how the WannaCry threat behaved in our research lab, I had the advantage of knowing what to look for in Splunk using the Zenith data. In this case I was able to see a signature alert by using the VirusTotal integration with our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my “incident responder hat” and investigate this in Splunk using the Zenith agent data. My first thought was to search the systems in my lab for ones running SMB, since that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in different message types, and I knew that I would most likely find SMB data in the running process message type; nevertheless, I used Splunk’s * wildcard with the Zenith sourcetype so that I could search all Zenith data. The resulting search looked like ‘sourcetype=ziften:zenith:* smb’. As I expected, I got one result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioral search we have in Zenith that looks for common CryptoWare and see if I could get results back. Again this was very easy to do from the Splunk search panel. I used the same wildcard sourcetype as before so that I could search across all Zenith data, and this time I added the ‘delete shadows’ string to see if this behavior was ever issued at the command line. My search looked like ‘sourcetype=ziften:zenith:* delete shadows’. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.

Having all of this information inside Splunk made it very easy to determine which systems were vulnerable and which systems had already been compromised.
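To make the two hunts above concrete without a Splunk instance, here is an added Python example (not code from the post or from Ziften) that re-creates them over a handful of constructed endpoint events. The sourcetype naming (`ziften:zenith:*`) and the ‘delete shadows’ search term come from the post; the event field names loosely follow Splunk CIM’s Endpoint data model (`dest`, `process`, `process_name`) but are assumptions, not Ziften’s actual schema, and the `wmic shadowcopy delete` pattern is a generalization beyond the single substring the post searches for. The `triage` function reproduces the point of the last paragraph: separating hosts that merely expose SMB from hosts that have already run ransomware-style shadow copy deletion.

```python
"""Re-creation of the two Splunk hunts from the post over constructed events."""
import fnmatch
import re

# Constructed sample events (not real Zenith output). Field names are an
# assumption modelled on Splunk CIM's Endpoint data model.
SAMPLE_EVENTS = [
    {"sourcetype": "ziften:zenith:process", "dest": "lab-win7-01",
     "process_name": "svchost.exe",
     "process": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
     "description": "SMB Server service (LanmanServer)"},
    {"sourcetype": "ziften:zenith:process", "dest": "lab-win7-01",
     "process_name": "cmd.exe",
     "process": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"sourcetype": "ziften:zenith:process", "dest": "lab-win10-02",
     "process_name": "svchost.exe",
     "process": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
     "description": "SMB Server service (LanmanServer)"},
    {"sourcetype": "ziften:zenith:process", "dest": "lab-ubuntu-03",
     "process_name": "sshd", "process": "/usr/sbin/sshd -D",
     "description": "OpenSSH server"},
    # A non-Zenith event that also mentions SMB: the sourcetype wildcard must
    # exclude it, which is why the post scopes every search to ziften:zenith:*.
    {"sourcetype": "syslog", "dest": "lab-ubuntu-03",
     "message": "smbd started"},
]

# Command lines that delete Volume Shadow Copies. 'delete shadows' is the term
# from the post; the wmic form is a generalization added here.
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)


def _event_text(event):
    """Flatten every field value so a bare keyword behaves like Splunk's free-text search."""
    return " ".join(str(value) for value in event.values()).lower()


def search(events, sourcetype_glob, query):
    """Rough model of `sourcetype=<glob> term1 term2 ...`.

    The sourcetype is matched with a shell-style wildcard, and every
    whitespace-separated term must appear (case-insensitively) somewhere
    in the event, which is how Splunk treats unquoted terms.
    """
    terms = query.lower().split()
    hits = []
    for event in events:
        if not fnmatch.fnmatchcase(event.get("sourcetype", ""), sourcetype_glob):
            continue
        text = _event_text(event)
        if all(term in text for term in terms):
            hits.append(event)
    return hits


def shadow_copy_deletions(events):
    """Return (host, command line) pairs for process events that delete shadow copies."""
    return [
        (event["dest"], event["process"])
        for event in events
        if event.get("sourcetype") == "ziften:zenith:process"
        and SHADOW_DELETE.search(event.get("process", ""))
    ]


def triage(events):
    """Split hosts into 'vulnerable' (SMB observed, no ransomware behavior) and 'compromised'."""
    smb_hosts = {event["dest"] for event in search(events, "ziften:zenith:*", "smb")}
    compromised = {host for host, _ in shadow_copy_deletions(events)}
    return {
        "compromised": sorted(compromised),
        "vulnerable": sorted(smb_hosts - compromised),
    }


if __name__ == "__main__":
    # The two searches from the post, then the triage summary.
    for hit in search(SAMPLE_EVENTS, "ziften:zenith:*", "smb"):
        print("SMB host:", hit["dest"])
    for host, cmdline in shadow_copy_deletions(SAMPLE_EVENTS):
        print("shadow copy deletion on", host, "->", cmdline)
    print(triage(SAMPLE_EVENTS))
```

The substring search reproduces what the post did from the Splunk search bar; the regex is the tighter form you would actually alert on, since a bare ‘delete shadows’ also matches benign text such as a help-file description, while the regex requires the specific tool invocation.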

WannaCry Remediation Using Splunk and Ziften

One of the next steps in any type of breach is to remove the compromise as quickly as possible to prevent further damage, and to act to prevent other systems from being compromised. Ziften is one of the founding Splunk Adaptive Response members, and there are a number of actions (see Figure 7) that can be taken through Splunk’s Adaptive Response to mitigate these threats through extensions on Zenith.

In the case of WannaCry we could have used practically any of the Adaptive Response actions currently offered by Zenith. When looking to reduce the impact and prevent WannaCry in the first place, one action that can be taken is to shut down SMB on any systems running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action Splunk can pass to Zenith the agent IDs or the IP addresses of all the vulnerable systems on which we want to stop the SMB service, thereby preventing the exploit from ever happening and allowing the IT Operations team to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the case where we have already been compromised, it is crucial to prevent further exploitation and stop the possible exfiltration of sensitive data or company intellectual property. There are really three actions we could take. The first two are similar: we could kill the malicious process either by PID (process ID) or by its hash. This is effective, but since malware will often simply respawn under a new process, or be polymorphic and have a different hash, we can instead use an action that is guaranteed to block any inbound or outbound traffic from those infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften’s integration with Splunk ES.

WannaCry is already declining, but hopefully this technical blog post shows the value of the Ziften and Splunk integration in dealing with ransomware threats against the endpoint.