.conf2016: Splunking the Endpoint: “Hands on!” Ransomware Edition
2 likes15,504 views
The document outlines a presentation by Dimitri McKay and James Brodsky about ransomware, highlighting the evolution of ransomware types from 2013 to 2016 and discussing detection strategies through endpoint monitoring and forensic analysis. It emphasizes the necessity of backups, patching, and proper security policies to prevent infections, while also warning of the unpredictability of their statements and the potential for misinformation. The talk includes practical hands-on elements and encourages audience engagement with real-world examples and exercises.
.conf2016: Splunking the Endpoint: “Hands on!” Ransomware Edition
- 3. Disclaimer 3 During the course of this presentation, we may make ridiculous statements regarding Splunk features that may or may not be true. This is not reflective of Splunk as a company. We caution you that such statements reflect our own personal lack of intelligence and you should lower your expectations based on the fact that we’re not all that bright. By we, we mean Dimitri. Actual features or functions and their explanation of which may differ from reality. For Splunk Search Language questions, Dimitri’s answers will probably not be the truth, as such, actual results will differ greatly from those contained in Splunk documentation. If you record this presentation, you are giving up your right to vote, right to bare arms (i.e. no tank tops), and rights to your first born male child. The forward-looking statements made in this presentation are being made up as we go along. If reviewed after its live presentation, this content may not contain current or factual information. Please do not assume any legal obligation to our comments or statements as frankly, if you tattle, we will deny everything. In addition, information in this presentation is subject to change at any time without notice based on how much trouble we could potentially be in. This presentation is for educational informational entertainment purposes only. Do not hold Splunk accountable for anything that we might say or do, as frankly, the biased opinions and poor decisions we are about to make here are our own. Thanks, and enjoy the show.
- 4. 4
- 5. 5
- 8. 8
- 9. > Dimitri McKay | Senior Security Architect | CISSP | CCSK| LOLZ | WTF q 20 years of net/system security experience. q 2nd place, 2016 Defcon Beard Competition q Former pentester, corporate security slacker for a search engine and plus sized hand model. q Enjoys making poor decisions, breaking things and disappointing my parents. q Current role on the Security Practice team focuses on security strategy for the fortune 50, evangelism and asking dumb questions. q Currently interested in machine learning for home home automation products which will eventually become self aware and kill us all. 9 Minster of Swagger @dimitrimckay
- 10. > Dimitri McKay | Senior Security Architect | CISSP | CCSK| LOLZ | WTF q 20 years of net/system security experience. q 2nd place, 2016 Defcon Beard Competition q Former pentester, corporate security slacker for a search engine and plus sized hand model. q Enjoys making poor decisions, breaking things and disappointing my parents. q Current role on the Security Practice team focuses on security strategy for the fortune 50, evangelism and asking dumb questions. q Currently interested in machine learning for home home automation products which will eventually become self aware and kill us all. 10 Minster of Swagger @dimitrimckay
- 11. 11
- 15. 15
- 16. 16
- 17. 17
- 18. Ransomware Evolution 18 2013 2014 2015 2016 RANSOMLOCK URAUSY CRYPTOLOCKER CRYPTODEFENSE CRYPTOWALL REVETON LOCKDROID TESLACRYPT CTB-LOCKER LOCKSCREEN VIRLOCK TOX TESLACRYPT 2.0 TORRENTLOCKER 73V3N DMALOCK CHIMERA LOCKY SAMSAM KERANGER POWERWARE PETYA TESLACRYPT 3 & 4 CERBER JIGSAW ROKKU HYDRACRYPT …
- 19. 19
- 21. Today 21
- 23. 23
- 24. 24
- 28. 28
- 33. @MGM Las Vegas
- 36. 36 Scripts Perfmon Wire Data Logs Process/Apps/FIM Registry Sysmon The UF: It’s more than you think
- 48. vs.
- 49. 49
- 50. 50
- 51. 51
- 52. 52
- 54. OR
- 56. Newbie Path
- 58. Ninja Path
- 59. Ninja Path
- 60. What have we here? Our learning environment consists of: • 31 publically-accessible single-instance Splunk servers • Each with ~700K events, from real environment.
- 63. 63 attribution.
- 74. DETECTION - We learned that: 74 Many ways to detect unusual endpoint behavior that could indicate ransomware infection. Make your searches look for general, abnormal behavior – not “specific” or you’ll never keep up. You don’t have to turn on everything we showed to get some value – but the more you have the more confident you can be. Windows events are a bare minimum! The earlier you detect, the better chance you have at stopping the spread.