No More WannaCry With Ziften And Splunk – Chuck Leaver

Written by Joel Ebrahami and presented by Chuck Leaver


WannaCry has generated a lot of media attention. It may not have the huge infection rates that we have seen with many of the older worms, but in the current security world the number of systems it was able to infect in a single day was still rather incredible. The objective of this blog is NOT to supply a detailed analysis of the threat, but rather to look at how the threat behaves on a technical level with Ziften’s Zenith platform and the integration we have with our technology partner Splunk.

WannaCry Visibility in Ziften Zenith

My first step was to reach out to the Ziften Labs threat research group to see what information they could give me about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, heads up our research group and informed me that they had samples of WannaCry presently running in our ‘Red Laboratory’ to look at the behavior of the threat and perform further analysis. Josh sent me over the details of what he had found when analyzing the WannaCry samples in the Ziften Zenith console, and I present those details in this post.

The Red Lab has systems covering all the most common operating systems with different services and configurations. There were already systems in the lab that were deliberately vulnerable to the WannaCry exploit. The global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble identifying the infection in our lab environment (see Figure 1).

Two lab systems have been identified running the malicious WannaCry sample. While it is great to see our global threat intelligence feeds updated so quickly and identifying the ransomware samples, there were other behaviors that we detected that would have identified the ransomware threat even if there had not been a threat signature.

Zenith agents gather a vast quantity of information on what’s occurring on each host. From this visibility data, we create non-signature-based detection methods that look for generally malicious or anomalous behaviors. Figure 2 shows the behavioral detection of the WannaCry infection.

Investigating the Scope of WannaCry Infections

Once the threat has been detected, either through signature or behavioral methods, it is very simple to see which other systems have also been infected or are displaying similar behaviors.

WannaCry Detections with Ziften and Splunk

After reviewing this information, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this example my Zenith server was already configured to integrate with Splunk. This enabled me to look at the same data inside Splunk. Let me explain the integration we currently have with Splunk.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its role is to ingest and index ALL the raw data from the Zenith server that the Ziften agents produce. As this data comes in, it is mapped into Splunk’s Common Information Model (CIM) so that it is normalized, easily searched, and usable by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for acting on events that are rendered in Splunk ES. The second app is a dashboard that displays our data with all the charts and graphs available in Splunk to make the data much easier to digest.

Since I already had the details on how the WannaCry threat behaved in our research lab, I had the advantage of knowing exactly what to look for in Splunk using the Zenith data. In this case I was able to see a signature alert by using the VirusTotal integration with our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to wear my “incident responder hat” and investigate this in Splunk using the Zenith agent data. My first idea was to search the systems in my lab for ones running SMB, because that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in different message types, and I knew that I would probably find SMB data in the running process message type; however, I used Splunk’s * regex with the Zenith sourcetype so I could search all Zenith data. The resulting search looked like ‘sourcetype=ziften:zenith:* smb’. As I expected, I received 1 result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioral search we have in Zenith that looks for typical CryptoWare and see if I could get results back. Once again this was very simple to do from the Splunk search panel. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I added the ‘delete shadows’ string search to see if this behavior was ever issued at the command line. My search looked like ‘sourcetype=ziften:zenith:* delete shadows’. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.

Having all this information inside Splunk made it very simple to determine which systems were vulnerable and which systems had already been compromised.
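The ‘delete shadows’ hunt above, sketched outside Splunk as an added example (not code from the original post or from Ziften): it scans constructed process events for shadow-copy deletion command lines and groups the matches by host. The event field names are assumptions rather than the Zenith message schema, and the `wmic shadowcopy delete` rule goes beyond the single string used in the post.

```python
import json
import re
from collections import defaultdict

# Constructed process-creation events, one JSON object per line. The field
# names (host, pid, cmdline) are assumptions, not the Zenith message schema.
SAMPLE_EVENTS = r"""
{"host": "lab-win7-01", "pid": 2204, "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"}
{"host": "lab-win10-02", "pid": 4120, "cmdline": "C:\\Windows\\System32\\VSSADMIN.EXE  Delete   Shadows /For=C: /Oldest"}
{"host": "lab-srv-03", "pid": 880, "cmdline": "vssadmin list shadows"}
{"host": "lab-srv-03", "pid": 912}
this line is truncated and is not valid JSON
"""

# Shadow-copy deletion can be issued through vssadmin or wmic; a literal
# 'delete shadows' string match only covers the first form.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
}

def normalize(cmdline):
    """Lower-case, drop double quotes and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").lower()).strip()

def hunt(raw_events):
    """Return {host: [(pid, rule_name), ...]} for matching command lines."""
    hits = defaultdict(list)
    for line in raw_events.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip it, keep hunting
        if not isinstance(event, dict):
            continue  # valid JSON but not an event object
        cmd = normalize(event.get("cmdline", ""))
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits[event.get("host", "unknown")].append((event.get("pid"), name))
    return dict(hits)

if __name__ == "__main__":
    for host, matches in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, matches)
```

The `vssadmin list shadows` event is deliberately left unflagged: listing shadow copies is routine administration, while deleting them is the behavior worth alerting on.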

WannaCry Remediation Using Splunk and Ziften

One of the next steps in any type of breach is to remediate the compromise as quickly as possible to prevent further damage, and to take action to prevent other systems from being compromised. Ziften is one of the Splunk founding Adaptive Response members, and there are a variety of actions (see Figure 7) that can be taken through Splunk’s Adaptive Response to mitigate these threats through extensions on Zenith.

In the case of WannaCry we really could have used almost any of the Adaptive Response actions currently offered by Zenith. When trying to reduce the impact and prevent WannaCry in the first place, one action that can be taken is to shut down SMB on any systems running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action Splunk can pass to Zenith the agent IDs or the IP addresses of all the vulnerable systems where we want to stop the SMB service, thus preventing the exploit from ever taking place and allowing the IT Operations group to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the event that we have already been compromised, it is vital to prevent further exploitation and stop the possible exfiltration of sensitive information or business intellectual property. There are actually three actions we could take. The first two are similar: we could kill the malicious process either by PID (process ID) or by its hash. This is effective, but because malware will often simply spawn under a new process, or be polymorphic and have a different hash, we can use an action that is guaranteed to prevent any inbound or outbound traffic from those infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften’s integration with Splunk ES.

WannaCry is already diminishing, but hopefully this technical blog post shows the value of the Ziften and Splunk integration in handling ransomware threats against the endpoint.