Enhancing Enterprise Security for Ransomware

Anthony G. Tellez

Tags: Ransomware, Splunk, Security, Threat Intelligence, Enterprise Security

Ransomware isn't going away

Ransomware is a profitable business model for cyber criminals, with 2016 payments closing at the billion-dollar mark. According to a recent survey by IBM, nearly 70% of executives hit by ransomware have paid to get their data back. Those survey results do not include smaller organizations and consumers, who are also paying to get their data back.

With the threat from ransomware growing, prevention alone is not enough: detection is key to finding compromised devices and removing them from the network. Unfortunately, signature-based detection alone will not catch everything. Using it in combination with hunting techniques in Splunk can enhance your security posture.

In this blog, we'll walk through adding the free ransomware intelligence feed from abuse.ch to Splunk Enterprise Security.

Requirements

  • Internet Access for the Splunk Enterprise Security Instance
  • Splunk Enterprise Security
  • Knowledge of updating Splunk configurations

Configuration

There are two paths forward, depending on the level of access you have to the Enterprise Security search head.

Command Line Method (Recommended)

Create or update the configuration file in the SA-ThreatIntelligence app's local directory:

$ vi /opt/splunk/etc/apps/SA-ThreatIntelligence/local/inputs.conf

Add the following configuration:

[threatlist://ransomware_ip_blocklist]
delim_regex = :
description = abuse.ch Ransomware Blocklist
disabled = false
fields = ip:$1,description:Ransomware_ip_blocklist
type = threatlist
url = https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt

Restart the Splunk service:

$ /opt/splunk/bin/splunk restart

GUI Method

  1. Locate the Enterprise Security Configuration page.

  2. Select Threat Intelligence Downloads. [Screenshot: Data Enrichment]

  3. Click New and fill in the configuration. [Screenshots: Threat Intel, Threat Intel Settings]

Verification

Once configured, Enterprise Security will download the threat intelligence and begin alerting on any events that match the threatlist. These can be reviewed and triaged as part of your workflow on the notable events page.
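To make the two pieces above concrete (how the delim_regex and fields settings in the inputs.conf stanza turn feed lines into indicator records, and how matching events then surface as notables), here is an added Python example that is not part of the original post and not Splunk's own code. It mimics the threatlist input's line handling on a constructed sample of the RW_IPBL.txt format, rejects lines that are not valid IP addresses, and then checks constructed firewall-style events against the loaded indicators. The ignore_regex used to skip comment and blank lines is an assumption about the input's behaviour, as are the sample feed and event lines.

```python
import re
import ipaddress

# Constructed sample of the abuse.ch RW_IPBL.txt layout (comment header,
# then one IP per line); this is not a real download of the feed.
SAMPLE_FEED = """\
# Ransomware Tracker IP blocklist (constructed sample)
# Last updated: placeholder
192.0.2.10
198.51.100.7
not-an-ip
203.0.113.44

"""

# Settings copied from the inputs.conf stanza on the page.
DELIM_REGEX = r":"
FIELDS = "ip:$1,description:Ransomware_ip_blocklist"
# Assumption: comment and blank lines are skipped, as the ES threatlist
# input does when an ignore_regex like this is set.
IGNORE_REGEX = r"(^#|^\s*$)"


def parse_fields_spec(spec):
    """Turn 'ip:$1,description:Foo' into [('ip', '$1'), ('description', 'Foo')]."""
    pairs = []
    for item in spec.split(","):
        name, _, value = item.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def parse_threatlist(text, delim_regex=DELIM_REGEX, fields=FIELDS,
                     ignore_regex=IGNORE_REGEX):
    """Split each feed line with delim_regex and map $N captures to field names.

    Returns (records, rejected): records are dicts for lines whose 'ip' field
    is a valid IPv4/IPv6 address; rejected holds malformed lines so they can
    be reviewed instead of silently entering the threat collection.
    """
    delim = re.compile(delim_regex)
    ignore = re.compile(ignore_regex)
    spec = parse_fields_spec(fields)
    records, rejected = [], []
    for line in text.splitlines():
        if ignore.search(line):
            continue
        parts = delim.split(line.strip())
        record = {}
        for name, value in spec:
            if value.startswith("$"):          # $1, $2, ... -> captured column
                idx = int(value[1:]) - 1
                record[name] = parts[idx] if idx < len(parts) else ""
            else:                              # literal value such as the description
                record[name] = value
        try:
            ipaddress.ip_address(record["ip"])
        except ValueError:
            rejected.append(line)
            continue
        records.append(record)
    return records, rejected


# Constructed firewall-style events; src/dest are the fields ES compares
# against the threat collection.
SAMPLE_EVENTS = [
    "2017-01-10T10:01:02Z action=allowed src=10.0.0.5 dest=198.51.100.7 dest_port=443",
    "2017-01-10T10:01:05Z action=allowed src=10.0.0.9 dest=93.184.216.34 dest_port=80",
    "2017-01-10T10:02:11Z action=blocked src=10.0.0.5 dest=203.0.113.44 dest_port=8080",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def match_events(events, records, ip_fields=("src", "dest")):
    """Return one hit per event field whose IP appears in the threat records."""
    threat_ips = {r["ip"]: r["description"] for r in records}
    hits = []
    for event in events:
        kv = dict(KV_RE.findall(event))
        for field in ip_fields:
            ip = kv.get(field)
            if ip in threat_ips:
                hits.append({"event": event, "field": field, "threat_ip": ip,
                             "threat_description": threat_ips[ip]})
    return hits


if __name__ == "__main__":
    loaded, bad = parse_threatlist(SAMPLE_FEED)
    print(f"loaded {len(loaded)} indicators, rejected {len(bad)} line(s): {bad}")
    for hit in match_events(SAMPLE_EVENTS, loaded):
        print("THREAT MATCH", hit["field"], hit["threat_ip"], "->", hit["event"])
```

Two things worth checking against your own deployment: the feed's header comments must be ignored or they will be loaded as bogus "ip" values, and a delim_regex of ":" only works because this feed is IPv4-only; an IPv6 list would be split at every colon.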

[Screenshot: Incident Review]

Note: If you're not seeing the threat intelligence feed, refer to the troubleshooting guide in the Splunk documentation.

Additional Resources

For more examples, see the official documentation: Add a ransomware threat feed to Splunk Enterprise Security