Ransomware is a specific type of malware that holds data “hostage,” and it is especially disruptive to business because it destroys data. The ransomware threat doesn’t need to keep security practitioners up at night, though. Detecting ransomware is key to removing compromised devices from an infected network, but a holistic approach to security, centered around prevention, is necessary to keep organizations from falling victim to malware attacks in the first place.

The Challenge to Detecting Malware

The traditional way of detecting an advanced malware or threat compromise in a Windows environment relies on a signature-based anti-virus or anti-malware product. This approach falls short for many organizations. Signature-based anti-malware solutions match against a known list of signatures, and that list will never catch everything, because:

  • Endpoint protection products don’t have a complete list of signatures for every threat that exists
  • They don’t apply to new threats that arrive as new executables at the endpoint, because there is no known signature to compare against

This traditional approach leaves organizations dealing with security breaches ranging from data exfiltration to service interruptions and ransomware, all of which stem from the inability to protect endpoints and detect the activity on them.

Fundamentally, the problem is that organizations fail to make use of the Windows system activity events that could be collected from their Windows infrastructure, and fail to apply analytics to that data to determine what is normal versus what is abnormal by reviewing every process and session created on a Windows endpoint.

Malware Process Hiding as Existing OS or Application Process

Most PC users have looked at the Windows process monitor, found nothing in particular wrong, and concluded that the OS is running only its normal processes. Yet regardless of how normal that list appears, the PC may be infected with all kinds of malware. A “black sheep” malware disguises itself as a normal OS process: the malware process runs under the name of, and alongside, legitimate processes. How could this kind of “black sheep” be detected?

What about advanced malware, for example a type of malware that has never been seen or detected by any anti-malware product? Such malware executes on an endpoint without most anti-malware software raising a red flag, because the signature of the new executable is not known. Could this kind of problem be tackled with analytics that compare a set of criteria across the fingerprints of different executables?

To find this, the hashes in the Sysmon event play a key role. The hash information attached to the Sysmon process creation event is a unique fingerprint of the executable. If we establish what the existing fingerprints of trusted executables are and compare them against the fingerprint of a similarly named executable that started recently, we can find the processes that are anomalies. This detailed Sysmon event about created processes and their associated hashes can be analyzed with a simple Splunk SPL summation by executable name.
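The comparison described above, written out as an added example in Python rather than SPL (this is not code from the whitepaper or from Splunk): it groups constructed Sysmon Event ID 1 records by executable name and hash, then flags a hash that is rare for a name whose other instances share a dominant hash. The record fields (`Image`, `Hashes`, `Computer`) follow Sysmon’s own event field names; the sample events and every hash value are constructed, and `KNOWN_GOOD` stands in for whatever allow-list of trusted fingerprints an organization maintains.

```python
"""Summarize Sysmon process-creation hashes by executable name and flag rare ones.

Rough SPL equivalent of summarize() (assumes the Sysmon add-on exposes the
Image and Hashes fields):  EventCode=1 | stats count by Image, Hashes
"""
from collections import Counter, defaultdict
import ntpath

# Constructed SHA256 values; not real file hashes.
H_SVCHOST = "a" * 64
H_SVCHOST_ODD = "b" * 64
H_EXPLORER = "c" * 64
H_CHROME = "d" * 64
H_CHROME_NEW = "e" * 64


def _ev(host, image, sha256):
    """Build a minimal Sysmon Event ID 1 record.

    Hashes uses Sysmon's own "ALG=value,ALG=value" format; an MD5 is
    included only to show that other algorithms are parsed and ignored.
    """
    return {"Computer": host, "Image": image,
            "Hashes": f"MD5={'0' * 32},SHA256={sha256}"}


SYS32 = r"C:\Windows\System32"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample: four hosts, one of them running a look-alike svchost.exe.
SAMPLE_EVENTS = [
    _ev("ws01", SYS32 + r"\svchost.exe", H_SVCHOST),
    _ev("ws02", SYS32 + r"\svchost.exe", H_SVCHOST),
    _ev("ws03", SYS32 + r"\svchost.exe", H_SVCHOST),
    # Same name, different fingerprint, user-writable path: the "black sheep".
    _ev("ws04", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", H_SVCHOST_ODD),
    _ev("ws01", r"C:\Windows\explorer.exe", H_EXPLORER),
    _ev("ws02", r"C:\Windows\explorer.exe", H_EXPLORER),
    _ev("ws01", CHROME, H_CHROME),
    _ev("ws02", CHROME, H_CHROME),
    # A freshly updated browser is also "rare"; a known-good list keeps it quiet.
    _ev("ws03", CHROME, H_CHROME_NEW),
]

# Hypothetical allow-list of trusted fingerprints (e.g. from a software inventory).
KNOWN_GOOD = frozenset({H_CHROME_NEW})


def parse_hashes(hashes_field):
    """Turn "MD5=...,SHA256=..." into {"MD5": "...", "SHA256": "..."} (lower-case hex)."""
    out = {}
    for part in hashes_field.split(","):
        alg, _, value = part.partition("=")
        if alg and value:
            out[alg.strip().upper()] = value.strip().lower()
    return out


def image_name(image):
    """Executable name only, so C:\\Windows\\System32\\svchost.exe and a Temp copy collide."""
    return ntpath.basename(image).lower()


def summarize(events, algorithm="SHA256"):
    """Count (executable name, hash) pairs: the "summation by executable name"."""
    counts = Counter()
    for ev in events:
        h = parse_hashes(ev["Hashes"]).get(algorithm)
        if h is not None:
            counts[(image_name(ev["Image"]), h)] += 1
    return counts


def find_anomalies(events, algorithm="SHA256", known_good=frozenset(), rare_threshold=2):
    """Return (name, hash, count, paths) for hashes that are rare for their executable name.

    A name is only judged when it appears with at least two distinct hashes;
    a hash is flagged when it is seen at most rare_threshold times, is not the
    most common hash for that name, and is not on the known-good list.
    """
    by_name = defaultdict(lambda: defaultdict(lambda: {"count": 0, "paths": set()}))
    for ev in events:
        h = parse_hashes(ev["Hashes"]).get(algorithm)
        if h is None:
            continue
        slot = by_name[image_name(ev["Image"])][h]
        slot["count"] += 1
        slot["paths"].add(ev["Image"])

    anomalies = []
    for name, variants in by_name.items():
        if len(variants) < 2:
            continue
        dominant = max(v["count"] for v in variants.values())
        for h, v in variants.items():
            if v["count"] < dominant and v["count"] <= rare_threshold and h not in known_good:
                anomalies.append((name, h, v["count"], tuple(sorted(v["paths"]))))
    return sorted(anomalies)


if __name__ == "__main__":
    for name, h, count, paths in find_anomalies(SAMPLE_EVENTS, known_good=KNOWN_GOOD):
        print(f"{name}: hash {h[:12]}... seen {count}x at {paths}")
```

The known-good list matters: without it the updated chrome.exe is flagged alongside the Temp-directory svchost.exe, because a legitimate software update looks exactly like a new fingerprint for a familiar name. In practice the baseline of trusted hashes comes from the fleet’s own history, a software inventory, or vendor-published hashes, and the path and host fields carried in the result are what an analyst pivots on next.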

Splunk forwarders let users collect the Windows infrastructure’s Sysmon data from the endpoint in real time, and Splunk software automatically transports the events relevant to anomaly analysis from the endpoint to the central platform.

The Splunk platform provides two key functions that address the challenge of making the best use of Sysinternals events for detecting early signs of advanced malware infections, known or not:

  • Collection of Windows activity: the Windows OS-based Splunk forwarder easily collects all Sysinternals data through the event log
    • Provides a single agent for collecting all Windows data (event log, Sysinternals, perfmon, files)
    • Provides a secure, reliable transport for centralizing data in an analytics platform
    • Applies Sysmon-specific formatting and processing so analysis can begin immediately
  • Analytics base for searching and analyzing anomalies: simple search, statistical summation and calculation highlight rare values in process creation details
    • Pivots into different endpoint criteria to dynamically derive results
    • Applies machine learning

Data Sources

The data source required to detect potential malware activity on a Windows endpoint is Sysinternals data collected through the Windows event log using Sysmon. An organization gains this detailed information by installing Sysmon, provided by Microsoft, and then installing the Splunk forwarder to define what is collected and filtered. This Sysinternals data is where the search for indications of odd activity begins, but additional correlation is needed to trace how and what got infected; ingesting proxy, IDS/IPS, DNS and stream data is recommended in order to root-cause the route of a potential infection, determine its scope and mitigate the incident. Analyzing the Sysinternals data with Splunk software provides definitive indications of compromise for any potential malware, whether known or unknown.

To read the full whitepaper, download:
Splunk Security: Detecting Unknown Malware and Ransomware