Stopping Ransomware: Proactive Threat Hunting with Splunk & SOAR
In today’s interconnected and AI-empowered online landscape, the question for organizations isn’t if they’ll be targeted by a cyber attack, but when. Relying solely on perimeter defenses and signature-based detection is not sufficient. To truly protect valuable assets, a proactive defense-in-depth approach is essential. Conducting cyber threat hunting and developing critical SOAR (Security Orchestration, Automation, and Response) automations that stop attacks before they succeed are among the best options for protecting your assets before they are impacted.
Threat hunting involves actively searching for unknown threats and malicious activities lurking within your network that have evaded traditional security measures. It’s about turning the tables on attackers, finding them before they achieve their objectives, and leveraging powerful tools like Splunk SOAR to stop an attack in its tracks.
Understanding the Adversary: Threat actors & Capabilities
Before we dive into the hunt, it’s crucial to understand the diverse landscape of adversaries your organization might face:
- Outsiders: These are external attackers, often financially motivated cybercriminals, nation-state actors, or hacktivists. Their methods range from broad phishing campaigns to sophisticated, targeted attacks.
- Insiders: Disgruntled employees, negligent staff, or those coerced by external forces can pose a significant threat from within. They often have legitimate access to systems, making their malicious activities harder to detect.
- Nearsiders: This category includes third-party vendors, partners, or contractors who have legitimate access to some of your systems or data. While not direct employees, their compromised accounts can serve as a bridge for attackers.
Beyond who they are, understanding an adversary’s capabilities helps gauge the sophistication of the threat:
- Low Capability: Often opportunistic, relying on publicly available tools, simple exploits, and basic social engineering.
- Medium Capability: More organized, potentially developing custom scripts, using more advanced phishing techniques, and demonstrating a better understanding of network defenses.
- High Capability: Nation-state actors or highly resourced criminal organizations. They possess significant resources, develop zero-day exploits, employ sophisticated evasion techniques, and conduct prolonged, stealthy operations.
The Attack Lifecycle: A Ransomware Scenario
Let’s walk through a hypothetical, and increasingly common, ransomware attack scenario, highlighting how threat hunting with Splunk and SOAR playbook automations could uncover and mitigate each step of the kill chain.
Step 1: Initial Access via CVE Exploitation
Our attacker identifies a publicly disclosed vulnerability (CVE) in an organization’s internet-facing web server – let’s say a critical unpatched flaw in an Apache Struts application. They exploit this CVE to gain initial access.
Indicators of Compromise (IoCs):
These indicators are technical events that indicate possible CVE exploitation in your environment:
- Web Server Logs: Unusual HTTP requests to the vulnerable path, often containing encoded commands or shellcode.
- Firewall/IDS/IPS Logs: Alerts for known exploit signatures targeting the specific CVE.
- System Event Logs (Web Server): New or unusual processes spawned by the web server service (e.g., cmd.exe, PowerShell.exe running under the web server’s user account).
Splunk Hunting & Automation:
The following Splunk Search could be used to identify the IoCs, enabling alert actions on the Splunk Platform:
index=web sourcetype=apache_access | regex uri="(?i)struts.*(\$\{|\%\{)"
This search looks for Struts OGNL injection patterns (a Struts path followed by a ${ or %{ expression opener) in the request URI.
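The same hunt expressed outside Splunk, as an added example that is not part of the original post: it parses constructed Apache access-log lines (sample data, not real traffic) and applies the search's regex to the request URI. As an addition beyond the post's search, it also matches on the URL-decoded URI, because an OGNL opener that arrives percent-encoded would not match the raw field.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:10:01:05 +0000] "GET /struts2-showcase/${(1+1)} HTTP/1.1" 400 512 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2025:10:01:06 +0000] "GET /struts/app.action?x=%25%7B1%2B1%7D HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2025:10:02:00 +0000] "POST /api/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Common Log Format fields up to the status code; the remaining fields are not needed here.
LOG_LINE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Same pattern as the Splunk search in the post: a Struts path followed by an OGNL ${ or %{ opener.
OGNL_PATTERN = re.compile(r'(?i)struts.*(\$\{|%\{)')


def parse_access_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_struts_ognl_probe(uri):
    """True if the raw URI, or its URL-decoded form, matches the OGNL injection pattern.
    Decoding is an addition to the post's search: a request that encodes '%{' as '%25%7B'
    would not match on the raw URI field."""
    return bool(OGNL_PATTERN.search(uri) or OGNL_PATTERN.search(unquote(uri)))


def hunt_struts_ognl(log_text):
    """Return (src_ip, timestamp, uri) for every line that looks like a Struts OGNL probe."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_access_line(line)
        if fields and is_struts_ognl_probe(fields["uri"]):
            hits.append((fields["src_ip"], fields["ts"], fields["uri"]))
    return hits


if __name__ == "__main__":
    for src_ip, ts, uri in hunt_struts_ognl(SAMPLE_ACCESS_LOG):
        print(f"{ts} {src_ip} {uri}")
```

The hit list is what a SOAR playbook would consume as the source IP to enrich and, if confirmed malicious, block.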
Splunk SOAR Playbook in Action: "CVE Exploit Containment"
When Splunk Enterprise Security generates a high-confidence alert for this activity, it automatically triggers the SOAR playbooks:
- Enrich Data: The playbook first gathers more context. It takes the source IP address from the alert and uses threat intelligence integrations (like VirusTotal or Recorded Future) to check its reputation.
- Block Attacker IP: If the IP is malicious, a command is sent to your firewall (Palo Alto Networks, Cisco, etc.) to block the source IP address, cutting off the attacker’s connection.
- Isolate Host: The playbook interacts with your Endpoint Detection and Response (EDR) tool (like CrowdStrike or Carbon Black) to isolate the compromised web server from the network, preventing any lateral movement.
- Initiate Vulnerability Scan: A targeted scan is triggered via your vulnerability management tool (like Tenable or Qualys) on the isolated host to confirm the vulnerability and on similar servers to identify other at-risk systems.
- Create Ticket: A high-priority ticket is automatically created in your IT service management system (like Jira or ServiceNow) with all the collected information, assigning it to the security team for forensic investigation.
Step 2: Privilege Escalation & Lateral Movement
Once initial access is gained, the attacker’s next step is often to escalate privileges on the compromised host, then move laterally across the network to find more valuable targets or domain administrative credentials. They might exploit a local privilege escalation vulnerability or use tools like Mimikatz to extract credentials from memory.
Indicators of Compromise (IoCs):
These indicators are technical events that indicate possible privilege abuse in your environment:
- Endpoint Security Logs (Sysmon/EDR): Creation of suspicious processes (e.g., whoami followed by net user /domain), attempts to dump LSASS process memory, execution of known lateral movement tools (PsExec, RDP from unusual sources).
- Authentication Logs (Active Directory): Failed logon attempts, successful logons from service accounts to interactive sessions, or logons from unusual source IPs.
- Network Flow Data (NetFlow/IPFIX): Unusual internal traffic patterns, especially from the compromised web server to internal administrative shares or domain controllers.
Splunk Hunting & Automation:
The following Splunk Search could be used to identify the IoCs, enabling alert actions on the Splunk Platform:
index=wineventlog sourcetype=sysmon EventCode=10 TargetImage="*lsass.exe*" SourceImage!="*lsass.exe*"
This search hunts for LSASS memory access (dump attempts). Sysmon Event ID 10 (ProcessAccess) records the accessing process in SourceImage and the accessed process in TargetImage; the Image and ParentImage fields belong to Event ID 1 (process creation) and would only match lsass.exe itself being started, which is normal.
Splunk SOAR Playbook in Action: "Suspicious Credential Activity"
A Splunk UBA (User Behavior Analytics) rule detects a service account, normally used for automated tasks, logging in interactively to a new machine, and triggers the SOAR playbooks:
- Verify User and Host: The playbook queries Active Directory to get details about the user account (Is it a service account? When was the password last changed?) and checks the asset inventory for information on the source and destination hosts.
- Disable User Account: Based on the high-confidence anomaly, an action is sent to Active Directory to immediately disable the compromised user account, preventing further authentication attempts.
- Terminate Active Sessions: The playbook uses EDR or remote administration tools to find and terminate all active logon sessions associated with the disabled user account across the environment.
- Collect Forensic Evidence: An automated command is sent to the EDR agent on both the source and destination endpoints to collect memory dumps and a list of running processes for later investigation.
- Notify & Escalate: A critical alert is sent to the security operations channel in Slack or Microsoft Teams, including a summary of actions taken and a link to the investigation.
Step 3: Impact - Destroying Backup Capabilities
A critical step for ransomware attackers is to destroy or encrypt backups, preventing recovery and increasing the pressure on the victim to pay the ransom. This might involve deleting shadow copies, encrypting backup files, or uninstalling backup software agents.
Indicators of Compromise (IoCs):
These indicators are technical events that indicate possible backup elimination actions in your environment:
- System Event Logs (Backup Server): Execution of vssadmin.exe delete shadows /all /quiet, deletion events for backup files, uninstallation logs for backup agents.
- File System Auditing: High volume of file deletion events or modification events on backup volumes or shares.
- Network Activity (Backup Server): Unusual outbound connections from backup infrastructure, potentially for exfiltration before encryption or C2.
Splunk Hunting & Automation:
The following Splunk Search could be used to identify the IoCs, enabling alert actions on the Splunk Platform:
index=wineventlog sourcetype=security EventCode=4688 CommandLine="*vssadmin.exe delete shadows*"
This search hunts for shadow copy deletion attempts in process creation events.
Automation:
A Splunk alert detecting a rapid, unusual increase in file deletion events on a backup server or execution of vssadmin from an unauthorized user/process could:
- Immediately sever network connectivity for the backup server (quarantine).
- Create immutable snapshots of remaining backups if available.
- Notify backup administrators and the security team.
Splunk SOAR Playbook in Action: "Backup Infrastructure Defense"
A Splunk alert for vssadmin execution on a critical server by an unauthorized user triggers this highly aggressive playbook:
- Isolate Backup Server: The playbook immediately sends a command to the network switch or firewall to change the VLAN of the backup server to a “quarantine” VLAN, cutting off all communication except to a forensic workstation.
- Trigger Immutable Snapshot: If your backup solution supports it (e.g., Veeam, Cohesity), an API call is made to trigger an immediate, immutable snapshot of the backup data, preserving it from deletion or encryption.
- Revoke Access: The playbook identifies the user account that executed the command and sends an action to both Active Directory (disable account) and your Privileged Access Management (PAM) solution to revoke any privileged sessions.
- Critical Alert to Stakeholders: This action is considered a severe pre-ransomware indicator. The playbook sends a high-priority email and SMS notification directly to the Head of IT Security and the Infrastructure team leader.
By the time the attacker is ready to deploy their ransomware, their access has been revoked, their tools have been contained, and the systems they were targeting are isolated. The final, devastating encryption stage is prevented entirely, not by a human working through a checklist, but by automated, decisive actions executed in seconds. This is the power of combining proactive threat hunting with a robust SOAR strategy.
Step 4: Impact - Deploying Ransomware: Bad Ending
If all automated defenses fail and the ransomware is deployed, the attackers win. With backups compromised, the attacker deploys the ransomware across accessible systems. This often involves executing a malicious payload that encrypts files and displays a ransom note. At this stage, hunters will be assessing the impact of the attack and trying to develop a recovery plan.
Indicators of Compromise (IoCs):
These indicators are technical events that indicate possible ransomware being deployed in your environment:
- Endpoint Security Logs (Sysmon/EDR): Creation of new files with ransomware-specific extensions (e.g., .locked, .encrypted, .ryuk), execution of known ransomware processes, suspicious file writes to multiple directories.
- File System Auditing: Simultaneous modification of a large number of files across multiple systems.
- Network Activity: High volume of outbound connections to C2 infrastructure (if the ransomware calls home), or unusual internal SMB traffic as the ransomware spreads.
Splunk Hunting & Automation:
The following Splunk Search could be used to identify the IoCs, enabling alert actions on the Splunk Platform:
index=wineventlog sourcetype=sysmon EventCode=11 (TargetFilename="*.locked" OR TargetFilename="*.ryuk")
This search hunts for file creation events with known ransomware file extensions.
Automation:
A Splunk Enterprise Security correlation search identifying all of the following:
- A rapid increase in file creation/modification events
- The presence of known ransomware process names
- Attempts to write to system-critical directories
could automatically:
- Isolate affected endpoints from the network
- Force a system reboot into a safe recovery environment
- Trigger an incident response playbook, including notifying key stakeholders and initiating forensic analysis.
With strong playbooks in place, this automation could quickly identify an ongoing ransomware attack and potentially save some systems from encryption.
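An added example (not part of the original post) covering the two detections above: the Step 3 shadow copy deletion hunt and the Step 4 "rapid increase in file creation events" correlation. It runs over constructed event records shaped like the Splunk fields the post uses; the allow-list of accounts permitted to run vssadmin, the 25-files-in-60-seconds threshold and the host names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events shaped like the Splunk fields used in the post (not real telemetry).
SAMPLE_EVENTS = [
    {"_time": "2025-03-10T11:00:00", "host": "BKP01", "EventCode": 4688,
     "User": "svc-web", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"_time": "2025-03-10T11:00:05", "host": "BKP01", "EventCode": 4688,
     "User": "bkpadmin", "CommandLine": "vssadmin.exe list shadows"},
] + [
    # 30 files on FS02 appearing with a ransomware extension within 30 seconds
    {"_time": f"2025-03-10T11:02:{i:02d}", "host": "FS02", "EventCode": 11,
     "TargetFilename": f"\\\\FS02\\share\\doc{i}.docx.locked"} for i in range(30)
] + [
    {"_time": "2025-03-10T11:30:00", "host": "WS07", "EventCode": 11,
     "TargetFilename": "C:\\Users\\a\\notes.txt.locked"},   # a single event: not a burst
]

RANSOM_EXTENSIONS = (".locked", ".encrypted", ".ryuk")   # extensions named in the post
AUTHORIZED_VSSADMIN_USERS = {"bkpadmin"}                  # hypothetical allow-list


def find_shadow_copy_deletions(events):
    """(host, user) pairs where a non-allow-listed account deleted shadow copies (Step 3)."""
    return [(ev["host"], ev["User"]) for ev in events
            if ev.get("EventCode") == 4688
            and "vssadmin.exe delete shadows" in ev.get("CommandLine", "").lower()
            and ev["User"] not in AUTHORIZED_VSSADMIN_USERS]


def find_encryption_bursts(events, threshold=25, window_seconds=60):
    """Hosts on which >= threshold ransomware-extension files appeared within one window (Step 4)."""
    per_host = defaultdict(list)
    for ev in events:
        name = ev.get("TargetFilename", "").lower()
        if ev.get("EventCode") == 11 and name.endswith(RANSOM_EXTENSIONS):
            per_host[ev["host"]].append(datetime.fromisoformat(ev["_time"]))
    flagged, window = [], timedelta(seconds=window_seconds)
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:   # enough files inside one window: flag the host
                flagged.append(host)
                break
    return flagged
```

Either result list is the input a playbook would act on: the (host, user) pair feeds the "Revoke Access" and "Isolate Backup Server" actions, and each flagged host feeds endpoint isolation.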
The Power of Proactive Hunting
This scenario illustrates that while reactive defenses are important, proactive threat hunting with Splunk and intelligent automation can significantly reduce the dwell time of attackers and minimize the impact of an attack. By continuously searching for the subtle clues attackers leave behind, organizations can identify and neutralize threats before they escalate into full-blown disasters.
Key Takeaways:
- Know your assets and your adversaries.
- Collect comprehensive logs from endpoints, network devices, applications, and authentication sources.
- Develop robust threat hunting queries and leverage Splunk’s analytical capabilities.
- Implement automation via SOAR to respond rapidly and consistently to detected threats.
- Continuously refine your hunting techniques based on new threat intelligence and attack methodologies.