Detecting Ransomware Attacks with Splunk

A few days ago, a customer asked me if Splunk could be used to detect Ransomware – y’know, the malware that encrypts all of the files on your hard drive and asks you to pay a ransom to get them back. (If you’ve been trapped under something heavy for the last few years, see here and here.)

Ransomware has been around for a few years now, and in fact Michael Gough, a local “Malware Archeologist”, published a blog post about using Splunk to detect it way back in 2014. So yes, Splunk has been able to detect Ransomware for about as long as it’s been around.

Michael’s technique relies on enabling File Auditing within the Advanced Auditing features


Virtual Gov Day: What Did You Miss?

Last Wednesday marked our first Virtual Gov Day webinar, hosted by Carahsoft, where Splunk experts and customers showed attendees how valuable machine data can be in addressing daily IT challenges. Together, we learned how hundreds of government agencies use Splunk software to mitigate cybersecurity risk, optimize service delivery, maintain uptime of critical applications and reduce costs. For those who were unable to participate, I thought a brief summary of the discussion would be helpful.

Drive Disruption, Drive Change
Alan Webber, Research Director for IDC Government Insights, kicked off the web event by highlighting how government agencies can use Splunk to reestablish their foundation and cultivate innovation. From Alan’s perspective, “there is a new focus in government agencies, and …


The Splunk App for Stream – Tracking Open Ports for Security and Compliance – Part 2

In Part 1 of this post we looked at using the Splunk App for Stream to look for open ports on your networked systems. (Hint: Follow the ACK packets.) This post looks at how to keep track of those open ports, and how to detect when a NEW port starts listening.

Of course, Splunk is an extensible tool that gives you the ability to solve problems like this a number of different ways. The method I’ve chosen to use for this case is the Splunk Key Value Store. This is a new feature in Splunk 6.2 that lets you read and write data within a Splunk app, allowing you to maintain state in that application. Think of storing …

The Splunk App for Stream – Tracking Open Ports for Security and Compliance – Part 1

A customer asked me recently if Splunk can be used to detect when a new port starts listening on a host. This seems like a pretty modest request; in fact it’s one that I get a lot. Being able to identify and track open ports on a system isn’t just a good idea, it’s the law! Well, it is if your organization is affected by compliance with:

– PCI-DSS Sections 1.1 and 2.2
– CIP-007-R1
– CSC 11

And those were just the references I had within arm’s reach!

When I talk to customers about tracking listening ports, a typical conversation can go like this:

“I need to track when a host starts listening on …