Ingest is the foundation, and a best practice in security is to aggregate all your data in one central place so that disparate events on disparate devices and systems can be correlated. This consolidation is important to getting a full view of your environment. It is a little like having all the surveillance cameras displaying their views on a cluster of screens that are monitored by security guards. Having all the logs in one place serves the same purpose in the digital world of cyber security.

Endpoint data is the most essential data type needed to monitor for ransomware. The endpoint is often where an attack begins. Endpoints in this context refer to desktops, servers, laptops, virtual machines, containers, mobile devices, and more. The endpoints that are targeted by ransomware contain files that are important to the business. Many of these endpoints contain rich data that must be monitored and mined to detect a ransomware attack. Some important sources of endpoint data are:

- File create, read, update, delete (CRUD) events.
- Metadata, including integrity checks and alerts, hash values, and similar.
- Antivirus data from products such as Blue Coat, Crowdstrike, Symantec, FireEye, Tripwire, and others.

Other sources could be needed, but the list above represents the most common. Additional data may be needed as new ransomware techniques are found. Getting endpoint data into Splunk involves the use of CIM compliant data via add-ons or Technical Adapters (TA) in combination with universal or, occasionally, heavy forwarders. See the documentation titled Data source planning for Splunk Enterprise Security for more details. You should also reference the Getting Started with Enterprise Security article for more information.

The prerequisite to building correlation searches, which are also called detections, is to know what to look for in the data. That starts with knowing what steps and behaviors ransomware attacks take and how this behavior presents itself in the data. Be aware that threat actors are always developing new ways to gain access, elude detection, establish persistence, and impact systems. That means you must rely on timely threat research that comes from various places, including Splunk's threat research team (STRT). Knowing what to look for begins with knowing the tactics and techniques used by adversaries. Collectively this is known as gathering threat intelligence.

A popular framework for threat intelligence is MITRE ATT&CK, a knowledge base of observed threat behaviors collected from many sources throughout the cyber security community. The content in ATT&CK is constantly evolving as new techniques are discovered. This is a key reason why you must develop a process around using threat intelligence to develop and refine your detections and to stay current. ATT&CK is a good place to start, but there are other frameworks as well, including the Lockheed Kill Chain and the NIST CIS controls. In addition to the frameworks, there are groups called Information Sharing and Analysis Organizations or Centers (ISAO or ISAC).
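As an added example (not code from the original page, Splunk, or STRT), the heuristic below prototypes in Python the kind of correlation search the text describes, run over constructed file CRUD events that use CIM Endpoint.Filesystem field names: a burst of create/modify/delete events in a 5-minute window in which many newly written files carry a ransomware-style extension, tagged with the ATT&CK technique it maps to. The extension watch list, thresholds, hosts and users are assumptions; in Splunk ES the same logic would be expressed as a tstats search over the Endpoint.Filesystem data model.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry) using CIM Endpoint.Filesystem
# field names: _time, dest, user, action, file_path. Hosts and users are made up.
_BASE = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = []
for i in range(60):  # ws-017: each original is deleted and a .locked copy created
    for action, suffix in (("deleted", ""), ("created", ".locked")):
        SAMPLE_EVENTS.append({"_time": _BASE + timedelta(seconds=i), "dest": "ws-017",
                              "user": "jdoe", "action": action,
                              "file_path": f"C:\\Users\\jdoe\\Docs\\report{i}.docx{suffix}"})
for i in range(20):  # ws-042: ordinary editing activity, should not alert
    SAMPLE_EVENTS.append({"_time": _BASE + timedelta(seconds=10 * i), "dest": "ws-042",
                          "user": "asmith", "action": "modified",
                          "file_path": f"C:\\Users\\asmith\\Docs\\notes{i}.txt"})

# Assumed watch list of extensions appended by ransomware; tune for your environment.
SUSPICIOUS_EXT = (".locked", ".encrypted", ".crypt", ".enc")
WINDOW = timedelta(minutes=5)   # same idea as "by _time span=5m" in a tstats search
CRUD_ACTIONS = ("created", "modified", "deleted")

def detect_ransomware_bursts(events, min_events=50, min_suspicious=10):
    """Flag (dest, user, window) groups with a burst of CRUD events in which
    many created/modified files carry a suspicious extension.
    The thresholds are assumed starting points, not vendor defaults."""
    buckets = defaultdict(lambda: {"count": 0, "suspicious": 0, "paths": set()})
    for ev in events:
        if ev["action"] not in CRUD_ACTIONS:
            continue
        # Align the timestamp to the start of its window, like span=5m does.
        window_start = ev["_time"] - (ev["_time"] - datetime.min) % WINDOW
        b = buckets[(ev["dest"], ev["user"], window_start)]
        b["count"] += 1
        b["paths"].add(ev["file_path"])
        if ev["action"] != "deleted" and ev["file_path"].lower().endswith(SUSPICIOUS_EXT):
            b["suspicious"] += 1
    findings = []
    for (dest, user, window_start), b in sorted(buckets.items()):
        if b["count"] >= min_events and b["suspicious"] >= min_suspicious:
            findings.append({"dest": dest, "user": user, "window_start": window_start,
                             "count": b["count"], "distinct_paths": len(b["paths"]),
                             "suspicious": b["suspicious"],
                             "mitre_attack_id": "T1486",  # Data Encrypted for Impact
                             "description": f"{b['suspicious']} files with ransomware-style "
                                            f"extensions among {b['count']} CRUD events on {dest}"})
    return findings
```

Running it over the constructed events produces one finding for ws-017 and none for ws-042; deleted events count toward the burst but not toward the suspicious-extension tally, since the deleted originals carry normal extensions.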