Our Response to WannaCry Ransomware Attack

Sovereign Systems

by Sovereign Systems

Many of you have asked how Sovereign’s architectural approach to security is positioned to help protect your organization from worm-based ransomware, such as the WannaCry variant. Below is a high-level summary of the WannaCry outbreak, including an explanation of the role the relevant cybersecurity components play in protecting your organization from such outbreaks.

What Happened:

The WannaCry ransomware attack is an ongoing cyberattack by the WannaCry ransomware cryptoworm, which targets the Microsoft Windows operating system, encrypting data and demanding ransom payments in the cryptocurrency bitcoin.

The attack started on Friday, May 12, 2017 and has been described as unprecedented in scale, infecting more than 230,000 computers in over 150 countries. The worst-hit countries are reported to be Russia, Ukraine, India, and Taiwan, but parts of Britain’s National Health Service (NHS), Spain’s Telefónica, FedEx, Deutsche Bahn, and LATAM Airlines were hit, along with many others worldwide.

Ransomware usually infects a computer when a user opens a phishing email. Although such emails have been alleged to be used to infect machines with WannaCry, this method of attack has not been confirmed. Once installed, WannaCry uses the EternalBlue exploit and DoublePulsar backdoor developed by the U.S. National Security Agency (NSA) to spread through local networks and remote hosts that have not been updated with the most recent security updates, directly infecting any exposed systems. A “critical” patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, nearly two months before the attack, but many organizations had not yet applied it.

Those still running older, unsupported operating systems, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft has now taken the unusual step of releasing updates for these operating systems for all customers.

To prevent exposure to this known ransomware, the following steps should be taken immediately:

  1. Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
  2. In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic to those ports.

Sovereign’s Role in the WannaCry Kill Chain:

There are no silver bullets against today’s advanced attacks. Securing an organization against a multi-vector attack requires a security architecture, not any single solution. As we have seen time and time again, a tool that is successful today won’t be against the next outbreak as the attackers and their tactics evolve. To stay ahead of the next wave, and not just catch up to the last attack, you need multiple layers of defense that can coordinate and share intelligence to ultimately mitigate threats. Let’s look at some of the layers that will help prevent this type of attack from happening:

Patching standards: The original Microsoft patch was released on March 14, 2017, so organizations can help minimize risk by staying up to date with their patching levels. By using tools that automate the push of security updates to production workloads after testing, most companies would have averted any further damage from this outbreak.

If this has not occurred, however, let’s look at other options that customers should deploy to help prevent this and other outbreaks from occurring.

CMDB: Customers should have a Configuration Management Database (CMDB) that is updated via an automation tool to maintain a current repository of all company assets. An Excel spreadsheet that is manually updated by an internal IT team brings risk to the entire company. Having an accurate CMDB at your fingertips allows customers to quickly identify potentially risky assets and deliver a solution to remediate those assets.
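As an added example of what "quickly identify potentially risky assets" looks like in practice, the script below triages a CMDB export against the two immediate steps listed above (MS17-010 applied, SMB not reachable from the internet) and the unsupported-OS caveat. It is not part of the original post or Sovereign's tooling; the CSV layout, the column names, the hostnames and the idea that the CMDB records applied bulletins by bulletin id (rather than per-OS KB number) are all assumptions.

```python
"""
Triage a CMDB export for WannaCry exposure (added example, not from the post).

Assumed export format (constructed): CSV with columns
    hostname,os,applied_bulletins,smb_internet_exposed
where applied_bulletins is a ';'-separated list of Microsoft bulletin ids.
"""
import csv
import io
from dataclasses import dataclass
from typing import List

# Named in the post as out of support at the time of the outbreak.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}
REQUIRED_BULLETIN = "MS17-010"


@dataclass
class Finding:
    hostname: str
    severity: str          # "critical" | "high" | "medium"
    reasons: List[str]


# Constructed sample export; hostnames and values are illustrative only.
CONSTRUCTED_CMDB_CSV = """hostname,os,applied_bulletins,smb_internet_exposed
fs01,Windows Server 2012 R2,MS17-010,no
legacy-lab,Windows XP,,yes
ws-042,Windows 7,,no
dmz-share,Windows Server 2008 R2,,yes
print-srv,Windows Server 2012,MS17-010,yes
ws-100,Windows 10,MS17-010,no
"""


def triage(csv_text: str) -> List[Finding]:
    """Return findings ordered critical -> high -> medium, then by hostname.

    critical: MS17-010 missing AND SMB reachable from the internet
    high:     MS17-010 missing (internal only)
    medium:   patched, but SMB still exposed to the internet
    Hosts that are patched and not exposed produce no finding.
    """
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        applied = {b.strip() for b in row["applied_bulletins"].split(";") if b.strip()}
        exposed = row["smb_internet_exposed"].strip().lower() == "yes"
        missing_patch = REQUIRED_BULLETIN not in applied
        reasons: List[str] = []
        if missing_patch:
            reasons.append(f"{REQUIRED_BULLETIN} not applied")
        if row["os"] in UNSUPPORTED_OS:
            reasons.append(f"unsupported OS ({row['os']}): apply Microsoft's out-of-band update")
        if exposed:
            reasons.append("SMB (139/445) reachable from the internet: block inbound")
        if not reasons:
            continue
        if missing_patch and exposed:
            severity = "critical"
        elif missing_patch:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(row["hostname"], severity, reasons))
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (rank[f.severity], f.hostname))
    return findings


def triage_hostnames(csv_text: str) -> List[str]:
    """Convenience wrapper: just the ordered hostnames needing action."""
    return [f.hostname for f in triage(csv_text)]


if __name__ == "__main__":
    for f in triage(CONSTRUCTED_CMDB_CSV):
        print(f"[{f.severity.upper():8}] {f.hostname}: " + "; ".join(f.reasons))
```

The ordering is the point: an internet-exposed, unpatched host is what the worm reaches first, so it goes to the top of the ITSM queue; an exposed but patched host still violates the port-blocking step and gets a lower-priority ticket.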

ITSM: With a proper IT Service Management (ITSM) solution in place, companies can mobilize the correct resources to remediate the security events and maintain company SLAs during this process via an automated response. It is critical to have an automated workflow that avoids human delay and error, so that the proper actions are taken during this time-sensitive work.

Endpoint Protection: Customers need to employ endpoint protection that has threat detection capabilities. If the endpoint protection is fed by the security intelligence community with information on what threats are being seen worldwide, the customer will receive these updates much faster, so the endpoints will be able to recognize the threat and place the questionable file into quarantine even if the proper Microsoft patching has not been applied to the machine.

Endpoint detection and response should consist of four primary capabilities that provide deep visibility and control:

  • Threat Intelligence: Utilize the security community to help uncover threats
  • Sandboxing: Advanced sandboxing capabilities to perform automated static and dynamic analysis of files against hundreds of behavioral indicators to uncover stealthy threats
  • Point-in-Time Malware Detection and Blocking: Using one-to-one signature matching, machine learning, and fuzzy fingerprinting to catch and block known and unknown malware in real-time
  • Continuous Analysis, Retrospective Security, and Remediation: Once a file enters your network, continue to watch, analyze, and record its activity, regardless of the file’s disposition. If malicious behavior is spotted later, send your security team a retrospective alert that contains the complete recorded history of the threat: where the malware came from, where it’s been, and what it’s doing. This gives you the control to contain and remediate it.

Network Threat Protection: Customers need to employ next-generation threat protection that will determine whether a payload is malicious. Next-Generation Firewalls (NGFW) or deep packet inspection at internal network segmentation points could have prevented the file from moving laterally across those points. Coupled with communication to the worldwide security community, clients could share common threat information. The moment this WannaCry variant was discovered on patient zero, the network would block the file, preventing its lateral spread across the network.

Network Behavior Analysis: Customers can utilize the functionality of the network to report anomalous behavior across the network. By using NetFlow, customers have visibility into behavior that does not match the usual pattern of daily traffic. As the worm, using the EternalBlue exploit, began unusual probing across port 445 to discover vulnerable machines, NetFlow/behavior analytics would recognize the anomalous behavior and quickly alert on the suspicious activity.
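As an added example of the detection logic this paragraph describes (not code from the original post or from any Sovereign product), the script below runs a simple sliding-window analysis over NetFlow-style records: a source that reaches an unusually large number of distinct peers on TCP/445 within a short window is flagged as a probable SMB sweep, while a workstation that talks repeatedly to the same file server on 445 is not. The record layout, the sample flows, the 60-second window and the ten-peer threshold are all constructed assumptions; in a real deployment the threshold comes from the site's own baseline.

```python
"""
Sliding-window detection of SMB (TCP/445) sweeps in NetFlow-style records.

Added example, not from the post. Record format, sample data, window and
threshold are assumptions; tune the threshold against your own baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

SMB_PORT = 445
WINDOW_SECONDS = 60            # assumed detection window
DISTINCT_PEER_THRESHOLD = 10   # assumed: this many distinct 445 peers in a window = sweep


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since epoch (constructed values below)
    src: str
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    nbytes: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed flow line: ts,src,dst,dport,proto,bytes."""
    ts, src, dst, dport, proto, nbytes = line.strip().split(",")
    return Flow(int(ts), src, dst, int(dport), proto.lower(), int(nbytes))


# Constructed sample export. 203.0.113.5 is a documentation address.
SAMPLE_FLOW_LINES: List[str] = (
    # a workstation talking to its file server again and again: one peer, not a sweep
    [f"{1000 + i * 5},10.0.1.5,10.0.0.10,445,tcp,{4000 + i * 100}" for i in range(12)]
    # web traffic: ignored, not port 445
    + [f"{1000 + i * 7},10.0.1.7,203.0.113.5,443,tcp,1500" for i in range(6)]
    # a few legitimate SMB servers touched by one admin host: under the threshold
    + [f"{1100 + i * 3},10.0.1.9,10.0.0.{11 + i},445,tcp,2200" for i in range(3)]
    # a sweep: one source probes 15 distinct hosts on 445 within seconds
    + [f"{1020 + i},10.0.1.20,10.0.2.{i + 1},445,tcp,120" for i in range(15)]
)


def detect_smb_sweeps(flows: Iterable[Flow],
                      window: int = WINDOW_SECONDS,
                      threshold: int = DISTINCT_PEER_THRESHOLD) -> Dict[str, dict]:
    """Return {src: {"distinct_peers", "first_ts", "last_ts"}} for every source
    that contacted >= `threshold` distinct hosts on TCP/445 within `window` seconds.

    For each source the 445 flows are sorted by time and a window slides over
    them; the alert keeps the largest peer count seen for that source.
    """
    per_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == SMB_PORT:
            per_src[f.src].append(f)

    alerts: Dict[str, dict] = {}
    for src, smb_flows in per_src.items():
        smb_flows.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(smb_flows)):
            while smb_flows[end].ts - smb_flows[start].ts > window:
                start += 1
            peers = {f.dst for f in smb_flows[start:end + 1]}
            if len(peers) >= threshold:
                prev = alerts.get(src)
                if prev is None or len(peers) > prev["distinct_peers"]:
                    alerts[src] = {
                        "distinct_peers": len(peers),
                        "first_ts": smb_flows[start].ts,
                        "last_ts": smb_flows[end].ts,
                    }
    return alerts


def run_sample() -> Dict[str, dict]:
    """Run the detector over the constructed sample flows."""
    return detect_smb_sweeps(parse_flow_line(l) for l in SAMPLE_FLOW_LINES)


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"ALERT possible SMB sweep from {src}: {info['distinct_peers']} distinct peers "
              f"on 445 between t={info['first_ts']} and t={info['last_ts']}")
```

Counting distinct destinations rather than raw flow volume is what separates a sweep from a busy but legitimate SMB client; the same structure extends to other worm-favoured ports by changing `SMB_PORT`, and to UDP/137-139 by relaxing the protocol check.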

Security Policy Enforcement: Customers could use a policy enforcement engine that is able to initiate a Windows update on non-compliant endpoints to keep them up to date. This would let security teams know whether clients on Microsoft-supported Windows versions are already protected from this cyberattack. You must know what is present on the network to be able to create policy enforcement that remediates the issue. The policy enforcement engine allows customers to enforce security policy on all clients connected to the network at any time, regardless of whether they are wired or wireless.

DNS Security: DNS is typically the first method of communication for any malware threat as it tries to call home. By deploying DNS-layer security, you will be able to stop most threats before the spread occurs.

Summary:

Unfortunately, there are no silver bullets against today’s advanced attacks. Securing an organization requires a deeply layered security approach that looks at all threat vectors and addresses each of them with equal importance. This has been a disruptive event for many organizations throughout the world, but it will not be the last. By leveraging a layered security model, your organization will be much better prepared to deal with WannaCry and the future threats that will be released.

If there’s anything we can do or questions we can answer, please don’t hesitate to reach out to our team.

Written by: Tony Jaroszewski, Gray Griffith and Steve Fox