Encouraging organizations to follow the usual security best practices didn’t prevent the spread of WannaCry. Let’s acknowledge that and focus on new ideas that will.
In the aftermath of the WannaCry ransomware outbreak, a familiar pattern is beginning to play itself out. Now that we all know the general details behind how WannaCry infections were initiated and spread (by exploiting a known vulnerability that Microsoft patched back in March), initial alarm and concern is gradually giving way to an expected reaction from the security community.
“How could they not have patched yet?” “Why are they still running Windows XP?” “Who leaves port 445 open to the Internet?”
Before we go blaming the estimated 300,000 victims for bringing this attack on themselves, and before we pigeonhole the cause of the attack as simple negligence, we should consider that overly simplistic assessments may be part of the reason these attacks appear to be so frustratingly “inevitable”.
The real revelation of the WannaCry outbreak isn’t that there are a staggering number of outdated and unsecured systems out there, it’s that anyone believes that making the same old pleas and showering victims with blame will change anything.
If you read most recommendations from security vendors and experts in response to this attack out loud, you’ll sound like a broken record: Patch regularly. Don’t use outdated systems. Update your antivirus. Tell users not to click on things. Run backups.
These are all good pieces of advice. So are “Get more exercise,” “Avoid sweets,” and “Obey the speed limit.” But when the rubber meets the road, as it has in the WannaCry outbreak, they sound like security industry platitudes, not solutions. At best, they’re proved difficult to follow in the face of competing business pressures. At worst, they fail to address the real issues that leave companies vulnerable as we watch for repeat and copycat attacks undoubtedly coming down the pike.
So, rather than repeat these same old recommendations and throw up our hands when no one seems to listen, let’s break them down, describe where they fall short, and suggest alternatives that will help companies to take more productive steps toward protecting themselves.
Updating the 5 Most Common Recommendations for Protecting Your Company from the Next WannaCry
Current advice: “Keep all systems up to date with all patches.”
Better advice: “Treat security patches seriously.”
WannaCry was able to spread far and wide by utilizing an exploit called ETERNALBLUE, one of the NSA hacking tools leaked by a group called the Shadow Brokers in April. Microsoft released a patch addressing the vulnerability that ETERNALBLUE targets in March (MS17-010). Following the WannaCry outbreak, it also took the unusual step of rolling out additional patches for older versions of Windows. Without question, applying a patch to address this vulnerability and others is a critical part of security and system management. But there are some valid reasons why companies take an average of 100-120 days to patch vulnerabilities.
Deploying patches across enterprise environments can pose significant logistical challenges. In some industries, like healthcare, system stability and availability are critical, requiring additional testing for any system update. In most cases, particularly when some systems only connect intermittently, it is difficult to know with 100 percent certainty that all systems have been patched. This patching advice is good, but it doesn’t consider how difficult and complicated it can be.
This does not relieve the organization of their responsibility to be aware of the issue. Vulnerability patches should always be reviewed with maximum priority. Any decision to delay deployment should only occur when there is informed discussion and consent among business, security, and IT teams. If it is necessary to delay deployment to accommodate testing, mitigating controls should be implemented to eliminate exposure of the vulnerable system or service.
Keeping systems up to date is ideal, but when reality makes that impossible, there needs to be transparency to the nature of the risk and accountability for protection in the interim.
The Shadow Brokers, who released ETERNALBLUE and other exploits, have announced that more exploits are coming on a monthly basis. This means that these update plans and processes are needed now to take control of vulnerability and patch management before the next attack occurs.
One thing to do if you can’t patch immediately: In the current situation with ETERNALBLUE, you may need to disable SMB or more tightly manage network access to it until you are able to patch. Doing so will protect you from any additional ETERNALBLUE attacks, or any other exploit targeting SMB. You should also reassess your access policy to ports 445 (SMB) and 3389 (RDP). Both have become popular entry points for attackers (see attacks deploying Dharma, CrySiS, and SamSam ransomware).
2) System updates
Current advice: “Replace all outdated machines and legacy systems.”
Better advice: “Highlight security when you justify system refreshes.”
It’s the rare organization that gets all the equipment they want, has the money for all the software they need, and has the time and infrastructure required to keep it all up to date. We can shake our head at the systems still running Windows XP all we want, but the truth is having the time and resources to update or replace every system on the network is a luxury many organizations simply can’t afford.
Security has got to become a peer-level concern with speed and functionality. The announcement of discontinuation in software updates, which will naturally include security fixes, should be an immediate trigger to plan affected systems for refresh.
What to do if you can’t replace or update outdated systems in time: If business realities force the continued use of insecure outdated systems, consider isolating them on their own network segment. Proxy any connection to them through a single more modern system or strictly limit the types of traffic that they can consume and produce. And keep their existence and vulnerability top of mind with your management team at every opportunity.
Current advice: “Run updated antivirus.”
Better advice: “Strengthen endpoint protection.”
In the days since the initial outbreak of WannaCry, most AV vendors have been able to gradually add signatures that block it, successfully protecting their customers from this particular variant. Updating antivirus is important, as it will keep protection current with known threats, but it doesn’t protect from future variants. When the next outbreak contains a new variant (more than 240,000 were spotted in 2016 alone), there will again be a gap in protection between when the new variant is first identified and when a signature is created and deployed.
What to do instead of waiting for your AV protection to apply to the next attack: Invest in endpoint security that leverages additional approaches to block new or zero-day attacks. As an example, Barkly’s runtime malware defense blocked both the WannaCry ransomware payload and the ETERNALBLUE exploit automatically by recognizing and blocking known malicious behaviors as they attempted to execute. It’s an approach that works even when dealing with new malware variants that have never been seen before.
4) User awareness
Current advice: “Teach users not to click on any suspicious links or attachments.”
Better advice: “Make users part of your protection strategy.”
Many attacks involve users executing payloads, and training users to recognize the tell-tale signs of a phishing emails and websites is certainly a worthwhile pursuit. In the case of WannaCry, however (and other attacks targeting vulnerable network services), no user interaction is required for infection to take hold and spread.
Help your users to understand more than just the basics of their own internet use hygiene. Encourage users to be conscious of unusual activity on their systems, and make sure they feel safe to report that their systems may have become infected. It’s a long-term investment that requires time and consistent effort if you want it to pay off.
What to do in addition to training:
While informed users can be a crucial line of defense when it comes to email-based attacks, today’s sophisticated social engineering and phishing attacks have created a need for safety nets to protect them when they slip and make a mistake. Those safety nets can include user access controls, software restriction policies, backup, and runtime malware defense to block any user-triggered malicious activity in real-time.
Current advice: “Do more backups!”
Better advice: “Do backups and more.”
If there’s a silver lining to the rise of ransomware, it’s that more companies are wisely investing in backup than ever before. That said, it’s dangerous for companies to believe that backup will always be able to save the day. While backup can restore encrypted files to a previously known state, backup alone is not a complete solution.
Here are some areas to think about when making additional investments in backup, and in justifying the need to do more:
- Invest in understanding true backup coverage: Most backups aren’t 100% complete. Less than half of organizations hit with ransomware report being able to recover all the data that was encrypted with backup. Identify resources that may not be covered, or the potential delays that may be introduced between the last backup and a current attack.
- Backups are only good if your problem is getting the data back. If an attack has done more than simply encrypt your files, you may have a much larger problem. If the attack also brought your system down or caused service outages, then spending hours or days to get machines back up and running is not acceptable. Even with backups, getting everything completely back to normal can run up considerable costs.
- Ransomware doesn’t always travel alone. Ransomware succeeds by very visibly corrupting a system and equally visibly demanding payment. Lately, though, attackers have been packaging it alongside additional payloads like keyloggers that steal victim credentials and remote access Trojans that turn the infected machine into a bot. In these cases, victims may be able to recover their encrypted files while remaining oblivious to the fact they’re still infected.
- Recovering from backups doesn’t change the fact your system was compromised. Backups can help you recover from the damage caused by an infection, but they can’t undo the fact an infection took place, and they don’t do anything to prevent it from happening again. That’s especially relevant for organizations in regulated industries like healthcare, where HIPAA dictates ransomware attacks have to be publicly disclosed and reported as data breaches.
What to do instead of relying solely on backup:
Pair backup with solutions designed to effectively prevent successful attacks in the first place, before they do something that can't be recovered from by simply restoring lost or encrypted files. Maintain a consistent view of existing system operations and traffic, using local and network-based monitoring technologies like AlienVault® Unified Security Management™ (USM™), to recognize unexpected bot traffic, data exfiltration, or system misbehavior.
Moving beyond best practices and making your own plan
In the wake of this outbreak, organizations are stepping back and taking stock of their security. Is what they have good enough? Would it have protected them, or did it in fact fail them? What do they need to be more secure against these types of attacks?
Most have substantial investments in defenses like antivirus, next-generation antivirus, firewalls, and backup. As we look ahead to the next attack, it’s clear that organizations don’t just need to do more; they need to do “different”. That means taking different approaches to understanding their risk, applying different measures to their ability to patch or refresh systems and evaluating different protections to block, detect and respond to the next WannaCry, which we all know is coming.