The security industry was left shaken by the malware outbreak dubbed WannaCry. Starting on May 12, the attack rapidly spread to hundreds of countries, holding hundreds of thousands of computer systems hostage via a ransomware virus. The attack was slowed somewhat accidentally by a cybersecurity researcher who, during the course of his investigation, registered and sinkholed a domain being leveraged by the malware.
The WannaCry outbreak had very real consequences for thousands of businesses and public entities, including panic, downtime, productivity loss, and locked files. A significant global attack like WannaCry is a startling wake-up call for security teams and executives, especially those who know their systems are vulnerable. Companies should take this opportunity to review their endpoint security architecture and try to better understand the role of the various defense layers that comprise it.
This is a good time to discuss questions like: What controls could have dampened the worm’s propagation? What measures could have been effective at preventing the infection? How might these security controls work or fail in future against copycat variations of this attack?
A globally successful malware attack that exploits a known Microsoft vulnerability should come as no surprise. Ransomware incidents have spiked in recent years, with global damage costs increasing from $325 million in 2015 to a projected $5 billion in 2017. According to a recent SANS Institute report, malware programs capable of evading detection rose 2000% in one year (2014-2015).
Evasive techniques enable malware authors to bypass firewalls, gateways, and sandbox discovery tools. Configuration techniques like extended sleep and fast flux are the most common. Legacy systems, third-party devices and poorly administered computers are often hit hardest.
Take time to review: confirm that endpoint defenses across the enterprise are in place, functioning as expected, and complementing each other in a way that creates fail-safes and feedback loops. More emphasis should be placed on prevention as a primary defense; detection methods have often proven to be too little, too late and the required remediation drains resources.
The approaches to mitigating WannaCry-type incidents are generally known and can be executed with free and commercial tools. Recognize that in any given attack, some security components might fail and plan ways to compensate. In the case of ransomware attacks, backing up data that might be targeted is an essential defense. Patch management, network segmentation, and baseline anti-malware protection establish resilient environment:
Segment the network and block unnecessary protocols. WannaCry attacked over the SMB protocol. Microsoft recommends not using this protocol, but if you still need to, be sure to block access from outside the organization.
Keep up with security patches. WannaCry exploited a Microsoft Windows vulnerability that has been available for some time. Some machines cannot be patched quickly enough, and sometimes can’t be patched at all. In this case, be sure to harden the unpatched machines.
Install and regularly update anti-malware software. From the beginning, anti-virus vendors were successfully identifying WannaCry components as malicious.
It’s also critical to examine what defenses your organization has in place to block stealthy attack methods designed to evade these baseline mechanisms. This forces malware authors to “pick their poison”.
If they design malware with evasive capabilities, prevention-oriented approaches can simulate an environment of security tools whose presence paralyzes evasive malware and forces it to abort the attack before any damage is done. If the attacker doesn’t implement stealthy techniques, baseline anti-virus will block the specimen.
In the case of WannaCry, it appears the attacker didn’t implement evasion techniques. However, future derivatives might use techniques like sandbox avoidance and memory injection. To prepare, it is critical to have a prevention-oriented solution in place that can outmaneuver evasive technique(s). By combining a preventative malware-neutralizing approach with baseline anti-virus solutions, organizations will be protected regardless of which development path malware authors take.
The WannaCry outbreak highlights the challenges of defending legacy systems and services that are hard to protect without impeding performance, violating contracts, or inconveniencing users. Attackers are well aware that systems missing patches are often also missing baseline antivirus and other endpoint defenses; worms like WannaCry are optimized for rapid propagation through vulnerable machines.
Organizations can contain the spread of malware on legacy systems by employing malware vaccination to stabilize the situation. In fact, any enterprise not yet using an anti-evasion solution can immunize themselves against fast-spreading worms with vaccination.
New approaches that simulate infection markers are proving to be more effective in real world scenarios. Centrally managing vaccination through simulated infection markers eases deployment and preserves performance and forensics capabilities.
Defenses like infection markers and sandbox malware analysis are computationally intensive and thus impractical for universal or continuous deployment. Detection-based solutions aren’t foolproof and generate false positives and alerts that have to be sorted and prioritized. Prevention-based solutions that account for evasive techniques can be extended to every endpoint via low-footprint agents that neutralize malware before it ever executes itself.
To build sustainable cybersecurity programs that leave our organizations well defended and resilient, we have to find broadly applicable ways to outwit attackers at their own game, turning their techniques into countermeasures and frustrating their efforts at every turn by strategically layering on a variety of defenses.
Evasive malware prevention solutions are a prime example of how creative countermeasures can enhance and extend the effectiveness of baseline cybersecurity practices.