AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Filter by Custom Post Type
Posts

Don’t WannaCry anymore? Tips to prevent, contain and clean up the tears

by and

Without doubt one of the biggest news stories of the past week is the WannaCry ransomware attack, that has infected hundreds of thousands of Windows-based computers in 150 countries. The unprecedented attack has already claimed high profile victims including the UK’s National Health Service, French car manufacturer Renault, and delivery company FedEx in the US among many others – affecting critical business processes in each organization to varying degree.

While this is not the first time that ransomware has successfully infiltrated organizations it is certainly the most widespread variant seen to date. And as a result, it has prompted many organizations to urgently look at what they can to do to contain and limit their exposure to this threat.  

Track, connect, contain and neutralize

First and foremost, the NSA-discovered vulnerabilities were patched by Microsoft several months ago (shortly after their disclosure on Wikileaks). By now your vulnerability scanners should be able to check which of your servers are vulnerable: so make sure to scan all your windows servers, and formulate a plan to install the latest patches on them.

Additionally, through an integration with the leading vulnerability scanners AlgoSec ties the data from the scanners to business processes that potentially could be impacted by a WannaCry attack. This linking is especially valuable if the processes affected are critical to key business functions – or handle regulated data such as personally-identifiable information. With this critical intelligence, you can prioritize the patching the most business-critical vulnerable servers – ideally at a time when business operations won’t be disrupted – before a ransom attack strikes.

Next, you need to ensure that you’ll be able to detect a ransomware attack early on. Clearly employees will report when their computer lock up, but you probably have technological monitors that can log anomalous behavior (such as intensive file activity) sooner – and these alerts should be forwarded to your SIEM. The Security Operating Center (SOC) staff tracking the SIEM need to be aware – and take swift action if a ransomware attack is detected. Through an integration with SIEM systems, AlgoSec ties the impacted servers to the business processes that rely on them – and also allows SOC operators to quickly isolate or shut down impacted servers, to stop the malware from spreading.

Back to basics

While there’s not much else you can do after you’ve been attacked, there are numerous security best practices that can prevent, or at least greatly reduce, the impact of the next ransomware attack:

  • First and foremost, segment your network to contain the ransomware and prevent it from proliferating laterally across the network and accessing network shares which store sensitive data. While WannaCry exploited new zero-day vulnerabilities to hijack vulnerable servers – the network traffic services that allow the malware to spread are based on the SMB ports, that are known to be risky for at least 15 years. If you don’t already segment your network, now’s a good time to start, and once you do – AlgoSec can help ensure that such malware-spreading ports are blocked between zones.
  • Backup regularly and take data offline – data that isn’t constantly in use should be taken off-line or separated and stored on another device. Spreading data around will minimize the potential impact of an attack. And of course, back up your data very regularly.
  • Secure all devices – make sure security patches as well as anti-malware/virus, host intrusion prevention are up to date. While these applications are not watertight they can protect against many of the most common attacks. All the leading antivirus and malware protection vendors updated their programs within hours of the onset of the WannaCry attack.
  • Keep tabs on critical processes – continuously monitor critical business processes to detect any vulnerabilities, risks, network connectivity problems, or compliance violations. If any security issues are flagged, prioritize remediation so that problems are immediately addressed.
  • Link SIEM and vulnerability scanner data to business processes – we previously suggested this practice as a way to contain the impact of a ransomware attack, but it should also be part of your on-going security strategy. By tying vulnerabilities to the relevant business processes, you can proactively fix any problems – such as patching an out of date server – before ransomware (or other types of attacks) can penetrate your security perimeter and impact your business. Likewise, by identifying suspicious activity through your SIEM logs and tying it to the relevant business processes, you can investigate, map and neutralize an attack before any damage is done.
  • Educate and practice safe surfing – Last, but not least, security awareness must be part of your organization’s DNA. Have a well-organized, well-understood, well-maintained, and well-monitored security policy for both insiders and outsiders, and make sure they undergo periodic training that includes regular reminders about the perils of phishing emails and suspicious websites. 

The punches keep coming

Lastly, another detrimental side effect of a ransomware attack, which I believe has not yet been fully realized, is its impact on regulatory compliance – something the UK’s NHS needs to be thinking about as it recovers from WannaCry. As I previously noted:

“Ransomware that encrypts personal data could present a serious regulatory compliance problem for organizations. According to guidance from the U.S. Department of Health and Human Services, if patient records are encrypted by ransomware, it is now considered a reportable violation under HIPAA, even if the scrambled data never actually leaves the network.  If similar measures start to apply to other regulated sectors too – such as banking, financial services and retail – it would make a successful ransomware attack far costlier in both remediation and compliance violations.”

Ransomware attacks have been around for over a decade, but the sheer scale of WannaCry has made it headline news all over the world. It is finally forcing both security and business people to recognize and take seriously the potential reachability of this type of attack, as well as the enormous damage it can do in terms of costs, business disruption and reputation. And while it’s a small comfort, I think it’s a blessing in disguise. So, dry your eyes, and get to work!

For some additional comments on ransomware, please see these recent posts:

Subscribe to Blog

Receive notifications of new posts by email.