5 Fundamentals for Mitigating the Risk of Laterally Spreading Malware

A wormable vulnerability that has been compared to WannaCry has prompted Microsoft to release software updates for older and unsupported Windows operating systems.

According to Brian Krebs on his site Krebs on Security:

“The vulnerability (CVE-2019-0708) resides in the ‘remote desktop services’ component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates.

Microsoft said the company has not yet observed any evidence of attacks against the dangerous security flaw, but that it is trying to head off a serious and imminent threat.”

Mr. Krebs cites Simon Pope, director of Incident Response for the Microsoft Security Response Center, as saying:

“This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.”

WannaCry hit older Windows systems particularly hard, especially those that were not current with patches and updates. The malware infected hundreds of thousands of machines in 150 countries, according to Mr. Krebs. There are reports suggesting that many computers still remain susceptible to a WannaCry infection; healthcare and municipal governments are examples.

Similarities and Differences to WannaCry

The newer vulnerability, since dubbed “BlueKeep,” is similar to WannaCry in its worm-like capacity to move laterally. However, it differs in that it may be easier to exploit, writes Chris Goettl in a piece published on ISBuzz News:

“Unlike WannaCry, this threat is seen as extremely easy to exploit. It took a leaked NSA tool to exploit the WannaCry vulnerability, whereas the fear with BlueKeep is that it will be much easier to take advantage of. And, with a patch now available you can bet there are cyber adversaries who are reverse engineering the patch as you read this, getting ready to exploit organizations and individuals alike.”

While Microsoft has published an update that addresses BlueKeep, a significant number of machines remain vulnerable. Writing for ZDNet, security reporter Catalin Cimpanu noted:

“Nearly one million Windows PCs are vulnerable to BlueKeep, a vulnerability in the Remote Desktop Protocol (RDP) service impacting older versions of the Windows OS. This number comes to put initial fears into context – that over seven million devices were in danger – although the danger remains present, as one million devices are still nothing to joke about.”

5 Fundamentals for Mitigating the Risk of Laterally Spreading Malware

The question remains: what can you do to prevent, reduce or mitigate the risk of laterally spreading malware? There is no shortage of viewpoints, ranging from upgrading to a modern infrastructure to adding automated backups to the cloud in case of compromise. From our perspective, looking through the lens of network security, there are five steps that can be taken proactively to defend against laterally spreading malware.

1) Improve patch management collaboration.

Patching systems when a software update is released seems like an obvious step, but it is a challenge in large organizations. Many have complex IT infrastructures, and patches can have unintended consequences. For example, a patch might plug a security hole while disrupting a process associated with another critical business application.

This is why many development operations (DevOps) teams in large enterprises have implemented change management systems: methodical, and often deliberately slow, processes for testing new patches before implementing them in a production environment. In 2018, it took organizations an average of 38 days to patch vulnerabilities, and 34 days to patch even the most critical ones. Improving collaboration between the security and DevOps teams can help bring the time-to-patch down.

There does seem to be room for improvement too. A survey of network security professionals we published found views of the relationship between security and DevOps were divided into near-equal thirds:

  • 34% indicated the security relationship with DevOps is strong;
  • 35% were neutral – the relationship is neither strong nor weak; and
  • 27% indicated the security relationship with DevOps was weak.

>>> Also see: How is the Relationship between DevOps and Cybersecurity?

2) Segment your network.

Network segmentation is good practice for data loss prevention, and it also helps defend against laterally moving malware. This is one of the lessons from the likes of WannaCry and Petya that applies to BlueKeep and any wormable malware. For BlueKeep specifically, that means restricting TCP port 3389 (the port RDP listens on) between segments to the hosts that actually need it. One expert we interviewed about the security challenges in healthcare pointed out that segmenting critical data, and even separating out guest Wi-Fi networks, are simple steps that can make a difference.

>>> Also see: Considerations for Planning, Structuring and Deploying a New Network Security Strategy

3) Instrument choke points on your internal network.

The security community uses phrases like “zero-trust” and “assumed breach” to convey, in part, that the days of inspecting traffic solely at the perimeter are long gone. You can’t trust packets merely because they are on your network. Since most threat intelligence subscriptions push detection rule updates to monitor for exploitation of newly announced vulnerabilities, instrumenting key choke points on your internal network is a useful technique for mitigating the risk of laterally moving malware.

>>> Also see: The Race Against Time Between Vulnerability and Patch

4) Use multiple methods of detection.

Modern threats require comprehensive threat detection that employs multiple detection techniques running concurrently, including signatures, anomaly detection and artificial intelligence, to identify zero-day threats and variants. When these techniques are integrated on the same appliance used to instrument a network, their output can be correlated, which improves detection and reduces false positives.
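To make points 2 through 4 concrete, here is a worked example of what a detector at an internal choke point might compute over connection logs. This is example code added for this edit, not code from the original post and not Bricata’s product logic. It assumes a constructed segment plan (the three CIDR ranges below) and constructed Zeek-style conn.log lines; the only BlueKeep-specific fact it relies on is that RDP listens on TCP port 3389. It combines a signature-style rule (RDP crossing a segment boundary) with an anomaly-style rule (one host fanning out to many RDP targets in a short window, which is what a worm scanning for vulnerable neighbors looks like on the wire). The fan-out logic generalizes to any port, which goes beyond the post’s RDP-only discussion.

```python
"""Flag worm-like lateral RDP movement in connection-log records (example, not product code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

RDP_PORT = 3389  # TCP port the Remote Desktop Protocol listens on

# Constructed segment plan: an assumption of this example, not the post's network.
SEGMENTS = {
    "user-lan": ip_network("10.10.0.0/16"),
    "server-lan": ip_network("10.20.0.0/16"),
    "guest-wifi": ip_network("192.168.50.0/24"),
}

# Constructed Zeek-style conn.log records (space separated):
# ts  src  sport  dst  dport  proto  conn_state
# 10.10.4.21 sweeps five servers on 3389 in ~30 s; most attempts fail (S0/RSTO),
# which is typical of a scanner hitting hosts that refuse or never answer.
SAMPLE_LOG = """\
1558000001.1 10.10.4.21 51002 10.20.1.5 3389 tcp SF
1558000002.3 10.10.4.21 51003 10.20.1.6 3389 tcp RSTO
1558000003.1 10.10.4.21 51004 10.20.1.7 3389 tcp S0
1558000004.8 10.10.4.21 51005 10.20.1.8 3389 tcp RSTO
1558000030.2 10.10.4.21 51006 10.20.1.9 3389 tcp SF
1558000010.0 10.10.4.30 49211 10.20.1.5 3389 tcp SF
1558000011.0 10.10.4.30 49212 10.10.4.31 445 tcp SF
1558000012.5 192.168.50.12 40001 10.20.1.5 3389 tcp REJ
1558000013.0 203.0.113.7 60000 10.20.1.5 3389 tcp S0
1558000900.0 10.10.4.30 49300 10.20.1.6 3389 tcp SF
"""


def parse_conn_log(text):
    """Parse the simplified conn.log format above into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, state = line.split()
        records.append({"ts": float(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto, "state": state})
    return records


def segment_of(ip):
    """Return the segment name containing ip, or None if it is outside the plan (e.g. external)."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def cross_segment_rdp(records):
    """Signature-style rule: any TCP/3389 flow between two *different* internal segments.

    External sources are left to the perimeter; this rule is about lateral movement only.
    """
    hits = []
    for r in records:
        if r["proto"] != "tcp" or r["dport"] != RDP_PORT:
            continue
        src_seg, dst_seg = segment_of(r["src"]), segment_of(r["dst"])
        if src_seg and dst_seg and src_seg != dst_seg:
            hits.append({**r, "src_seg": src_seg, "dst_seg": dst_seg})
    return hits


def rdp_fanout(records, threshold=4, window=60.0, port=RDP_PORT):
    """Anomaly-style rule: an internal source reaching >= threshold distinct hosts on `port`
    within any `window` seconds. Returns {src: max_distinct_targets_in_window}."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == port and segment_of(r["src"]):
            by_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over time-ordered events
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


def lateral_rdp_alerts(text):
    """Run both rules over a log and return their results together."""
    records = parse_conn_log(text)
    return {"cross_segment": cross_segment_rdp(records), "fanout": rdp_fanout(records)}


if __name__ == "__main__":
    result = lateral_rdp_alerts(SAMPLE_LOG)
    for hit in result["cross_segment"]:
        print(f"RDP {hit['src']} ({hit['src_seg']}) -> {hit['dst']} ({hit['dst_seg']}) state={hit['state']}")
    for src, n in result["fanout"].items():
        print(f"FAN-OUT {src} reached {n} distinct RDP targets within 60 s")
```

Note how the two rules disagree on purpose: the single admin session from 10.10.4.30 and the guest-Wi-Fi attempt trip the cross-segment rule but not the fan-out rule, while 10.10.4.21 trips both. That overlap is the practical reason for running several detection methods side by side, as point 4 argues; a host that trips both is the one to pull for the threat hunt in point 5. In a real deployment the same logic would read from a sensor feed rather than an inline string.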

>>> Also see: Layers of Cybersecurity: Signature Detection vs. Network Behavioral Analysis

5) Implement threat hunting.

The longer a system remains unpatched, the greater the probability that it has already been compromised. Research shows that in 2018 the average dwell time before a threat on the network was detected was 40 days. That has contributed to interest in, and adoption of, threat hunting programs, which with the right tools can reduce dwell time to 15 days.

>>> Also see: Here’s What Network Threat Hunting Means, Why It Matters, and How to Get Started

 * * *

It has been more than two years since the security community first heard of WannaCry, and yet we are still feeling its effects and seeing similar characteristics in new malware today. This is a good reason to believe that threats with the capacity for lateral movement will have a long shelf life, and further motivation for locking down the fundamentals that inhibit their spread.

If you enjoyed this post, you might also like:
5 Emerging Vectors of Attack and Recommendations for Mitigating the Risks
