11 Jun 5 Fundamentals for Mitigating the Risk of Laterally Spreading Malware
A wormable vulnerability, that’s been compared to Wannacry, has prompted Microsoft to release software updates for older and unsupported Windows operating systems.
“The vulnerability (CVE-2019-0708) resides in the ‘remote desktop services’ component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates.
Microsoft said the company has not yet observed any evidence of attacks against the dangerous security flaw, but that it is trying to head off a serious and imminent threat.”
“This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.”
WannaCry hit older Windows systems particularly hard, especially those that were not current with patches and updates. The malware infected hundreds of thousands of machines in 150 countries according to Mr. Krebs. There are reports suggesting many more computers remain susceptible to a WannaCry infection – healthcare and municipal governments are examples.
Similarities and Differences to WannaCry
The newer vulnerability, which has since been dubbed “BlueKeep” is similar to WannaCry in its worm-like capacity to move laterally. However, it’s different because it may be easier to exploit, writes Chris Goettl in a piece published on ISBuzz News:
“Unlike WannaCry, this threat is seen as extremely easy to exploit. It took a leaked NSA tool to exploit the WannaCry vulnerability, whereas the fear with BlueKeep is that it will be much easier to take advantage of. And, with a patch now available you can bet there are cyber adversaries who are reverse engineering the patch as you read this, getting ready to exploit organizations and individuals alike.”
“Nearly one million Windows PCs are vulnerable to BlueKeep, a vulnerability in the Remote Desktop Protocol (RDP) service impacting older versions of the Windows OS. This number comes to put initial fears into context – that over seven million devices were in danger – although the danger remains present, as one million devices are still nothing to joke about.”
5 Fundamentals for Mitigating the Risk of Laterally Spreading Malware
The question remains: what can you do to prevent, reduce or mitigate the risk of laterally spreading malware? There is no shortage of viewpoints which range from upgrading to a modern infrastructure or adding automated backups to the cloud in the case of compromise. From our perspective, looking through the lenses of network security, there are five steps that can be taken proactively to defend against laterally spreading malware.
1) Improve patch management collaboration.
Patching systems when a software update is released seems like an obvious step but it’s a challenge in large organizations. Many have complex IT infrastructures and patches can have unintended consequences. For example, implementing a patch might plug a security hole on one hand, while disrupting a process associated with another critical business application.
This is why many development operations (DevOps) teams have implemented change management systems in large enterprises. These are methodical, and often deliberately slow, processes for testing new patches before implementing them in a production environment. In 2018, it took organizations an average of 38 days to patch vulnerabilities – and 34 days to patch the even most critical. Improving collaboration among these two important teams can help bring the time-to-patch down.
There does seem to be room for improvement too. A survey of network security professionals we published found views of the relationship between security and DevOps were divided into near-equal thirds:
- 34% indicated the security relationship with DevOps is strong;
- 35% were neutral – the relationship is neither strong nor weak; and
- 27% indicated the security relationship with DevOps was weak.
2) Segment your network.
Network segmentation is both good practice for data loss prevention – and it can also help defend against laterally moving malware. This is one of the lessons from the likes of WannaCry and Petya that applies to BlueKeep and any wormable malware. One expert we interviewed about the security challenges in healthcare pointed out segmenting critical data and even separating out guest Wi-Fi networks are simple steps that can make a difference.
3) Instrument choke points on your internal network.
That the security community uses phrases like “zero-trust” and “assumed breach” to convey, in part, that the days of inspecting traffic solely at the perimeter are long gone. You can’t trust packets merely because they are on your network. Since most threat intelligence subscriptions will push detection rule updates to monitor for the exploitation of newly announced vulnerabilities, instrumenting your internal network along key chokepoints is a useful technique for mitigating the risk of laterally moving malware.
>>> Also see: The Race Against Time Between Vulnerability and Patch
4) Use multiple methods of detection.
Modern threats require comprehensive threat detection that employs multiple detection techniques running currently including signatures, anomaly detection and artificial intelligence that identify zero-day threats and variants. When these techniques are integrated together on the same appliance used to instrument a network, this optimizes detection and minimizes false positives.
5) Implement threat hunting.
The longer a system remains unpatched, the greater the probability it has been compromised. Research shows that in 2018, the average dwell time to detect threats on the network was 40 days. In part, this has contributed to the interest and adoption of threat hunting programs, which with the right tools can reduce dwell time to 15 days.
* * *
It’s been more than two years since the security community first heard of WannaCry and yet we are both still feeling the effects and seeing similar characteristics in new malware today. This is a good reason to believe the risk of threats with the capacity for lateral movement will have a long shelf life – and further motivation for locking down the fundamentals to inhibit it’s spread.
If you enjoyed this post, you might also like:
5 Emerging Vectors of Attack and Recommendations for Mitigating the Risks