Write This Down. What Did We Learn From Petya And WannaCry?


Originally published in ITSP Magazine
BY: Druce MacFarlane

On May 12th, 2017, the first case of WannaCry ransomware was discovered and within a day, over 230,000 machines were estimated to have been infected in more than 150 countries. The scale and speed of this attack left the industry stunned.

WannaCry originally targeted users by way of a phishing attack. If the user’s system becomes compromised, it will then utilize the EternalBlue – an exploit for compromising a Windows systems protocol allegedly leaked from the National Security Agency (NSA) – to spread to other local windows systems.

This is an important development because it allowed WannaCry to spread laterally and passively to other systems. Usually, a system is infected as a result of an action, such as clicking a link, but this new twist means systems need not take any action in order to become infected.

Things didn’t slow down. About six weeks later a new ransomware variant of Petya was discovered crippling systems in a number of countries and facilities. While details are still being investigated, indicators point to a compromised update server as the initial delivery of the variant.

How Laterally-Moving Infections Change Cybersecurity

Traditional advice for mitigating ransomware attacks, such as employing a comprehensive data backup strategy, and keeping systems updated with patches and virus scanners, are still valid. However, this lateral infection used by WannaCry, and now it appears Petya, have changed the game in a substantial way. This is because systems originally considered outside of the reach of external attack have been shown to be vulnerable to these new forms of attack.

To that end, enterprises need to think differently about a layered security posture. Here are four strategies to help protect your internal assets from future attacks of this nature:

1) Establish a policy of data segmentation on your network

Enterprises should segment network shares to only allow each user to view and edit files to which they require access (many do not currently). While this is a good practice from a data loss prevention standpoint, it also helps to minimize the impact that any one infected user can have upon the enterprise as a whole. If the end user is not given access to a file, the malware on that user’s system cannot encrypt it.

2) Instrument your internal network

While establishing intrusion prevention or intrusion detection on the perimeter is commonplace, establishing a good monitoring policy for the internal network is not as common. At this point, most threat intelligence sources, such as Emerging Threats by Proofpoint, include rules to identify the type of behavior indicative of the use of the EternalBlue exploit.

In turn, this would be an early warning of the next generation of malware or ransomware, regardless of the variant. However, you must instrument your network in the appropriate places in order to detect such activity.

3) Ensure your endpoints are adequately guarded for signature-less malware

The threat landscape has changed, and it has become trivial for a malware author to defeat most static virus scanning. Your endpoints should be instrumented to detect malicious objects, with or without a known signature. This is where machine learning and artificial intelligence is demonstrating practical use in cybersecurity.

4) Establish a normal baseline of activity on your network to identify anomalies

The previous two examples are good practices for the use cases we already know of, including WannaCry and Petya. Attacks continue to evolve, and new exploits are regularly introduced into the industry. The only way to protect yourself from the unknown is to make it known.

To do that, it is important to baseline what is normal for your network while it is in a steady-state to avoid trying to guess what is normal during the next attack. Instrumenting your network with a system that allows you to determine what is normal is key to identifying when things become abnormal. Make sure that any strategy includes a solution that allows you to identify when you see abnormal user behavior, atypical network activity, for example.

Back to Blog

Bricata and Garland Technology Announce Partnership
Technology Partnership delivers total network visibility and threat hunting to accelerate detection and response
+ +