How to Protect Against Ransomware like WannaCry
Security | May 16, 2017
Unless you spent a long weekend wandering in the woods, you have most likely heard of the massive global ransomware attack, “WannaCry.” Details continue to emerge, but much of what we are learning is troubling.
This was preventable
WannaCry exploits a vulnerability in older Microsoft Windows operating systems and highlights a real issue related to the use of older, or even unsupported operating systems in enterprise environments. CIOs and CISOs should work together on the cost/benefit analysis of upgrading systems.
If it is not already involved, the board of directors needs to be part of cybersecurity conversations (Read: Guidance CEO Patrick Dennis on Elevating Security to the Board Level in Risk Management Magazine). Decision makers need to balance the cost of upgrading systems against the costs of a potential compromise, including data loss, reputation impact, regulatory and compliance issues, etc.
It could have been much worse
The real-world impact of WannaCry, for example to transportation and healthcare, was significant and frightening. However, great reporting from Wired goes into detail on the amateurishness of the attack. To summarize some of the key points:
- The creators built in an online “kill-switch,” which a young security researcher identified by accident and used to slow the spread of the attack. A second iteration of the malware included a similar kill switch that limited its spread almost immediately.
- Poor design of the procedure for bitcoin payments and the actual ransom processes and communication also means attackers are unlikely to profit very much from this attack.
- The poor ransom design may also make it easier for law enforcement to catch those responsible.
- A more professional operation can, and probably will, improve the WannaCry model. The results of a self-spreading ransomware infection could be much more serious.
So how can organizations protect against ransomware like WannaCry?
Do not neglect the basics – Basic patch management and procedures for regular back-ups are important. However, with the sophisticated nature of attacks today, basic procedures like anti-virus and patch management are not enough. We also know that in the real world, back-ups for endpoints like laptops, point of sale machines, etc. are difficult if not impossible. There is simply too much data.
So what is the next step? A more effective strategy is a layered, data-driven approach to cybersecurity.
First, know where sensitive data resides
Security teams need to understand where sensitive data resides to make informed decisions if/when an incident occurs.
Most organizations have a poor understanding of where their sensitive data is stored. Enforce Risk Manager from Guidance Software gives security teams the ability to map data across the enterprise. Users can identify all sensitive information, including personally identifiable information (PII), personal sensitive information (PSI), and custom information as defined by the organization (IP, trade secrets, etc.).
Once identified, users can remediate data from any unauthorized locations or endpoints. Applying a better understanding of data, security teams can ensure sensitive data is stored in the most secure locations. Security teams can also better evaluate a successful attack, and the threat posed, by better understanding what information is at risk.
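The mapping step described above, reduced to its core, is a sweep that finds files holding sensitive data and flags those stored outside approved locations. The following is an added illustration, not Enforce Risk Manager or any Guidance Software code: it walks a directory tree, looks for US-SSN-shaped values and 16-digit card numbers that pass the Luhn check, and reports which hits sit outside an assumed "approved" directory list. The file tree, names and numbers are all constructed for the demo.

```python
"""Constructed example of a sensitive-data discovery sweep.

Walks a directory, reads text files, and flags candidate PII:
US-SSN-shaped values and 16-digit card numbers that pass the Luhn check.
Files found outside the approved directories are remediation candidates.
All sample files and values below are constructed for the demo.
"""
import os
import re
import tempfile

# SSN shape with the obviously invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return counts of PII candidates found in a block of text."""
    ssns = SSN_RE.findall(text)
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
    return {"ssn": len(ssns), "card": len(cards)}


def scan_tree(root: str, allowed_dirs) -> list:
    """Scan every text file under root; report files holding PII and whether
    they live inside one of the approved directories (relative to root)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = find_pii(fh.read())
            except OSError:
                continue                    # unreadable file: skip, do not crash the sweep
            if counts["ssn"] or counts["card"]:
                rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
                authorized = any(rel_dir == d or rel_dir.startswith(d + "/")
                                 for d in allowed_dirs)
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "counts": counts,
                    "authorized": authorized,
                })
    return findings


def demo() -> dict:
    """Build a constructed file tree and run the sweep; returns path -> (counts, authorized)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "hr", "payroll"))
        os.makedirs(os.path.join(root, "laptops", "user1"))
        # constructed sample data: one valid SSN shape, one invalid (area 000)
        with open(os.path.join(root, "hr", "payroll", "staff.csv"), "w") as fh:
            fh.write("name,ssn\nJane Doe,123-45-6789\nJohn Roe,000-12-3456\n")
        # constructed sample data: one Luhn-valid test number, one with a bad check digit
        with open(os.path.join(root, "laptops", "user1", "notes.txt"), "w") as fh:
            fh.write("card on file: 4111 1111 1111 1111, typo 4111111111111112\n")
        with open(os.path.join(root, "laptops", "user1", "readme.txt"), "w") as fh:
            fh.write("nothing sensitive here\n")
        # assumption for the demo: only the hr/ subtree is an approved store
        findings = scan_tree(root, allowed_dirs=["hr"])
    return {f["path"]: (f["counts"], f["authorized"]) for f in findings}


if __name__ == "__main__":
    for path, (counts, ok) in demo().items():
        print(f"{path}: {counts} {'approved location' if ok else 'UNAUTHORIZED location'}")
```

The Luhn check and the invalid-range exclusions are what keep this from flagging every nine- or sixteen-digit number; a real deployment would add further validators and file-type handling, but the pattern of "find, then compare location against policy" is the point.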
Adopting a ‘continuous compromise’ mindset – Don’t fear the breach.
The volume and complexity of modern cyberattacks mean that breaches are inevitable. However, it’s possible to overcome the fear and make breaches survivable, even manageable, with the right policies and solutions. Perimeter security is important, but organizations are increasingly turning to a strategy of continuous response. Continuous response depends on endpoint detection and response (EDR) tools, like EnCase Endpoint Security from Guidance, to identify threats that penetrate initial defences. With the right EDR tools and strategy, businesses can reduce the time elapsed for attack detection by 90% or more, reducing the risk of major impact.
In a case like WannaCry, EnCase Endpoint Security can be updated with YARA rules and known IOCs to automatically detect infection and begin remediation. For unknown threats, it provides deep and trusted visibility into your endpoints for earlier detection of anomalous behaviour, faster decisions, and complete response.
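To make the "known IOCs and YARA rules" step concrete, here is an added example of the two detection layers a responder typically pushes to endpoints once indicators are public: exact SHA-256 hash matches and a content signature that requires all of its strings to be present (the equivalent of a YARA rule with an `all of them` condition). This is illustrative code, not EnCase Endpoint Security or any Guidance Software code, and every hash, string and file in it is a constructed placeholder rather than a real WannaCry indicator.

```python
"""Constructed example of an endpoint IOC sweep.

Layer 1: file-hash IOCs (exact SHA-256 match).
Layer 2: content signatures, modelled on a YARA rule whose condition is
'all of them' or 'any of them'.
Every hash, string and file below is a constructed placeholder.
"""
import hashlib
import os
import tempfile


def matches_signature(data: bytes, signature: dict) -> bool:
    """True if the byte strings in the signature are present per its condition."""
    strings = signature["strings"]
    hits = sum(1 for s in strings if s in data)
    needed = len(strings) if signature["condition"] == "all" else 1
    return hits >= needed


def sweep(root: str, ioc_hashes: dict, signatures: list) -> list:
    """Return (relative path, detection label) for every file matching a
    hash IOC or a content signature, sorted for stable reporting."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            if digest in ioc_hashes:
                hits.append((rel, "hash:" + ioc_hashes[digest]))
            for sig in signatures:
                if matches_signature(data, sig):
                    hits.append((rel, "sig:" + sig["name"]))
    return sorted(hits)


def demo() -> list:
    """Build a constructed endpoint file set and run the sweep."""
    dropper = b"PLACEHOLDER-MALWARE-SAMPLE-BYTES"          # constructed, not a real sample
    # The IOC hash is derived from the placeholder at runtime, so no real hash is claimed.
    ioc_hashes = {hashlib.sha256(dropper).hexdigest(): "constructed-dropper"}
    signatures = [{
        "name": "constructed-ransom-note",
        "condition": "all",                                 # both strings must appear
        "strings": [b"PLACEHOLDER_RANSOM_NOTE", b"PLACEHOLDER_DECRYPT_KEY"],
    }]
    files = {
        "dropper.bin": dropper,
        "note.txt": b"PLACEHOLDER_RANSOM_NOTE ... PLACEHOLDER_DECRYPT_KEY",
        # An analyst write-up quoting one string only: must NOT fire the 'all' rule.
        "report.txt": b"analyst report mentions PLACEHOLDER_RANSOM_NOTE only",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return sweep(root, ioc_hashes, signatures)


if __name__ == "__main__":
    for path, label in demo():
        print(f"{path}: {label}")
```

The `report.txt` case is deliberate: a rule that fires on any single string would flag the incident report itself, which is why responders favour multi-string conditions and hash matches for automated remediation, and reserve looser rules for hunting.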
Going deep to determine root cause
Once security teams remediate the threat and return systems to a trusted state, advanced incident responders can leverage EnCase Endpoint Investigator to conduct a complete forensic analysis, determine point of origin, root cause, and collect as much information as possible about an attack.
With EnCase Endpoint Investigator, security teams have complete access to raw data on any endpoint. No other solution offers the same 360-degree visibility and the same track record of forensically sound collection.
Anthony Di Bello is senior director of product marketing at Guidance Software and is responsible for the voice of the customer and go-to-market strategy across Guidance Software forensic security, data risk management and digital investigations products. An 11-year veteran of Guidance, Anthony previously served as director of strategic partnerships.