NotPetya Happened Today, But What About Tomorrow?
Security | Jun 27, 2017
WannaCry and NotPetya are obviously big wake up calls. Long gone are the days when companies can expect to keep powerful malware out of their networks entirely. Today, sophisticated companies increasingly see themselves in a state of continuous compromise.
The key takeaway from recent attacks? It is absolutely imperative that companies have an incident response plan and process in-place before attacks like these happen.
We see growing signs that companies are doing just that. Guidance Software customers, for example, are prioritizing incident response plans. In a recent survey, twice as many companies said they plan to build a formal security and incident management team this year compared to the year before. While incident response teams are getting bigger and companies are getting more prepared, EDR tools are gaining in importance as well. According to our recent study, “How Data Breaches Affect the Enterprise,” sponsored by Dark Reading, we noticed a 2x increase from 2016 to 2017 in organizations stating that they plan to build out incident response management teams.
But even as many companies rethink their security strategies, NotPetya is a harsh reminder that as prepared as some companies are becoming, there is still a long way to go for many companies.
NotPetya - What To Do Today
At the time of writing this blog, there is still a lot of speculation as to exactly what this variant is and is capable of. For example, there is speculation that the malware is capable of lateral movement via psexec and wmic.
This is not a definitive list, but possible mitigation steps for companies hit by NotPetya include:
- Identify and sandbox infected machines: Remove infected machines from your network until more is known about NotPetya. If NotPetya can in fact propagate using file sharing, it is important that infected machines be isolated immediately. Take file shares down and bring up clean backup file shares.
- Apply patches: Be sure that healthy machines are patched and updated. Apply patches for MS17-010.
- Block email senders: Block the sending addresses associated with the campaign at the SMTP gateway (for example, SMG or FireEye).
- Block domains: Block the associated domains at the proxy and alert on callbacks to them in the SIEM.
- Block/alert on hashes: Block or alert on the known file hashes at the NSM/HIPS layer.
- Incident response teams: Work to determine the infection vector. Registry analysis and timeline analysis help establish where the infection came from and who clicked on what.
- Additional online resources:
  - McAfee signature update: Protecting against modified Petya ransomware variant (June 2017)
  - Palo Alto Networks: Threat Brief: Petya Ransomware
  - Google VirusTotal: Petya
  - Payload Security: petwrap.exe
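As an added example (not from the original post or Guidance Software), a small Python triage script that applies two of the steps above to process-creation records: it flags psexec and wmic use against remote hosts, the lateral-movement methods speculated about earlier, and matches image hashes against an indicator list. The pipe-delimited log format, the sample records and the all-zero hash in the indicator set are constructed placeholders; a real deployment would feed it events from Sysmon or the EDR and hashes from a vetted threat feed.

```python
import re
from collections import namedtuple
from typing import List, Tuple

# Constructed placeholder indicator list: populate from a vetted threat feed, not from here.
KNOWN_BAD_SHA256 = {"0" * 64}

ProcEvent = namedtuple("ProcEvent", "host user image cmdline sha256")  # one process-creation record

def parse_event(line: str) -> ProcEvent:
    """Parse one pipe-delimited record: host | user | image path | command line | sha256 (constructed format)."""
    host, user, image, cmdline, sha256 = (f.strip() for f in line.split("|", 4))
    return ProcEvent(host, user, image, cmdline, sha256.lower())

def classify(ev: ProcEvent) -> List[str]:
    """Return the detection labels that apply to a single event."""
    findings = []
    image = ev.image.lower().rsplit("\\", 1)[-1]
    cmd = ev.cmdline.lower()
    if ev.sha256 in KNOWN_BAD_SHA256:
        findings.append("known-bad-hash")
    # psexec: the source host runs psexec.exe \\target, the target sees PSEXESVC.exe start
    if image == "psexesvc.exe" or (image.startswith("psexec") and re.search(r"\\\\\S+", cmd)):
        findings.append("psexec-lateral-movement")
    # wmic /node:<remote> process call create launches a process on another machine
    if image == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        findings.append("wmic-lateral-movement")
    return findings

def scan(log: str) -> List[Tuple[str, str, List[str]]]:
    """Return (host, image name, findings) for every record that triggered a detection."""
    hits = []
    for line in log.strip().splitlines():
        ev = parse_event(line)
        findings = classify(ev)
        if findings:
            hits.append((ev.host, ev.image.rsplit("\\", 1)[-1], findings))
    return hits

# Constructed sample records: host | user | image | command line | sha256
SAMPLE_LOG = r"""
WS01 | CORP\alice | C:\Windows\System32\notepad.exe | notepad.exe notes.txt | 1111111111111111111111111111111111111111111111111111111111111111
WS01 | CORP\alice | C:\Tools\PsExec.exe | psexec.exe \\WS02 -s cmd.exe | 2222222222222222222222222222222222222222222222222222222222222222
WS02 | NT AUTHORITY\SYSTEM | C:\Windows\PSEXESVC.exe | PSEXESVC.exe | 3333333333333333333333333333333333333333333333333333333333333333
WS03 | CORP\bob | C:\Windows\System32\wbem\wmic.exe | wmic /node:"WS04" process call create "cmd.exe" | 4444444444444444444444444444444444444444444444444444444444444444
WS04 | CORP\bob | C:\Temp\update.exe | update.exe | 0000000000000000000000000000000000000000000000000000000000000000
"""
if __name__ == "__main__":
    for host, image, findings in scan(SAMPLE_LOG):
        print(f"{host}: {image} -> {', '.join(findings)}")
```

Records that match the psexec or wmic rules point at the source/target pairs to isolate first; hash matches identify machines to pull off the network under the first step above.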
EDR - The Longer View
Once the WannaCry and NotPetya fire drills subside, companies are faced with a decision. Do they want to remain reactive to these attacks and act surprised each time they happen? Or do they want to gain the upper hand and stop fearing the breach?
If the latter, there are a few key things to remember:
- First, companies need to locate, categorize and backup sensitive data (and implement ongoing processes to locate and backup new instances of sensitive data over time).
- Second, companies need to re-evaluate the cost/benefit analysis of upgrading vulnerable legacy systems and associated business applications. For example, what are the risks of running industrial applications on headless systems? In a recent poll by Absolute Software, only 27% of respondents rated their organization's ability to prioritize the endpoint devices that pose the greatest risk as highly effective, and only 30% said they are highly effective in detecting insecure or off-line endpoints.
- Finally, teams need to have the trained personnel in place to build out incident response plans they can effectively execute when the time comes.
Guidance Software has mission-critical and best-in-breed applications that can help.
EnForce Risk Manager allows organizations to proactively identify and remove sensitive data from unauthorized locations. Keeping your most valuable data in the most secure locations – and not sprawled across the enterprise – will ensure that ransomware attacks targeting more vulnerable machines will have minimal disruption and loss. If those systems cannot be restored or decrypted, the damage will be reduced. Moreover, the secure locations can be segregated by network to prevent further lateral spread.
EnCase Endpoint Security, ranked #1 in Endpoint Detection and Response by Gartner, readily returns your endpoints to a trusted state by offering earlier detection, enabling faster decisions and empowering organizations with automated, on-demand responses. With our latest EnCase Endpoint Security 6, this solution enables organizations to detect potential ransomware with conditional anomaly scans focused on particular system behaviors. Once identified, it validates possible threats with continually updated cloud-based threat intelligence. One can then remediate the threat before it executes. EnCase Endpoint Security is designed for tier-one security analysts and tier-two incident responders with a user interface designed to be intuitive and easy to use. With more organizations building out sophisticated incident response teams, they can quickly hit the ground running with minimal training and quickly ramp up using EnCase.
With bigger incident teams, more sophisticated incident plans, and EDR solutions that help support millions of endpoints, intelligent companies will face future breaches with much greater ease. With increasingly advanced forms of attacks (including new levels of ransomware), security teams require a standalone, best-of-breed EDR solution that integrates with your layered security approach and tools.