By now, most of you would have heard about the havoc that WannaCry has caused globally. It is regarded as the biggest cyber-attack of its kind ever and has brought many organisations to their knees, most notably the NHS in the UK.
WannaCry was just another ransomware attack. The fact is that neither ransomware nor the mechanisms required to protect against it are new or sophisticated. I will outline some of these measures below. My simple request when you read them is to know that the sky is not falling and we can take steps to manage such events!
In order to understand how to protect against ransomware attacks such as WannaCry, one must first understand how they work and propagate. Attacks like these usually start with a phishing email to users. Once a user clicks on a malicious link in the email or opens a malicious attachment, malware is downloaded to their machine. In the case of WannaCry, the malware then spread laterally in the network using a Windows vulnerability that was patched two months before WannaCry was released in the wild. From there the process is simple – the malware infects a computer, locks users out of the system (usually by encrypting the data on the hard drive), and then holds the decryption or other release key to ransom until the victim pays a fee, usually in bitcoin. In the case of the NHS, they experienced hobbled computer and phone systems, system failures, and widespread confusion after hospital computers started showing a ransom message demanding $300 worth of bitcoin. Because of Friday’s (12-03-2017) infection, hospitals, doctors’ offices, and other health care institutions in London and Northern England had to cancel non-urgent services and revert to backup procedures. Multiple emergency rooms around England spread word that patients should avoid coming in if possible. The impact was wide and serious.
So having had a look at how ransomware works and its impacts, let's now look at some simple steps that can be taken to minimise the damage.
- User Education – almost all ransomware attacks start by targeting users and enticing them to click on a malicious link or open a malicious attachment. Your users can be the weakest link in your security strategy or your greatest ally if they have the right education. Ensure that all your users know IT security basics and have regular education programs. Run mock phishing campaigns to test their knowledge and reinforce the learnings. For further information and practical steps on creating a cultural change around user education, please refer to https://www.cso.com.au/article/604844/security-more-than-user-education-it-about-cultural-change/
- Malware entry points – plug as many of the entry points through which ransomware-related malware can get into your organisation as possible. Think email, web and removable devices on endpoints. Use well regarded web and email filtering solutions. Web protection is particularly important, as not only can malware be downloaded from websites, web-based emails also come into your network via this channel. Employ web and email protection measures that do not just rely on signatures, but use better detection techniques such as behaviour analysis, heuristics, and artificial intelligence to detect and stop sophisticated threats. Use next generation endpoint protection technologies that protect against advanced threats using user and network behaviour analysis, heuristics and other advanced techniques.
- Vulnerability Management and Patching (applying software updates) – this is one of the simplest and most practical ways to prevent attacks in your organisation. There is a reason why this has been in the ASD Top 4 and now Top 8! Attackers search for and exploit unpatched vulnerabilities in your systems to spread and infect your IT assets. Run regular (at least monthly) vulnerability scans and patch your systems before attackers can exploit these vulnerabilities. Remember, WannaCry spread using a Windows vulnerability that was patched two months before the release of WannaCry. Environments that cannot be patched should use virtual patching – put them behind an appliance that holds signatures for the unapplied patches so that it can intercept and stop attacks based on these unpatched vulnerabilities.
- Segmentation – the reason why malware such as WannaCry spreads so fast through networks is that practically everyone’s network is flat and designed like chocolate M&Ms – hard on the outside and soft on the inside! This was the case with the NHS and, further, they had many machines running Windows XP, which went end of life and support (no security patches) a while ago. They were constrained by the fact that certain critical applications needed the XP operating system to run. To protect against such scenarios, organisations need to segment networks based on the criticality of the information they house and the risk to them. Machines that cannot be patched for whatever reason should be further segmented to protect them. Use of microsegmentation makes this easy and very practical without requiring major changes to the network infrastructure itself. We are used to applying this segmentation methodology to web based architectures (think separation of web server, application server and database server), yet we seem to forget this for the internal network.
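To make the segmentation point concrete, here is an added example (my own illustration, not code from the article or from any vendor) that models a small inventory and compares three policies: a flat network, segmentation with default deny between segments, and microsegmentation where every flow must be explicitly allowed. The host names, segment names, rule set and the choice of TCP port 445 (SMB, assumed here as the port a worm spreads over) are all assumptions for the example. The `lateral_reach` function returns the set of machines one infected host could reach on that port, which is the blast radius a flat network hands to a worm and segmentation takes away.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed inventory for this example. Host names, segment names and the
# "patchable" flag are assumptions, not data from the article.
@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    patchable: bool

HOSTS = {
    "ws-01": Host("ws-01", "workstations", True),
    "ws-02": Host("ws-02", "workstations", True),
    "app-01": Host("app-01", "app-servers", True),
    # End-of-life OS that cannot be patched: placed in its own isolated segment.
    "xp-legacy-01": Host("xp-legacy-01", "legacy-isolated", False),
}

Policy = Callable[[str, str, int], bool]

# Baseline "flat" network: any host can reach any other host on any port.
def flat_network_allows(src: str, dst: str, port: int) -> bool:
    return src != dst

# Explicitly allowed cross-segment flows: (source segment, destination segment, TCP port).
# Everything not listed here is denied between segments.
SEGMENT_RULES = {
    ("workstations", "app-servers", 443),      # users reach the application over HTTPS
    ("app-servers", "legacy-isolated", 8080),  # only the app tier may reach the legacy box, on its app port
}

# Segmentation: default deny between segments, but traffic within a segment is unrestricted.
def segmented_allows(src: str, dst: str, port: int) -> bool:
    if src == dst:
        return False
    s, d = HOSTS[src], HOSTS[dst]
    if s.segment == d.segment:
        return True
    return (s.segment, d.segment, port) in SEGMENT_RULES

# Microsegmentation: every flow, including flows within a segment, must be explicitly allowed.
def microsegmented_allows(src: str, dst: str, port: int) -> bool:
    if src == dst:
        return False
    s, d = HOSTS[src], HOSTS[dst]
    return (s.segment, d.segment, port) in SEGMENT_RULES

def lateral_reach(policy: Policy, src: str, port: int) -> set:
    """Hosts that `src` can reach on `port` under `policy`: the set of machines a worm
    spreading over that port could attack next from one infected host."""
    return {h for h in HOSTS if policy(src, h, port)}

if __name__ == "__main__":
    policies = [
        ("flat", flat_network_allows),
        ("segmented", segmented_allows),
        ("microsegmented", microsegmented_allows),
    ]
    for name, policy in policies:
        reach = sorted(lateral_reach(policy, "ws-01", 445))
        print(f"{name:15s} ws-01 can reach on port 445: {reach}")
```

Running it shows the flat network exposing every host, including the unpatchable XP machine, to a single infected workstation; plain segmentation confines the spread to the workstation segment; microsegmentation leaves nothing reachable on that port because no rule allows it. The rule set is the part to review with the application owners: each entry is a flow the business has decided it needs.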
- Minimal User Privileges – malware usually executes on a machine using the privileges of the logged-on user. Ensure that users only have the privileges required to perform their tasks. Allowing blanket local admin access to all users is not a good idea!
- Incident Response Plan – recognise that despite all our best efforts, bad things will happen! Have a robust and well tested incident response plan that can be activated in the case of a security breach so that you can recover easily and in a methodical fashion.
- Backups – run regular backups. The backup schedule should be based on the criticality of the systems, i.e. the more critical the system, the more frequent the backups should be. Ensure that you have a robust Disaster Recovery Plan and have documented your Recovery Point Objectives (how much data can you afford to lose) and Recovery Time Objectives (how soon do you want the system back up and running to limit the hindrance to your business operations).
- Protection Against Advanced Threats – know that the threat landscape will only get worse. The ‘success’ of WannaCry will only encourage attackers to come up with better ways to attack you. Invest in technologies that will detect and protect you against advanced threats. Ensure that the protection is applied at all the right layers – endpoints, servers, network, web traffic, email traffic, etc.
I must point out that everything I have said so far is purely tactical. Threats will evolve and get worse. The only way to truly protect yourself is to conduct a robust risk analysis of your environment using standards such as ISO 27001, NIST, CoBIT, etc. and address the issues that are found. Start with a simple health check. Understand your vulnerabilities and address them methodically. Moreover, once you are done, rinse and repeat! The threat landscape and your environment will constantly change and evolve. In order to stay on top of new and emerging threats, you have to stay ever vigilant and reassess your risks at least annually. Remember, security is a journey!
In addition to this, engage in what is called intelligence-led security. Simply put, it is about having relevant intelligence about threats and vulnerabilities related to your environment and protecting yourself against them. Many organisations provide very useful threat information including from sources such as the open, deep and dark web. Importing this information along with your vulnerability information into your Security Information and Event Management (SIEM) tool will allow you to detect threats faster and much more accurately. This process will greatly enhance your capability to pick up Indicators of Compromise, the investigation of which can prevent or minimise damage.
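The following is an added example (mine, not code from the article or from any SIEM product) of the correlation described above and in the patching point earlier: threat-intelligence indicators and vulnerability-scan results are combined with network log lines so that a host talking to a known-bad destination is flagged, and flagged with higher priority when the scan also shows it is missing patches. The intel feed, the scan output, the log format and the host names are all constructed for the example; `PATCH-PLACEHOLDER-*` stands in for real vendor patch identifiers, and the indicator values use reserved documentation ranges and the reserved `.invalid` domain.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed threat-intelligence feed: indicator -> description. These values are made up
# for the example; in practice they are imported from commercial or open-source feeds.
THREAT_INTEL: Dict[str, str] = {
    "203.0.113.45": "constructed command-and-control address",
    "staging.invalid": "constructed malware staging domain",
}

# Constructed vulnerability-scan output: host -> unpatched items.
# "PATCH-PLACEHOLDER-*" stands in for real vendor patch identifiers.
VULN_SCAN: Dict[str, List[str]] = {
    "ws-07": ["PATCH-PLACEHOLDER-SMB"],
    "app-02": [],
    "ws-08": ["PATCH-PLACEHOLDER-SMB"],
}

# Constructed proxy/firewall log lines in a simple key=value format.
LOG_LINES = [
    "ts=2017-06-01T10:01:02Z src=ws-07 dst=203.0.113.45 dport=443 action=allow",
    "ts=2017-06-01T10:01:09Z src=app-02 dst=198.51.100.7 dport=443 action=allow",
    "ts=2017-06-01T10:02:30Z src=app-02 dst=staging.invalid dport=80 action=allow",
    "ts=2017-06-01T10:03:00Z src=ws-07 dst=ws-08 dport=445 action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict of fields."""
    return dict(KV_RE.findall(line))

@dataclass
class Alert:
    host: str
    indicator: str
    reason: str
    priority: str

def priority_for(host: str, vulns: Dict[str, List[str]]) -> str:
    # A host that talks to a known-bad indicator AND is missing patches is both
    # suspicious and exploitable, so it is escalated over one that is fully patched.
    return "high" if vulns.get(host) else "medium"

def correlate(lines, intel=THREAT_INTEL, vulns=VULN_SCAN) -> List[Alert]:
    """Match log destinations against the intel feed and enrich each hit with scan data."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        dst = ev.get("dst")
        if dst in intel:
            alerts.append(Alert(ev["src"], dst, intel[dst], priority_for(ev["src"], vulns)))
    return alerts

def hosts_to_isolate(alerts: List[Alert]) -> List[str]:
    """High-priority hosts are the first candidates for containment during incident response."""
    return sorted({a.host for a in alerts if a.priority == "high"})

if __name__ == "__main__":
    found = correlate(LOG_LINES)
    for a in found:
        print(f"[{a.priority}] {a.host} -> {a.indicator}: {a.reason}")
    print("isolate first:", hosts_to_isolate(found))
```

On the sample data both `ws-07` and `app-02` contacted indicators from the feed, but only `ws-07` is raised to high priority because the scan shows it unpatched; the purely internal line on port 445 produces no alert here, since this example matches indicators only. In a real SIEM the same join is done against the vulnerability-management export, and the priority drives which hosts the incident response plan isolates first.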
The risk analysis approach looks at strategies from the inside out. The intelligence-led approach looks at strategies from the outside in (from the attacker’s perspective). It is the combination of these two approaches that can truly give you a well-rounded perspective to risks and threats affecting your organisation.
As the threat landscape evolves, it is important to take some simple and practical steps to protect yourself. What happened with WannaCry would have been a lot less impactful had organisations taken some basic security steps as outlined above. The sky is far from falling, but if one has failed to prepare, then one must prepare to fail.
Ashwin Pal is the Unisys Director of Security Services responsible for Unisys’s security business in the Asia Pacific region.