Devastating cyber-attack scenarios continue to mount, and the most recent high-profile example is a harbinger of things to come. By now, everyone is at least peripherally aware of the WannaCry ransomware attack that occurred just a few weeks ago. If you somehow missed it, the WannaCry ransomware attack was a worldwide exploit by the WannaCry ransomware cryptoworm. It targeted certain security vulnerabilities in some legacy Microsoft Windows operating systems. The result of this successful exploitation was simple: the ransomware encrypted user data and then demanded payment in the Bitcoin cryptocurrency to unlock the data. To make matters worse, the cost to decrypt the data increased at declared intervals. Ultimately, if no payment was made, the data was permanently destroyed.

Let’s look at some details of the attack timing and its effect:

The attack began on Friday, 12 May 2017 and within a day was reported to have infected more than 230,000 computers in over 150 countries. Parts of Britain’s National Health Service (NHS), Spain’s Telefónica, FedEx and Deutsche Bahn were hit, along with many other organizations in countries worldwide. Ultimately, a web security researcher who blogs as “MalwareTech” was able to create a kill switch by uncovering the mechanism by which the ransomware activates itself post-install. By registering a domain name in DNS that acted as a trigger in the ransomware activation routine, the rate of infection was slowed, effectively halting the initial outbreak on Monday, 15 May 2017. That said, entirely new versions have since been detected that lack this kill-switch weakness, and new methods will need to be derived to stop future attacks.

If you were unfortunate enough to have seen this image on your PC, then you felt the pain of this attack. You’re probably now trying to figure out if anything could have been done to prevent this from happening.

Those who didn’t suffer from this incident should be stepping up their efforts to find the solutions that will protect them from similar exploits. To set up an effective defense, we first need to dissect the functionality of a ransomware-style attack. This allows us to better understand how the infection works so we can more effectively mitigate its impact.

Here is a typical Ransomware Attack Flow:

  1. Attacker distributes an attack email
  2. The email is designed to bypass most spam filtering technologies
  3. The email lands in a user’s inbox
  4. The user(s) click on the malicious link in the email
  5. Antivirus fails to stop the resulting download and installation of malware
  6. The malware executes operations as seemingly harmless child processes
  7. The malware “calls home” and connects with the command server operated by the attacker
  8. The malware pulls down a certificate, gets instructions or sends out critical data
  9. Usually some sort of inspection of the local data is undertaken and encryption begins… the rest is, well, what makes you wanna cry.

The typical flow of a ransomware attack almost always involves some sort of outbound connection. Steps 6 and 7 above are critical junctures where your SIEM or anti-malware must be on the lookout. While this is a simplified, rather generic example of how ransomware attacks flow, the real takeaway is a question: how confident are you that your systems would detect and stop this attack vector?
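As an added illustration of where a SIEM can catch steps 6 and 7 (example code written for this post, not from the original or from any vendor), the script below correlates constructed, Sysmon-like process and network events and flags an outbound connection made by a process that a mail client spawned moments earlier. The log format and the list of "delivery" parent processes are assumptions.

```python
"""Correlate process-creation and outbound-connection events (steps 6 and 7
of the ransomware flow above). Added example, not from the original post."""
from datetime import datetime, timedelta

# Constructed sample events in a simplified, Sysmon-like format (not real logs):
# ts | host | event | pid | ppid | image | dest
SAMPLE_LOG = """\
2017-05-12T09:00:01 | ws17 | proc_create | 4201 | 3100 | outlook.exe | -
2017-05-12T09:00:05 | ws17 | proc_create | 4388 | 4201 | invoice.exe | -
2017-05-12T09:00:09 | ws17 | net_connect | 4388 | - | invoice.exe | 203.0.113.9:443
2017-05-12T09:15:00 | ws22 | proc_create | 5010 | 1 | chrome.exe | -
2017-05-12T09:15:02 | ws22 | net_connect | 5010 | - | chrome.exe | 198.51.100.7:443
"""

# Processes that commonly deliver the lure (steps 3/4); a child of one of these
# that starts talking outbound shortly after spawning deserves a look (steps 6/7).
DELIVERY_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}   # assumed list
WINDOW = timedelta(minutes=5)

def parse(line):
    ts, host, event, pid, ppid, image, dest = [f.strip() for f in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event,
            "pid": int(pid), "ppid": None if ppid == "-" else int(ppid),
            "image": image, "dest": dest}

def suspicious_callbacks(log_text):
    """Return (host, child image, dest) for every outbound connection made by a
    process whose parent is a mail/office client, within WINDOW of spawning."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    procs = {}   # (host, pid) -> process-creation record
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["pid"])
        if e["event"] == "proc_create":
            procs[key] = e
        elif e["event"] == "net_connect":
            child = procs.get(key)
            parent = procs.get((e["host"], child["ppid"])) if child else None
            if (parent and parent["image"].lower() in DELIVERY_PARENTS
                    and e["ts"] - child["ts"] <= WINDOW):
                hits.append((e["host"], child["image"], e["dest"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_callbacks(SAMPLE_LOG):
        print("ALERT outbound connection from mail-spawned process:", hit)
```

The same rule would run against your real endpoint telemetry; the point is that the parent-child relationship plus the timing, not a signature, is what singles out the callback.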

With regard to ransomware, it’s fair to say that you need at minimum a four-layered approach to protect against it effectively. The basic layers are:

  1. Good Data Backup and Recovery Technology
  2. Email Security
  3. SIEM
  4. Outbound Connection SSL Inspection

Good Data Backup and Recovery Technology

When we say “Good Data Protection”, we’re really saying that you should acquire the best solution available to achieve your optimal Recovery Point Objective (RPO) required to function as a business. The question you need to ask is: How frequently do I need to do my backups in order to lose the least amount of data tolerated by the business?

Email Security

Step 2 of the typical Ransomware Attack Flow is where you ideally need a system that can monitor for malformed and suspicious URLs arriving in email. A good solution will automatically detect a suspicious URL and rewrite it so that the targeted user can’t possibly click through to the bad link. This is critical today. Look for technology solutions that provide this functionality, as well as other aspects of layered email protection, such as journaling, alerting, etc.
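To make the detect-and-rewrite idea concrete, here is an added example (not Mimecast’s code and not from the original post): it applies a few cheap structural heuristics to the links in an HTML email body, routes every link through a hypothetical click-time gateway, and sends flagged links to a block page instead. The gateway host is a placeholder and the message is constructed.

```python
"""Suspicious-URL detection and link rewriting for inbound email (step 2).
Added example; the gateway URLs are hypothetical placeholders."""
import re
from urllib.parse import urlparse, quote

CHECK_URL = "https://safelinks.example.invalid/check?u="    # re-checked at click time
BLOCK_URL = "https://safelinks.example.invalid/blocked?u="  # user lands on a warning page
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HREF = re.compile(r'href="([^"]+)"')

def is_suspicious(url):
    """Cheap structural heuristics a gateway can apply before a reputation lookup."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    return (u.scheme not in ("http", "https")               # file:, javascript:, ...
            or bool(IPV4.match(host))                        # bare IP instead of a name
            or host.startswith("xn--") or ".xn--" in host    # punycode look-alike domains
            or "@" in u.netloc                               # user@host obfuscation
            or len(url) > 200)                               # padded/obfuscated links

def rewrite(url):
    """Route the click through the gateway; blocked links never reach the site."""
    target = BLOCK_URL if is_suspicious(url) else CHECK_URL
    return target + quote(url, safe="")

def protect_html(body):
    """Rewrite every href in an HTML email body. Returns (new body, flagged URLs)."""
    flagged = []
    def sub(m):
        url = m.group(1)
        if is_suspicious(url):
            flagged.append(url)
        return 'href="%s"' % rewrite(url)
    return HREF.sub(sub, body), flagged

# Constructed sample message, not a real phishing email.
SAMPLE = ('<p>Your invoice is ready: <a href="http://203.0.113.9/inv.php">view</a> '
          'or use the <a href="https://vendor.example/portal">portal</a>.</p>')

if __name__ == "__main__":
    new_body, flagged = protect_html(SAMPLE)
    print("flagged:", flagged)
    print(new_body)
```

Real products back these heuristics with reputation feeds and sandboxing; the structural checks are only the first, cheapest filter.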

If you are interested in learning more about some of this technology, here is some great information from our partner, Mimecast, about how they can help with the layered approach to security in preventing WannaCry and other cyber security threats:

https://www.mimecast.com/blog/2017/05/wannacry-ransomware-outbreak/

https://www.mimecast.com/blog/2017/05/wannacrypt-ransomware-an-action-plan-to-improve-your-cyber-resilience-defenses/

https://community.mimecast.com/docs/DOC-1641

SIEM

Security Information and Event Management (SIEM) is the “security camera” of the network, servers and applications. The best SIEM solutions offer things like machine learning or artificial intelligence to facilitate advanced threat detection without requiring attack-signature knowledge ahead of time. Just as important, SIEM solutions should provide customizable automated responses to the things they detect; humans simply cannot keep up with the sheer volume and pace of today’s cyber threats.

Outbound Connection SSL Inspection

Step 7 in the typical Ransomware Attack Flow requires special attention. Sure, if you’re inspecting outbound traffic with your firewall or IDS/IPS appliance, you can see this connection, but what if it is encrypted? What then? In order to effectively detect and separate the good traffic from the bad, your IDS/IPS needs to see decrypted traffic. It would seem obvious that an appliance that performs this task at high throughput, so as not to affect network performance, would be a sensible investment.
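To make the “what if the connection is encrypted?” point concrete, here is an added example (not from the post and not A10’s code) showing what an inline device sees on an outbound TLS session without decryption: at most the server name in the cleartext ClientHello, never the request or the data that follows. The ClientHello bytes are constructed by the script itself.

```python
"""What an inline firewall/IDS sees on an encrypted outbound connection
(step 7) when it cannot decrypt: the ClientHello is cleartext, the rest is not.
Added example, not from the post or from A10; the ClientHello is constructed."""
import struct

def build_client_hello(sni):
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI extension."""
    host = sni.encode()
    # extension: type(2) len(2) | list len(2) | name type(1) name len(2) name
    ext = struct.pack("!HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host
    body = (b"\x03\x03" + bytes(32)        # client_version + random
            + b"\x00"                       # empty session id
            + b"\x00\x02\xc0\x2f"           # one cipher suite
            + b"\x01\x00"                   # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the server_name from a ClientHello record, or None for anything
    else (encrypted application data is opaque without SSL inspection)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                        # headers, version, random
    p += 1 + record[p]                                    # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher suites
    p += 1 + record[p]                                    # compression methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                                    # server_name extension
            nlen = struct.unpack("!H", record[p + 7:p + 9])[0]
            return record[p + 9:p + 9 + nlen].decode()
        p += 4 + elen
    return None

if __name__ == "__main__":
    hello = build_client_hello("c2.example.invalid")      # constructed sample
    app_data = b"\x17\x03\x03\x00\x10" + bytes(16)        # constructed ciphertext record
    print("ClientHello SNI visible to IDS:", extract_sni(hello))
    print("Application data visible to IDS:", extract_sni(app_data))
```

Everything after the handshake returns None here, which is exactly the blind spot an SSL inspection appliance exists to close; note that a client can also omit or encrypt the SNI, so even this metadata is not guaranteed.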

When evaluating solutions to this problem, look for technologies that can serve multiple purposes to maximize your investment value. Players in this space, such as A10 Networks, have an industry-leading SSL inspection capability that can solve this problem effectively. They typically also offer enhancements to application content delivery, resulting in superior encryption and application performance.

If you’d like to learn more about how A10 fits into the protection against malicious SSL-encrypted traffic and can fulfill your other application delivery and security needs in a single solution, here are some interesting blogs from their team:

https://www.a10networks.com/blog/wannacry-ransomware-uses-encryption-hold-files-hostage

https://www.a10networks.com/blog/retailers-not-using-ssl-inspection-ponemon

https://www.a10networks.com/blog/advanced-ssl-encrypted-traffic-processing

Ok, so maybe you have some of these things. After all, we’re talking about a multi-layered approach, right? If you’d like to discuss your approaches to a multi-layered security solution and share experiences with your peers, please join us at our upcoming Cyber Security event at Del Frisco’s Grill in New York City on June 14th. I’ll be there with members of my team and would love to talk shop and compare notes.

Thanks!
Ben Thurston

© Corporate Technologies, Inc.