Last week, we discussed the importance of patch management and the complexity of keeping systems within your company up to date.
Not only are organizations challenged by the necessity of patching, but they must also contend with specific change control processes that help keep the business running. When systems cannot be immediately patched, many companies turn to blocking malicious traffic with intrusion prevention systems (IPSs).
The Blocking and Tackling of Blocking and Patching
Blocking refers to the practice of deploying network security devices such as IPSs to block threats as they traverse the network. Such deployments are typically referred to as in-line mode, where the security device serves as a bump on the wire.
In this configuration, a pair of network ports is used to protect a segment. Network packets enter the security device on an inbound port and are inspected for malicious behavior. If none is found, the traffic is forwarded to the outbound port. However, if an attack is detected, the packet is dropped, thereby blocking the malicious traffic from reaching its destination.
An effective blocking strategy can help reduce the workload on operational IT security staff. While it is true that no security product can block every single possible attack, it is critical to block as much as possible to reduce the number of events and incidents to investigate manually.
Slowing the Spread of Ransomware
The recent WannaCry ransomware attacks, which affected millions of endpoints across more than 100 countries worldwide, illustrated the importance of blocking. For organizations employing an effective strategy, blocking could have slowed the spread of this attack in two primary ways:
- Block command-and-control (C&C) traffic. Like most malware, WannaCry reaches out to C&C servers to receive information on how to carry out the attack. For customers of IBM IPS products, signatures such as SMB_EternalBlue_Implant_CnC and SMB_DoublePulsar_Implant_CnC (both available since April 20, 2017) can be used to block C&C traffic.
- Block vulnerability exploitation attempts. WannaCry propagated throughout the internet by exploiting a vulnerability in the Windows SMB protocol. Within IBM’s IPS products, the Windows_Null_Session signature offered early warning of WannaCry propagation attempts. Further, the SMB1_Windows_Overflow_02 and SMB1_Windows_Info_Disclosure signatures provided more specific coverage for the exploitation used by the ransomware.