Dry Your Eyes: Lessons Learned From WannaCry
If you’re reading this post, congratulations! You hopefully aren’t using one of the more than 200,000 computers that were hit by the first wave of the WannaCry ransomware attack. Those unfortunate victims are dealing with bigger problems right now, such as how to admit patients to their emergency rooms or ship perishable items to their destinations without the help of working computers.
As this attack demonstrated, the cost of ransomware goes far beyond the fee that’s demanded to get back your files; it brings down businesses and even threatens lives. Most experts, including the FBI, recommend against paying ransoms, which have no guarantee of success and can even target you for further attacks. A better strategy is to prevent attacks in the first place. Here are some lessons we’ve learned from this and other attacks.
Patching WannaCry Ransomware
WannaCry didn’t come out of nowhere: It exploited a known Microsoft vulnerability for which the company issued a patch two months earlier. Subscribers to the IBM X-Force Exchange received that fix on the same day it was released.
It’s particularly important to patch endpoints, such as PCs and mobile devices, because that’s where 85 percent of ransomware infections originate. The process can be complex, but IT teams can use endpoint tools to deploy patches consistently, reliably and automatically across a broad range of operating systems.
A majority of existing endpoint detection and response (EDR) solutions are unable to fully secure organizations from ransomware for three reasons. First, they lack full visibility into endpoints and their statuses, which limits how effectively they can detect and contextualize malicious behavior. They also often require complex, post-detection incident investigations, which is a challenge in a cybersecurity field that is expected to see 1.5 million vacant positions by 2020. Some of these tools also lack any remediation abilities whatsoever, which reduces an organization’s ability to act effectively on the findings of an investigation.
Make sure your EDR solution has the appropriate visibility to not only detect, but also contextualize malicious behavior. Tool sets such as IBM BigFix can help solve those two problems and also provide effective remediation based on investigative findings.
Training Your People
By various estimates, up to 83 percent of ransomware attacks originate when an employee clicks on a malicious link, opens an infected attachment or visits a compromised website. Employees are the first line of defense, so investing in ongoing training about protecting against phishing and malware should be a priority.
Blocking Ransomware With Threat Intelligence
Deploying patches can be a complex and error-prone process, particularly when old or critical applications are involved. Your intrusion prevention system (IPS), when kept up to date with the most current threat intelligence data, can help prevent ransomware by using signatures to detect and stop it.
IBM X-Force Exchange, for example, provides signatures to detect command-and-control (C&C) communication between ransomware and other servers using the specific EternalBlue SMB vulnerability. For updates, follow the X-Force Exchange WannaCry collection.
Organizations that can’t patch can prevent the spread of the ransomware by disabling the outdated and vulnerable Server Message Block v1 in Windows. Additional recommendations are available and continuously updated on the WannaCry IBM Support page.
Detection Driven by Behavioral Analysis
While a good prevention program should stop most ransomware attacks at the door, it can’t protect you 100 percent of the time. A good security analytics platform provides the next level of defense by detecting ransomware activity based on behavior. For example, a simple rule can identify when ransomware is encrypting files at a high rate. When combined with an endpoint management product, this one-two punch can help kill the malicious process before it does significant damage.
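A minimal sketch of such a rate rule, added here as an illustration and not taken from any IBM product: it flags a process that modifies more than a set number of distinct files inside a sliding time window. The event format, thresholds, process IDs and paths are all constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them against your own baseline.
WINDOW_SECONDS = 10.0
MAX_FILES_PER_WINDOW = 20


def build_sample_events():
    """Constructed sample events: (timestamp_seconds, pid, path_modified)."""
    events = []
    # pid 4242: backup-like job touching one file every 2 seconds (benign pace).
    for i in range(30):
        events.append((i * 2.0, 4242, f"C:/data/reports/r{i}.docx"))
    # pid 6666: rewrites 40 distinct files in 4 seconds (ransomware-like pace).
    for i in range(40):
        events.append((30.0 + i * 0.1, 6666, f"C:/users/alice/docs/f{i}.xlsx"))
    return sorted(events)


def detect_high_rate_writers(events, window=WINDOW_SECONDS,
                             limit=MAX_FILES_PER_WINDOW):
    """Return {pid: alert_timestamp} for processes that modify more than
    `limit` distinct files inside any sliding window of `window` seconds."""
    recent = defaultdict(deque)  # pid -> (timestamp, path) pairs in the window
    alerts = {}
    for ts, pid, path in events:
        if pid in alerts:
            continue  # already flagged; the endpoint tool should have acted
        q = recent[pid]
        q.append((ts, path))
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        # Count distinct paths so repeated writes to one file do not trigger.
        if len({p for _, p in q}) > limit:
            alerts[pid] = ts
    return alerts


if __name__ == "__main__":
    for pid, ts in detect_high_rate_writers(build_sample_events()).items():
        print(f"ALERT pid={pid} exceeded file-modification rate at t={ts:.1f}s")
```

The alert timestamp is the point at which an endpoint management tool would be asked to terminate the process; counting distinct paths keeps a busy logger that rewrites a single file from tripping the rule.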
A cognitive system can also identify malicious activities based on behavior by continually scanning online sources of intelligence, such as threat advisories and blogs. For example, IBM Watson was able to identify one WannaCry ransomware attack based on network traffic going to a suspicious IP address. It learned of the address from a threat researcher’s blog.
Responding With Dynamic Playbooks
Sometimes breaches occur despite your best efforts. In those cases, an incident response (IR) platform and team are your last line of defense. An IR platform can help orchestrate the response to ransomware attacks by helping to align people, processes and technologies in a predictable and efficient manner.
Any good IR platform supports the Dynamic Playbook for ransomware. IBM Resilient’s Dynamic Playbook adapts in real time as information about an attack is uncovered, generating a response based on the most current information.
Most successful organizations also turn to IR services providers during times of crisis. When choosing IR vendors, select one with a breadth of experience in not just ransomware, but also other areas of cybercrime. This vendor should have prior success in assisting customers to align their response and restore normal operations.
A good IR provider can help you hit the reset button by bringing your backed-up data and systems back online. IBM’s IR works with customers to ensure that restored systems are not vulnerable to similar attacks and can also improve defenses against future incidents.