With household names such as Renault ceasing manufacturing and the National Health Service of the U.K. actively redirecting patients from hospitals that are incapable of providing critical health care, ransomware has moved well beyond an annoyance that impacts your grandmother’s laptop and directly into the global spotlight.

Over the past few days, however, the behavior of WannaCry has become better understood. With this clarity comes the somewhat unfortunate realization that many organizations could have avoided a lot of misfortune and unwanted publicity by adhering to some fairly straightforward security practices.

Two Phases of Threat Monitoring

Start with the fundamentals. Dealing with advanced threats such as WannaCry can essentially be broken down into two phases of monitoring.

First is a proactive phase of understanding the risks to the enterprise and dealing with them through standard security practices such as vulnerability scanning and patch management. We must be able to see the vulnerabilities first before we can patch them.

The second phase involves active monitoring of the enterprise for indications or evidence of a threat, or even an exploit in action. These two phases are certainly not mutually exclusive.


WannaCry: An Extreme Case Study

As we now know, WannaCry exploits a vulnerability in Microsoft’s SMBv1 implementation for both initial infection and movement throughout the enterprise. Although this vulnerability has not been known for a long period of time, it had been acknowledged and a patch released nearly two months prior to the major outbreak.

WannaCry is actually a great example of an outbreak that could have been limited by proactive vulnerability scanning and patch management. Understanding where the real risk exists inside an enterprise network is the first step to any form of proactive remediation. QRadar Vulnerability Manager (QVM) users were able to take steps in early April to detect servers that were vulnerable to MS17-010 (CVE-2017-0143).

And let’s not forget the enterprise demilitarized zone (DMZ). On the off chance that an organization finds itself with publicly accessible server message block (SMB) or remote desktop protocol (RDP) ports, QRadar Vulnerability Manager can analyze the enterprise network topology, either by using Risk Manager or by scanning the DMZ, to provide insight into exactly where these are located.

Further, SMBv1 is obsolete — v2 was released over 10 years ago. Frankly, it should not be used, and organizations should disable it completely to prevent any future exploits. QVM can also help here by performing simple unauthenticated scans to locate any machines running v1, patched or not.
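The unauthenticated check described above can be reproduced without a scanner product. The following Python example is added here and is not QRadar or IBM code: it builds an SMB negotiate request that offers only SMBv1 dialects, so any host that answers with an SMB1 header still has the legacy protocol enabled, whether or not MS17-010 is patched. The sample replies are constructed for offline testing, not captured from real hosts.

```python
"""Unauthenticated SMBv1 inventory probe: offer only SMBv1 dialects and classify the reply."""
import socket
import struct

SMB1_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]
SMB1_HEADER_FMT = "<4sBIBHHQHHHHH"  # 32-byte SMB1 header: magic, command, status, flags, ...

def build_negotiate_request():
    """Return a NetBIOS-framed SMB_COM_NEGOTIATE request; no credentials are involved."""
    header = struct.pack(SMB1_HEADER_FMT, b"\xffSMB", 0x72, 0, 0x18, 0xC853,
                         0, 0, 0, 0, 0, 0, 0)
    dialects = b"".join(b"\x02" + d + b"\x00" for d in SMB1_DIALECTS)
    body = header + b"\x00" + struct.pack("<H", len(dialects)) + dialects  # WordCount 0
    return b"\x00" + struct.pack(">I", len(body))[1:] + body  # NetBIOS session header

def classify_reply(data):
    """Classify a raw reply as 'smb1', 'no-dialect', 'not-smb1' or 'no-reply'."""
    if not data:
        return "no-reply"                          # SMB1-disabled hosts usually just close
    body = data[4:] if data[0] == 0 else data      # strip NetBIOS session header if present
    if len(body) < 35 or body[:4] != b"\xffSMB" or body[4] != 0x72:
        return "not-smb1"                          # e.g. an SMB2 header or junk
    if body[32] == 0:                              # WordCount 0: error response
        return "no-dialect"
    dialect_index = struct.unpack_from("<H", body, 33)[0]
    return "no-dialect" if dialect_index == 0xFFFF else "smb1"

def probe(host, port=445, timeout=3.0):
    """Probe one host over TCP/445; connection errors count as 'no-reply'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            return classify_reply(sock.recv(1024))
    except OSError:
        return "no-reply"

# Constructed replies for offline checks; these are not captures from real hosts.
_RESP_HDR = struct.pack(SMB1_HEADER_FMT, b"\xffSMB", 0x72, 0, 0x98, 0xC853,
                        0, 0, 0, 0, 0, 0, 0)
SAMPLE_SMB1_REPLY = b"\x00\x00\x00\x40" + _RESP_HDR + b"\x11" + struct.pack("<H", 2) + b"\x00" * 29
SAMPLE_REFUSED_REPLY = b"\x00\x00\x00\x25" + _RESP_HDR + b"\x01\xff\xff\x00\x00"
SAMPLE_SMB2_REPLY = b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x00" * 60
```

Any host where `probe()` returns `"smb1"` belongs on the list of machines to have SMBv1 disabled, regardless of its patch state.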

Follow the Breadcrumbs

If proactive scanning and patching do not alleviate the risk of exploit, all hope is not lost. The QRadar Security Intelligence Platform provides organizations with numerous mechanisms to monitor their infrastructure and detect the breadcrumbs of WannaCry if and when it arrives.

At this point, security analysts worldwide are actively taking WannaCry and its variants apart and inspecting them inside and out. This has led to the publication of a plethora of indicators that any organization can use to monitor for evidence of this exploit. IBM’s X-Force group alone amassed over 600 indicators for WannaCry and published them on IBM’s X-Force Exchange.

The QRadar Threat Intelligence app allows users to quickly pull these indicators — and any other STIX/TAXII threat intelligence feed — into QRadar and automatically operationalizes them for real-time alerting.

Monitoring Networks and Users

Like most advanced threats, WannaCry needs to communicate with the outside world for various reasons, and it isn’t shy about it. Its network activity, from the kill switch domains that control its behavior, to the known bitcoin trafficking sites it forces users to visit, to its use of the TOR network to download additional exploit components, generates rich event data from devices such as firewalls, proxies, intrusion detection and prevention systems (IDS/IPS) and DNS servers, and QRadar can easily correlate that data with these threat intelligence feeds.
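To make the correlation concrete, here is an added Python example (not the QRadar Threat Intelligence app or any IBM code). It pulls domain and SHA-256 values out of a STIX 2 indicator bundle into reference sets and checks DNS query log lines against the domain set; the SHA-256 set is built the same way for use against file-hash events. The bundle, its indicator values and the BIND-style log lines are all constructed placeholders, not real WannaCry indicators.

```python
"""Turn STIX 2 indicators into reference sets and match DNS query events against them."""
import json
import re

# Constructed STIX 2.1 bundle with placeholder values; these are not real WannaCry indicators.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "indicator", "id": "indicator--c1", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'killswitch-placeholder.example']"},
    {"type": "indicator", "id": "indicator--c2", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "malware", "id": "malware--c1", "name": "placeholder", "is_family": True},
]})

# Handles the single-comparison STIX patterns that most indicator feeds publish.
PATTERN_RE = re.compile(r"\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']+)'\]")

def load_indicators(bundle_json):
    """Extract domain and SHA-256 indicator values into lower-cased reference sets."""
    refsets = {"domain": set(), "sha256": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"].strip())
        if not m:
            continue                     # compound patterns need a full STIX pattern parser
        if m["obj"] == "domain-name":
            refsets["domain"].add(m["val"].lower().rstrip("."))
        elif m["obj"] == "file" and "SHA-256" in m["prop"]:
            refsets["sha256"].add(m["val"].lower())
    return refsets

# Constructed BIND-style query log lines (not real resolver output).
DNS_LOG = """\
12-May-2017 10:01:02.100 client 10.0.0.5#51234: query: killswitch-placeholder.example IN A + (10.0.0.2)
12-May-2017 10:01:03.400 client 10.0.0.7#51240: query: updates.vendor.example IN A + (10.0.0.2)
12-May-2017 10:01:04.900 client 10.0.0.9#51301: query: www.KILLSWITCH-placeholder.example. IN A + (10.0.0.2)
"""
DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

def match_dns_events(log_text, refsets):
    """Return (source IP, queried name) pairs whose name is, or sits under, a listed domain."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in refsets["domain"]):
            hits.append((m["src"], qname))
    return hits
```

Each hit is a source IP that asked the resolver for a listed domain, which is the signal to isolate that host and look for the rest of the indicators on it.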

But what about the network itself? We can proactively look for the known signatures of WannaCry as it propagates from machine to machine around the network. QRadar Network Security XGS provides visibility into network traffic and direct insight into the applications and protocols in use on a network. WannaCry’s lateral propagation via SMB would float right to the top, but QRadar can dig even deeper with Network Insights, enabling users to capture content such as filenames and hashes for any and every file that enters their network in real time. This context can easily be checked against threat intelligence feeds to alert immediately on WannaCry activity.

Finally, one of the most important things for any enterprise to watch is its users. Encryption of one user’s workstation is normally an annoyance to an enterprise, but encryption of hundreds or thousands is debilitating and can bring operations to a standstill. But gaining access to those machines takes user access credentials, and quickly identifying anomalous activity associated with these user accounts is key to stopping the outbreak.

QRadar User Behavioral Analytics provides immediate insight into user behaviors such as critical asset access, privileged account escalations and suspicious privileged account activity, which are all prime indications of unwanted or malicious activities.

Lessons Learned From WannaCry

It has been a long two weeks for organizations around the world either dealing with actual WannaCry incidents or trying to close the doors so that it cannot get in. But it is important to remember that most of what we have discussed here isn’t specific to WannaCry at all.

Sure, there are specific behaviors and indicators only attributed to WannaCry, but it is simply the latest incarnation of a threat engineered to exploit organizations that struggle to stay on top of their fundamental security practices. Luckily, QRadar can help by providing these organizations comprehensive visibility across the enterprise and helping to highlight areas of concern as early as possible.

To learn more about proactively monitoring your network for evidence of threats, read the report, “The Forrester Wave: Security Analytics Platforms.” You can also watch our webinar, “Orchestrate Your Security Defenses,” and experience a demo of IBM QRadar Security Analytics.
