With household names such as Renault ceasing manufacturing and the National Health Service of the U.K. actively redirecting patients from hospitals that are incapable of providing critical health care, ransomware has moved well beyond an annoyance that impacts your grandmother’s laptop and directly into the global spotlight.
Over the past few days, however, the behavior of WannaCry has become better understood. With this clarity comes the somewhat unfortunate realization that many organizations could have avoided a lot of misfortune and unwanted publicity by adhering to some fairly straightforward security practices.
Two Phases of Threat Monitoring
Start with the fundamentals. Dealing with advanced threats such as WannaCry can essentially be broken down into two phases of monitoring.
First is a proactive phase of understanding the risks to the enterprise and dealing with them through standard security practices such as vulnerability scanning and patch management. We must be able to see the vulnerabilities first before we can patch them.
The second phase involves active monitoring of the enterprise for indications or evidence of a threat, or even an exploit in action. These two phases are certainly not mutually exclusive.
WannaCry: An Extreme Case Study
As we now know, WannaCry exploits a vulnerability in Microsoft’s SMBv1 implementation for both initial infection and movement throughout the enterprise. Although this vulnerability has not been known for a long period of time, it had been acknowledged and a patch released nearly two months prior to the major outbreak.
WannaCry is actually a great example of an outbreak that could have been limited by proactive vulnerability scanning and patch management. Understanding where the real risk exists inside an enterprise network is the first step to any form of proactive remediation. QRadar Vulnerability Manager (QVM) users were able to take steps in early April to detect servers that were vulnerable to MS17-010 (CVE-2017-0143).
And let’s not forget the enterprise demilitarized zone (DMZ). On the off chance that an organization finds itself with publicly accessible server message block (SMB) or remote desktop protocol (RDP) ports, QRadar Vulnerability Manager can analyze the enterprise network topology, either by using Risk Manager or by scanning the DMZ, to provide insight into exactly where these are located.
Further, SMBv1 is obsolete — v2 was released over 10 years ago. Frankly, it should not be used, and organizations should disable it completely to prevent any future exploits. QVM can also help here by performing simple unauthenticated scans to locate any machines running v1, patched or not.
Follow the Breadcrumbs
If proactive scanning and patching do not alleviate the risk of exploit, all hope is not lost. The QRadar Security Intelligence Platform provides organizations with numerous mechanisms to monitor their infrastructure and detect the breadcrumbs of WannaCry if and when it arrives.
At this point, security analysts worldwide are actively taking WannaCry and its variants apart and inspecting them inside and out. This has led to the publication of a plethora of indicators that any organization can use to monitor for evidence of this exploit. IBM’s X-Force group alone amassed over 600 indicators for WannaCry and published them on IBM’s X-Force Exchange.
The QRadar Threat Intelligence app allows users to quickly pull these indicators — and any other STIX/TAXII threat intelligence feed — into QRadar and automatically operationalizes them for real-time alerting.
Monitoring Networks and Users
Like most advanced threats, WannaCry needs to communicate with the outside world for various reasons, and it isn’t shy about it. From the use of kill switch domains to control behavior to forcing users to access known bitcoin trafficking sites and the subsequent use of the TOR network for downloading additional exploit components, WannaCry’s network activity provides rich event data from devices such as the firewalls, proxies, intrusion detection systems (IDS) and intrusion prevention systems (IPS), and domain name servers (DNS) that QRadar can easily correlate with these threat intelligence feeds.
But what about the network itself? We can proactively look for the known signatures of WannaCry as it propagates from machine to machine around the network. The QRadar Network Security XGS visibility to network traffic provides insight directly into the applications and protocols being used on a network. WannaCry’s lateral propagation via SMB would float right to the top, but QRadar can dig even deeper with Network Insights, enabling users to capture content such as filenames and hashes for any and every file that enters their network in real time. This context can easily be checked against threat intelligence feeds to alert immediately on WannaCry activity.
Finally, one of the most important things for any enterprise to watch is its users. Encryption of one user’s workstation is normally an annoyance to an enterprise, but encryption of hundreds or thousands is debilitating and can bring operations to a standstill. But gaining access to those machines takes user access credentials, and quickly identifying anomalous activity associated with these user accounts is key to stopping the outbreak.
QRadar User Behavioral Analytics provides immediate insight into user behaviors such as critical asset access, privileged account escalations and suspicious privileged account activity, which are all prime indications of unwanted or malicious activities.
Lessons Learned From WannaCry
It has been a long two weeks for organizations around the world either dealing with actual WannaCry incidents or trying to close the doors so that it cannot get in. But it is important to remember that most of what we have discussed here isn’t specific to WannaCry at all.
Sure, there are specific behaviors and indicators only attributed to WannaCry, but it is simply the latest incarnation of a threat engineered to exploit organizations that struggle to stay on top of their fundamental security practices. Luckily, QRadar can help by providing these organizations comprehensive visibility across the enterprise and helping to highlight areas of concern as early as possible.
To learn more about proactively monitoring your network for evidence of threats, read the report, “The Forrester Wave: Security Analytics Platforms.” You can also watch our webinar, “Orchestrate Your Security Defenses,” and experience a demo of IBM QRadar Security Analytics.