Why We’re Still Talking About WannaCry and You Should Too
Sean Keef May 24, 2017
Unless you’ve been living under a rock, you’ve likely heard of or been hit by the WannaCry attack. It was so widespread that even if you have been living under a rock, you may have been locked out of your rock files, called up your rock CISO in a panic and second guessed every rock email attachment you opened in the days following.
Thankfully, the WannaCry ransomware attack has gone quiet (for now), and we can step back to get some perspective on this global cyber phenomenon.
WannaCry Was Weird
Seemingly everything about WannaCry positioned it for celebrity status. From the exploit and backdoor it borrowed from The Shadow Broker’s leak of NSA hacking tools, to its size and speed with which it spread, to the extremely lucky existence of a kill-switch and rumors of who was behind the attack, the internet was a–twitter with speculation and accusation.
Even the way the attack was initiated set it apart from the majority of ransomware. More than 95 percent of ransomware attacks use phishing as the means for initial distribution. WannaCry is the most successful ransomware attack ever, but appears to have shirked this method.
According to research from Malwarebytes, WannaCry first infected machines in organizations not blocking 445 from the internet. The related Wired article states, “New information suggests that WannaCry infections used the alleged NSA-leaked EternalBlue software to exploit underlying vulnerabilities in public–facing server message ports.” After exploiting unpatched Windows Server Message Block (SMB) vulnerabilities, the attack again used 445 and other Microsoft/SMB ports to spread like wildfire, taking advantage of network connectivity for its own nefarious purposes.
As the payload remained encrypted on infected machines, many malware detectors were unable to recognize the threat.
What We Already Know We Struggle to Do
Yes, organizations should’ve blocked port 445 access from the internet. Yes, they should’ve applied the Microsoft patch to the related vulnerabilities or mitigated their risk with compensating controls. Yes, they should’ve had better internal segmentation to minimize the spread of the attack.
Security teams around the world are probably still kicking themselves over such a high–profile attack that could’ve been avoided through basic cyber hygiene. But with the laundry list of tasks facing already resource– and staff–strapped security teams, it’s no surprise WannaCry was able to slip in through the cracks.
Because organizations could’ve been proactive against WannaCry, the attack shows us current methods of security management aren’t working.
Insanity is doing the same thing and expecting different results. It’s time for a different approach.
The biggest challenges of security today, in my opinion, are visibility and intelligence. They are difficult to achieve and fundamental to protect against and contain attacks. Yet many organizations don’t even know what it is they’re trying to protect, where their risks lay and what tools are at their disposal to deal with them.
So even if you didn’t get hit by WannaCry and think, “I dodged a bullet – I must have awesome security,” unless you have complete visibility and contextual intelligence of your attack surface, it’s more likely you just got lucky.
My prescription to be prepared for the next WannaCry–style attack (a resurrection or other NSA–tool–powered attack seems likely): get a holistic view of your attack surface, prioritize risk in a way that makes sense for your network and start taking action:
- Adjust firewall rules to protect against initial infections and spread of worms
- Get up–to–date intelligence on exploits in the wild and remediation options (available patches,IPS signatures, etc.) to address imminent threats immediately
- Run simulations to understand how attackers could infiltrate and move laterally in your unique environment (e.g., its network paths, security controls, vulnerabilities, compromised hosts, etc.)
- Track remediation of your biggest threats to ensure they’re neutralized and monitor the risk levels of lower–severity issues that you can’t get to right away
WannaCry was only the beginning. Because while we look back at the lessons learned from WannaCry’s successes, cybercriminals around the world are doing the same thing looking at its failures. The next WannaCry might not have a kill switch and it might not be $300 ransoms. Now is your time to prepare for what’s next.
Bring all of your attack surface into view with a simple, interactive model — Skybox Horizon. Understand the interconnectedness of your entire network, zoom in on problem areas and quickly spot indicators of exposure, including exposed or exploited vulnerabilities, risky access rules and unsecure device configurations.
Watch the demo on how to use Skybox Vulnerability Control to spot the vulnerabilities associated with WannaCry in your network, get info on demand on available patches or compensating controls and track remediation to ensure the threat is rooted out.