The WannaCry Wake-Up Call

Unless you’re under a rock, you know that the WannaCry Ransomware cyberattack swept worldwide headlines last week.

Organizations scrambled to apply the latest Microsoft security patch to their computers to prevent the spread of the attack. It’s estimated that the ransomware attack hit more than 300,000 victims in 150 countries.

Did we know about this?

Not until the day it happened. WannaCry is a specific instance of what security teams face every day – the unknown. We tend to wait for the alarm to trigger, and then we scramble to find out what happened, assess the damage and quickly find a solution. The more reactive we are to unknowns, the higher our risk vulnerability and the higher the impact of the threat.

What can we do about it?

We can be more proactive in our daily security management. One area is Threat Hunting.

Threat Hunting is proactive seeking and discovering the tactics, techniques and procedures (TTPs) of sophisticated attacks.  These changing tactics requires a human to engage with data to uncover adversaries traversing our networks. Hidden within all that data is behavior, behavior that can be assessed using the Threat Hunting method. For more about Threat Hunting, check out my colleague’s blog here >>

Are there any other security tools we can use to prevent a cyberattack like WannaCry?

Yes, overly permissive rules should always be locked down as part of firewall best practices. Some enterprises typically segment business units with firewalls. However, oftentimes firewalls that provide segmentation are overly permissive. It’s hard for firewall engineers to determine the least amount of access required between internal business units. Using FireMon Security Manager’s Security Intelligence Query Language (SIQL) queries and compliance reports allow security engineers to determine where to focus their efforts. As an example, a security professional can quickly search all firewalls in an environment that allow services used by WannaCry.

FireMon’s Risk Analyzer (RA) shows vulnerable assets and corresponding firewall rules permitting the traffic. Based on exposure illustrated by Risk Analyzer, a company could take action to lock down firewall rules and restrict WannaCry and permitted access at the host level. They could search to find every host with one of the vulnerabilities and then see which hosts are exposed and which hosts are protected by the firewall. This would then give them a prioritized list of hosts to patch. You wouldn’t have to patch the hosts that weren’t reachable due to the firewall blocking access. RA’s “what if” scenarios are very valuable to large organizations because these organizations typically will patch higher asset value assets first. They don’t take into account a lower asset value compromise, which allows access to more important assets.

The results from Risk Analyzer can be imported into Immediate Insight and correlated with other security data to further track and mitigate the spread of WannaCry.


It’s all about being proactive

Cyberattacks are inevitable. The impacts don’t have to be. If an organization is proactive about their security practices, the impacts from these attacks can be marginalized. Using tools such as Immediate Insight for Threat Hunting, Security Manager for Rule Assessment and Risk Analyzer to find network path vulnerability are key to whether an organization will be prepared for next time.