How to Mitigate Ransomware Without Tears

Vinod Vasudevan, Co-founder and CTO of Paladion.

Guest written by: Vinod Vasudevan, Co-Founder and CTO at Paladion

Events from the last few days have once again highlighted the havoc cyber-attacks can wreak. The October 2016 Dyn attack showed us the devastation a Distributed Denial-of-Service (DDOS) attack can cause, and now the WannaCry ransomware is showing us the chaos and destruction ransomware can bring. Unfortunately, the scale and impact of these attacks will only grow from here. The brunt of such attacks can be reduced if we stop taking digital security for granted and if we start taking proactive steps to prepare for such threats.

Here are some steps you can take to prepare and respond to such attacks:

Prioritize patching using threat & vulnerability intelligence
All of us understand the complexities involved in patching vulnerabilities. Systematic patching for high severity vulnerabilities is not necessarily the most efficient or effective approach, because not all high vulnerabilities are exploited. Patching all vulnerabilities is like boiling the ocean: impossible. The emerging best practice is to patch for vulnerabilities using threat intelligence and vulnerability intelligence.

We can identify such vulnerabilities by tracking common exploit kits, because vulnerabilities in exploit kits are the most likely to be exploited. Leading SOC providers also track and list the high impact threats being monitored in their SOCs and their corresponding CVEs (common vulnerabilities and exposures).

In the case of WannaCry, the hacking tool EternalBlue uses an SMB (server message block) exploit covering at least six CVEs. The MS17-010 patch from Microsoft, which was released in March this year, covers six CVEs including CVE-2017-0143 to CVE-2017-0148.

The interesting piece of insight is that the shadow broker leak of exploit tools has many more tools and many more CVEs affecting a wide range of platforms that is not just limited to Microsoft. So, more ransomware and attacks exploiting additional CVEs that are in other exploit kits leaked by the group seem imminent. It should be a priority for organizations to patch the CVEs in these exploit tools rather than wait for another WannaCry or Dyn type of attack.

Apply threat intelligence across as many sources and monitor for Indicators of Compromise(IoC)
When applied well, threat intelligence can assist in the early detection of system compromises and enables the quick arrest of threats. It is short sighted to apply threat intel feeds only on SIEM alerts as it limits detection to limited use cases that it triggers. Applying threat intelligence directly to all events from sources that include IPS, WAF, Firewalls, Proxy, NetFlow, Active Directory, End point protection platforms, and packet capture events will yield better results during such outbreaks.

In the case of WannaCry, there are 450+ indicators that can be applied across such log sources which calls for a big data security analytics platform for the necessary analysis. In addition to this, scanning for specific IoCs on end points corresponding to the current threat enables early detection. Ransomware creates simple identifiable indicators including random character directories, processes that spawn off, as well as tell-tale VBS files.

While all these should be part of signatures in End Point Protection(EPP) platforms, it is likely that the full signatures take time to evolve. Independent scans for simple IoCs, over and above EPPs, help sharper detection. This type of scan can provide a robust alternate mechanism to address operational shortcomings in an EPP including a delay in getting the correct signatures from the vendor and update failures. Such scans can also be used to target the presence of specific indicators; like the presence of a specific SMB version in the system or a flash plugin in the browser that is the cause of infection. It is a more agile mechanism in the time of crisis.

Detect lateral movement
Ransomware today has become a Ransomworm. For example, WannaCry is not a Ransomware, it is a Ransomworm due to the rate at which it can spread using SMB. Since the spread happens through desktop segments, it is very difficult to capture this lateral movement. Most organizations do not have extensive desktop logging nor are there IPS systems in these segments to detect such exploits or movements. Active Directory logs capture such lateral movement in a limited way.

There are specific event IDs for lateral movement including Explicit Credential logon (Event ID 4648 or 552) that can be detected with SIEM rules. But these are prone to false positives and require a good level of white listing and rule management on a continuous basis. The next generation evolution for such detection is to use machine learning to profile such events.

This enables much cleaner detection with less false positives and less management overheads unlike a rule based approach. Similarly, profiling which machines in a segment (or across segments) talk to each other using netflow logs enables lateral movement detection using profile deviations that occur due to Ransomware (ransomworm) communication. The detection of lateral movement is key in identifying infected machines, isolating them, and recovering these systems.

Respond rapidly
Fast response in a time of crisis depends on how well you have laid the foundation for such actions before the crisis starts. This applies to all types of crisis and Ransomware specifically. It is better to build smaller segments and have quick isolation mechanisms achieved through firewall segmentation VLANs, and NAC. In cloud architectures, micro segmentation is the future.

Readiness to apply Access Control Lists (ACL) between segments is crucial since it enables quick isolation and containment of the spread. Similarly, applying ACLs on machines using native host firewall features in the OS can be very useful in the time of crisis. In containment using ACLs, segmentation is achievable provided there is clear visibility of network communication before we hit the crisis.

Here again, NetFlow based profiling and access events based profiling can enable understanding of communication patterns within/across the segments and provides greater confidence in applying ACLs to contain the spread without incurring business downtime.

Bounce back with backups
Ransomware has taught us the value of backups. It is better to reimage and restore data than to pay a ransom. This requires that you have already done the right homework before it can be executed during a crisis. If you have not already done so, it is time you identify critical business data and have strong backup mechanisms in place for them. It is not always easy to identify data that is essential to keep the lights on during such crisis. However, it is an important requirement to combat ransomware attacks.