I don’t need to go over the impact on multiple organisations of the recent ransomware attack. You can’t have missed it on the news. It wasn’t good.
The cyber security landscape is changing with the onset of advanced persistent threats (APT). These threats comprise multiple components, including malware and botnets. APTs can persist over a long period to remain undetected long enough to glean the required information.
The Wannacry outbreak sought out vulnerable public facing SMB ports and then used the EternalBlue exploit to get onto the network. The DoublePulsar exploit was then used to allow the installation of the WannaCry ransomware application. At which point, if it was your network, you were in big trouble.
Wannacry indicates a possible change in attack behaviour for ransomware attacks in that it exhibits worm behaviour, allowing for a much greater rate of attack than traditional phishing based attacks. EternalBlue is an alleged NSA leaked exploit that affects Windows operating systems from XP through to Windows 7 along with Windows Server 2003 and Windows Server 2008.
The use of standard protocols to take advantage of vulnerabilities means that traditional firewalls are not effective in preventing these modern cyber threats. Multiple security methods are required including next generation firewalls, IPS and endpoint security:
- Lock down unused protocols and ports
- Lock down unused applications
- Control malware enabling applications
- Keep security patches up to date on operating systems and applications
- Utilise sand boxes to actively test unknown files
- Provide network separation for mission critical applications
- Provide Layer 7 visibility for firewalling, monitoring, reporting and alerting against unusual traffic both at the traditional security border and internally
- Implement managed endpoint protection, especially if you have a mobile workforce
- Ensure regular (tested) backups are taken to provide a restoration point should an infection occur
Today’s threats are sophisticated and often targeted at a specific organisation or specific information. The nature of attackers has also changed. Yesterday’s opportunist coders wanting to highlight security vulnerabilities are now more likely to be gangs of well financed cyber criminals. Staying safe is difficult in the face of more sophisticated attacks but it can be done.