In last few days, a new cybercrime gained prominence, WannaCry. It is a type of malicious code classified as ransomware, of those who “hijack” data from computers to demand money in return for giving back access to its owner.
Once the machine is infected, the virus encrypts the files and displays a screen in which it demands a payment of the ransom, usually in electronic money (bitcoins). Bitcoins, like cash, leaves no trace when it moves and allows circular values among criminals.
The most interesting thing about WannaCry is that it explores a vulnerability of the Windows operating system, known for at least two months. The vulnerability allows remote code execution through a vulnerability in the Service Message Block (SMB) service.
What does the episode leave us?
1. Growth of cyber threats
Threats grow in terms of magnitude and aggressiveness. With increasing connectivity, each new threat has the potential to infect more computers.
2. Cyber crime is growing
This new threat also reminds us that cyber crime is increasing, as threats increasingly have a financial motivation. They become more dangerous because the criminal organizations that run them have more and more resources to develop sophisticated “weapons” and act globally with them.
3. Real impact on business
During the last few days have seen news of companies that were contaminated and had to pay for the rescue of their data, and others decided to disconnect their equipment. In both cases, the impact in terms of cost (either by the payment of the ransom or by the loss of productivity) is evident.
4. Prevention is fundamental and starts with small things
The vulnerability is known about two months ago when Microsoft published a bulletin recommending the update of Windows systems to correct it. A Patch Management job, complemented by Vulnerability Management, would have avoided that headache.
5. Microsegment the network
The use of tools for micro-segmentation reduces the damage. By isolating systems by microsegments, the lateral movement performed by the malware is contained, and it does not contaminate a large number of networked computers.
Opting for software micro-segmentation, focusing initially on more critical systems will allow rapid adoption, with no impact on the network architecture. In the medium and long term, this technique will increase security and simplify the network by reducing the complexity of internal firewalls and segmentation via VLANs.
6. Monitoring Malware Behavior
New threats will emerge at all times, which will be unknown to traditional security tools that work with known malware signatures and standards.
The use of event correction tools is a necessary control, but it is not enough. Preparing for new malware requires a smarter SOC that identifies anomalous behaviors even when a new attack with unknown signature is present.
In the case of WannaCry, communication through the SMB gate, the behavior of moving laterally within the network, and the address of its “master” it tries to contact, are typical signs that something strange is happening and will allow a Smart SOC detect the new threat in time.
7. Response to incidents
Once the new threat is detected, a rapid response is required. Automatic or manual responses could block suspicious traffic and remove contaminated equipment from the network.
The use of an Adaptive Security Architecture is recommended to respond dynamically, changing the architecture of subnetworks as the contaminations are identified. One example is to quarantine contaminated equipment and prevent it from polluting others.