Basic security hygiene blocked WannaCry – but a comprehensive defence needs more
- 02 June, 2017 12:40
It may have sent European businesses scrambling and the security community abuzz, but the WannaCry ransomware attack’s fizzling in the United States and Australia means its legacy will be mostly as a cautionary tale – and, one security expert warns, a potential distraction from more important security issues.
The world may have braced for a global epidemic of new ransomware infections once news of WannaCry’s Saturday assault on the UK National Health Service spread, but by the time the week began “we just didn’t see quite what we were expecting,” says Bill Smith, senior vice president of worldwide field operations with security firm LogRhythm.
“We were expecting a big flareup when everyone logged in on Monday morning, but we really didn’t,” Smith said. “There really wasn’t anything unusual about WannaCry – it was run-of-the-mill, commodity ransomware – but what was unique was its ability to propagate itself, which we hadn’t seen to that extent before.”
Accurate estimates of the damage to Australia vary, but an officially published figure of 12 afflicted companies confirmed that the ransomware had failed to make as big of an impact in this country. This was lucky, given that recent figures from Flexera Software’s latest Australia Country Report reported a strong rise in the number of Australian PC users with unpatched operating systems since the end of 2016. It also suggests that many companies may be following government advice by adopting the Australian Signals Directorate’s Essential Eight mitigation strategies, which the Australian Cyber Security Centre (ACSC) noted would have protected organisations from WannaCry.
Yet as other attacks emerge based on the same EternalBlue vulnerability that WannaCry exploited, unpatched systems will once again face compromise and businesses will once again be scrambling to protect themselves. It’s a surefire sign that conventional defences can only go so far in protecting against novel attacks – and that patching remains a cat-and-mouse game as new vulnerabilities are continually discovered.
“We have to be careful of creating a false sense of security that if we patch our systems everything is OK,” Smith warned. “The vast majority of security budget is still spent on prevention methodologies, but the dirty little secret of security breaches is that most of them involve compromised credentials. And it doesn’t matter if you patch your system, if attackers have your username and password.”
Indeed, Verizon’s latest Data Breach Investigations Report (DBIR) 2017 found that fully 81 percent of hacking-related breaches leveraged stolen and/or weak passwords – meaning that intruders were able to compromise networks not through stealthy exploits like EternalBlue, but by simply walking in the front door of the network.
Such realities highlight the need for a broader behaviour and network security monitoring environment to complement patching and other best practices, Smith said. Continuous data monitoring tools, which watch user and network behaviours and compare them against continually-updated baselines, offer an important complement by allowing security teams to not pick up on ransomware, malware, and other suspicious code not by its signature but by its behaviour on the network.
Held in this light, ransomware stands out like the proverbial sore thumb: as it begins surveying the victim computer all ransomware generates a surge in disk activity that monitoring solutions will pick up as a telltale sign of an unusual infection.
“If ransomware starts to encrypt data, there is an abnormal number of reads and writes,” Smith explained. “In those cases that’s a behavioural anomaly and you couple that with information on where the customer has been, or the new processes running on the system, and there is a high probability that you can detect it.”
Poor detection capabilities can have a significant impact on the integrity of corporate data – and this can persist for a long time. DBIR analysis of 7743 incidents of insider and privilege misuse found that 81.6 percent were instigated by internal staff, compared with 8.3 percent through collusion, 7.2 percent from external sources, and 2.9 percent from partners.
The heavy weighting towards compromises by internal staff means that breaches of this sort tend to take much longer to detect than other, more obvious compromises. Some 42.8 percent of cases took months for victim organisations to detect, while 38.9 percent said it took years to spot the compromises.
These figures represent an unacceptable time-to-discovery delay that could be significantly improved by using monitoring and proactive analysis tools. “Everybody needs approaches for early detection,” Smith said, noting the quick response of some well-prepared businesses to the WannaCry outbreak. “We had some customers who were able to quickly detect and deal with it before things got ugly,” he said, “and it didn’t do any damage.”
Monitoring is also helping companies deal with the growing flood of data as Internet of Things (IoT) devices come online. With numbers of devices exploding
“There are all sorts of things coming online that need to be monitored,” Smith said, “and this just exacerbates the problem. It’s a big-data analytics problem, so doing these things is just a necessity.”
Improved monitoring and analytics are also providing a way for businesses to compensate for the chronic lack of security skills in the market. Without skilled staff, after all, otherwise-secure businesses have no way of keeping up with, and meaningfully using, the data that’s collected by monitoring systems.
“There are a lot of things we can do to ease the burden of manpower,” he says. “We won’t solve this completely through software, but we can do things to help. By making the products smart, making them understand data better, and making them function more efficiently, we can make the responses more automated.”
Increasing automation of monitoring and response systems will also help small businesses by fuelling improvements in managed security services (MSS) offerings. Those increasingly popular services offer a way for any business to add security monitoring and response capabilities, with built-in automation helping to compensate for the lack of skilled security staff.
By adopting the right mix of monitoring, automation and managed services, companies now have more ways than ever to quickly detect and isolate security threats – even if they are struggling to build up the appropriate security expertise themselves.
Turning monitoring technology into security policy will allow organisations to reduce their time to discovery even when new threats emerge – allowing them to be responsive to today’s ever-changing security climate.
“WannaCry was a reminder of the potential impact when these things aren’t done correctly,” Smith said, “and it’s disappointing because the solution for this one is so basic. Organisations are going to have to take their security policies seriously enough to make them part of their institutional routine. When there are real-life consequences for breaches, it hits home just that little bit more.”