On 12th May 2017, unprecedented WannaCry ransomware attacks swept across multiple geographies, exposing the vulnerability of enterprise systems. The virulent ransomware – “WannaCrypt 2.0” or WannaCry – spread to over 200,000 computers across 150 countries and still continues to be a threat. The after-effects have been huge. Many of the Global 2000 enterprises have been affected, although not all instances are known. The few known instances include impact on medical and transportation services, leading to disruptions such as postponement of surgeries in the UK, delayed package and parcel deliveries in the US, blocked public information display systems for trains and transportation networks, and impact on some public sector organizations in India.
The prime reason WannaCry has been able to spread at such a scale globally is its ability to propagate across an organization’s network without any user interaction, by exploiting a known Microsoft Windows vulnerability.
Enterprises need to renew their focus on solutions that ensure their systems are secure, or they risk the loss of their data, time, money and, most importantly, their credibility. Such ransomware attacks prove that efforts at protection against cyber threats can never be considered complete – they need to be ever-evolving to prepare for more and more complicated types of attack in the future.
Let’s understand how ransomware works, before arriving at a four-step approach that all organizations should implement for effective threat protection.
How do ‘ransomware’ attacks work?
The entry point for the worm modules into an organization is generally a benign-looking social engineering email with a luring attachment or an appealing link, opened by an unwary employee or business user. The attachment or link tricks the user into running the malware, which then activates the Server Message Block (SMB) exploit. The worm can also reach exploitable systems directly over the internet by scanning for them.
Once WannaCry is introduced to a system it creates two threads. The first scans hosts on the LAN on port 445; the other is spawned 128 times and scans hosts on the wider internet by generating random IP addresses. If port 445 is found open on any host on the LAN or on any address on the wider internet, an exploit attempt is made. If that system is running an unpatched version of Windows, the exploit succeeds and the same pair of threads is created on the newly infected system. After infecting a system, WannaCry takes complete control of it. It can then install programs; modify or delete data; or create new accounts with full user rights.
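The propagation behaviour described above leaves a distinctive trace in perimeter and internal firewall logs: a single internal host opening connections to an unusually large number of distinct destinations on TCP/445 within a short window, split between RFC 1918 addresses (the LAN sweep) and public addresses (the random-IP threads). The following detector is an added example written for this article, not code from the original page or from any vendor product; the log format, the 60-second window, the threshold of 10 distinct targets and the sample log lines are all constructed assumptions.

```python
"""
Detect worm-style SMB scanning from firewall connection logs.

Hypothetical detector (not part of the article) over a constructed log
format. It flags any source that reaches many *distinct* hosts on TCP/445
inside a sliding window, then splits the targets into LAN (RFC 1918) and
internet addresses to mirror the two propagation threads described above.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical firewall export format (constructed for this example):
#   2017-05-12T10:00:00Z src=10.0.0.5 dst=10.0.0.101 dport=445 proto=tcp action=deny
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

WINDOW = timedelta(seconds=60)  # sliding window length (assumed tuning value)
DISTINCT_DST_THRESHOLD = 10     # distinct TCP/445 targets in one window -> alert

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    """True for RFC 1918 addresses, i.e. the 'LAN sweep' side of the worm's behaviour."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
        "proto": d["proto"], "action": d["action"],
    }


def detect_smb_scanners(lines, window=WINDOW, threshold=DISTINCT_DST_THRESHOLD):
    """Flag sources that reach >= `threshold` distinct hosts on TCP/445 within `window`.

    Returns {src: {"lan": n, "internet": m, "first": ts, "last": ts}} summarising
    all of that source's 445 traffic once any single window trips the threshold.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Both allowed and denied attempts count: a scanner's *denied* probes are
        # the earliest signal, before any host has actually been exploited.
        if rec and rec["dport"] == 445 and rec["proto"] == "tcp":
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # keep span <= window
                start += 1
            if len({dst for _, dst in events[start:end + 1]}) >= threshold:
                all_dsts = {dst for _, dst in events}
                lan = sum(1 for d in all_dsts if is_lan(d))
                alerts[src] = {"lan": lan, "internet": len(all_dsts) - lan,
                               "first": events[0][0], "last": events[-1][0]}
                break
    return alerts


def _line(ts, src, dst, dport=445, action="deny"):
    return f"{ts} src={src} dst={dst} dport={dport} proto=tcp action={action}"


# Constructed sample: 10.0.0.5 sweeps fifteen LAN hosts and five public addresses
# (RFC 5737 documentation ranges) within twenty seconds, while 10.0.0.8 only talks
# to its file server 10.0.0.20 once a minute. One malformed line is included.
CONSTRUCTED_LOGS = (
    [_line(f"2017-05-12T10:00:{i:02d}Z", "10.0.0.5", f"10.0.0.{101 + i}") for i in range(15)]
    + [_line(f"2017-05-12T10:00:{15 + i:02d}Z", "10.0.0.5", ip)
       for i, ip in enumerate(["203.0.113.7", "203.0.113.88", "198.51.100.23",
                               "198.51.100.200", "192.0.2.9"])]
    + [_line(f"2017-05-12T10:0{m}:05Z", "10.0.0.8", "10.0.0.20", action="allow") for m in range(3)]
    + [_line("2017-05-12T10:00:30Z", "10.0.0.5", "203.0.113.50", dport=443, action="allow")]
    + ["malformed line that the parser must skip"]
)

if __name__ == "__main__":
    for src, info in detect_smb_scanners(CONSTRUCTED_LOGS).items():
        print(f"ALERT {src}: {info['lan']} LAN + {info['internet']} internet targets on "
              f"TCP/445 between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

On the sample data only 10.0.0.5 is flagged (15 LAN and 5 internet targets); the file-server client 10.0.0.8 never exceeds one distinct destination. Counting denied connections as well as allowed ones matters: an egress rule that blocks outbound 445 will stop the internet-facing threads, but the flood of denied probes is exactly the signal that tells the SOC an internal host is already infected and sweeping the LAN.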
A four-step approach to protect yourself – act now!
The WannaCry ransomware attack serves as a wake-up call for every enterprise on how cyber-attacks can impact their businesses. Every day, cyber security threats continue to rise and get more sophisticated, and their impact more severe.
The need of the hour for global enterprises is to formulate and implement an adaptive and evolving approach to their security posture. A static view of cybersecurity needs and piecemeal incident response is passé. With a dynamic threat and regulatory environment, it is imperative for enterprises to build an adaptive security posture.
To achieve this adaptive security posture, enterprises need to assess their current cyber security strategy and validate whether their security architecture is scalable enough to defend against future threats. After designing a scalable, future-ready architecture, enterprises must transform their security posture with the requisite advanced controls and continuously integrate them into their environment to securely enable business growth.
We recommend a simple, comprehensive four-step approach to the enterprise security journey:
1. Start with the basics! Ensure cybersecurity hygiene: While most enterprises are focusing on niche security technologies or investing in next-generation security controls, they have de-prioritized the basics of security operations, such as ensuring protection and controls on all connected devices and educating all users. The following are best practices for cybersecurity hygiene:
• Regular patching and updating of operating systems and security software
• Next-Gen Anti-malware to detect and respond swiftly to advanced threats
• Educating and securing end users through security awareness and training campaigns
• Controlling and limiting access to administrative accounts on endpoints
• Enabling application whitelisting on end systems
• Taking regular data backups and creating system restore points on multiple platforms
• Continuous vulnerability assessment and corresponding risk mitigation
2. Proactive and predictive threat monitoring: For enterprises, continuous monitoring and corresponding security management leads to proactive defense against threats. To be proactive and predictive, organizations need to implement security analytics, and utilize machine learning, behavior analysis and vulnerability/threat modeling to detect and mitigate the threats targeting the enterprise.
3. Integrate global threat intelligence: Global threat intelligence, integrated with a security monitoring tool, is the recommended approach for visibility and actionable insights into proactive threat management. With the rise in the number of sophisticated attacks, the need of the hour is ‘collaborative threat intelligence platforms’ that can aggregate threat, vulnerability and social-media feeds from multiple sources.
4. Implement a holistic ‘Incident Response System’: Enterprises need to move away from ‘prevention only’ approaches to holistic detection and response mechanisms. It is important to have integrated and robust incident response systems, automated and orchestrated to stop, contain, eradicate and recover from the impact of WannaCry and other possible future threats. Gartner expects spending on enhancing detection and response capabilities to be a key priority for security buyers through 2020.
Conclusion
Enterprises need to move away from a ‘static’ security posture to a ‘dynamic’ one. Most modern attacks are the result of a lack of awareness or education on the part of users, or of laxity on the part of organizations in continuously securing their environments through regular vulnerability assessment, mitigation and patching programs.
Threats such as ransomware do not always necessitate advanced security toolsets for defense. A proactive and planned threat protection approach, with support across the enterprise security journey, can help organizations grow their business securely while meeting all business and regulatory compliance requirements. With a proactive approach, cybersecurity leaders need to adapt and evolve in response to the security challenges they face, to inspire overall business confidence.