Reflecting on the Endpoint Security Architecture in the Aftermath of WannaCry

May 16, 2017 | Lenny Zeltser

The outbreak of WannaCry ransomware has caused enterprises to examine their approach to safeguarding endpoints. What controls could have dampened the worm’s propagation? What measures could have blocked the infection? How might these security controls work or fail in future, copy-cat variations of this attack? What defensive mechanisms might or might not apply to legacy systems?

Essential Practices Form the Baseline

Overall, the essential security practices have been effective at preventing WannaCry infections in organizations that followed them:

  • Segment the network and block unnecessary protocols. WannaCry spread over the SMB protocol, which normally should not be reachable from outside the organization.
  • Keep up with security patches. WannaCry exploited a Microsoft Windows vulnerability for which a patch had been available for some time.
  • Install anti-malware software. Even at the onset of the attack, antivirus vendors were successfully identifying WannaCry components as malicious.

The approaches to preventing this type of incident are generally known, well understood, and practical to implement with free and commercial tools. Taken together, these measures would have been effective at blocking WannaCry infections, even though there are numerous business and technological reasons why any one of these security layers might fail.
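A read-only audit of the three baseline controls above on a single Windows host, as an added example that is not part of the original post or of Minerva's tooling. It assumes a Windows 8 / Server 2012 or later host with the SmbShare, NetSecurity and Defender PowerShell modules present; the "stale after 60 days" patch threshold is an assumption chosen for illustration.

```powershell
# Added example: audit the essential practices (SMB exposure, patch currency,
# anti-malware) on the local host. Read-only; nothing is changed.
$report = [ordered]@{}

# 1. Network protocol hygiene: is the legacy SMBv1 dialect still enabled server-side?
try {
    $report['SMB1Enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
} catch { $report['SMB1Enabled'] = 'unknown (SmbShare module missing)' }

# Which enabled inbound firewall rules allow TCP/445 at all? Port filters pipe back
# to their owning rules, so we can list the rule names and profiles they apply to.
$smbRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$report['InboundSMBAllowRules'] = ($smbRules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" }) -join '; '

# 2. Patch currency: days since the most recent hotfix was installed.
# (Assumed threshold: anything older than 60 days is flagged as stale.)
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastPatch) {
    $age = (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
    $report['LastHotFix']     = "$($lastPatch.HotFixID) on $($lastPatch.InstalledOn.ToShortDateString())"
    $report['PatchStale']     = ($age -gt 60)
} else {
    $report['LastHotFix']     = 'none recorded'
    $report['PatchStale']     = $true
}

# 3. Baseline anti-malware: real-time protection on and signatures current?
try {
    $mp = Get-MpComputerStatus
    $report['AVEnabled']        = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    $report['AVSignatureDate']  = $mp.AntivirusSignatureLastUpdated
} catch { $report['AVEnabled'] = 'unknown (Defender module missing; check your AV product)' }

# Emit one finding per control so the output can be collected fleet-wide.
[PSCustomObject]$report | Format-List
```

Run it in an elevated PowerShell session; a host that reports SMB1Enabled = True, an inbound TCP/445 allow rule on the Public profile, or PatchStale = True is missing one of the controls the list above describes.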

Unfortunately, given the vastness of the Internet, plenty of systems lacked all of these essential controls and fell victim to the attack. Legacy systems, third-party devices and computers without clearly designated maintainers were among those hit especially hard.

Forcing Malware Authors to “Pick Their Poison”

At Minerva, we assist enterprises in defending endpoints without overlapping with the solutions they might already have in place; instead, we strengthen the value of those existing tools. To accomplish this, we focus on blocking threats that are designed to evade existing defense mechanisms.

When the Minerva Anti-Evasion Platform is on the endpoint together with a baseline anti-malware tool, malware authors are forced to “pick their poison”:

  • If they design their malware with evasive capabilities, Minerva will get in its way even if the antivirus tool could not identify the malware in order to block it, perhaps because the specimen avoids executing in forensic environments or maintains stealth using techniques such as memory injection.
  • On the other hand, if the attacker decides not to implement stealthy techniques, antivirus will be able to block the specimen based on its core strength: identifying malicious patterns and activities in files and processes.

In the case of WannaCry, the attacker decided not to implement evasion, given that the worm’s self-propagation would make it extremely noisy and easy to spot anyway. As a result, baseline anti-malware products were generally able to block the malware at the onset of the attack.

To avoid being blocked by antivirus tools, derivatives of WannaCry might implement evasive techniques, such as sandbox avoidance, memory injection and the use of malicious document files, which would trigger Minerva’s defensive capabilities. Customers that have deployed Minerva together with antivirus will be protected regardless of which development path malware authors take.

Security Architecture that Accommodates Failures

Organizations should be prepared to handle situations where the various components of their security architecture fail. In the case of ransomware, that means making sure the company backs up the files that malware might attack. For scenarios where backups are impractical, Minerva’s Ransomware Protection allows customers to automatically restore the encrypted or deleted files, instead of paying ransom.

Companies still at risk of WannaCry infections can utilize Minerva’s free vaccination tool, which creates an infection marker that immunizes the system against current, and likely future, variants of this worm. Such immunization techniques have been gaining interest in the industry. Since Minerva’s core competency is the ability to create a “virtual reality” on the endpoint that deceives malware about its environment, we are uniquely positioned to implement malware vaccination that works not only in a lab but is actually useful in real-world production deployments. This is not an easy task, but if implemented correctly, it can aid the enterprise in its containment efforts.

In summary, even enterprises that were not directly affected by WannaCry can use this event as an opportunity to confirm that the various layers of their endpoint defenses are in place and supplement each other’s strengths. Patch management, network segmentation, and baseline anti-malware protection establish an environment resilient to current WannaCry versions. Organizations should also consider what defenses they have in place to block stealthy, evasive threats designed to bypass existing security solutions. This is the area where Minerva is at its strongest, as we’ll be glad to demo for you.