The outbreak of WannaCry ransomware has caused enterprises to examine their approach to safeguarding endpoints. What controls could have dampened the worm’s propagation? What measures could have blocked the infection? How might these security controls work or fail in future, copy-cat variations of this attack? What defensive mechanisms might or might not apply to legacy systems?
Overall, the essential security practices have been effective at preventing WannaCry infections in organizations that followed them:
The approaches to preventing this type of incident are generally known, well understood, and can be practically implemented with free and commercial tools. Taken together, these measures would have been effective at blocking WannaCry infections, even though there are numerous business and technological reasons why some of these security layers might fail.
Unfortunately, given the vastness of the Internet, plenty of systems lacked all these essential controls and fell victim to the attack. Legacy systems, third-party devices and computers that might not have had clearly-designated maintainers were among those that were hit especially hard.
At Minerva, we assist enterprises in defending endpoints without overlapping with the solutions they might already have in place, instead strengthening the value of the tools the organization has already deployed. To accomplish this, we’re focused on blocking threats that are designed to evade existing defense mechanisms.
When Minerva Anti-Evasion Platform is on the endpoint together with a baseline anti-malware tool, malware authors are forced to “pick their poison”:
In the case of WannaCry, the attacker decided not to implement evasion, given that the self-propagating capabilities of this worm would make it extremely noisy and easy to spot anyway. As a result, baseline anti-malware products were generally able to block the malware at the onset of the attack.
To avoid being blocked by antivirus tools, derivatives of WannaCry might implement evasive techniques, such as sandbox avoidance, memory injection and the use of malicious document files, which would trigger Minerva’s defensive capabilities. Customers that have deployed Minerva together with antivirus will be protected regardless of which development path malware authors take.
Organizations should be prepared to handle situations where the various components of their security architecture fail. In the case of ransomware, that means making sure the company backs up the files that malware might attack. For scenarios where backups are impractical, Minerva’s Ransomware Protection allows customers to automatically restore the encrypted or deleted files, instead of paying ransom.
Companies still at risk of WannaCry infections can utilize Minerva’s free vaccination tool, which creates an infection marker that immunizes the system from current, and likely future, variants of this worm. Relying on such immunization techniques has been gaining interest in the industry. Since Minerva’s core competency is in the ability to create a “virtual reality” on the endpoint that deceives malware regarding its environment, we are uniquely positioned to implement malware vaccination that works not only in a lab, but is actually useful in real-world production deployments. This is not an easy task, but if implemented correctly, it can aid the enterprise in its containment efforts.
In summary, even enterprises that were not directly affected by WannaCry can use this event as an opportunity to confirm that the various layers of their endpoint defenses are in place and supplement each other’s strengths. Patch management, network segmentation, and baseline anti-malware protection establish an environment resilient to current WannaCry versions. Organizations should also consider what defenses they have in place to block stealthy, evasive threats designed to bypass existing security solutions. This is the area where Minerva is at its strongest, and we’ll be glad to demo it for you.