WannaCry: How We Created an Ideal Environment for Malware to Thrive, and How to Fix It

Wednesday, July 12, 2017

Jesse McKenna


On May 12, 2017 a ransomware attack began impacting organizations all over the globe and in just a few days had spread to over 230,000 computers across 150 countries. It’s quite a story with the vulnerability used to spread the ransomware coming from leaked NSA data, speculation that the malware authors were not particularly sophisticated despite the breadth of the attack, possible links to North Korea, and a security researcher stumbling upon a kill switch that largely halted further spread of the malware. Although these aspects are fascinating and worthy of investigation, there is a larger question that needs to be answered: How in the world did we end up with a security paradigm where a malware infection can spread so rapidly and so broadly? And, most importantly, how do we begin to fix it?

The ultimate scope of the WannaCry ransomware attack was a result of two primary factors: the ability to communicate laterally across environments without restriction and an abundance of vulnerable machines to compromise. It is perhaps not surprising that as malware has dramatically evolved over the preceding decades, security architectures would also need to have evolved to effectively defend against these attacks. However, as we look at the security infrastructures used by organizations today, it is clear that most organizations have not evolved their security approaches enough to keep pace with emerging threat vectors.

Standard practice for security teams only a few years ago was to construct as strong a barrier as possible between the internal resources of a network and the chaos of the internet. This perimeter-centric approach made sense at the time, when the resources on the network were more or less stationary. But things have changed. The capabilities introduced by mobile computing, BYOD, IoT, cloud computing, and increased interconnectivity between business partners and third parties have created a situation where the old perimeter is nearly impossible to define, let alone control.

With adversaries able to cross an organization's perimeter with little trouble, they are able to reach the largely unprotected interior of the network and data center and then operate with very little standing in their way. A good example of this was observed during the Target breach in 2013, when attackers were able to communicate with a Point of Sale (POS) system in one Target store by connecting to it from a network-connected deli meat slicer in a second store location. The solution to this situation is fairly obvious: implement security policies to isolate machines that should not be talking to each other. For example, POS systems should only be able to communicate with other payment components, different store locations should only be able to access inventory systems for other store locations, and deli meat slicers shouldn't be able to communicate with very much at all. The industry term for this approach of dividing a network and data center into smaller zones of communication is segmentation.

Without proper segmentation of an organization's network infrastructure, adversaries are able to move about at will, either manually or, in the case of WannaCry, automatically via a computer worm.
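As an added illustration (not code from the article or from vArmour), the following Python models the zone-based, default-deny policy the article describes and checks constructed sample flows against it, including the deli-slicer-to-POS path and worm-style SMB traffic between workstations; all zone names, ports and flows are assumptions made for this example.

```python
from dataclasses import dataclass

# Zones modelled on the article's example: POS systems, payment components,
# per-store inventory systems, and network-connected appliances (deli slicer).
# Zone names, ports and rules are constructed for this example.

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: int

# Allow list: (source zone, destination zone) -> permitted TCP ports.
# Anything not listed is denied (default deny), including traffic between
# peers inside the same zone, which is exactly what a worm relies on.
ALLOW = {
    ("pos", "payment"): {443},
    ("store-a-clients", "store-a-inventory"): {8443},
    ("store-b-clients", "store-b-inventory"): {8443},
    ("appliance", "appliance-mgmt"): {443},
}

def is_allowed(flow: Flow) -> bool:
    """Return True only if an explicit rule permits this flow."""
    return flow.port in ALLOW.get((flow.src_zone, flow.dst_zone), set())

def evaluate(flows):
    """Split flows into (allowed, denied) lists under the policy."""
    allowed, denied = [], []
    for f in flows:
        (allowed if is_allowed(f) else denied).append(f)
    return allowed, denied

# Constructed sample flows: legitimate POS and inventory traffic, the
# appliance-to-POS path from the Target breach, cross-store inventory access,
# and SMB (445) between two workstations in the same zone (worm-style spread).
SAMPLE_FLOWS = [
    Flow("pos", "payment", 443),
    Flow("appliance", "pos", 445),
    Flow("store-a-clients", "store-b-inventory", 8443),
    Flow("store-a-clients", "store-a-clients", 445),
    Flow("store-a-clients", "store-a-inventory", 8443),
]

if __name__ == "__main__":
    ok, blocked = evaluate(SAMPLE_FLOWS)
    for f in ok:
        print("ALLOW", f)
    for f in blocked:
        print("DENY ", f)
```

Only the two flows with explicit rules pass; the three lateral paths are denied without any rule naming them, which is the property that stops a worm from reaching peers.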

The second factor that contributed to the scale of the WannaCry attack was the sheer number of machines that were vulnerable to the EternalBlue exploit being leveraged. These vulnerable machines fall into one of two categories: either they were supported OSes that had not had critical security patches applied (Microsoft released a patch for the vulnerability on March 14, 2017 following the NSA leak), or they were unsupported OSes where no security patches were available (Microsoft has since released patches for these older OSes as well).

When you pull those threads a bit, it’s clear to see that organizations not having rigorous procedures for ensuring OSes are kept up to date with critical security patches directly led to the ability of WannaCry to spread as rapidly and broadly as it did. At the same time, the sheer number of organizations using older, unsupported OSes where critical security updates are no longer made available is shocking. According to the Spiceworks 2017 OS Adoption Trends survey, 52% of companies across North America, Europe, the Middle East, and Africa are still running some number of Windows XP systems. This means that more than half of all companies were vulnerable to WannaCry by default.

It's easy to fault companies still running OSes that have been unsupported for years; however, most of these companies are simply maintaining legacy applications they neither fully understand nor have the resources to recreate on a more current platform. They are in a tough spot, needing to maintain these older systems while also needing to secure them in wide-open networks where attackers can move about freely. This is the exact situation that created the opportunity for WannaCry to thrive.

Obviously keeping systems up to date with security updates and retiring/migrating systems once their OS is no longer supported can go a long way toward preventing the spread of malware inside an environment, but this approach isn’t always viable. For all the companies that need to maintain legacy systems, regardless of the reason, focusing on isolating these systems as much as possible is a much more effective strategy.

The important points for all organizations to remember are: 1) keep your systems as patched and up to date as possible, and 2) do not leave your network wide open for adversaries to take advantage of but begin segmenting your infrastructure and reducing your attack surfaces. We’re sure to see additional widespread attacks going forward, but by keeping systems up to date and preventing unauthorized communications via segmentation, your organization will be in a much better position to avoid being impacted by those threats.

About the author: Jesse McKenna is Director, Cybersecurity Product Management at vArmour. With over 12 years experience in designing leading edge detection systems, he possesses deep expertise in fraud, security, behavioral analytics, and how theoretical detection and analytics concepts can be applied and operationalized in real world environments.
