Carbon Black (CB) "More on WannaCry"
Continuing from the last blog, Carbon Black Defense “Put to the test”: by now most of the world has heard of, or experienced, WannaCry.
How WannaCry works
The WannaCry ransomware does not have any original tricks up its sleeve. It is standard ransomware that, upon execution, creates dozens of files in its current location and starts infecting the system. It targets a specific set of file extensions, more than 150 of them, beginning with well-known Office document types, which is in line with many other known ransomware families. What is truly unique about it is its method of delivery, which is believed to be through the now well-known ETERNALBLUE exploit.
Protection against the ETERNALBLUE exploit is fairly basic. The exploit targets servers with SMB network sharing exposed to the Internet, an exposure that should immediately be considered for removal. Servers are targeted over the standard network ports for the SMB service, all of which can be blocked in an organization’s firewalls.
More importantly, these exploits have been resolved by patches that Microsoft has already released and continues to release. Those patches should be prioritised for immediate testing and rollout within an environment. These suggestions follow the established SMB Security Best Practices.
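The three measures above (remove SMB exposure, block the SMB ports at the firewall, confirm the patch is present) are the kind of thing you would script rather than click through. Below is an added example, not code from the original post or from Carbon Black, that audits and reduces a Windows host's SMB exposure. The port numbers are the standard SMB and NetBIOS ports; the rule names, the use of the Public firewall profile to mean "untrusted network", and the KB placeholder are this example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit and reduce SMB exposure on a
# Windows host. Review the output first, make the changes in a maintenance window,
# then review again.

$SmbTcpPorts = @(445, 139)   # SMB over TCP, NetBIOS session service
$SmbUdpPorts = @(137, 138)   # NetBIOS name and datagram services

# Rule names are this example's own; the Public profile is assumed to represent
# networks the host should never serve files to.
$SmbBlockRules = @(
    @{ Name = 'Block inbound SMB (TCP)'; Protocol = 'TCP'; Ports = $SmbTcpPorts },
    @{ Name = 'Block inbound SMB (UDP)'; Protocol = 'UDP'; Ports = $SmbUdpPorts }
)

function Get-SmbExposure {
    # Snapshot of what a scanner on the network would see: listening SMB sockets,
    # whether the SMBv1 dialect (the one ETERNALBLUE abuses) is still served, and
    # whether the block rules defined above already exist.
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $SmbTcpPorts -contains [int]$_.LocalPort } |
        Select-Object LocalAddress, LocalPort

    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    $rulesPresent = foreach ($r in $SmbBlockRules) {
        [bool](Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        ListeningSmbPorts = $listening
        Smb1Enabled       = $smb1
        BlockRulesPresent = ($rulesPresent -notcontains $false)
    }
}

function Block-InboundSmb {
    # Create the inbound block rules once; re-running is a no-op.
    foreach ($r in $SmbBlockRules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
                -LocalPort $r.Ports -Profile Public -Action Block | Out-Null
        }
    }
}

function Disable-Smb1Server {
    # Turn off the SMBv1 server dialect; SMBv2/v3 clients keep working.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Test-HotFixInstalled {
    # Confirms a specific Microsoft update is present. The KB number must come
    # from Microsoft's advisory for your OS build; 'KB0000000' is a placeholder.
    param([Parameter(Mandatory)][string]$KbId)
    [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

Get-SmbExposure | Format-List
Block-InboundSmb
Disable-Smb1Server
Get-SmbExposure | Format-List
"SMB fix installed: $(Test-HotFixInstalled -KbId 'KB0000000')"   # replace the placeholder
```

Blocking only the Public profile is deliberate: a file server still has to talk SMB to its own subnet, so the network-segmentation step later in this post decides which profiles and scopes the block rules should really cover. Disabling SMBv1 is the part that removes the exploited code path rather than just hiding it.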
Ransomware (non-specific) Attack Anatomy by CB
Defense by Carbon Black
Cb Defense’s default policy will block WannaCry ransomware. Carbon Black is focused on delivering stronger protection against ransomware threats, which are the most prevalent and damaging attacks across industries. Cb Defense is continually evolving: new features detect malicious activity from ransomware such as WannaCry and disable the malware before damage is done, even as it morphs.
Cb Protection running in Medium or High Enforcement mode will, by design, automatically prevent the ransomware from executing. This is due to Cb Protection’s strength in preventing execution of unknown binaries, especially those of very suspicious origin.
Cb Response will detect this threat using a combination of behavioural and intelligence-based indicators. Notably, Cb Response and Cb Threat Intelligence contain watchlists for applications attempting to remove Windows Volume Shadow Copies via vssadmin.exe.
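The vssadmin.exe watchlist is worth understanding on its own, because the behaviour it catches (destroying the shadow copies a victim would otherwise restore from) is shared by most ransomware families, not just WannaCry. The following is an added example, not Cb Response's or Cb Threat Intelligence's own watchlist logic: a small detector over process-creation records. The wmic.exe and "resize shadowstorage" rules extend the page's single example to two other well-known ways of discarding shadow copies; the event fields and sample records are this example's own constructed data, not real telemetry.

```powershell
# Added example (not Cb Response's watchlist): flag process launches that delete
# Volume Shadow Copies. -match is case-insensitive in PowerShell, so
# "Delete Shadows" and "delete shadows" are both caught.

$ShadowCopyTamperRules = @(
    @{ Image = 'vssadmin.exe'; Pattern = '\bdelete\s+shadows\b';       Why = 'explicit shadow copy deletion' },
    @{ Image = 'vssadmin.exe'; Pattern = '\bresize\s+shadowstorage\b'; Why = 'shrinking storage silently discards copies' },
    @{ Image = 'wmic.exe';     Pattern = '\bshadowcopy\s+delete\b';    Why = 'WMI equivalent of vssadmin delete' }
)

function Find-ShadowCopyTampering {
    # Input: objects with Time, Image (full path), ParentImage and CommandLine,
    # the shape of a Sysmon Event ID 1 or EDR process-start record.
    # Output: one finding per matching event, naming the rule that fired.
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$Events)
    process {
        foreach ($e in $Events) {
            $imageName = [System.IO.Path]::GetFileName([string]$e.Image)
            foreach ($rule in $ShadowCopyTamperRules) {
                if ($imageName -eq $rule.Image -and $e.CommandLine -match $rule.Pattern) {
                    [pscustomobject]@{
                        Time        = $e.Time
                        Image       = $e.Image
                        ParentImage = $e.ParentImage
                        CommandLine = $e.CommandLine
                        Rule        = "$($rule.Image) $($rule.Pattern)"
                        Why         = $rule.Why
                    }
                    break   # one finding per event is enough
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry). Only the second and fourth
# should fire: the first is a routine admin query, the third an unrelated tool.
$SampleEvents = @(
    [pscustomobject]@{ Time = '2017-05-15T10:01:00Z'; Image = 'C:\Windows\System32\vssadmin.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'vssadmin.exe list shadows' }
    [pscustomobject]@{ Time = '2017-05-15T10:02:13Z'; Image = 'C:\Windows\System32\vssadmin.exe'
                       ParentImage = 'C:\Users\bob\AppData\Local\Temp\constructed_dropper.exe'
                       CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet' }
    [pscustomobject]@{ Time = '2017-05-15T10:02:14Z'; Image = 'C:\Windows\System32\notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'notepad.exe readme.txt' }
    [pscustomobject]@{ Time = '2017-05-15T10:02:20Z'; Image = 'C:\Windows\System32\wbem\WMIC.exe'
                       ParentImage = 'C:\Users\bob\AppData\Local\Temp\constructed_dropper.exe'
                       CommandLine = 'wmic shadowcopy delete' }
)

$findings = Find-ShadowCopyTampering -Events $SampleEvents
$findings | Format-Table Time, ParentImage, CommandLine, Why -AutoSize

# Live use: feed Sysmon process-creation events instead of the sample, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object { $d = ([xml]$_.ToXml()).Event.EventData.Data
#                      [pscustomobject]@{ Time = $_.TimeCreated
#                                         Image = ($d | Where-Object Name -eq Image).'#text'
#                                         ParentImage = ($d | Where-Object Name -eq ParentImage).'#text'
#                                         CommandLine = ($d | Where-Object Name -eq CommandLine).'#text' } } |
#     Find-ShadowCopyTampering
```

The ParentImage column is the field that separates a backup agent doing legitimate housekeeping from a freshly dropped binary in a user's temp directory, so any tuning of this rule should key on the parent, not on suppressing vssadmin.exe itself.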
Defending against Ransomware in general
Here are immediate steps your organization can take today to protect against WannaCry and other ransomware variants.
- Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it’s working.
- Secure your offline backups. Backups are essential: if you’re infected, a backup may be the only way to recover your data. Ensure backups are not connected permanently to the computers and networks they are backing up.
- Configure firewalls to block access to known malicious IP addresses.
- Logically separate networks. This will help prevent the spread of malware: if every user and server is on the same network, newer variants can spread.
- Patch operating systems, software, and firmware on devices. Consider using a centralized patch-management system.
- Implement an awareness and training program. End users are targets, so everyone in your organization needs to be aware of the threat of ransomware and how it’s delivered.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Enable strong spam filters to prevent phishing emails from reaching end users and authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent spoofing.
- Block ads. Ransomware is often distributed through malicious ads served when visiting certain sites. Blocking ads or preventing users from accessing certain sites can reduce that risk.
- Use the principle of “least privilege” to manage accounts: no user should be assigned administrative access unless absolutely needed, and if a user only needs to read specific files, the user should not have write access to them.
- Leverage next-generation antivirus (NGAV) technology to inspect files and identify malicious behaviour, blocking both malware and non-malware attacks that exploit memory and scripting languages such as PowerShell.
- Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
- Categorise data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
- Conduct an annual penetration test and vulnerability assessment.
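Of the list above, the email-authentication item (SPF, DMARC, DKIM) is the one most often configured but never checked. The following is an added example, not from the original post, that evaluates the SPF and DMARC policies a sending domain publishes, which is what a receiving mail gateway uses to decide whether spoofed mail is rejected. The records are constructed samples using reserved documentation addresses; only the live-lookup snippet at the end touches DNS. DKIM is left out because it is verified per message against a selector's public key, not from a single policy record.

```powershell
# Added example (not from the original post): grade SPF and DMARC TXT records.

function Test-SpfRecord {
    # The trailing "all" mechanism decides what receivers do with senders not
    # listed earlier: -all = fail, ~all = softfail, ?all = neutral,
    # +all (or bare "all") = everything passes.
    param([Parameter(Mandatory)][string]$Txt)
    $isSpf = $Txt -match '^v=spf1(\s|$)'
    $qualifier = $null
    if ($isSpf -and $Txt -match '(?:^|\s)([-~+?]?)all\s*$') {
        $qualifier = if ($Matches[1]) { $Matches[1] } else { '+' }
    }
    $finding = if (-not $isSpf) { 'Not an SPF record' } elseif ($qualifier -eq '-') { 'OK: unlisted senders fail' } elseif ($qualifier -eq '~') { 'Weak: softfail, spoofed mail is still delivered (flagged at best)' } elseif ($qualifier -eq '?') { 'Bad: neutral gives receivers no signal' } elseif ($qualifier -eq '+') { 'Bad: every sender passes' } else { 'Bad: no all mechanism' }
    [pscustomobject]@{ Record = $Txt; IsSpf = $isSpf; AllQualifier = $qualifier; Strict = ($qualifier -eq '-'); Finding = $finding }
}

function Test-DmarcRecord {
    # Parses the tag=value list of a _dmarc TXT record. p= is the policy for mail
    # failing alignment; pct= limits how much of that mail the policy applies to.
    param([Parameter(Mandatory)][string]$Txt)
    $tags = @{}
    foreach ($pair in ($Txt -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    $isDmarc = $tags['v'] -eq 'DMARC1'
    $policy  = if ($tags.ContainsKey('p')) { $tags['p'].ToLower() } else { $null }
    $pct     = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
    $enforcing = $isDmarc -and ($policy -in @('reject', 'quarantine'))
    $finding = if (-not $isDmarc) { 'Not a DMARC record' } elseif ($enforcing -and $pct -lt 100) { "Partial: $policy applies to only $pct% of failing mail" } elseif ($enforcing) { "OK: $policy" } elseif ($policy -eq 'none') { 'Weak: monitoring only, spoofed mail is delivered' } else { 'Bad: missing or invalid p= tag' }
    [pscustomobject]@{ Record = $Txt; IsDmarc = $isDmarc; Policy = $policy; Percent = $pct; Enforcing = ($enforcing -and $pct -eq 100); Finding = $finding }
}

# Constructed sample records (documentation domains and the 192.0.2.0/24 test range).
$Samples = @(
    @{ Domain = 'example.com';        Kind = 'SPF';   Txt = 'v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all' },
    @{ Domain = 'example.org';        Kind = 'SPF';   Txt = 'v=spf1 a mx ~all' },
    @{ Domain = 'example.net';        Kind = 'SPF';   Txt = 'v=spf1 +all' },
    @{ Domain = '_dmarc.example.com'; Kind = 'DMARC'; Txt = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com' },
    @{ Domain = '_dmarc.example.org'; Kind = 'DMARC'; Txt = 'v=DMARC1; p=quarantine; pct=25' },
    @{ Domain = '_dmarc.example.net'; Kind = 'DMARC'; Txt = 'v=DMARC1; p=none' }
)
foreach ($s in $Samples) {
    $r = if ($s.Kind -eq 'SPF') { Test-SpfRecord -Txt $s.Txt } else { Test-DmarcRecord -Txt $s.Txt }
    '{0,-22} {1,-6} {2}' -f $s.Domain, $s.Kind, $r.Finding
}

# Live use (needs DNS). A TXT answer may be split into several strings, so join them.
#   Resolve-DnsName -Name 'example.com' -Type TXT | ForEach-Object { $_.Strings -join '' } |
#       Where-Object { $_ -like 'v=spf1*' } | ForEach-Object { Test-SpfRecord -Txt $_ }
#   Resolve-DnsName -Name '_dmarc.example.com' -Type TXT |
#       ForEach-Object { Test-DmarcRecord -Txt ($_.Strings -join '') }
```

Run this against your own domains and any partner domains you whitelist at the gateway: an SPF record ending in ~all or a DMARC policy of p=none means the "authenticate inbound email" step in the list above is only logging spoofed mail, not stopping it.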