Author: Chris Goettl / Source: Information Security Buzz
As many of you know, there is a ransomware attack exploding across the globe. The last headline I read estimated that 90 countries were impacted. This could be one of the biggest cybersecurity incidents we have seen to date. The impact to hospitals is catastrophic and it’s absolutely inexcusable that people’s lives are being put at risk. Seeing ransomware attacks against a hospital gets my blood boiling, and I have some choice words about it, but will refrain for now.
What I do want to address is how this happened. I have seen a number of knee-jerk responses to this incident and want to take a step back and analyze them because I think some people are too close to the issue at the moment.
By now, you have likely seen many claims about the root cause of this attack – from the MS17-010 update not being applied, to the “Crazy Bad” vulnerability discovered earlier this week in the Microsoft Malware Protection Engine, to phishing scams. In actuality, what we’re seeing is a combination. Most effective malware has the ability to adapt and use a number of exploits to infect and propagate. We are witnessing a jackpot or perfect storm combination that has allowed this attack to be so effective so quickly. It reminds me of incidents like Conficker, where all the right exploits came together to create the Mona Lisa of cyber attacks.
One tweet criticized Edward Snowden and called out the NSA for not privately disclosing the SMBv1 exploit when they first discovered it. While I do not condone agencies discovering exploits and keeping them quiet, which puts us at long-term risk, this vulnerability had the potential to contribute just as badly to an attack of this magnitude regardless. Think about it: whether the vulnerability was disclosed a year ago or just recently, a knowledgeable attacker would have taken advantage of it. This update, regardless of when it was released, made a change in the handling of SMB traffic, which could cause significant issues when rolling it out.
Many companies tremble when a security update causes a significant change to common communication channels or protocols. This SMB update had significant changes, and in large enterprises these types of changes can cause legacy applications or proprietary software to break, resulting in delays in pushing updates until the issues are resolved or other updates are made to the affected applications to accommodate the changes.
The fact of the matter is, ransomware attacks keep happening, and they follow the same pattern every time. The scope of this attack and its massive global impact are drawing more attention to the incident, but the basic recipe remains the same: phish a user, exploit and infect the system, propagate to more systems, encrypt data on the local system, post the ransom demand and get paid.
What has changed is the exploit used to get into the environment, and the means by which these phishing attacks propagate between systems. This attack has enjoyed more success than others due to the sheer luck of having the perfect combination of exploits to infect and propagate.
How do we defend against these types of attacks, especially at such a massive scale? Layered security. That is, a ‘Defense in Depth’ approach that ensures that no one security control is a point of failure. AV and Next Gen Threat Protection are still a critical part of defending against malware and ransomware, but they cannot do it all. I have heard reports that only 30 percent of the AV vendors have been able to catch this variant and there may already be some new variants that are slipping past those. This will continue to happen until the holes in your defense are plugged, as the attacks can keep using the same vulnerability to gain entry into your environment.
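The two conditions the article keeps returning to, the MS17-010 update not being applied and SMBv1 still being enabled, can be audited per host. The following is an added example, not code from the article or from Ivanti; it assumes Windows 8 / Server 2012 or later (the `SmbShare` module), an elevated session, and that the `KbIds` parameter is replaced with the actual MS17-010 KB numbers for each OS build (the value below is a placeholder).

```powershell
# Added example (not from the article): audit one Windows host for the
# conditions the article discusses, and optionally plug the SMBv1 hole.
# Read-only unless -DisableSmb1 is supplied. Assumes Windows 8 / Server 2012+
# and an elevated PowerShell session.
# Usage: .\Audit-Smb1.ps1 -KbIds 'KB_PLACEHOLDER'   (replace with real KBs)
param(
    # KB identifiers of the MS17-010 package for this OS build. Placeholder:
    # look up the correct KB per build in the MS17-010 bulletin.
    [string[]]$KbIds = @('KB_PLACEHOLDER'),
    [switch]$DisableSmb1
)

$report = [ordered]@{
    ComputerName      = $env:COMPUTERNAME
    Smb1ServerEnabled = $null
    Smb1FeatureState  = 'Unknown'
    Ms17010Installed  = $false
}

# 1. Is the SMB1 protocol still enabled on the server side?
$cfg = Get-SmbServerConfiguration
$report.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol

# 2. Is the optional SMB1 feature installed at all (client and server)?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { $report.Smb1FeatureState = $feature.State }

# 3. Is any of the listed MS17-010 packages present?
$installed = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
$report.Ms17010Installed = [bool]$installed

[pscustomobject]$report | Format-List

# 4. Plug the hole if asked. This is exactly the kind of SMB change the
#    article says can break legacy applications, so stage it and verify.
if ($DisableSmb1 -and $report.Smb1ServerEnabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Warning "SMB1 server protocol disabled on $env:COMPUTERNAME; confirm legacy clients still connect."
}

if (-not $report.Ms17010Installed) {
    Write-Warning "No listed MS17-010 package found; verify against Windows Update or WSUS."
}
```

Run it across the fleet (for example via Invoke-Command) and treat any host reporting `Smb1ServerEnabled : True` with `Ms17010Installed : False` as the unplugged hole the article describes.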