By Fei Huang
“WannaCrypt ransomware attacks should make us wanna cry” was CNN’s headline for the worldwide ransomware attack that started last Friday (5/12). The numbers make clear how serious this network attack was: more than 20 hospital IT systems hit (Britain’s NHS had to cancel surgeries), more than 100 countries affected, and large organizations such as the Spanish firm Telefonica, Germany’s main train operator Deutsche Bahn, Russia’s Interior Ministry, and universities and gas stations in China…
So from a security point of view, here are some interesting observations:
- Public clouds did a better job of security in this case. WannaCrypt spreads by exploiting a vulnerability in the Windows SMBv1 service (MS17-010, the EternalBlue exploit) reached over TCP port 445, and thousands of computers became victims. Most public cloud providers, however, already block the unnecessary ports 445/137/138/139 by default, so virtualization and network segmentation naturally reduced this risk for their tenants.
- Internal security has become more and more important. One of the main reasons WannaCrypt spread so fast is that internal networks have far fewer protections in place. Starting from a single compromised laptop or internal VM, the worm port-scans for 445 and spreads over east-west (internal) traffic. Even a gateway firewall with the correct rules cannot help here, because it is deployed on the north-south (external) path and never sees east-west traffic.
- Host security has limitations. Most Windows computers today are armed with all kinds of security agents. In this case, a comparison reported at the time found that among 20+ agent-based endpoint protection solutions only 7 were effective against WannaCrypt, so most endpoint solutions did not work as expected. More and more attacks now start as network attacks, whether internal or external, so the first security gate that should be in place is an advanced distributed firewall in front of the hosts.
- Run-time network security is a must. Today the WannaCrypt attacks target Windows systems, but the same risks exist on every operating system, including Linux, Mac and even embedded systems. The fact that we are seeing more and more successful ransomware attacks this year shows that applications and systems are highly likely to have, or to develop, vulnerabilities. Security that only scans for and patches known vulnerabilities is not enough (the MS17-010 patch had been available since March, yet many systems were still unpatched in May). A run-time network solution that minimizes the attack surface from outside the application or container is the most efficient protection enterprises can deploy.
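To make the east-west point concrete, here is an added example in Python (not code from the original post or from NeuVector’s product). It reads a constructed set of flow records and flags an internal host fanning out to SMB/NetBIOS ports on many internal peers within a short window, which is exactly the spreading pattern a north-south gateway firewall never sees, while leaving a legitimate many-clients-to-one-file-server pattern alone. It also lists SMB/NetBIOS ports that accepted a connection from outside the internal ranges, the exposure that blocking 445/137/138/139 by default removes. The record format, the internal address ranges, the thresholds and every address in the sample are assumptions made for the example.

```python
"""Spot east-west SMB fan-out and north-south SMB exposure in flow records.

Added example; the flow format and all addresses below are constructed.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample records (not real data), one per line:
#   <epoch seconds> <src_ip> <dst_ip> <proto> <dst_port> <ACCEPT|DROP>
# 10.0.1.15 probes eight peers on 445 in four seconds (worm-like fan-out);
# 10.0.2.5-9 all talk to one file server (fan-in, normal);
# 10.0.3.3 touches three hosts over 50 minutes (below threshold);
# two external sources hit 445, one accepted, one dropped.
SAMPLE_FLOWS = """\
1494600000 10.0.1.15 10.0.1.20 tcp 445 ACCEPT
1494600001 10.0.1.15 10.0.1.21 tcp 445 ACCEPT
1494600001 10.0.1.15 10.0.1.22 tcp 445 ACCEPT
1494600002 10.0.1.15 10.0.1.23 tcp 445 ACCEPT
1494600002 10.0.1.15 10.0.1.24 tcp 445 ACCEPT
1494600003 10.0.1.15 10.0.1.25 tcp 445 ACCEPT
1494600003 10.0.1.15 10.0.1.26 tcp 445 ACCEPT
1494600004 10.0.1.15 10.0.1.27 tcp 445 ACCEPT
1494600010 10.0.2.5 10.0.0.50 tcp 445 ACCEPT
1494600011 10.0.2.6 10.0.0.50 tcp 445 ACCEPT
1494600012 10.0.2.7 10.0.0.50 tcp 445 ACCEPT
1494600013 10.0.2.8 10.0.0.50 tcp 445 ACCEPT
1494600014 10.0.2.9 10.0.0.50 tcp 445 ACCEPT
1494600020 10.0.3.3 10.0.3.10 tcp 445 ACCEPT
1494601500 10.0.3.3 10.0.3.11 tcp 445 ACCEPT
1494603000 10.0.3.3 10.0.3.12 tcp 445 ACCEPT
1494600030 203.0.113.7 10.0.1.20 tcp 445 ACCEPT
1494600031 198.51.100.9 10.0.1.21 tcp 445 DROP
1494600040 10.0.1.15 10.0.1.40 tcp 443 ACCEPT
"""

# Assumed internal ranges (RFC 1918); adjust to the real estate.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The ports the post says public clouds block by default.
SMB_NETBIOS_PORTS = {137, 138, 139, 445}


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    action: str


def parse_flows(text: str) -> List[Flow]:
    """Parse the six-field records above; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, dport, action = parts
        flows.append(Flow(int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(dport), action.upper()))
    return flows


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def detect_smb_fanout(flows: List[Flow], window_s: int = 60,
                      min_targets: int = 5) -> Dict[str, List[str]]:
    """Internal sources that reach SMB/NetBIOS ports on >= min_targets distinct
    internal hosts within window_s seconds. Dropped flows count too: a worm
    scanning into a deny rule is still a worm. Returns every SMB target the
    flagged source touched, keyed by source address."""
    by_src: Dict[ipaddress.IPv4Address, List[Tuple[int, ipaddress.IPv4Address]]] = defaultdict(list)
    for f in flows:
        if f.dport in SMB_NETBIOS_PORTS and is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append((f.ts, f.dst))
    flagged: Dict[str, List[str]] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()   # distinct targets in the sliding window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window_s:   # slide the left edge
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                flagged[str(src)] = sorted({str(d) for _, d in events})
                break
    return flagged


def exposed_smb_from_outside(flows: List[Flow]) -> List[Tuple[str, int]]:
    """(host, port) pairs where an SMB/NetBIOS port accepted a connection from
    an address outside the internal ranges: north-south exposure."""
    hits = {(str(f.dst), f.dport) for f in flows
            if f.dport in SMB_NETBIOS_PORTS and f.action == "ACCEPT"
            and is_internal(f.dst) and not is_internal(f.src)}
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, targets in detect_smb_fanout(flows).items():
        print(f"east-west SMB fan-out from {src}: {len(targets)} hosts -> {targets}")
    for host, port in exposed_smb_from_outside(flows):
        print(f"port {port} on {host} accepted a connection from outside")
```

The fan-out rule keys on the source, so the file server that many clients legitimately reach (fan-in) is not flagged, and the slow host stays under the threshold unless the window is widened. Tune `window_s` and `min_targets` to the environment, and feed the same records into an alerting pipeline rather than a script when running this for real.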
NeuVector provides this type of solution for the next generation of virtualized, containerized applications. It protects both east-west and north-south traffic with fully automated policies that scale up and down as containers change. During deployment, NeuVector learns application behavior and then blocks all unnecessary network connections by default. In addition, its threat detection and host security features help detect and prevent such attacks at multiple steps of the kill chain.
Lastly, for a bit more technical insight into WanaCry, I think Endgame did a good job presenting WanaCry’s execution flow, shown below. Click on the image to see the full post by Endgame.