The other day we talked to you about the WannaCry ransomware virus and the things you could do IMMEDIATELY to protect yourself; disable SMBv1 and install MS17-010 (read our last article here). WannaCry is nasty, it’s easily spread and it will absolutely ruin your day if you don’t protect yourself.
However this rabbit hole appears to be deeper than we originally thought and this recent nightmare isn’t going to stop with WannaCry. There are bigger, badder threats on the horizon and even though we don’t know their names yet, you should know as much as possible about them in advance and where they’re most likely going to be from.
TheShadowBrokers, the group behind the release of code that eventually became WannaCry, has announced a new subscription service. This service, lovingly referred to as a hack-of-the-month club, will deliver weapons-grade exploits stolen from the National Security Agency (NSA) for a fee, to anyone who wants them. This new arms dealership sells arrows from the quiver of one of the most powerful spy agencies on the planet.
The idea of Weaponized Code as a Service is scary. It scares the hell out of us here at Integris and it should scare you too. We’re not the kind of people to run around screaming “the sky is falling” but in this case you should definitely take a minute or two to try and discern what exactly it is tumbling directly towards you from the heavens above and casting that huge shadow on the ground.
It makes us angry too. The fact our tax dollars indirectly helped pay for the development of this lovely new WCaaS business model drives us up one wall, straight across the ceiling and down the other. Some really bad people now have access to tools typically used in the theater of state-sponsored cyber-warfare and espionage. This is the digital equivalent of our nuclear arsenal being stolen and put up for sale at some terrorist antique auction.
Now that our rant is out of our system we’re going to take responsibility for our emotions and tell you how you can mitigate what is around the corner, even if we’re not exactly sure what that might be.
Patching and Updating is Important
The first thing we recommend, before you get into anything else, is to patch and update your system whenever you are able to do so. We know patches and updates can be buggy, and there are reasons to delay implementing them. Heck, sometimes Microsoft or Apple pull a patch or an update back after it’s proven to be a dud. However, if you can shorten the time between a patch’s release date and its implementation on your system, you’ll be much better off.
The same applies for your personal devices as well. It doesn’t matter if you’re on a PC or a Mac or if you’ve absconded with your kindergartner’s LeapFrog LeapPad. Making sure your system is patched and up to date will help immeasurably in keeping you secure.
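As an added example (not part of the original article), here is a PowerShell audit script that checks the two immediate WannaCry mitigations named at the top of this article on a Windows host: whether SMBv1 is still enabled and whether an MS17-010 hotfix is present. The KB list is our assumption of the MS17-010 package IDs per OS version and should be confirmed against Microsoft's bulletin for your build.

```powershell
# Added example: audit a Windows host for the two immediate WannaCry mitigations
# (SMBv1 disabled, MS17-010 installed). Run in an elevated PowerShell session.
# Assumption: the KB list below covers the MS17-010 packages for common OS
# versions; confirm it against Microsoft's MS17-010 bulletin for your build.

$Ms17010Kbs = @(
    'KB4012598',                           # Windows XP / Vista / Server 2003 / Server 2008
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Smb1Disabled {
    # Prefer the SMB server configuration cmdlet (Windows 8 / Server 2012 and later).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return -not $cfg.EnableSMB1Protocol }
    # Fallback for older hosts: an SMB1 registry value of 0 means SMB1 is disabled;
    # a missing value means the default (enabled) applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($val -eq 0)
}

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates by KB id; any match means the patch is present.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = $installed | Where-Object { $Ms17010Kbs -contains $_ }
    return [bool]$found
}

$smb1Off = Test-Smb1Disabled
$patched = Test-Ms17010Installed
[PSCustomObject]@{
    Host          = $env:COMPUTERNAME
    SMBv1Disabled = $smb1Off
    MS17010Found  = $patched
    Exposed       = (-not $smb1Off) -and (-not $patched)
} | Format-List

if (-not $smb1Off) {
    Write-Warning 'SMBv1 is enabled. Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if (-not $patched) {
    Write-Warning 'No MS17-010 hotfix found. Install the update for this OS build from the bulletin.'
}
```

On Windows 10 hosts that received MS17-010 inside a later cumulative update, Get-HotFix will not list the KB ids above, so treat MS17010Found = False as "verify", not as proof of exposure.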
Our Commercial Solutions:
So after patches and updates, how do you defend yourself from future attacks? At Integris we use a four step approach for protecting your systems from cyber-attacks like WannaCry and any new, undisclosed threat that is just over the horizon. Our trusted partners have offered technological solutions and we’ve leveraged them to keep you safe.
Here are our four steps:
Step 1: Cloud Based Defenses
We like to start with Zscaler and their cloud based defense product. Zscaler offers a platform that seamlessly integrates multiple security and compliance applications without the need for on-premises hardware, appliances, or software.
The platform provides pervasive security for an organization’s users, scanning all inbound and outbound traffic in real time to ensure compliance with corporate policies and protection from the latest threats.
Zscaler’s multi-tenant architecture ensures that organizations benefit from the “network effect.” When a new threat is identified for any one of Zscaler’s customers, it immediately updates its signatures and protects all of its users.
Since variants of WannaCry are already spreading and the delivery vectors are likely to change, it’s incredibly important to update those signatures quickly and effectively. By crowd-sourcing signatures this way, Zscaler keeps its cloud based defensive measures constantly up to date.
Add in cloud sandboxing (features include the ability to detect payloads and ransomware strains remotely), command-and-control identification and SSL inspection, and Zscaler is a fantastic first line of defense.
Menlo Security –
Since we’re pretty sure the WannaCry epidemic started through an email phishing campaign, we recommend Menlo Security’s Phishing Isolation solution.
Phishing Isolation eliminates credential theft and drive-by exploits caused by email attacks. By integrating cloud-based Phishing Isolation with existing mail server infrastructure such as Exchange, Gmail, and Office 365, all email links can be transformed to pass through the Menlo Security Isolation Platform.
When users click on an email link, they are 100% isolated from all malware threats, including ransomware. Websites can also be rendered in a read-only mode which prevents individuals from entering sensitive information into malicious web forms.
With their users safely isolated, administrators can monitor behavior statistics, and provide customizable time-of-click messages that help reinforce anti-phishing awareness training. Administrators can also define workflow policies for groups or individuals that determine if or when web input field restrictions can be relaxed. With zero dependency on error-prone threat detection methods such as data analytics, Menlo Security Phishing Isolation is the only email security solution that protects every email user the instant it’s deployed.
Step 2: Perimeter Defense
For defending your system’s perimeter, we recommend Fortinet and their FortiGate product. FortiGate, Fortinet’s award-winning network security appliance, provides one platform for end-to-end security across your entire network. FortiGate next-gen firewalls are optimized for internal segmentation, perimeter, cloud, data center, distributed, and small business deployments. Simplify your security posture with one security solution across your physical, virtual, and cloud deployments.
Since proper segmentation is essential to stopping worms like WannaCry, you can’t go wrong starting with Fortinet and FortiGate. Fortinet is incredible at what they do, and using their product correctly will help keep you safe from threats like WannaCry.
Step 3: Host Defenses
When it comes to actual end-point detection, it’s hard to beat Cylance. As we’ve said before (over and over) there’s a reason they’re top dog when it comes to nipping threats on your system right in the butt. WannaCry doesn’t even stand a chance when going up against Cylance’s end-point protection app.
Only an artificial intelligence approach can identify and prevent both known and unknown cyber threats from ever executing or causing harm to your endpoint. Using a breakthrough predictive analysis process, Cylance quickly and accurately identifies what is safe and what is a threat, not just what is in a blacklist or whitelist.
By coupling sophisticated machine learning and artificial intelligence with a unique understanding of a hacker’s mentality, Cylance provides the technology and services to be truly predictive and preventive against advanced threats.
We could honestly talk about Cylance for hours and hours but this video showcasing exactly how Cylance can protect you speaks louder than anything we could say about the product:
Step 4: Attack Detection
So, let’s say you’re not ready to take the plunge on the products we’ve mentioned above. We totally understand. We do. It’s a lot to take in and you’re worried about cost. We get it. Still though, that doesn’t mean you shouldn’t have SOME level of protection. That’s where Cybereason’s RansomFree comes in.
With RansomFree, Cybereason’s corps of elite cyber-security experts go on the offense against attackers. Defenders are fighting a never ending battle: as attackers become more ingenious, defenders are forced to constantly improve their security programs to stay ahead.
Cybereason uses a four step process to identify, engage and defeat threats like WannaCry.
Collect – Silent sensors are quickly deployed on endpoints and servers, collecting telemetry in real time. No reboots and no disruptions.
Detect – Cybereason’s Analytics Engine queries data at a rate of 8 million questions a second across the entire environment, augmenting your existing team with technology, not more bodies.
Hunt – Their Hunting Team goes on the offensive, profiling your environment using their analysis platform to find the low and slow insidious activity missed by signature-focused tools and teams.
Report – Cybereason will present a comprehensive report of incidents, findings and recommendations to close gaps and improve your security posture.
The best thing about RansomFree from Cybereason? It’s free and you can download a copy of it for yourself right here.
We also recommend Canary by Thinkst. Since WannaCry spreads laterally on a network, a device like Canary can help you detect a threat like WannaCry as it moves around your system.
Like the classic canary in the coal mine, this canary warns you of danger you might not notice. Canaries are deployed inside your network and communicate with the hosted console through DNS.
This means the only network access your Canary needs is to a DNS server that’s capable of external queries, which is much less work than configuring border firewall rules for each device.
Simply choose a profile for the Canary device (such as a Windows box, brand-name router, or Linux server). If you want, you can further tweak the services your Canary runs. Perhaps you need a specific IIS server version or OpenSSH, or a Windows file share with real files constructed according to your own naming scheme (say, 2016-tenders.xls). Lastly, register your Canary with their hosted console for monitoring and notifications.
The only thing left to do is wait. Attackers who have breached your network, malicious insiders and other adversaries make themselves known by accessing your Canary. There’s little room for doubt. If someone browses a file share and opens a sensitive-looking document on your Canary, you’ll immediately be alerted to the problem.
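As an added example (not Thinkst’s code or part of the original article), the decoy file share idea above can be approximated on an ordinary Windows host using the Security log: every access to a share is written as event ID 5145 when the "Detailed File Share" audit subcategory is enabled, so any access to a share that nothing legitimate should touch is a high-confidence alert. The share name 'Finance-Archive' and the one-hour look-back are assumptions.

```powershell
# Added example: a home-grown canary file share using Windows' own audit log.
# Assumptions: a decoy share named 'Finance-Archive' exists on this host with
# nothing legitimate pointing at it, and the 'Detailed File Share' audit
# subcategory is enabled so event ID 5145 is written on every share access:
#   auditpol /set /subcategory:"Detailed File Share" /success:enable

$DecoyShare = 'Finance-Archive'          # assumption: your decoy share name
$Since      = (Get-Date).AddHours(-1)    # look back one hour

function Get-DecoyShareAccess {
    param([string]$ShareName, [datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = $StartTime }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named fields out of the event XML rather than parsing message text.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.GetAttribute('Name')] = $f.InnerText }
        # ShareName is logged as \\*\<name>; keep only accesses to the decoy.
        if ($d['ShareName'] -ne "\\*\$ShareName") { continue }
        [PSCustomObject]@{
            Time     = $e.TimeCreated
            Account  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            SourceIP = $d['IpAddress']
            Target   = $d['RelativeTargetName']   # e.g. the decoy document that was opened
            Access   = $d['AccessMask']
        }
    }
}

$hits = @(Get-DecoyShareAccess -ShareName $DecoyShare -StartTime $Since)
if ($hits.Count -eq 0) {
    Write-Host "No access to decoy share '$DecoyShare' since $Since."
} else {
    # Any hit is worth a page: nothing legitimate should touch the decoy.
    Write-Warning "$($hits.Count) access(es) to decoy share '$DecoyShare':"
    $hits | Sort-Object Time | Format-Table -AutoSize
    # Group by source host so a worm sweeping shares stands out as one noisy origin.
    $hits | Group-Object SourceIP | Select-Object Name, Count | Format-Table -AutoSize
}
```

Run it from a scheduled task and forward the output to your alerting channel; the same query works against a central log collector if 5145 events are forwarded there.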