Wannacry and Petya: The Circus Comes to Town

Credit to Author: Michael Xie | Date: Thu, 06 Jul 2017 20:00:00 +0000

By now, you will have all heard about the rampant spread of ransomware through countless press pieces, blog articles, and far too often, the outrageous claims of some security vendors. 

But let’s stop and think for a minute or two. How did these attacks happen? Are companies focusing on valid threats, fixing the right problems, or developing correct processes? Have so-called disruptive technologies disrupted our thinking? Let’s not go tactical. Instead, we need to consider, “what is our best strategy?” 

Ever since the NGFW (Next Generation Firewall) circus came to town, it’s become cool to spend time at the sideshow tents while missing the main event. For example, looking at how a firewall can manipulate details about a user’s application habits has been quite trendy. I’ve seen a number of vendors over the years try to win customers by demonstrating the gory details of how an enterprise firewall can block a certain game in Facebook, while at the same time allowing other games to pass through. As a result, firewall capabilities began to be measured and judged based on the number of application signatures their firewall contains, the conclusion being that more application signatures makes for a better enterprise firewall. 

While this and similar trends have been dominating the enterprise firewall conversation, the recent epidemics of Wannacry and Petya should make both enterprise firewall vendors, and their customers, think twice. The question they should be asking is, are they really focusing on the problem that needs to be solved? Or are they still standing at one of the sideshow tents knocking down milk bottles and collecting teddy bears?

Because, after looking at this problem carefully, I am led to one conclusion: both NGFW vendors and their customers are focusing on the wrong problem. The key business risk – and as a security research team we have seen and proven this over and over again – continues to be email-based ransomware and malware.

Let’s take a look at a typical ransomware attack and how an enterprise gets hit.

We start with our old friend and constant companion, email. People are used to spam messages today. Even the dumbest ones are still circulating – the million-dollar lottery win, or the person descended from that foreign monarch who can’t wait to share his wealth with you. The cleverer attempts masquerade as a message from your bank letting you know of some non-existent problem with your account, the government trying to collect or return tax money, or information about an important package waiting for you. And of course, there are the scarier attempts, like an urgent message from your boss demanding, at short notice, some information, or better yet, some payment for the latest super secret project he’s working on for the company.

We call these last targeted attempts spear phishing (this is an industry that has no problem coming up with new terms). Spear phishing emails contain all the right names and all the correct details to make them seem convincing. IT professionals like to think they can easily spot the mistakes in these emails – such as spelling errors, clumsy grammar, or last year’s logo – and laugh the attempt away. But an enterprise isn’t made up exclusively of IT professionals. In fact, even a professional IT company requires additional help to make its business viable. And for the rest of the companies out there, if you employ hundreds, thousands, or tens of thousands of employees there is always that one person, be they a contractor, an intern, an overworked friend at the desk next to yours, an executive that you’d never expect to fall for this type of thing – or sometimes, even you – who will click that infected link or attachment. 

Once that link is clicked, it cannot be unclicked. And then the nightmare begins.

The malware it launches immediately begins searching for the valuable and the vulnerable. It also delves into the murky depths of your file system and looks for peer computers on the same network that it can infect. Soon, the encryption of data and drives starts, and then the blackmail begins. To get your data back, your company finance department will have to go and purchase bitcoins (after first looking up what a bitcoin is and how to buy them) to see if that will release the data being held hostage. But that’s rarely the end. Other twists and turns will arise that will tie your company in knots for days, weeks, or months to come. Then the newspaper headline appears, and everyone knows what happens next because we read about it every day. 

This process, or one very much like it, has been happening every single day for years, and in spite of billions of dollars being spent on NGFW devices. Why?

Well, one reason might be because insiders are responsible for 60% of all attacks. Of these, three-quarters are intentionally malicious, while the rest are inadvertent. But the point is, all of them happen on the wrong side of the firewall. Which is why effective defense systems need a fabric-based approach that contains the following elements:

  1. An effective email spam malware filtering system (like FortiMail or FML cloud) – This system should be highly effective at detecting spam. If you don’t know if your current system (or the one you are looking at) is any good, take a look at the VB-100 comparative test to see the top vendors. Not only should your solution detect regular spam and malware, it should also highlight anomalies such as external users trying to impersonate internal users – remember that email from your boss and his secret project? 
  2. User awareness training – This can help users spot fake emails, and what to do with them – such as submitting them to our FortiGuard site.
  3. The creation of a segmented internal network – Two-thirds of all attacks occur from inside, so it is far better for a CISO to assume that someone in his network will click the link in an email attachment and the company will be compromised than to simply trust that his deployed security technology will always solve the problem. Once a breach occurs (and believe me, it WILL happen), a good segmentation implementation will help contain any resulting damage to a much smaller scope: when the ransomware starts to encrypt data or other resources in one segment of your network, it can be detected and sealed off so that other segments are not affected. This also helps with the restoration effort. You still have a business to run, and it will be much easier to restore 1TB of files than to restore 100TB of files.
  4. Good data back up – Considering the worst-case scenario, backing up data and storing it off network can save you a lot of bitcoins (even if you have figured out where to get them from.) The key is to periodically drill the backup system to make sure it works, that it is not infected, and that all your critical files are covered. No backup strategy should include that part where you cross your fingers and hope it’s working.
  5. Knowing what you’re sharing, with whom, and why – You need to know what is on your network, including users, devices, data, and applications, implement good authentication and authorization policies across the various parts of your file system, and harden and control access points. This is important data; treat it as such. 
  6. Understanding your host system and its vulnerabilities – Knowing what devices are on your network, and what OS and patch level they are running will be really helpful the next time those NSA hacks are leaked to the public because you’ll already know which hosts you need to patch and how to reduce your attack surface.
  7. Building a coordinated SOC – Whether you are using a SIEM or a FortiAnalyzer-like dedicated log analysis system, a SOC is needed for any enterprise. One reason is that if an alarm goes off in any corner of the network, the CISO/CIO needs to be alerted in real time and then understand what’s going on. Just showing him a blinking red light won’t be enough. He and his team will need the full picture so they can make real-time decisions as to what needs to be done and how to do it. He needs to be able to drill down into the risk and make a judgment as to whether the issue is a minor problem that can be ignored, or a major one that requires locking down the entire network. Of course, deciding you need to lock down a network is not the same as knowing how to do it.
  8. Establishing a good command and control system – Locking down a network, whether in whole or in part, is non-trivial, and a system similar to Fortinet’s security fabric will help. If the CISO/CIO determines that a serious breach or compromise has taken place, the network should provide him with the mechanisms necessary to lock down infected hosts/departments – or even the entire company – within a few valuable seconds. Keeping this time as short as possible can make the difference between whether you simply lose some key contracts, or whether you manage to keep your business intact. Fortinet’s security fabric capability allows IT teams to do this within a couple of mouse clicks, enabling security teams to respond to a threat, either manually or through an automated system, and shut down any part of the network (SSID, VLAN, or hosts) within seconds.
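Item 1 above asks the mail filter to flag external senders impersonating internal users (the "email from your boss" case). The following is an added example, not code from the original post or from any Fortinet product, showing one such check: it compares the From display name against a constructed employee directory and flags a match whose sending domain is not internal, and separately flags internal-looking mail whose Reply-To points outside. The domain `example.com`, the directory entries and the sample headers are all assumed/constructed.

```python
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                 # assumed internal domain
EMPLOYEE_DIRECTORY = {                             # constructed sample directory
    "Alice Boss": "alice.boss@example.com",
    "Bob Finance": "bob.finance@example.com",
}

def normalize(name):
    """Lower-case and collapse whitespace so 'Boss, Alice' styles still compare."""
    return " ".join(name.lower().replace(",", " ").split())

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_headers(headers):
    """Return a list of findings for one message's From / Reply-To headers."""
    findings = []
    directory = {normalize(n): a.lower() for n, a in EMPLOYEE_DIRECTORY.items()}
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(from_addr)
    key = normalize(from_name)
    # Display name belongs to an employee, but the address is not on an internal domain.
    if key in directory and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"display-name impersonation: '{from_name}' <{from_addr}> "
                        f"does not match directory entry {directory[key]}")
    # Internal From address, but replies are steered to an external mailbox.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and from_domain in INTERNAL_DOMAINS \
            and domain_of(reply_addr) not in INTERNAL_DOMAINS:
        findings.append(f"Reply-To redirect: internal sender <{from_addr}> "
                        f"but replies go to <{reply_addr}>")
    return findings

# Constructed sample headers: one legitimate, two that should be flagged.
SAMPLE_MESSAGES = [
    {"From": '"Alice Boss" <alice.boss@example.com>', "Subject": "Q3 numbers"},
    {"From": '"Alice Boss" <aliceboss.ceo@freemail.test>', "Subject": "urgent payment"},
    {"From": '"Bob Finance" <bob.finance@example.com>',
     "Reply-To": "payments@attacker.test", "Subject": "invoice"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["Subject"], "->", check_headers(msg) or "ok")
```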

Security requires much more than a firewall that can turn off Facebook games. It needs to provide a holistic, integrated approach to security that spans your entire network. Don’t get me wrong. A NGFW appliance plays an important role in your security strategy. But it’s not enough. Which is why we provide much more than NGFW appliances and platforms. And because we provide full service, enterprise class security, we know a circus when we see one.
