We just watched the unprecedented WannaCry ransomware attack sweep across the globe. On Friday, 12 May 2017, hundreds woke up to pop-up windows on their computers demanding a sum of bitcoins before access to their files would be restored. Researchers and experts quickly scrambled to find out how the ransomware was propagating, but by the end of the day an estimated 57,000 computers in more than 150 countries were infected. Over the weekend the total rose to 200,000 systems.
Even here in Singapore, digital displays at one of the plazas and a retail store along Orchard Road were affected by the ransomware attack.
WannaCry took advantage of a known Windows software vulnerability for which Microsoft had issued a patch in March. For organizations running Windows machines, the situation quickly became urgent: they needed to audit immediately whether the patch had been successfully applied to every Windows system. Although the initial spread was quickly stopped, new variants of the malware soon appeared, and experts have warned that more damaging versions of the ransomware can be expected in future.
In addition to increasingly sophisticated cyberattacks like WannaCry, another area of concern for organizations is connected devices and the Internet of Things (IoT). Many organizations are starting to leverage IoT devices to streamline and accelerate everything from production to payment processing, as well as to tap into new sources of consumer demand. However, as our network of connections grows, critical infrastructure is being exposed to ransomware and other computer threats.
This clamor from businesses to deploy IoT devices has also resulted in solutions being rushed to market without many of the existing functions or established security disciplines that make non-IoT systems compliant with existing regulatory frameworks. This opens a potential green field for hackers, and a ransomware strike against these devices is likely imminent.
IoT system owners who want their systems accepted and promoted into production will need to innovate to provide the auditing and compliance that is present in existing production systems. Functions and solutions around logins, agents, SNMP MIBs and the like will be missing from these devices. To bridge the gap between IoT adoption and security maturation, information security teams need to implement monitoring technologies that compensate for the lack of native auditing and accountability.
Emerging options that deliver streaming analytics of network-based data, or "wire data," offer much better visibility into the interactions between IoT devices and other systems because they passively monitor every device that touches the network. Wire data analytics enables real-time network traffic analysis. Because the analysis is based on observed traffic, and because it delivers complete visibility across all communications between applications and devices, network traffic analysis can help teams quickly spot characteristic ransomware patterns, identify which machines are impacted and segment those machines to prevent further spread. This type of analysis is also critical in uniting the network and security teams around common tools that reduce mean time to detection and mean time to resolution, enabling businesses to detect issues immediately, pinpoint the source of an attack, isolate the malicious agents and see the scope of the breach and what intruders are doing.
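As an added illustration (not code from this article or from ExtraHop), the following check applies the pattern-spotting described above to passively collected flow records: it flags any host that opens SMB connections (TCP port 445, the service WannaCry used to propagate) to many distinct internal peers within a short window, and reports which peers it touched so they can be isolated. The flow records are constructed, and the port, window and threshold are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: (src, dst, dst_port, start time).
# In practice these would come from NetFlow/IPFIX or a wire-data sensor.
SAMPLE_FLOWS = [
    ("10.0.1.5",  "10.0.1.50", 445, "2017-05-12T08:55:00"),  # normal: one file server
    ("10.0.1.5",  "10.0.1.50", 445, "2017-05-12T09:10:00"),
    ("10.0.1.5",  "10.0.1.60", 443, "2017-05-12T09:12:00"),
    ("10.0.1.17", "10.0.1.20", 445, "2017-05-12T09:00:00"),  # fan-out: 6 peers in 15 s
    ("10.0.1.17", "10.0.1.21", 445, "2017-05-12T09:00:03"),
    ("10.0.1.17", "10.0.1.22", 445, "2017-05-12T09:00:06"),
    ("10.0.1.17", "10.0.1.23", 445, "2017-05-12T09:00:09"),
    ("10.0.1.17", "10.0.1.24", 445, "2017-05-12T09:00:12"),
    ("10.0.1.17", "10.0.1.25", 445, "2017-05-12T09:00:15"),
    ("10.0.1.30", "10.0.1.20", 445, "2017-05-12T09:00:00"),  # slow admin scan, stays below threshold
    ("10.0.1.30", "10.0.1.21", 445, "2017-05-12T09:30:00"),
    ("10.0.1.30", "10.0.1.22", 445, "2017-05-12T10:00:00"),
]


def parse_flows(records):
    """Convert the ISO timestamp in each record into a datetime."""
    return [(src, dst, port, datetime.fromisoformat(ts)) for src, dst, port, ts in records]


def find_smb_fanout(flows, port=445, window=timedelta(seconds=60), threshold=5):
    """Return {src: sorted distinct destinations} for every source that contacts at
    least `threshold` distinct hosts on `port` inside any sliding `window`.
    Port, window and threshold are assumed defaults, not values from the article."""
    by_src = defaultdict(list)
    for src, dst, dport, ts in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # chronological order so each window starts at an event
        for i, (t0, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(peers) >= threshold:
                hits[src] = sorted(peers)  # scanner plus the hosts it reached
                break
    return hits


if __name__ == "__main__":
    for src, peers in find_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"isolate {src}; check peers: {', '.join(peers)}")
```

Unlike a host agent, this runs entirely on observed traffic, so it covers IoT devices that expose no logs of their own.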
As a first step, businesses should conduct a baseline audit of what is happening on their network, followed by a schedule of periodic re-detection. A formal policy should also be created requiring end users and IT staff to declare IoT devices and obtain permission before adding them to the network.
WannaCry showed the world the devastation a single ransomware attack can cause. It is crucial to take appropriate measures to protect ourselves from future attacks. Proactive policy development and enforcement, comprehensive monitoring, protocol standardization and even standardized in-transit encryption are all valid options. Although not a complete solution, this start will go a long way towards securing our connected world.
Danny Smolders, Vice-President APAC, ExtraHop