Real-world Healthcare Customer Case: WannaCry

Network defenders are no strangers to worms or ransomware, but last Friday’s unprecedented global cyber incident combined both: an aggressive worm that spread in parallel inside local networks and across the Internet, coupled with a ransomware payload that rendered every infected machine unusable until a bitcoin payment was made to the attackers. 

While the ransomware payload itself was effective but technically unremarkable, the worm’s spreading mechanism exploited a vulnerability in SMB version 1 (Server Message Block), the legacy version of the Windows file-sharing protocol that is enabled by default in Windows XP and still optionally available through Windows 10. Although a patch for newer Windows versions had been available for two months, it was not widely deployed (as patches often aren’t in large enterprises), and legacy operating systems like Windows XP had no patch at all, leaving them entirely vulnerable.

By Friday night, over 200,000 computers in 150 countries were infected, with organizations in every industry losing desktops, servers, phone systems, computer-controlled equipment, and more to the malware - or as an intentional counter-measure to stop the spread.

Early Morning Friday, May 12th

A vArmour healthcare customer, with hundreds of Virtual Machines (VMs) powering critical services, was alerted that WannaCry had found its way inside. As soon as the vArmour Distributed Security System (DSS) detected the ransomware, the customer began taking steps to contain and remediate the attack and secure the environment. 

Here is the sequence of actions over the six-hour period in which this customer squashed the incident without interrupting any of their services. 

Hour 1 - Monitoring and Visibility of Applications, Users and Networks

The customer’s first indicator that something was wrong was TOR (The Onion Router) traffic appearing in the high-risk application dashboard inside vArmour Analytics. Knowing that any TOR traffic in the data center is a sign of a problem, the customer began to look more closely at each workload involved.

Hour 2 - Deeper Analysis

vArmour Analytics summarizes all traffic observed in the data center through dashboards, configurable alerts, and raw event searches, spanning layer 4 traffic data through layer 7 application identification and enrichment. Clicking on each misbehaving workload shown in the high-risk dashboard, the customer drilled down for more context: each workload showed high counts of SMB session attempts over port 445, hundreds per minute, which matched WannaCry’s spreading behavior.

Hour 3 - Isolation

The customer’s data center accepted inbound traffic from the WAN. Because this architecture exposed their workloads to sources of traffic they couldn’t control, the customer decided that the first step would be to completely isolate this data center from the rest of the larger network.

Hour 4 - Quarantine

Once the data center itself was isolated from inbound traffic, the customer turned their attention to the workloads generating TOR traffic, using the vArmour DSS quarantine capability to cut those individual workloads off from communicating with any other part of the network.

Hour 5 - Deeper Policy Creation and Enforcement

To further reduce the chance of lateral spread from any WannaCry infection that had not yet been detected, the customer deployed additional segments across the data center.

Hour 6 - Remediation and Validation

Once the dust settled on all the segmentation efforts, the infected VMs were scrapped, rebuilt and redeployed to the data center, and the isolating controls were lifted as well.

As a final act of due diligence, vArmour spent some time “hands on keyboard” to proactively validate that every infected VM had been located, by looking for known WannaCry behaviors in other parts of the network, and provided reporting in the form of visual representations of the attack and the response efforts as they occurred.
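The behavioral indicators that drove Hours 1 and 2 (TOR traffic from a workload, and bursts of SMB session attempts over port 445) are also what the final validation sweep looks for across the rest of the network. The script below is an added example written for this post, not vArmour code or output: it parses a constructed flow log, counts SMB session attempts per source per minute, flags TOR application traffic, and returns the set of workloads that warrant quarantine. The record format, the "tor" application label, the 100-attempts-per-minute threshold and all addresses are assumptions.

```python
"""Sweep flow records for WannaCry-style indicators: TOR traffic and SMB bursts.

Added example; the log format, threshold and addresses are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

SMB_PORT = 445
# Assumed threshold: the post reports "hundreds per minute" on infected workloads.
SMB_ATTEMPTS_PER_MINUTE = 100


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    app: str  # layer-7 identification, e.g. "smb" or "tor" (assumed labels)


def parse_flow(line: str) -> Flow:
    """Parse one record of the assumed format: '<iso-timestamp> <src> <dst> <dport> <app>'."""
    ts, src, dst, dport, app = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), app)


def build_sample_log() -> List[str]:
    """Constructed flow log: one scanning workload, one TOR-only workload, one normal client."""
    base = datetime(2017, 5, 12, 6, 0, 0)
    lines = []
    # 10.10.1.15: 150 SMB session attempts to 150 distinct hosts within one minute.
    for i in range(150):
        t = base + timedelta(milliseconds=400 * i)
        lines.append(f"{t.isoformat()} 10.10.1.15 10.10.2.{i + 1} 445 smb")
    # ...and a TOR session (203.0.113.5 is a documentation address, not a real relay).
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 10.10.1.15 203.0.113.5 9001 tor")
    # 10.10.1.30: TOR traffic only, no scanning yet.
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} 10.10.1.30 203.0.113.5 9001 tor")
    # 10.10.1.22: a handful of legitimate SMB sessions to one file server over several minutes.
    for m in range(5):
        t = base + timedelta(minutes=m)
        lines.append(f"{t.isoformat()} 10.10.1.22 10.10.1.100 445 smb")
    return lines


def smb_bursts(flows: List[Flow], threshold: int = SMB_ATTEMPTS_PER_MINUTE) -> Dict[str, int]:
    """Return {source: peak SMB attempts in any one minute} for sources at or above the threshold."""
    per_minute: Dict[Tuple[str, datetime], int] = defaultdict(int)
    for f in flows:
        if f.dport == SMB_PORT:
            per_minute[(f.src, f.ts.replace(second=0, microsecond=0))] += 1
    peaks: Dict[str, int] = {}
    for (src, _minute), n in per_minute.items():
        if n >= threshold:
            peaks[src] = max(n, peaks.get(src, 0))
    return peaks


def tor_sources(flows: List[Flow]) -> Set[str]:
    """Sources with any flow identified as TOR at layer 7."""
    return {f.src for f in flows if f.app == "tor"}


def quarantine_candidates(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious source to the sorted list of indicators observed for it."""
    flows = [parse_flow(line) for line in lines]
    reasons: Dict[str, List[str]] = defaultdict(list)
    for src in smb_bursts(flows):
        reasons[src].append("smb-burst")
    for src in tor_sources(flows):
        reasons[src].append("tor")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for src, why in sorted(quarantine_candidates(build_sample_log()).items()):
        print(f"{src}: {', '.join(why)}")
```

Bucketing by clock minute is deliberately simple; a sliding window would catch a burst that straddles a minute boundary, and a production check would also count distinct destinations, since a scanner touches many hosts while a legitimate client talks to one file server.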

Additional Thoughts

By having layer 7 application visibility to identify TOR, the right data for behavioral indicators like mass SMB scanning, and a fast policy deployment workflow for creating microsegments around misbehaving workloads, the customer kept what could have been countless infected VMs down to fewer than 10!

Cyber security is about many things, including the balance between mitigating known threats and preparing for the unknowns. Although I would encourage an organization to apply every available patch whenever it can, the importance of visibility and segmentation cannot be overstated. Patching addresses “known” threats; proper segmentation around critical workloads reduces both the attack surface and the risk exposure regardless of whether the threat is known.

I would also strongly encourage the use of deception technologies like vArmour DSS Deception to help detect and mitigate attacks like WannaCry. vArmour DSS Deception deliberately mounts a deception point that provides SMB shares on legitimate hosts and workstations across the environment, presenting the files on those shares as a legitimate target to a ransomware infection. If a host becomes infected, it is detected by its action of encrypting files on the share, which provides a means of detection even when the host is not exhibiting the worm component’s lateral spread behavior. vArmour DSS Deception continuously monitors for malicious actors scanning the data center or attempting to connect to synthetic workloads or services, and it can create the appearance of a large number of workloads and services from a single Deception Point. Using a range of containerized services for high-fidelity identification of attackers, the deception services are integrated with vArmour Analytics for rapid investigation and incident response.
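The detection idea in the paragraph above, a decoy share whose files nobody legitimately touches, so that any modification is a signal, can be shown with plain canary-file integrity checking. The following is an added example written for this post, not vArmour DSS Deception code: it seeds a decoy directory with constructed canary files, records their hashes, then checks the directory for canaries that were modified (flagging high-entropy overwrites, which is what encryption produces), removed or renamed, and for unexpected new files. The file names, contents, the ".locked" extension and the 7.0 bits/byte entropy cutoff are all constructed assumptions.

```python
"""Canary-file monitoring for a decoy SMB share.

Added example, not vendor code. File names, contents and thresholds are constructed.
"""
import hashlib
import math
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed canary files; low-entropy text so an encrypted overwrite stands out.
CANARY_FILES: Dict[str, bytes] = {
    "Q2_budget.xlsx": b"constructed canary content: quarterly budget placeholder\n" * 20,
    "patient_list.docx": b"constructed canary content: no real patient data here\n" * 20,
    "vendor_contracts.pdf": b"constructed canary content: contract placeholder text\n" * 20,
}
HIGH_ENTROPY_BITS_PER_BYTE = 7.0  # assumed cutoff; random/encrypted data approaches 8.0


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def seed_decoy_share(root: Path) -> Dict[str, str]:
    """Write the canaries into the decoy share and return the baseline {name: sha256}."""
    baseline = {}
    for name, content in CANARY_FILES.items():
        (root / name).write_bytes(content)
        baseline[name] = sha256(content)
    return baseline


def check_decoy_share(root: Path, baseline: Dict[str, str]) -> List[str]:
    """Compare the share against the baseline; every finding is an alert, since nothing should change."""
    alerts: List[str] = []
    present = {p.name for p in root.iterdir() if p.is_file()}
    for name, digest in baseline.items():
        if name not in present:
            alerts.append(f"canary removed or renamed: {name}")
            continue
        data = (root / name).read_bytes()
        if sha256(data) != digest:
            kind = "high entropy, likely encrypted" if shannon_entropy(data) >= HIGH_ENTROPY_BITS_PER_BYTE else "content changed"
            alerts.append(f"canary modified ({kind}): {name}")
    for name in sorted(present - baseline.keys()):
        alerts.append(f"unexpected file on decoy share: {name}")
    return alerts


def simulate_tampering(root: Path) -> None:
    """Constructed test stimulus: overwrite one canary with pseudo-random bytes and rename another."""
    noise = b"".join(hashlib.sha256(b"constructed-seed-%d" % i).digest() for i in range(64))
    (root / "Q2_budget.xlsx").write_bytes(noise)
    (root / "patient_list.docx").rename(root / "patient_list.docx.locked")


def demo() -> Tuple[List[str], List[str]]:
    """Return (alerts on the untouched share, alerts after simulated tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = seed_decoy_share(root)
        clean = check_decoy_share(root, baseline)
        simulate_tampering(root)
        tampered = check_decoy_share(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean_alerts, tampered_alerts = demo()
    print("before:", clean_alerts or "no alerts")
    print("after:")
    for a in tampered_alerts:
        print("  " + a)
```

Run this periodically against a share that is advertised but never used by real workflows; because the baseline is a whitelist of exactly what should be there, the check has no signature to keep current and fires on the side effect (changed files) rather than on the spreading behavior.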

At the end of the day, security needs to be effective and simple - there is no such thing as good complex security. In the security arms race where every advance by the defender is met by new tactics from the adversary, we need a simple and scalable solution to protect workloads and applications in physical, virtual, cloud and container environments, while being agnostic to the underlying infrastructure. That is vArmour’s pledge to our customers - 1 hour to download, install and microsegment workloads without any network reconfiguration, not days or months.

Get started with vArmour DSS free trial to quickly identify risky systems, then apply segmentation and microsegmentation to reduce attack surfaces in your data center. 

Learn more about vArmour DSS from this independent Network World product review.
