Look at the Past to Fight Today's Attacks

In a landscape already dominated by cyber-warfare, ransomware has certainly made its presence felt over the last couple of months. WannaCry reared its ugly head and knocked out not only multiple NHS servers, but, due to the power of self-propagation, also affected over 200,000 computers in 150 countries across the globe.

It’s difficult to know exactly how damaging this latest round of cyber-criminality is. Many organizations will have avoided it, but even those who have been affected are increasingly unwilling to admit publicly that they have a problem. Being a victim of a ransomware attack is to open yourself up to criticism, as the NHS saw to its cost.

However, the reality is that even with stringent controls and up-to-date security software, malicious actors are adept at breaking through barriers. In the case of WannaCry, its ability to spread automatically without any human intervention meant that it wrought its stealthy attack quickly and with devastating impact. Once its malware had infected the first computer, it replicated almost instantly, not just across that network, but across multiple additional networks.

Anyone who has been in the security industry for long enough is likely to recall a similar incident almost ten years ago, when the Conficker worm forced computer networks to be shut down, points of sale closed, logistics chains interrupted and even military planes grounded. The worm took on new forms, spread like wildfire and infected several million machines internationally. The cost in terms of energy, time, resources and money was vast.

So why, we should ask ourselves, are we still so vulnerable to attacks of this nature? Unfortunately, in the case of WannaCry, the attack could have been avoided, or at least largely mitigated. The underlying exploit, EternalBlue, had been released by the hacker group Shadow Brokers in April after its “liberation” from the NSA, which simultaneously drew attention to the flaw; Microsoft had already released a fix for the vulnerability; and in the three weeks before the WannaCry outbreak experts had issued many alerts warning organizations of the danger of an attack. Any company that wanted to protect itself against WannaCry had the time, tools and knowledge in advance to prevent any impact.

The truth is that the advances in connectivity and the benefits of the digital revolution have provided a serious headache for the security professionals whose strongly defended perimeter walls have been demolished brick by brick. It is now almost impossible to keep abreast of every warning, or even to apply every patch.

Ransomware has one key aim: to encrypt data and hold it until the ransom is paid. However, if it can’t see the data, it can’t get hold of it, and the threat becomes completely empty. Because it often uses social engineering, such as a well-targeted email, to launch the malware onto the target computer, the ransomware has easy access into the network.

Using a simple technique called Extension Whitelisting, organizations can limit which applications may access each file extension. For example, only a certified copy of Word can access ‘.doc’ or ‘.docx’ files. Which applications are permitted to access a given extension is confirmed by the signed certificate of the executable making the request.

Extension Whitelisting makes sure that any suspicious application call for a file is flagged, quarantined and killed, and then notifies all other computers on the network, thus eliminating the threat of the malicious intruder spreading as well as securing the original target machine. This proactive, signature-less approach blocks vulnerabilities from being exploited, even when they are unknown.
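The two paragraphs above describe the policy in words; the following is an added illustration of the same decision logic as a small policy evaluator. It is not code from Infosecurity Magazine or from any endpoint product: the publisher names, file paths and events are constructed, and "quarantine" is modelled as a set of blocked executables with an alert queue for peer hosts. The rule is keyed on the extension of the file being opened and on the caller's code-signing subject, never on the caller's file name, so a renamed binary gains nothing.

```python
"""Extension whitelisting as a small policy evaluator (added illustration).

A policy maps each protected file extension to the set of code-signing
publishers whose executables may open files with that extension. A file
call by any other process is denied, the process is recorded as quarantined
on this host, and an alert is queued so other hosts can block it too.
All publisher names, paths and events here are constructed samples.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileAccess:
    process: str            # executable making the file call
    signer: Optional[str]   # subject of its code-signing certificate, None if unsigned
    target: str             # file it is trying to open


@dataclass(frozen=True)
class Decision:
    action: str             # "allow" or "deny"
    reason: str
    notify_peers: bool = False


# Constructed policy: extension -> publishers allowed to open it.
POLICY: Dict[str, Set[str]] = {
    ".doc":  {"Example Office Publisher"},
    ".docx": {"Example Office Publisher"},
    ".xlsx": {"Example Office Publisher"},
    ".pdf":  {"Example PDF Publisher"},
}


def extension_of(path: str) -> str:
    """Lower-cased extension of the accessed file ('' if it has none)."""
    return PureWindowsPath(path).suffix.lower()


def evaluate(access: FileAccess, policy: Dict[str, Set[str]] = POLICY) -> Decision:
    """Decide one file call against the whitelist."""
    ext = extension_of(access.target)
    allowed = policy.get(ext)
    if allowed is None:
        # Extension is not under protection: leave it to the rest of the stack.
        return Decision("allow", f"no whitelist rule for {ext or '(no extension)'}")
    if access.signer is None:
        return Decision("deny", f"unsigned {access.process} tried to open {ext}", True)
    if access.signer not in allowed:
        return Decision("deny", f"{access.signer} is not whitelisted for {ext}", True)
    return Decision("allow", f"{access.signer} is whitelisted for {ext}")


class Endpoint:
    """Per-host state: quarantined binaries plus alerts queued for peers."""

    def __init__(self, policy: Dict[str, Set[str]] = POLICY):
        self.policy = policy
        self.quarantined: Set[str] = set()
        self.alerts: List[Tuple[str, Optional[str]]] = []

    def handle(self, access: FileAccess) -> Decision:
        if access.process in self.quarantined:
            return Decision("deny", f"{access.process} already quarantined")
        decision = evaluate(access, self.policy)
        if decision.action == "deny":
            self.quarantined.add(access.process)      # stand-in for kill + quarantine
            self.alerts.append((access.process, access.signer))
        return decision

    def receive_alert(self, process: str) -> None:
        """Block a binary that another host has already caught."""
        self.quarantined.add(process)


# Constructed events on one host, mirroring the scenario in the text.
EVENTS = [
    FileAccess(r"C:\Office\winword.exe", "Example Office Publisher", r"D:\docs\Report.DOCX"),
    FileAccess(r"C:\Users\a\AppData\invoice.pdf.exe", None, r"D:\docs\budget.xlsx"),
    FileAccess(r"C:\Users\a\AppData\invoice.pdf.exe", None, r"D:\docs\notes.txt"),
    FileAccess(r"C:\Tools\viewer.exe", "Some Other Vendor", r"D:\docs\contract.pdf"),
]


def run_demo():
    """Run the events on host A, then push A's alerts to host B."""
    host_a, host_b = Endpoint(), Endpoint()
    results = [host_a.handle(e) for e in EVENTS]
    for process, _ in host_a.alerts:
        host_b.receive_alert(process)
    return results, host_a, host_b


if __name__ == "__main__":
    results, a, b = run_demo()
    for ev, d in zip(EVENTS, results):
        src = PureWindowsPath(ev.process).name
        dst = PureWindowsPath(ev.target).name
        print(f"{d.action:5} {src} -> {dst}: {d.reason}")
    print("quarantined on host B via peer alert:", sorted(b.quarantined))
```

Note the third event: the unsigned binary is refused a harmless `.txt` file as well, because it was already quarantined after its first denied call, and both offending executables end up blocked on host B without B ever seeing them act. The `.doc`/`.docx` split in the policy is deliberate, since the suffix match is exact rather than a prefix.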

Perhaps this sounds simplistic. If it works, why is nobody shouting about this solution from the rooftops? Actually, the concept of whitelisting and blacklisting extensions has been around for quite some time. Blacklisting can be complex and time-consuming, but creating a whitelist of extensions enables companies to define the applications that are most commonly used and, if a suitably signed certificate is forthcoming, make them available. It works, it works well, and it’s simple to implement and manage.

It is a feature best used as part of a reputable endpoint security package, of course, because ransomware is not the only danger lurking. The other essential preventative measure is to look at the past to get a better understanding of security issues that are likely to keep occurring.

If we can’t learn from what has already happened, how will we ever stop history from repeating itself? Given that we still suffered from NotPetya, an almost identical threat vector to WannaCry, a mere six weeks after WannaCry, we don’t seem to be learning from recent history, let alone from valid solutions in the more distant past.
