How Automated Configuration Management Prevents Ransomware Attacks Like WannaCry
May 19, 2017
Last Friday’s global ransomware attack was a major wake-up call for governments, companies, and consumers alike. The WannaCry ransomware attack spread to over 150 countries, affecting critical infrastructure in hospitals, banks, transportation, manufacturing, telecommunications, and police departments. While the damage runs deep, the lessons we can draw on how to prevent such attacks in the future run equally deep.
What is WannaCry and why is it so bad?
A form of crypto-ransomware, WannaCry encrypts a user’s data and demands a ransom (in bitcoin) to decrypt it. It is particularly dangerous because of its worm-spreading functionality: it exploits a known vulnerability in Windows SMB (Server Message Block, the Microsoft Windows network file-sharing protocol) to propagate across vulnerable systems in a network. As seen in this recent attack, this worm-spreading functionality caused global damage and led to huge losses in money, time, and credibility for companies and governments alike.
Is the fight over?
Not at all – new variations of the WannaCry ransomware have been discovered since last Friday. But while attacks from this ransomware family have been slowed by efforts from security researchers and firms, it’s clear that the true battle lies in overhauling our private and public security practices to not only mitigate but also prevent wide-reaching attacks like this.
How can we prevent this from happening again?
Many companies have incident detection and response plans and also employ endpoint protection, but few have comprehensive security strategies that include proactive (and automated) practices. Being proactive means:
- continuously and consistently applying best security practices
- planning your operations and infrastructure to be secure by design (e.g. DevSecOps)
- ensuring that your IT infrastructure is regularly updated, backed up, and tested
- educating employees and users about best security practices and attack vectors
As companies transition to more complex computing environments, we firmly believe that the best way to ensure a proactive security posture is through automated configuration management. You can easily deploy a proactive security posture by using security profiles containing concrete, actionable, and automated security controls. Each security control includes both an auto-check of the actual state of a configuration in the computing environment and the auto-remediation that brings the configuration to the desired state. (We mean actual auto-remediation, not just a fix recommendation.)
How does automated configuration management specifically mitigate AND prevent ransomware attacks like WannaCry?
In a security profile, a control that would have prevented a WannaCry infection would include:
- A check that the Microsoft SMB server patch is applied
- If the patch is not applied, the option to auto-apply it or, if you choose not to auto-apply, a clear system log of which servers need the patch
Even if it takes some time to test and approve the patch (so that critical business operations aren’t disrupted, as in legacy systems or complex environments), the point is that you will have continuous visibility of your security posture and a focus on proactive intervention.
Proactive security also speeds reactive measures. By having your servers enrolled in an automated configuration management security platform, you get instant visibility into which servers are vulnerable to a new threat (regardless of where those servers exist). Within 24 hours of the WannaCry attack, our security profiles were updated to include the SMB patch control described above. We’re constantly updating these profiles to stay ahead of attackers, so that you can rapidly auto-remediate your vulnerable servers at the touch of a button.
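To make the check-and-remediate pattern concrete, here is an added example of a minimal control engine of the kind the SMB patch control above describes. It is illustration code written for this post, not Cloud Raxak's platform code: the host inventory, the hotfix identifier (a placeholder standing in for the vendor's real patch ID) and the remediation step are all constructed. Run with auto-remediation off, the profile only logs and reports which servers need the patch; run with it on, the same profile applies the patch, re-checks, and reports only hosts that are still out of compliance.

```python
# Added example (not Cloud Raxak's code): a minimal "check, then remediate or
# report" control engine for a security profile. Hosts, hotfix identifiers and
# the remediation step are constructed stand-ins for illustration.
import logging
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("security-profile")

# Placeholder for the vendor's SMB server patch identifier(s) for your OS
# versions; take the real IDs from the vendor bulletin, do not hard-code guesses.
SMB_PATCH_IDS: Set[str] = {"KB-SMB-PLACEHOLDER"}


@dataclass
class Host:
    """A managed server and the hotfixes its inventory agent reports."""
    name: str
    installed_hotfixes: Set[str] = field(default_factory=set)


@dataclass
class Control:
    """One entry of a security profile: a check plus a remediation action."""
    control_id: str
    description: str
    check: Callable[[Host], bool]       # True when the host is in the desired state
    remediate: Callable[[Host], None]   # brings the host to the desired state


def smb_patch_applied(host: Host) -> bool:
    # Compliant if any accepted patch ID is present in the host's inventory.
    return bool(SMB_PATCH_IDS & host.installed_hotfixes)


def apply_smb_patch(host: Host) -> None:
    # Constructed stand-in for the real patch installation step.
    host.installed_hotfixes.add(next(iter(SMB_PATCH_IDS)))


SMB_PATCH_CONTROL = Control(
    control_id="SMB-PATCH-001",
    description="Microsoft SMB server patch is applied",
    check=smb_patch_applied,
    remediate=apply_smb_patch,
)


def run_profile(profile: List[Control], hosts: List[Host],
                auto_remediate: bool) -> Dict[str, Dict[str, List[str]]]:
    """Evaluate every control on every host.

    Returns {"non_compliant": {control_id: [hosts]}, "remediated": {control_id: [hosts]}}.
    With auto_remediate=False, failing hosts are only logged and reported (the
    visibility-only mode). With auto_remediate=True, failing hosts are remediated
    and re-checked; only hosts that still fail afterwards are reported.
    """
    report: Dict[str, Dict[str, List[str]]] = {"non_compliant": {}, "remediated": {}}
    for control in profile:
        still_failing: List[str] = []
        fixed: List[str] = []
        for host in hosts:
            if control.check(host):
                continue
            if not auto_remediate:
                log.warning("%s %s: needs remediation (%s)",
                            control.control_id, host.name, control.description)
                still_failing.append(host.name)
                continue
            log.info("%s %s: remediating", control.control_id, host.name)
            control.remediate(host)
            if control.check(host):
                fixed.append(host.name)
            else:
                log.error("%s %s: remediation did not reach desired state",
                          control.control_id, host.name)
                still_failing.append(host.name)
        report["non_compliant"][control.control_id] = still_failing
        report["remediated"][control.control_id] = fixed
    return report


def constructed_inventory() -> List[Host]:
    """Constructed sample fleet: one patched host, two unpatched."""
    return [
        Host("web-01", {"KB-SMB-PLACEHOLDER", "KB-OTHER-1"}),
        Host("db-01", set()),
        Host("app-02", {"KB-OTHER-1"}),
    ]


if __name__ == "__main__":
    fleet = constructed_inventory()
    print(run_profile([SMB_PATCH_CONTROL], fleet, auto_remediate=False))
    print(run_profile([SMB_PATCH_CONTROL], fleet, auto_remediate=True))
```

The important design choice is that the check runs again after remediation: a control that reports "remediated" without re-checking hides the case where the install failed, which is exactly the blind spot the text warns about.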
How Cloud Raxak Protects Against WannaCry (and Other Ransomware)
Our stringent security profiles are designed for automated and proactive security. These profiles are used to easily scan and remediate vulnerabilities, ensuring continuous and consistent protection no matter how large or complex your environment is. We use the most comprehensive security controls, drawing from standards like the DISA/NIST STIGs, CVEs, ISO27001, compliance regulations, and more.
In addition, our security platform leverages Intel TXT/TPM technology to verify that the BIOS, kernel, and overall OS of a machine are untampered, and that applications running on top do so in a trusted environment – we call this ability a hardware root of trust. This ability greatly fortifies your OS hardening and is especially important for operation-critical or geo-sensitive workloads.
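To show what "verifying that the BIOS, kernel, and OS are untampered" means mechanically, here is an added example modelling measured boot behind a hardware root of trust. It is a simplified illustration written for this post, not Cloud Raxak's or Intel's implementation: each boot stage is hashed and extended into a PCR the way a TPM does, and a verifier compares the final value with a known-good baseline. The stage images and the golden chain are constructed byte strings, and in a real deployment the PCR value would come from a signed TPM quote and the baseline from measuring the approved images.

```python
# Added example (not Cloud Raxak's implementation): simplified measured boot.
# Each stage is measured into a PCR as PCR = SHA256(PCR || SHA256(stage)); the
# verifier compares the result with a baseline and uses the event log to say
# which stage diverged. Stage images are constructed, not real firmware.
import hashlib
import hmac
from typing import List, Optional, Tuple

PCR_RESET = b"\x00" * 32  # SHA-256 bank PCR value after reset

Stage = Tuple[str, bytes]          # (stage name, image bytes)
LogEntry = Tuple[str, str]         # (stage name, hex digest of image)


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style extend: the new value commits to the old PCR and the digest of
    the component just measured, so both content and order matter."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_chain(stages: List[Stage]) -> Tuple[bytes, List[LogEntry]]:
    """Replay a boot chain; returns the final PCR and the event log."""
    pcr = PCR_RESET
    event_log: List[LogEntry] = []
    for name, image in stages:
        event_log.append((name, hashlib.sha256(image).hexdigest()))
        pcr = extend(pcr, image)
    return pcr, event_log


def first_divergence(event_log: List[LogEntry],
                     golden_log: List[LogEntry]) -> Optional[str]:
    """Name of the first stage whose measurement differs from the baseline
    (or the first missing/extra stage), or None if the logs agree."""
    for (name, digest), (gname, gdigest) in zip(event_log, golden_log):
        if name != gname or digest != gdigest:
            return name
    if len(event_log) != len(golden_log):
        longer = event_log if len(event_log) > len(golden_log) else golden_log
        return longer[min(len(event_log), len(golden_log))][0]
    return None


# Constructed known-good boot chain standing in for the approved images.
GOLDEN_CHAIN: List[Stage] = [
    ("bios", b"constructed BIOS image v1"),
    ("bootloader", b"constructed bootloader v1"),
    ("kernel", b"constructed kernel image"),
    ("initrd", b"constructed initrd"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_chain(GOLDEN_CHAIN)


def attest(stages: List[Stage]) -> Tuple[bool, Optional[str]]:
    """Verifier side: (trusted, first divergent stage). A machine is trusted
    only if its final PCR equals the baseline; the event log explains why not."""
    pcr, event_log = measure_chain(stages)
    trusted = hmac.compare_digest(pcr, GOLDEN_PCR)
    return trusted, None if trusted else first_divergence(event_log, GOLDEN_LOG)


def with_stage(stages: List[Stage], name: str, image: bytes) -> List[Stage]:
    """Copy of a chain with one stage's image replaced (models tampering)."""
    return [(n, image if n == name else img) for n, img in stages]


if __name__ == "__main__":
    print("clean boot:", attest(GOLDEN_CHAIN))
    tampered = with_stage(GOLDEN_CHAIN, "kernel", b"constructed kernel image + implant")
    print("tampered kernel:", attest(tampered))
```

Because every extend commits to the previous value, a change to any stage (or a change in the order the stages load) produces a different final PCR, so a single baseline comparison catches tampering anywhere in the chain, and the per-stage log tells the operator where to look.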
Automated configuration management removes the overhead of keeping up with the configurations and updates you need in order to be secure. With the prevalence of increasingly complex systems, it’s simply not feasible to just react to incidents or to prioritize certain updates over others. WannaCry shows us that just one vulnerability is all it takes. For your protection, it’s more crucial than ever to proactively assess and remediate the security of your IT infrastructure. We make it possible for you to be proactively secure now and going forward.
Please feel free to contact us at [email protected] if you have any questions about ransomware or proactive security.
Here are some more resources on ransomware:
- If you were affected by WannaCry, help with decrypting your files using WanaKiwi: https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d
- Information on the WannaCry ransomware: ENISA’s guide to WannaCry
- If you were affected by ransomware in general, help with decrypting your files for free: The No More Ransom Project
- More info on how to protect and harden a computer against ransomware: https://www.bleepingcomputer.com/news/security/how-to-protect-and-harden-a-computer-against-ransomware/
- FBI’s latest advisory on protecting against or responding to ransomware: https://www.ic3.gov/media/2016/160915.aspx