8-Point WannaCry Checklist and What Comes Next

8-Point Checklist To Protect Your Systems



For the time being, it looks like WannaCry, or WCry, has been stopped, or at least slowed, by the discovery of the so-called “kill switch.”  However, is this just the eye of the storm that misleading calm between another onslaught.  The code can be easily tweaked and the ransomware unleashed again.  This could happen imminently, so it’s critical to prepare now.  Organisations who haven’t patched should be urgently scrambling to do so, but there are other precautions to take immediately.



We’ve put together a short checklist to help:



1 - Patch Management - Ensure all Workstations and Servers have the latest Microsoft patches, especially the ones related to MS17-010.

2 - Antivirus - Ensure AV signatures are updated on all assets. Identify critical assets and target them first. Block IOCs on AV solution.  Get the details with regards to the name of the malware and verify if this malware has been detected in the logs for last 1 week.

3 - IPS - Ensure IPS signatures are updated. Verify if the signature that can detect this vulnerability / exploit attempt is enabled and is in blocking mode.

Get the details with regards to the name of the Signature and verify if this Signature has been detected in the logs for last 1 week.

4 - eMail Gateway - Ensure eMail Gateway solutions has all relevant updates for detecting possible mails that may bring the Trojan in the environment.

5 - Proxy - Ensure Proxy solution has updated database. Block IOCs for IP Address and Domain names on the Proxy.

Verify last one week logs for the IOCs on Proxy and take action on sources of infection.

6 - Firewall - Block the IP addresses on Perimeter Firewall.  Verify logs for last one week.

7 - Anti-APT Solutions (FireEye, Trend Micro).  Ensure signatures are up to date.

Check for possible internal sources of infection and take actions.

8 - SIEM - Check logs to verify if any of the IOCs have been detected in 1 week logs.



Note for all points above:

a - If required, raise case with OEM for getting details

b - All changes to follow proper approvals and change management process



What Comes Next?



Once the dust has settled and some of the damage has been mediated, what lessons can be learned from this about protecting your vital systems?



Frankly, there is no better example than the WCry ransomware to demonstrate the importance of a tiered and layered architecture and a holistic approach to security which should include protection, detection & response to defend customers from ransomware and other forms of targeted attacks. Companies need effective defenses against exploitation, malware and fileless attacks, and malicious behaviours all operating in parallel. Assuming these defences fail, then you need appropriately timed detection and response procedures to kick in and minimise the impact of this ransomware.  In addition, these layers must be effective in detecting never-before-seen attacks. 



As we’ve seen time and time again, signature-based defenses can’t compete against motivated and sophisticated attackers. This reality forms the foundation of the LMNTRIX Adaptive Threat Response zero-breach tolerance approach to defending customer networks. 



Even if our machine learning feature was turned off, or if a variant emerged which is in the 1% of malware not detected by our endpoint machine learning algorithm, then our ransomware protection feature is in place to stop ransomware attacks. This feature, monitors dozens of aspects of all system processes in real-time. Very shortly after ransomware activity kicks off, threads associated with the ransomware activity are suspended, protecting critical data on customer machines. 



We tested this in our lab on Saturday with our machine learning feature turned off. As expected, our ransomware prevention feature detects the malicious activity immediately after it begins and it blocked the attack. 



We’ll continue to conduct research and share any relevant findings that may help mitigate the risks and damage from this, and similar, attacks in these days ahead.

 


On 2017-05-14

Privacy Statement | Terms of Use