Detect and prevent attacks like WannaCry and Eternal Blue
The WannaCry attack is unique because it is the first time the public is seeing ransomware succeed at scale. Previous ransomware attacks were less broadly targeted. WannaCry (also called WanaCrypt0r 2.0 or WCry) exploits a vulnerability in commonly used Windows file-sharing systems with an NSA tool known as "Eternal Blue". Eternal Blue was released on the internet last month by a hacking group known as the Shadow Brokers.
WannaCry exposes detection gaps
The devil is in the details when it comes to WannaCry. This attack highlights the importance of using the Cyber Kill Chain as an analytic framework to better understand, detect, and then effectively respond.
There have been many Snort-based detection capabilities for the Eternal Blue exploit used by WannaCry. So, in theory, the Eternal Blue exploit should have triggered these Snort signatures during the delivery or exploit phases of the Kill Chain.
Here is where details matter: WannaCry does not execute the Eternal Blue exploit over the network. The attack downloads a payload to the user's machine and executes the exploit locally. This means that the behavior Snort is detecting does not happen on the network, which is the only thing Snort can see. Instead the behavior happens locally on the endpoint, where Snort is blind. This means that businesses which rely on Snort for delivery and exploit detection effectively have a gap in that detection.
How to detect WannaCry and Eternal Blue
Let’s apply Kill Chain concepts to this problem and ask ourselves: how can I best detect WannaCry at the delivery phase and close my current detection gap? In this case, having visibility not just to network traffic, but to the files contained in that traffic would be very valuable. There are effective YARA-based signatures for detecting WannaCry. If a security team had the ability to see all the files coming into them and could then run those files through YARA, the detection gap could be closed.
The same is true when we look at detection at the exploit phase. Snort will detect the exploit on the network. Unfortunately, WannaCry does not run the exploit over the network. Again, we ask ourselves: how can I best detect WannaCry at the exploit phase and close my current detection gap? In this case, having deep visibility to the endpoint in order to detect encryption behavior would effectively close this gap.
Using the Kill Chain as an analytic framework is a valuable tool to identify and focus our efforts on detection gaps. Once we know where to focus and what problem to solve, we can use deep and ongoing visibility into the network and endpoints to effectively close the gaps and adjust our defenses.