Detect and prevent attacks like WannaCry and Eternal Blue
The WannaCry attack is unique because it is the first time the public is seeing ransomware succeed at scale. Previous ransomware attacks were less broadly targeted. WannaCry (also called WanaCrypt0r 2.0 or WCry) exploits a vulnerability in commonly used Windows file-sharing systems with an NSA tool known as “Eternal Blue”. Eternal Blue was released on the internet last month by a hacking group known as the Shadow Brokers.
WannaCry exposes detection gaps
The devil is in the details when it comes to WannaCry. This attack highlights the importance of using the Cyber Kill Chain as an analytic framework to better understand, detect, and then effectively respond.
There have been many Snort-based detection capabilities for the Eternal Blue exploit used by WannaCry. So, in theory, the Eternal Blue exploit should have triggered these Snort signatures during the delivery or exploit phases of the Kill Chain.
Here is where details matter: WannaCry does not execute the Eternal Blue exploit over the network. The attack downloads a payload to the user’s machine and executes the exploit locally. This means that the behavior Snort is detecting does not happen on the network, which is the only thing Snort can see. Instead the behavior happens locally on the endpoint, where Snort is blind. This means that businesses which rely on Snort for delivery and exploit detection effectively have a gap in that detection.
How to detect WannaCry and Eternal Blue
Let’s apply Kill Chain concepts to this problem and ask ourselves: how can I best detect WannaCry at the delivery phase and close my current detection gap? In this case, having visibility not just to network traffic, but to the files contained in that traffic would be very valuable. There are effective YARA-based signatures for detecting WannaCry. If a security team had the ability to see all the files coming into them and could then run those files through YARA, the detection gap could be closed.
The same is true when we look at detection at the exploit phase. Snort will detect the exploit on the network. Unfortunately, WannaCry does not run the exploit over the network. Again, we ask ourselves: how can I best detect WannaCry at the exploit phase and close my current detection gap? In this case, having deep visibility to the endpoint in order to detect encryption behavior would effectively close this gap.
Using the Kill Chain as an analytic framework is a valuable tool to identify and focus our efforts on detection gaps. Once we know where to focus and what problem to solve, we can use deep and ongoing visibility into the network and endpoints to effectively close the gaps and adjust our defenses.
Related Content
On Demand Webinar – Is Your MDR Protecting You From WannaCry Ransomware With Morphick And Endgame
Sign Up for News
Related Posts
-
Morphick and Endgame Launch Ad...Learn MoreAlliance to help reduce strain on organizations to retain and train expert security talent Cincinnati, OH &...News -
From the back room to the boar...Learn MoreSecurity has become an important topic in the boardroom and based on consistent news of new data breaches, that will...News -
True Positive False PositiveLearn MoreFalse positives are an everyday occurrence for analysts. To an analyst, a false positive, while sometimes time...News -
An Evening With N3utrinoLearn MoreIntroduction In my previous post I showed off some tricks that malware authors use to check to see if they are being...News -
OPM and Anthem BreachesLearn MoreThere has been much reporting that the data breaches at Anthem, and more recently the U.S. Office of Personnel...News -
The Mozart RAM ScraperLearn MoreAs a reverse engineer on the Morphick Cyber Security team, I spend a large part of my time pulling apart and...News
