Showing posts with label EDR. Show all posts

Monday, May 15, 2017

Ransomware & Incident Response: Thoughts from WannaCry, WannaCry2, & WannaCrypt0r

Lots of content has been created for detecting & dealing with ransomware; however, these past few days have seen a flurry of different attacks & thus require some specific after-action reports (AAR).

So, here are some observations / thoughts / notes:


  • Many orgs do not have the budget to ward off ransomware, including:
    • Advanced threat protection (ATP) via EDR, UBA / UEBA, UTM / NGFW / NGIPS / NGIDS
    • Virtualization to segment legacy tech: SDN, SDS, hyperconvergence
    • SIEM & TI
  • SETA & CSIRT awareness notifications were slow & ineffective
  • Close the patching gap; no more excuses
  • We'll see this level of pandemic / infestation again; this is just a start.

So, folks will see this level of attack again, & it's up to them to be proactive & respond accordingly.

Monday, March 6, 2017

Ransomware Response: A Service Continuity Challenge

While many security solutions (e.g., CASB, ATP, MTD, DMARC/SPF, EDR) look to catch malware / ransomware threats before they are experienced, isn't the response to a ransomware incident a service continuity challenge?

With proper RPO terms, as well as tested BCP/DR procedures, ransomware response should be relatively painless. The real concern is your ecosystem, as many third parties won't have the same governance regarding BCP/DR as a large enterprise.

Wednesday, January 25, 2017

Focus First on Mobile Threat Defense (MTD) or Endpoint Detection & Response (EDR)

A reality of corporate life is economics, defined as the allocation of scarce resources. So, with finite budgets, what is an IT shop to do regarding malware protection outside of the data center?

While the prevailing opinion is that traditional anti-virus (AV) no longer works against contemporary threats, and mobile device management (MDM) does not handle malware, EDR stands as the apparent silver bullet. However, most EDR solutions do not extend to mobile devices, so an MTD may be the better first investment for a distributed enterprise.

Additional decision points include: industry, allowance of local admin rights, how distributed the enterprise is, usage of local drives vs. EDM / ECM (e.g., SharePoint, network file shares), and the global network topology.

Sunday, January 22, 2017

HIDS vs ATP vs Sysmon(d) vs EDR

While contemporary analysis shows that traditional anti-virus is becoming less and less useful, the question then becomes: what next?

Well, for endpoints EDR makes sense, but what about server systems?

The answer to that depends on the industry & the threats present to those server systems. With that said, Sysmon(d) should be the lowest common denominator, with advanced threat protection (ATP) added for good measure when an organization has a (relatively) flat network.

If an organization has not invested in EDR & ATP, & faces an elevated level of risk, then a host-based intrusion detection system (HIDS) would be needed.

Tuesday, August 16, 2016

IPS vs EDR vs NAC vs RMS

InfoSec teams have only so much budget, so how does one decide on whether to spend on the outer perimeter or inner perimeter of an on-prem network?

Well, what industry are you in? Where are your critical systems and business processes?

If your org is not highly regulated, and you have critical systems (e.g., ERP) within your inner perimeter, then that should be your focal point.

While EDR, NAC, & RMS are all sexy technologies, they serve to protect the outer perimeter (e.g., laptops, workstations, file shares, business subnets). And while those are assets in themselves, hopefully your IT folks have embraced the cloud and ECM / EDM (e.g., SharePoint).

For the inner perimeter, your data center, IPS, UEBA, TI, & ATP technologies may be used to protect your financial systems, etc. Now, these solutions aren't silver bullets, but they're a start.

In this age of shadow IT, virtualization, and distributed workforces, the priority should be your most critical digital assets.