WannaCry: Separating Truth from Marketing

Brad Hibbert, May 18th, 2017

WannaCry Truth vs Marketing

As a vendor in the security space, our role is to provide organizations with real solutions to help protect them from real threats. As vendors, we need to clearly articulate when and how we can help. With the recent outbreak of WannaCry and EternalBlue hitting thousands of companies across the globe, we see security vendors jumping in to tell you how their product will stop the attack. They use well-crafted sentences and walk the line between what’s true and not true. So, let’s look at the facts of the case by examining two aspects of this outbreak – initial attack vector and propagation.

Initial Attack Vector (or, How it Gains a Foothold on Your Network)

Application control (including capabilities such as whitelisting, greylisting and blacklisting) and least privilege solutions offered by BeyondTrust and other vendors can certainly protect and reduce the impact of phshing and ransomware attacks. In the case of WannaCry, if phishing was the initial attack vector to gain a foothold, then application control and least privilege could help to mitigate this scenario. However, upon inspection it appears that that the WannaCry initial attack vector was not a phishing attack. See this article, “Dr. Chenxi Wang Discusses WannaCry – A Simple Attack That Took Down The Internet” for a great overview.

Propagation (or, How the Infection Spreads)

Application control and least privilege solutions are not able to stop the propagation of WannaCry and Eternalblue due to the nature of the attack. This is the nature of a worm-able exploit operating in ring 0 of the operating system and something very rare in the cyber security community. We include more details on the outbreak and propagation in this blog, “WannaCry Ransomware Attack Explained“.

How to Protect Your Organization

To protect yourself from this specific infection there is prescriptive guidance that includes updating malware rules and app control rules, removing SMB1/CIFS, patching your systems, and blocking incoming TCP ports being used to drive the initial infection. However, it is important to note that the specific payload leveraging this exploit can be modified quickly. The best approach to protect yourself from this and future variants is to either patch or shutdown vulnerable systems.

At BeyondTrust we do offer a free scanning solution to allow customers to discover where they are vulnerable to this attack. We can also offer ways to help mitigate against phishing and ransomware attacks.

As security solution providers and advisors, vendors need to be upfront with our customers and the market. We need focus on what’s important – helping our customers stay secure – and less about the fantastic marketing.