Only Network Analytics Stops WannaCry
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
The recent WannaCry ransomware outbreak was a credible indicator of how ill-prepared the world is for a cyberattack.
WannaCry was not a particularly sophisticated worm: it spread by exploiting a known SMBv1 flaw (the EternalBlue exploit, which Microsoft had patched as MS17-010 two months before the outbreak), yet once the initial infection took place it spread quickly to over 300,000 machines in 160 countries.
Even though early warning indicators of the attack were present, from the patch itself to the public release of the exploit, it easily got past conventional network perimeters and diffused so quickly that human security teams were unable to contain it. The outbreak was halted only because a security researcher registered an unregistered domain that the malware queried before spreading; that domain turned out to be a kill switch.
Next time, we won’t be that lucky.
Today, thanks in part to the NSA, Wikileaks and Shadow Brokers, the world has easy access to cheap, sophisticated, and fast-moving malware. The dark web and underground marketplaces provide ready-made and subscription-based malware as a service that for a few bucks, amateur cyber-criminals can leverage to commit extortion and ransom attacks on businesses and institutions of every size, shape and form.
There are even live chat support and 24x7 customer service lines.
Owing to all this, cyber-criminals launched 640 million ransomware attacks last year, generating over a billion dollars in revenue. Those attacks were not driven solely by conventional forms of subterfuge like phishing. Many of them carried metamorphic malware at their core, code that rewrites itself on each infection so that signature-based perimeter tools and most legacy endpoint detection systems have no fixed pattern to match.
The world of cybersecurity defense has changed dramatically in just the last 24 months. Much modern malware is polymorphic and built to begin spreading the moment it lands inside a network, probing every reachable subnet and host at machine speed.
Effective defense systems have to be able to respond to these threats in real time and take on an active reconnaissance posture to seek out these attacks during the infiltration phase.
We now have defense systems that have applied artificial intelligence and advanced machine learning techniques and are able to detect and eradicate these new forms of malware before they become fully capable of executing a breach, but ...
... their adoption has not matched the early expectations.
As of today, the vast majority of businesses and institutions have neither adopted nor installed these systems, and they remain at high risk. The risk is exacerbated further by targets increasingly involved in life-or-death outcomes, like hospitals and medical centers. The new forms of ransomware and extortionware will increasingly be aimed at high-leverage opportunities like insulin pumps, defibrillators, drug delivery systems and operating room robotics.
What used to be a concern over a locked-down accounting system awaiting payment of a ransom has now given way to the reality of much larger payments demanded in exchange for the release of a captive pacemaker, medical scanner or other life-sustaining device or network.
During the WannaCry attacks, hospitals had to turn away patients, and their ability to provide care was significantly disrupted. Even though the threat is widely acknowledged to be real by the information security community and by anyone not living under a rock, and the stakes are higher than ever, most organizations and almost all healthcare providers are still using old-school cybersecurity technologies and retain their reactive security postures.
The WannaCry ransomware attack moved too quickly for security teams to respond, but a few organizations were able to spot the early indicators of the ransomware and contain it before the infection spread across their networks. While it wreaked havoc across the globe, there was nothing subtle about it. All of the signs of highly abnormal behavior on the network were there, but the pace of the attack was far beyond the capacity of human teams to contain it. The latest generation of AI technology enabled those few organizations to defend their networks at the first sign of the threat.
Network behavioral analytics that leverage artificial intelligence can stop malware like WannaCry, and its variants, before it becomes a breach. And new variants are coming. In fact, by the time this is published, it would not surprise me to see a similar attack in the headlines.
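As an added illustration (not code from this article, nor from any product it alludes to), the following Python script shows what one of those "highly abnormal" network signs looks like and how a behavioral detector can catch it: a single host opening SMB (TCP/445) connections to an unusually large number of distinct peers within a minute, which is how a worm exploiting SMB appears on the wire before any payload has been identified. The flow records, IP addresses, timestamps and thresholds are all constructed for the example, and the detector is written generally enough to watch any port, not only SMB.

```python
"""Sliding-window fan-out detector for WannaCry-style SMB lateral movement.

Added example; not from the original article.  Flow records are a constructed,
simplified NetFlow-like tuple: (timestamp, src_ip, dst_ip, dst_port).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445
BASE = datetime(2017, 5, 12, 9, 0, 0)  # constructed reference time


def build_sample_flows():
    """Constructed flow log: one well-behaved host, one infected host."""
    flows = []
    # 10.0.1.10 talks to three file servers over ten minutes: normal SMB use.
    for i in range(30):
        flows.append((BASE + timedelta(seconds=20 * i),
                      "10.0.1.10", f"10.0.2.{(i % 3) + 1}", SMB_PORT))
    # 10.0.1.57 browses the web, then receives one inbound 445 connection
    # from an external address (the infection) and immediately fans out to
    # forty distinct internal peers within forty seconds.
    for i in range(10):
        flows.append((BASE + timedelta(seconds=37 * i),
                      "10.0.1.57", "198.51.100.4", 443))
    flows.append((BASE + timedelta(minutes=5), "203.0.113.8", "10.0.1.57", SMB_PORT))
    for i in range(40):
        flows.append((BASE + timedelta(minutes=5, seconds=i),
                      "10.0.1.57", f"10.0.1.{100 + i}", SMB_PORT))
    return flows


def detect_fanout(flows, port=SMB_PORT, window=timedelta(seconds=60),
                  threshold=20, baseline=None):
    """Alert once per source that reaches `threshold` distinct destinations on
    `port` inside any sliding `window`.

    `baseline` is an optional dict src_ip -> typical distinct peers per window
    (learned from history); a host with a known baseline must exceed five times
    it as well as the global threshold, so busy file-server clients do not
    alert on ordinary activity.  Returns [(src_ip, first_alert_time, peers)].
    """
    recent = defaultdict(deque)   # src_ip -> deque of (ts, dst_ip) in window
    alerts = {}
    for ts, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop flows older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        limit = threshold
        if baseline and src in baseline:
            limit = max(threshold, 5 * baseline[src])
        if distinct >= limit and src not in alerts:
            alerts[src] = (ts, distinct)
    return [(src, ts, n) for src, (ts, n) in alerts.items()]


if __name__ == "__main__":
    for src, ts, n in detect_fanout(build_sample_flows()):
        print(f"{ts:%H:%M:%S} {src} reached {n} distinct SMB peers in 60s")
```

Run stand-alone, the script flags 10.0.1.57 nineteen seconds into its scan, while the file-server client and the single inbound connection stay quiet. In a real deployment the flow tuples would come from NetFlow/IPFIX exports or Zeek connection logs, and the alert would feed a response hook that quarantines the host at the switch port, which is the "machine speed" containment the paragraph above argues for.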
Yesterday would have been a good time for companies and institutions to arm themselves against this pandemic. Tomorrow will be too late.