Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
8/23/2017
09:00 AM
Brett White
Brett White
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Ransomware: The Tripflare in the Modern Cyberwar

With the frequency and scale of breaches on the rise, and our legacy security failing to protect us, is ransomware the catalyst we need to trigger improvement in our security postures?

May and June 2017 saw the outbreak and rapid spread of WannaCry and NotPetya across the world. Though the initial infection vectors differed, both of these worms leveraged the same Server Message Block (SMB) vulnerabilities for lateral propagation and privilege escalation, though NotPetya added a couple of extra tricks to its bag. 

These SMB vulnerabilities – EternalBlue and DoublePulsar – stemmed from a leak of NSA-authored hacking tools released by The Shadow Brokers.  In both cases, the malware delivered was overt in nature, contributing to fast detection times and, in the case of WannaCry, the rapid discovery of a kill switch which was used to halt the attack.

When The Shadow Brokers dumped the cache of tools onto the Internet, Rapid7 reported that security researchers went from feeling "like kids in a candy store" to being disinterested as they realized that "the exploits were antiques and had all been patched."  However, as time and ransomware actors would go on to prove, "even though we thought we were safe against these non-zero-day, unexciting attacks, we were not." And although vulnerable servers should not have been "exposed to the public Internet in an unrestricted manner," over 250,000 machines were infected by WannaCry within the first day. This was also not the first time that a cryptoworm had leveraged vulnerabilities that had been patched years earlier by the vendor.

As the WannaCry and NotPetya attacks progressed, we saw reports of breaches from the NHS, telecommunications service providers, critical infrastructure providers, vehicle manufacturers, airports and logistics companies, and even speed camera operators.  But for each of these thousands of companies, across many industry verticals, the impact could have been much worse, if the payload had have been different. What if it had targeted and exfiltrated NHS patient records? What if it had modified shipping or customer manifests?  What if it had disabled speed cameras or worse, moved laterally and modified traffic light sequences? What if the attack was more covert in nature? Would we have ever known?

Over the last six years, Mandiant analysts have reported a reduction in the median breach detection time from 416 days (2012) to 99 days (2017). And while, on the surface, this looks positive, it worryingly corresponds to an increase in the percentage of breaches reported by internal sources from 6% (2012) to 47% (2017), during the period in which we have seen a massive boom in ransomware innovation and activity. 

So, I wonder, if ransomware attacks are leading to an increase in the percentage of internal breach notifications, and driving the median breach detection time down, thanks to their sheer volume and overt nature, how long are the covert attacks going undetected, before ransomware actors start leveraging their Tactics, Techniques and Procedures (TTPs), alerting us to the failings of our security architectures and policies, forcing us to make a change?

Until we see broader adoption of machine learning for discovering new threats, more automated sharing of threat intelligence between security vendors and security products, and the ability to leverage the network to shut down attacks at the source, we have to ask ourselves – is ransomware the tripflare in the modern cyberwar that we can’t afford not to have?

Brett White is a Senior Security Specialist with Juniper Networks in Australia.  He is a trained pen tester and ethical hacker who is passionate about leveraging threat intelligence to help educate people on the current threat landscape, improve their cyber-hygiene, and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/23/2017 | 10:08:17 AM
If anything ....
Lack of solid, tested backup and restore protocols.  I have argued for some time that encrypted files on workstation or server are the functional same as a drive crash or OS failure.  Workstations generally far easier to restore, local backup of data less so as rules change all over the place.  SERVERS should have reliable, tested plans for data restoration IF drives or infrastructure fails.  Ransomware is thus EASY to defeat.  WHY go so crazy?  Because many firms DO NOT have these plans in place.  Thus, IT staff works 24/7 for 2 weeks not knowing what they are doing at 2 am.  Sad.
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Why Password Management and Security Strategies Fall Short
Steve Zurier, Freelance Writer,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8584
PUBLISHED: 2018-11-14
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka "Windows ALPC Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.
CVE-2018-8588
PUBLISHED: 2018-11-14
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8...
CVE-2018-8589
PUBLISHED: 2018-11-14
An elevation of privilege vulnerability exists when Windows improperly handles calls to Win32k.sys, aka "Windows Win32k Elevation of Privilege Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2.
CVE-2018-8592
PUBLISHED: 2018-11-14
An elevation of privilege vulnerability exists in Windows 10 version 1809 when installed from physical media (USB, DVD, etc, aka "Windows Elevation Of Privilege Vulnerability." This affects Windows 10, Windows Server 2019.
CVE-2018-8600
PUBLISHED: 2018-11-14
A Cross-site Scripting (XSS) vulnerability exists when Azure App Services on Azure Stack does not properly sanitize user provided input, aka "Azure App Service Cross-site Scripting Vulnerability." This affects Azure App.