WannaCry? Cry Over Too Much Complexity


There’s plenty of blame to go around for WannaCry (a.k.a. Wcry, Wanna Decryptor), the ransomware that hit more than 200,000 organizations in 150 countries. Let’s focus on a driver behind this malware campaign that hasn't been widely discussed: complexity.


WannaCry encrypted files on Windows computers in hospitals, train stations, shipping hubs, automotive manufacturing plants and power companies (among others), then demanded a ransom - payable in Bitcoin - to unlock the files on the victim’s PC.

Once delivered to a Windows machine, this ransomware exploits a security hole in the file-sharing protocol (SMB) used in Microsoft networks to spread to other machines. For in-depth information, I recommend the Wcry US-CERT Alert and Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware on Troy Hunt’s blog.

Who’s behind it? We still don’t know. As for who’s to blame, let the finger-pointing begin:

  • Microsoft blames the NSA, which got the ball rolling by exploiting a Windows vulnerability with a tool now known as EternalBlue. The weaponized exploit was stolen and dumped on the web, which allowed attackers to spread the WannaCry ransomware to Windows PCs.

  • Many in the IT security community blame the victims, often larger organizations like the U.K.’s National Health Service, the German train system Deutsche Bahn and FedEx in the U.S. Many victims failed to apply a patch for the vulnerability that Microsoft made available back in March of 2017, or they used older OS versions that are not supported any longer. Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13.

  • Software industry insiders also blame software pirates, after thousands of companies and universities in China were hit by the WannaCry ransomware due to their use of illegal Windows operating system copies, which were not eligible for Microsoft-issued updates and patches.

  • And don't forget to blame everybody's favorite scapegoat - recent disclosures suggest that some digital fingerprints in the code match those found in exploits attributed to North Korea.

While IT is in full wanna cry mode, vendors continue peddling updates, advanced capabilities, improved analytics, and more, as if IT only needed to install this one magic tool for all ills to be cured.

So far, so predictable. Users are getting as tired as weatherman Phil Connors from Groundhog Day:

Phil Connors on Groundhog Day

Jody has a point. I sympathize and will refrain from hawking Silo, Authentic8’s secure virtual browser, here.

Given the nature of the exploit, once WannaCry entered the network, not even the most secure browser would have prevented the exploit from spreading. Once behind the firewall, the code exploited local area networking protocols for lateral infection, not the web vector.

Instead of harping on a single technology point or solution, let’s look at the role system complexity played in what can only be described as a systemic breakdown of enterprise IT security.

Increased complexity = reduced security

The mix of technology components designed to secure enterprise IT is getting more complex by the day. IT is spending billions of dollars per year across multiple vendors that deliver a cocktail of point solutions. Some of the most common ingredients:

  • At the endpoint, local applications, patches and updates are supposed to ensure secure and compliant user activity. Layered anti-virus solutions promising the latest zero-hour detection can’t keep current enough, as the growth in exploits shows. And each of these invasive routines can impact local system performance, forcing a shorter field life for equipment and more frequent updates.

  • At the network level, filtering gateways, threat scanners, monitoring systems, behavior-based analytic systems and more are configured to ensure the corporate environment is cordoned off from third-party code and inappropriate or malicious content. Keeping these current, along with managing exceptions, creates further stress on IT. And lacking a single management framework, IT is investing in yet another bit of kit, the policy orchestrator. It’s so meta: adding complexity to manage complexity.

  • For monitoring, audit and remediation, packet analysis, log aggregation and visualization tools are layered into the environment to preserve IT’s oversight. The volume of data collected in a production network is staggering, requiring complex data science solutions to try to make sense of it all. And while many vendors promote analysis as a way to remediate threats, as I’ve written before, relying on post-facto analysis is too little, too late.

This cocktail of tools and technologies is costly, complicated, and requires special IT expertise and perspective. It’s no surprise that it didn’t stop WannaCry, which comes with its own set of complexities.

A primary reason is that in most organizations, IT is stretched too thin. The team has to navigate multiple points of administration across the infrastructure, often falling behind on updating and patching schedules.

At the same time, IT needs to maintain holistic context - the situational awareness necessary to keep the network operational for the business.

Reduced complexity = increased security

Outsourcing business applications, data storage solutions or even network security to the cloud reduces the attack surface, by shifting it away from enterprise servers and individual PCs on the company’s network.

Our customers confirm that this approach has helped them reduce complexity and cost while improving the organization’s IT security posture.

While we make the browser used by some of the most security-sensitive organizations worldwide, we’ve been successful because Silo helps the enterprise reduce the complexity and costs they face in securing access to the web, for all users.

This is most obvious at the endpoint, where WannaCry found its first foothold. In (hopefully extremely rare) instances, an enterprise IT admin was irresponsible enough to leave TCP ports 139 or 445 open at the firewall, allowing WannaCry to be dropped on the network directly from the outside.

WannaCry/Wcry infections worldwide - map (an animated version is also available). Source: New York Times / MalwareTech Blog

I can’t imagine that any administrator would knowingly leave those ports open, so I choose to believe that the affected organizations were initially infected because a user at some time, somewhere clicked on a corrupted link or downloaded a malicious payload attached to an email.

Once inside, the ransomware encountered no resistance across organizations that had not kept current with OS versions or had not applied patches. Even with endpoint malware detection increasing in sophistication, such tools still failed to detect the initial attack.
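As an added illustration (not code from the original post), here is a small detection script run over constructed firewall log lines: it flags inbound SMB connections (ports 139 or 445) allowed in from outside the internal address ranges, the open-port mistake described above, and internal hosts fanning out to many peers on those ports, the lateral-spread pattern of an SMB worm. The log format, the internal ranges and all addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
# Assumed internal ranges; adjust to the organisation's own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample firewall log lines (not from the original post), assumed format:
# "<timestamp> <action> <src_ip>:<port> -> <dst_ip>:<port> <proto>"
SAMPLE_LOG = """\
2017-05-12T10:01:03 ALLOW 203.0.113.7:51234 -> 10.0.0.12:445 TCP
2017-05-12T10:01:09 ALLOW 10.0.0.12:49152 -> 10.0.0.13:445 TCP
2017-05-12T10:01:10 ALLOW 10.0.0.12:49153 -> 10.0.0.14:445 TCP
2017-05-12T10:01:11 ALLOW 10.0.0.12:49154 -> 10.0.0.15:445 TCP
2017-05-12T10:01:12 ALLOW 10.0.0.12:49155 -> 10.0.0.16:139 TCP
2017-05-12T10:02:00 ALLOW 10.0.0.20:49200 -> 10.0.0.21:445 TCP
2017-05-12T10:02:30 DENY  198.51.100.9:40000 -> 10.0.0.12:445 TCP
2017-05-12T10:03:00 ALLOW 10.0.0.30:50000 -> 10.0.0.40:443 TCP
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):  # ports become ints, addresses become ip_address objects
    ts, action, src, _arrow, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "src": ipaddress.ip_address(src_ip),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port), "proto": proto}

def allowed_smb(log_text):
    """Parsed records for connections the firewall ALLOWed to an SMB port."""
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["action"] == "ALLOW" and r["dport"] in SMB_PORTS:
            yield r

def exposed_smb(log_text):
    """(src, dst) pairs where SMB was allowed in from outside the internal ranges."""
    return [(str(r["src"]), str(r["dst"])) for r in allowed_smb(log_text)
            if not is_internal(r["src"])]

def smb_fanout(log_text, threshold=3):
    """{src: peers} for internal hosts reaching >= threshold distinct hosts over SMB."""
    peers = defaultdict(set)
    for r in allowed_smb(log_text):
        if is_internal(r["src"]):
            peers[str(r["src"])].add(str(r["dst"]))
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}
```

On the sample, the first check reports the single connection let in from 203.0.113.7, and the second reports 10.0.0.12 reaching four peers on SMB ports within seconds, while the denied attempt from 198.51.100.9 is correctly ignored.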

To remove complexity, move the attack surface to the cloud

Where enterprise apps and network resources are centrally managed and protected via the cloud, the result is reduced costs, less complexity and more reliable protection of the connected endpoints.

The responsibility to keep resources current, patched, and on top of the threat landscape shifts to the vendor whose business depends on doing this right. This way, security doesn’t become just another task on the list of an already overburdened IT team.

A browser isolation approach for instance, where all web code (even rendering documents like PDFs and office files) executes outside of the corporate network and off the user’s device, guarantees that web-borne ransomware and related exploits are effectively neutered.

In WannaCry’s case, IT’s slower patch and upgrade cycle wouldn’t have put the enterprise at risk if the initial exploit hadn’t been able to take root.

For our customers, moving to the cloud delivered cost efficiency, increased IT leverage, and provably better security - when was the last time you saw ransomware lock down your web mail or cloud storage provider?

Now apply the same logic to core IT. Outsource your web attack surface and head off the next ransomware attack. Remove the gateway through which most malware infiltrates the enterprise: the local browser.

Try the browser as a service:

https://go.authentic8.com/intro

###

About the author: Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007.
