
WannaCry Debrief: Lessons Learned including Petya Ransomware Attack

Trend Micro Ed Cabrera – Chief Cybersecurity Officer, former CISO, U.S. Secret Service Youssef Jad – Cyber Threat Researcher, TrendLabs

HITRUST Elie Nasrallah, CISSP – Director Cyber Security Strategy Michael Frederick – Vice President of Operations

© 2017 HITRUST Alliance

Worldwide Outbreak

Over 200 countries, 300K Windows machines

WannaCry Timeline

•  March 14, 2017 – Microsoft patch MS17-010
•  April 14, 2017 – Shadow Brokers leak tools
•  April 14, 2017 – WannaCry/WCRY 1.0
•  May 2, 2017 – HITRUST Enhanced IOC detects & automatically shares IOCs
•  May 12, 2017 – WannaCry/WCRY 2.0

Infection Chain (diagram labels)

•  SMBv1 vulnerability (SMBv1 file sharing protocol)
•  WCRY
•  Queries kill-switch domain
•  Install ransomware
•  Encrypt data files
•  Spread again

Exploit Used

MS17-010, Port 445, SMBv1

WannaCry Kill Switch


Sleep Mode


WannaCry Continues to Spread

MINIMIZE RISK OF WANNACRY

Recommended Critical Actions - General

•  Patch immediately: all Windows-based machines (servers and workstations) should be updated to protect against MS17-010
•  Disable SMBv1 on non-essential servers and systems
•  Ensure all security solutions have updated patterns/signatures and optimal configuration settings
•  Deploy firewalls and intrusion prevention systems (IPS) where practical
•  Check the integrity of periodic backups of critical data
•  Remind end users to be diligent and to promptly report any suspicious activity to your internal InfoSec team

HITRUST Cyber Threat XChange (CTX)

•  The HITRUST Cyber Threat XChange (CTX) was created to significantly accelerate the detection of and response to cyber threats targeted at the healthcare industry.
•  WannaCry indicators were detected several weeks in advance of the outbreak.
•  The CTX Enhanced IOC systems detected indicators over SMB early in the attack lifecycle and automatically issued IOCs to all CTX participants for protection.
•  Various indicators were collected and shared, including WannaCry hashes, URLs and C&C IPs. CTX distributed actionable indicators automatically and seamlessly to the CTX organizations to protect their environments from attack.
•  CTX greatly reduces the risk of cyber attack or breach from both known and unknown threats, including ransomware, by detecting threats across all stages of the attack lifecycle, including lateral movement, and sharing those threat indicators in near real time.

HITRUST Threat Bulletins


WannaCry Variants Bulletin


HITRUST UPDATES: PETYA

•  The HITRUST team is actively monitoring and updating our Threat Bulletin on Petya.
•  The Petya ransomware is using NSA's EternalBlue code.
•  This variant is using the same exploits as WannaCry, targeting SMB v.1 with the EternalBlue exploit.
   –  Utilize the mitigation measures that were implemented for WannaCry v2.0.
   –  Patch and update your systems (MS17-010), or consider a virtual patching solution.
   –  Disable SMB (v1) on vulnerable machines.
   –  Implement security mechanisms for other points of entry attackers can use, such as email and websites.
   –  Proactively monitor and validate traffic going in and out of the network.
•  PETYA Vaccines: Create a dummy file "C:\Windows\perfc" on all machines via your management tools (e.g. SCCM), or block the creation of that file using your endpoint agents.
•  DON'T PAY A RANSOM; you wouldn't get your files back. The e-mail address used by the threat agent (wowsmith123456{at}posteo{dot}net) has been suspended by the hosting provider Posteo.
•  HITRUST CTX Enhanced IOC participants can leverage their Deep Discovery Inspector Rule 2383: CVE-2017-0144 - Remote Code Execution - SMB (Request) for detection.
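As an added example (not code from the deck, HITRUST or Trend Micro), the PowerShell below applies two mitigations that both the Recommended Critical Actions and the Petya update call for: disabling the SMBv1 server and creating the C:\Windows\perfc vaccine file, plus a discovery check in the style a management tool such as SCCM consumes. The function names and the read-only attribute are my own additions; the registry switch is Microsoft's documented SMBv1 control for systems without the SmbShare cmdlets.

```powershell
# Added example, not from the HITRUST/Trend Micro deck. Applies two actions the
# bulletins call for: disable the SMBv1 server (MS17-010 exposure) and create the
# Petya vaccine file C:\Windows\perfc. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Disable-Smb1Server {
    # Windows 8 / Server 2012 and later ship the SmbShare module cmdlets.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            return 'SMBv1 server disabled via Set-SmbServerConfiguration'
        }
        return 'SMBv1 server already disabled'
    }
    # Windows 7 / Server 2008 R2 lack those cmdlets: use the documented registry
    # switch (SMB1 = 0 under LanmanServer\Parameters); takes effect after a reboot.
    Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0
    return 'SMBv1 server disabled via registry; reboot required'
}

function Install-PetyaVaccine {
    # Path is the one named in the HITRUST Petya update; extension-less on purpose.
    param([string]$Path = 'C:\Windows\perfc')
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File -Force | Out-Null
    }
    # Marking it read-only is an added hardening step the deck does not mention.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    return (Test-Path -LiteralPath $Path)
}

function Test-WannaCryPetyaMitigations {
    # SCCM-style discovery: outputs 'Compliant' only when both measures are in place.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Off = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Off = ($null -ne $reg) -and ($reg.SMB1 -eq 0)
    }
    $vaccinated = Test-Path -LiteralPath 'C:\Windows\perfc'
    if ($smb1Off -and $vaccinated) { 'Compliant' } else { 'Non-Compliant' }
}

Disable-Smb1Server
Install-PetyaVaccine | Out-Null
Test-WannaCryPetyaMitigations
```

The deck lists SMBv1 removal for non-essential systems only; confirm no legacy device still depends on it before pushing Disable-Smb1Server fleet-wide.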

HITRUST CSF Controls Related to Threats

CSF Control for WannaCry Ransomware

•  Control Reference: *09.j Controls Against Malicious Code
   –  Control Text: Detection, prevention, and recovery controls are implemented to protect against malicious code, and appropriate user awareness procedures on malicious code are provided.
   –  Implementation Requirement: Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

CSF Control for WannaCry Ransomware

•  Control Reference: *10.m Control of Technical Vulnerabilities
   –  Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
   –  Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within the organization responsible for the software. Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.

CSF Control for WannaCry Ransomware

•  Control Reference: 09.l Backup
   –  Control Text: Back-up copies of information and software shall be taken and tested regularly.
   –  Implementation Requirement: Back-up copies of information and software shall be made, and tested at appropriate intervals. Complete restoration procedures shall be defined and documented for each system.

Post WannaCry Survey

•  Complete a brief survey to offer feedback on your experience with the WannaCry incident.

•  This information will help us improve the communications HITRUST provides you during similar events.

www.research.net/r/HITRUSTWannaCrySurvey


Visit www.HITRUSTAlliance.net for more information.

To view our latest documents, visit the Content Spotlight.
