WannaCry: Taking a defense in depth approach


Ransomware is top of mind again with the rapid spread of the WannaCry malware, which has spread across the Internet encrypting users’ files and demanding $300 in Bitcoin before decrypting them. Even after a lucky fix slowed it down, the infections continue and new variants can be expected. This is a time to reflect: what could enterprises who critically depend on their networks do to protect themselves from such digital pandemics? How can we adopt a defense in depth approach?

First, let’s take a step back and ask, how does WannaCry spread? Take an example as reported by Bleeping Computer: at Telefonica, an internal server was infected with the WannaCry malware. The malware attempts to contact any server it can reach which has TCP port 445 accessible, corresponding to the SMB protocol, where it tries to gain entry via the “EternalBlue” exploit (said to be leaked from the NSA). Once the Telefonica internal server was infected, it would have been able to reach many other individual machines, prompting Telefonica to urge its employees to disconnect from the company’s network or shut down their computers.

In addition to the internal servers, machines could also have been infected through contact with machines elsewhere on the Internet; in fact, an unprotected machine might be infected within just about 15 minutes. And malware often spreads even more quickly within a local network, since it can find machines faster.

In other words, for a victim machine to be infected, at least two things have to happen:

  1. An infected computer contacts another victim across the network.
  2. The victim is running vulnerable software.

Therefore, a machine can be protected if one or the other step is prevented.

The most common recommendation is to ensure your machines are patched, which is certainly a necessary step. This way, the victim is not running vulnerable software.

But an enterprise can’t assume that all machines are patched. Microsoft released a patch for EternalBlue on March 14, yet the WannaCry ransomware has infected hundreds of thousands of machines across Telefonica, the British National Health Service, Russia’s central bank, and elsewhere around the world (check out the live map of victims). Especially in large enterprises, we can be sure that some patches are missed, delayed or just not done.

Protection can be improved and the spread of the malware can be slowed, therefore, by also working to disrupt the first step where the infected machine contacts the victim in the first place. This kind of isolation helps limit the “blast radius” of a security incident.

Of course, today, completely disconnecting a machine from the Internet typically renders it of little use. But network connectivity can be limited as much as possible, which is known as network segmentation: certain parts of the network (say, employees’ machines) should not be able to initiate connections into other parts of the network (say, databases holding credit card data). Segmentation requires careful network architecture, especially in a complex environment where configurations of firewalls, routers and other devices are continually changing. Rigorous network verification methods can help ensure that the intended segmentation is continually realized.
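The following is an added illustration of what “verifying that the intended segmentation is continually realized” means in practice; it is not code from this post or from Veriflow’s product. It models a first-match firewall/ACL policy over IPv4 subnets and TCP destination ports, then checks a segmentation invariant (“employee workstations must not be able to initiate SMB on TCP 445 into the server segment”) against every host pair. The subnets, rules and the shadowed-rule mistake are constructed sample values, chosen to show how an ordering error in an otherwise reasonable rule set silently breaks the intended isolation.

```python
"""Segmentation invariant checker (added example; not the post's or Veriflow's code).

Assumptions: a first-match allow/deny policy with a default deny, IPv4 only,
TCP destination ports only. All subnets and rules below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset                # destination TCP ports; empty means any port


def rule(action, src, dst, ports=()):
    """Build a Rule from CIDR strings and an iterable of ports."""
    return Rule(action, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), frozenset(ports))


def evaluate(rules, src_ip, dst_ip, dport, default="deny"):
    """Return the action of the first matching rule, else the default."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (not r.ports or dport in r.ports):
            return r.action
    return default


def check_invariant(rules, src_net, dst_net, dport, want="deny"):
    """Exhaustively check every host pair between two small subnets.

    Returns the list of (src, dst) pairs whose outcome differs from `want`.
    Exhaustive enumeration is fine for the tiny constructed subnets here;
    real verification tools reason over address ranges symbolically instead.
    """
    violations = []
    for s in ipaddress.ip_network(src_net).hosts():
        for d in ipaddress.ip_network(dst_net).hosts():
            if evaluate(rules, s, d, dport) != want:
                violations.append((str(s), str(d)))
    return violations


# Constructed sample segments: six usable hosts each.
EMPLOYEES = "10.1.0.0/29"
SERVERS = "10.2.0.0/29"
SMB = 445

# Constructed rule set with an ordering mistake: the broad allow comes first,
# so the specific SMB deny underneath it is never reached (a shadowed rule).
SHADOWED_POLICY = [
    rule("allow", EMPLOYEES, SERVERS),           # intended as "web access only"
    rule("deny", EMPLOYEES, SERVERS, [SMB]),     # shadowed; never matches
]

# Corrected rule set: the specific deny comes first and the allow is narrowed
# to the one service employees actually need (HTTPS here, as an assumption).
HARDENED_POLICY = [
    rule("deny", EMPLOYEES, SERVERS, [SMB]),
    rule("allow", EMPLOYEES, SERVERS, [443]),
]


def audit(policy):
    """Violations of the invariant 'no SMB/445 from employees into servers'."""
    return check_invariant(policy, EMPLOYEES, SERVERS, SMB, want="deny")


if __name__ == "__main__":
    for name, policy in (("shadowed", SHADOWED_POLICY), ("hardened", HARDENED_POLICY)):
        bad = audit(policy)
        print(f"{name}: {len(bad)} host pairs can reach TCP/{SMB}; "
              f"first: {bad[:1]}")
```

Running the audit against the shadowed policy reports every employee-to-server host pair as able to reach port 445, even though a deny rule for exactly that traffic exists; the hardened ordering reports none, while still allowing HTTPS. The point is the check, not this particular rule set: the same invariant should be re-evaluated whenever firewall or router configurations change, since that is how intended segmentation quietly drifts.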

In the case of WannaCry, some machines were also protected through the accidental discovery of a “kill switch”. And by ensuring regular, secure backups exist, you can avoid paying the decryption ransom. These methods lessen the damage but don’t stop the malware’s spread.

Ultimately, these techniques are complementary, which is the idea of the defense-in-depth approach. By keeping software updated continually and also providing strong network segmentation in the event that a threat does get in, IT teams can protect the enterprise with multiple lines of defense.

Read more about how Veriflow ensures network segmentation while eliminating outages and vulnerabilities, in our most recent whitepaper.