WannaCry: Post-Attack Insight and Investigations
Network security forensics offers enterprises insight after the WannaCry ransomware attack.
Security is a top concern for anyone running a network today. The WannaCry ransomware attack and other high-profile incidents have shone a new light on the fact that enterprise security strategies must constantly evolve to meet new and ever-changing attacks.
On May 12, 2017, news of the WannaCry ransomware outbreak hit the wire, sending the tech world scrambling to patch the vulnerability that let the worm spread and encrypt victims' data. The flaw was in Microsoft's SMBv1 implementation, and Microsoft had already fixed it in the MS17-010 update released on March 14, 2017; for most organizations the scramble was about deploying a patch that had existed for two months, or applying the emergency fixes Microsoft then issued for unsupported systems such as Windows XP and Windows Server 2003.
“It was a spear phishing malware attack. Somebody got an email and opened up a malicious attachment and basically installed the Trojan on their system. It spreads like a worm using the server message block [SMB] Version 1 exploit in some of the earlier operating systems, specifically Windows XP, Windows Server 2003, and Windows 8,” says Mike Canney, Principal Strategic Architect at Viavi, on the specific versions affected by the vulnerability. “Most intrusion detection systems [IDS] would catch something like this and let you know that there was an event, but being able to tie back into packet insight and understand what happened, who was affected, who wasn’t affected is key.”
Network monitoring tools with back-in-time analysis, such as Observer GigaStor from Viavi, are designed to watch the network, retain and analyze conversations, identify issues, and alert administrators to problem scenarios. Those same features make them well suited to identifying and isolating unauthorized activity. Alongside the usual assortment of firewalls and other preventive controls, network security forensics tools of this kind can be used after an event to reconstruct both known and previously unknown attacks, speeding the cleanup process.
“The thing about ransomware or any type of exploit kit is it doesn’t produce a ton of traffic,” says Canney. “It’s not like they are stealing your data. All your data remains local. It just becomes encrypted. With a situation like this, it’s like a crime scene. Is it valuable to have photographs, which is similar to what you would get with detection tools like IDS? Or would it be more valuable to have fingerprints, which is more like that packet-level data? It’s the difference of being able to go back and reconstruct what actually happened.”
Not all network monitoring tools offer this capability, but it has proven essential in enterprises where breaches often go undetected for days or weeks; being able to “rewind” to an attack in progress yields insight that an alert alone cannot. The practical constraint is storage: the packet retention window must be long enough to cover the gap between initial compromise and detection, or there is nothing left to rewind to.
“The value is the packets and the reconstruction capability, not assembling graphics but actually coming into your IDS log and finding exactly where and when it occurred,” he says. “With attacks of this nature, you’ve already been compromised and you need to be able to understand exactly what happened in order to prevent that from reoccurring.”
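The reconstruction Canney describes, as an added example written for this article rather than code from Viavi or the Observer product: given an IDS alert for one host, rewind through retained packets to find which hosts reached it over SMBv1 before the alert, then replay forward to see which hosts it and its descendants touched over SMBv1 and which of those began spreading themselves. The record format, the host addresses and the packet bytes are all constructed assumptions; a real run would feed the same functions from a pcap reader pointed at the capture store.

```python
# Added example: retrospective SMB triage over retained packets. This is
# illustrative code written for this article, not Viavi Observer/GigaStor code.
# It assumes packets have already been pulled from the capture store into
# (timestamp, src_ip, dst_ip, dst_port, tcp_payload) records; real deployments
# would extract them with a pcap reader. All records below are constructed.
from collections import defaultdict

SMB1_MAGIC = b"\xffSMB"  # legacy SMB dialects (the SMBv1 path WannaCry abused)
SMB2_MAGIC = b"\xfeSMB"  # SMB2/SMB3

# SMBv1 command codes that matter for triage (MS-CIFS command numbers).
SMB1_COMMANDS = {
    0x72: "NEGOTIATE",
    0x73: "SESSION_SETUP_ANDX",
    0x75: "TREE_CONNECT_ANDX",
    0x25: "TRANSACTION",
    0x32: "TRANSACTION2",
    0xA0: "NT_TRANSACT",
}


def classify_smb(payload: bytes):
    """Classify the first message in a TCP/445 payload.

    Returns ("smb1", command_name), ("smb2", None) or (None, None).
    Port 445 carries SMB inside a 4-byte NetBIOS session service header
    (type 0x00 followed by a 3-byte length) before the SMB header itself.
    """
    if len(payload) < 8 or payload[0] != 0x00:
        return None, None
    body = payload[4:]
    if body.startswith(SMB1_MAGIC):
        cmd = body[4]
        return "smb1", SMB1_COMMANDS.get(cmd, f"0x{cmd:02x}")
    if body.startswith(SMB2_MAGIC):
        return "smb2", None
    return None, None


def reconstruct(records, seed_host, alert_time):
    """Rewind and replay around an IDS alert on seed_host at alert_time.

    origins:   SMBv1 senders that reached seed_host before the alert
               (candidates for where it was infected from).
    exposed:   hosts that later received SMBv1 from a suspected host,
               with first-seen time, sender and command.
    suspected: seed_host plus every exposed host that subsequently began
               initiating SMBv1 to port 445 itself, i.e. behaved like a
               worm. Packet evidence alone shows exposure, not infection.
    """
    origins = []
    suspected = {seed_host: alert_time}
    exposed = {}
    for ts, src, dst, dport, payload in sorted(records, key=lambda r: r[0]):
        if dport != 445:
            continue
        proto, cmd = classify_smb(payload)
        if proto != "smb1":
            continue
        if ts < alert_time:
            if dst == seed_host:
                origins.append((ts, src, cmd))
            continue
        if src in exposed and src not in suspected:
            suspected[src] = ts  # an exposed host now spreading on its own
        if src in suspected:
            exposed.setdefault(dst, (ts, src, cmd))
    return origins, suspected, exposed


def smb2_only_hosts(records):
    """Hosts that were only ever reached with SMB2/3 on 445 in the retained
    window: the SMBv1 path never touched them, so they can be triaged last."""
    seen = defaultdict(set)
    for _, _, dst, dport, payload in records:
        proto, _ = classify_smb(payload)
        if dport == 445 and proto:
            seen[dst].add(proto)
    return {h for h, versions in seen.items() if versions == {"smb2"}}


# --- constructed sample "packets" (not real capture data) ------------------
def _nb(body):  # NetBIOS session service framing used on TCP/445
    return b"\x00" + len(body).to_bytes(3, "big") + body

def _smb1(cmd):  # 32-byte SMBv1 header: magic, command, zeroed remainder
    return _nb(SMB1_MAGIC + bytes([cmd]) + b"\x00" * 27)

def _smb2():  # 64-byte SMB2 header; contents are irrelevant here
    return _nb(SMB2_MAGIC + b"\x00" * 60)

SAMPLE_RECORDS = [
    (150, "10.0.0.2", "10.0.0.5", 445, _smb1(0x72)),  # before the alert: SMBv1 negotiate to the seed
    (160, "10.0.0.2", "10.0.0.5", 445, _smb1(0x32)),  # ...followed by TRANSACTION2
    # IDS alert fires on 10.0.0.5 at t=200
    (210, "10.0.0.5", "10.0.0.7", 445, _smb1(0x72)),  # seed fans out over SMBv1
    (215, "10.0.0.5", "10.0.0.7", 445, _smb1(0x32)),
    (230, "10.0.0.5", "10.0.0.8", 445, _smb2()),       # seed talks SMB2 to .8: not the SMBv1 path
    (300, "10.0.0.7", "10.0.0.9", 445, _smb1(0x72)),  # .7 now initiates SMBv1 itself: worm-like
    (310, "10.0.0.3", "10.0.0.5", 80, b"GET / HTTP/1.1\r\n"),  # unrelated traffic
]

if __name__ == "__main__":
    origins, suspected, exposed = reconstruct(SAMPLE_RECORDS, "10.0.0.5", 200)
    print("candidate origins:", origins)
    print("suspected (worm-like):", suspected)
    print("exposed over SMBv1:", exposed)
    print("SMB2-only, untouched by SMBv1:", smb2_only_hosts(SAMPLE_RECORDS))
```

Contact over SMBv1 in the packets proves exposure, not compromise: a host listed as exposed but not suspected still needs host-side confirmation (service state, dropped binaries, encryption activity) before it is cleared or reimaged. The rewind also only works if the capture store's retention covers the interval between the origin traffic and the alert.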
An attentive security team, the right network analyzer, and enough storage for effective post-event retrospective analysis are powerful weapons in the constant battle to ensure the integrity of your network. Working together, these elements create defenses worth more than the sum of their parts.
Learn more about Observer for security forensics with this complimentary white paper from Enterprise Management Associates (EMA).