By Jeff Castillo
Of course, large-scale attacks aren’t new. Attacks like the ILOVEYOU worm and Code Red and Nimda were massive attacks, some of which affected exponentially more devices and organizations that this latest round of attacks. The spread of WannaCry − which reportedly hit a couple of dozen companies in the Philippines − and Petya were quickly curbed unlike these worms of the past. But this isn’t just about scale.
Unlike in years past, the new digital economy means organizations rely on data as both a critical resource and an essential source of revenue. And these new attacks are more sophisticated than ever.
Attacks like Mirai managed to hijack tens of thousands of IoT devices, such as DVRs and digital CCTV cameras using known device passwords installed by their manufacturers. These devices were then aggregated and used as a weapon to take out a massive chunk of the Internet. More recently, Mirai’s lesser known malware cousin, known as Hajime, upped the ante by adding cross-platform functionality (it currently supports five different platforms), a toolkit with automated tasks, updatable password lists, and the use of thresholds to mimic human behavior in order to stay under the radar.
Wannacry pioneered a new sort of ransomware/worm hybrid, something Fortinet calls a ransomworm, in order to use a Microsoft exploit created by the NSA and publicly released by a hacker group known as the Shadow Brokers. Rather than the usual ransomware method of selecting a specific target, Wannacry’s worm functionality allowed it to spread rapidly across the globe, attacking thousands of devices and organization. While the potential was there, the damage was quickly curbed due to an embedded kill switch.
And just this past month we saw the emergence of a new ransomworm called Petya. This new malware uses the same worm-based approach of Wannacry, even targeting the exact same vulnerability, but this time with a much more potent payload that can wipe data off a system and even modify a device’s Master Boot Record, rendering the device unusable. Since very little money was made during this attack, we can say that this attack was certainly more focused on taking machines offline than monetization through ransom. Machine availability ransom like Petya may become a much larger problem in the future when spreading through a rapid Ransomworm.
I believe that the Wannacry and Petya attacks were simply shots across the bow. They are part of an insidious new opportunistic strategy of targeting newly discovered vulnerabilities with massive, global attacks and increasingly malicious payloads. This is just being the tip of the iceberg and potentially the start of a new wave of attacks we are in for in the future in the form of Ransomworms.
What Can You Do?
The scale and scope of these attacks have people understandably upset and concerned. But before panic sets in, here are four things you can do to protect your organization.
1. Patch and replace
Network and device hygiene are perhaps the most neglected elements of security today. The Wannacry ransomworm targeted vulnerabilities that Microsoft had patched two months previously. And in spite of its worldwide impact, Petya was able to successfully target the EXACT SAME vulnerability a month later, compromising thousands of organizations. In fact, most successful cyberattacks target vulnerabilities that are an average of five years old.
The answer, of course, is to establish a habit of regularly patching devices. And devices that are too old to patch need to be replaced.
2. Know what devices are on your network
Of course, you can’t patch devices you don’t know about. This is why you need to invest in either the time or technology to identify every device on your network, determine what its function is, what traffic passes through it, how old it is, what OS and patch level it is running, and who or what devices have access to it.
3. Implement a Security Fabric
Some of these attacks target IoT devices that simply can’t be patched or updated. Which is why you also need to implement effective security tools that can see and stop the latest threats at multiple places in your network. Fortinet tools, for example, were able to see and stop all of these attacks.
But given that our networks now span a wide range of devices, users, and applications deployed across multiple networked ecosystems, isolated tools monitoring traffic that passes a single point in the network are no longer adequate.
4. Segment your network
Dividing your network into functional segments to protect data and resources isn’t new. Unfortunately, like patching, most organizations fail to do this. They tend to have flat, open networks, and once the perimeter security has been breached, malware can create havoc.
For those organizations that have seen their perimeters disappear, this is especially challenging. In the case of vulnerable IoT devices, for example, they should be automatically assigned to a separate, secured network segment so if they begin to behave badly the rest of the network is protected. But segmentation alone isn’t enough. Organizations need to deploy a segmentation strategy designed to meet the security demands of today’s most complex networked environments:
1. Network segments need to be secure – You not only need to monitor and inspect devices and traffic moving in and out of a particular network segment. You need to secure data as it moves laterally across your network. Most malware is designed to move across your environment looking for resources to exploit or steal. It is essential that your segmentation strategy be able to see, inspect, and stop malware and unauthorized users and applications attempting to cross between segments.
2. Segmentation needs to be automated – Given the number of devices and volume of traffic today’s networks have to deal with; organizations can no longer rely on a manual process for granting or revoking access. What is needed is a way to see and categorize data and devices at the point of access based on a number of contextual characteristics, including what device or application it is, who it belongs to, where it is going, etc. This requires tight integration between your security devices and your access points.
3. Segmentation needs to support both vertical and horizontal traffic – Users and applications often need to be able to move laterally across the network, between one secure network zone and the next. When traffic needs to cross segmentation boundaries, a segmentation security solution needs to be able to a) evaluate the connection request and permit or deny it based on policy, b) continuously monitor that traffic passing across the segmentation border, and c) pass credentials and policies to other devices along the data path to ensure that monitoring is maintained and policies are enforced.
4. Segmentation needs to be able to identify and isolate rogue and infected devices – You need to keep track of and monitor the behavior of devices once inside a segment. A secure segmentation solution needs to be able to continuously monitor behavior deep inside the network, identify and track malicious traffic, and then quickly identify and isolate rogue or infected devices.
5. Segmentation needs to span network environments — Today’s networks are complex. Segmentation solutions need to be able to span the diverse ecosystem of networks, and seamlessly pass along policies and profiles as data and users move across these systems.
For security professionals, very little of this should be new. The difference is an incredible urgency for security hygiene and network segmentation to help minimize your organization’s risk exposure to attacks like Petya. And executive business decision makers need to understand that if the appropriate resources aren’t allocated to do these things, they are putting the life of their organization at risk. These are not optional, nice to have security strategies; they are necessities for today’s new normal.
By Jeff Castillo, Fortinet Regional Director for Southeast Asia and Hong Kong