Andrew Mundell, Enterprise Sales Engineer at Sophos, used the WannaCrypt ransomware attack to discuss advances in data protection.
“Probably you've all heard about the WannaCrypt ransomware attack. The first interesting feature of that attack is how it got onto the system in the first place,” stated Mundell at the outset of his thought leadership presentation at the 2017 Chief Information Officer Leadership Forum held in New York on June 6. “One of the first things the infection did when it got onto the system was to start spreading itself, which it did in two ways: it started looking for other machines on the same subnet that it could infect, and every one of those machines, at random, chose a bunch of IP addresses on the Internet and began making outbound connections to try to infect those machines as well.” This was the first stage of the attack—penetration.
There was something interesting in the encryption as well, noted Mundell. “Malware doesn’t want to inform the user of its activities until all the important stuff is encrypted. On the server side, WannaCrypt actively killed those applications and stopped their access to those files so the malware couldn’t just encrypt the Word documents and PowerPoint documents on the desktop, it could start encrypting business databases and email at the server site,” he explained.
“The good news is there are things we can do across the network and the endpoint to look at how to stop these things from happening. At the penetration stage, we can patch. However, on average, it takes 190 days from a patch being released by a vendor to it being applied to a majority of systems,” he said.
“Another protection strategy is gateway protocol analysis, which is a fancy way of saying, ‘check the rules on the firewall.’ This traffic shouldn’t be going in and out of firewalls,” advised Mundell.
The next stage of a ransomware attack is deployment. “On the deployment side, there are behavior analytics—the ability of an endpoint product to look at the behavior of all the applications on the system and determine if it’s malicious,” he explained. “We hear a lot about machine learning in this regard.” Mundell gave a simple example of machine learning using a cat. “An engine is trained to identify the image of a cat to develop a learned model. From there, a prediction is made. That’s what all this machine learning, AI stuff is about—placing a bet. Is this malicious or not? For malware files, we’re trying to figure out if something is ‘good’ or ‘bad.’ Next-generation machine learning involves feeding the engine tons of data that we know is already good or bad. We don’t tell the decision-making engine what features to look for. We just tell it, ‘this stuff is good, this stuff is bad.’ We give it a new sample and it analyzes the features it wants to analyze, runs these through its model, and makes a prediction. This is called a ‘deep-learning neural network.’ In these machine learning techniques, the impact on the system is drastically lower,” said Mundell.
The last stage of a ransomware attack is encryption. “There are some good, ransomware-specific protection tools out there. These are the last line of defense. They look at file activity, stop encryption processes, and roll files back. In the WannaCrypt attack, these worked,” stated Mundell.
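The three behaviours Mundell lists for the encryption stage (watch file activity, stop the process, roll files back) can be sketched as a simple entropy-based monitor. This is an added illustration, not Sophos code or the logic of any product he refers to; the event stream, shadow copies, process names and thresholds are all constructed for the example.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ordinary documents sit around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Constructed sample content (not real files): a plaintext document and a
# maximum-entropy stand-in for encrypted output.
PLAINTEXT = b"Q3 contract renewal terms and conditions. " * 40
CIPHERTEXT = bytes(range(256)) * 16

# Constructed file-activity stream: (pid, process name, path, bytes written).
EVENTS = [
    (101, "winword.exe", r"C:\docs\memo.docx", PLAINTEXT),
    (202, "unknown.exe", r"C:\docs\contract.docx", CIPHERTEXT),
    (202, "unknown.exe", r"C:\docs\budget.xlsx", CIPHERTEXT),
    (202, "unknown.exe", r"C:\docs\passwords.txt", CIPHERTEXT),
    (202, "unknown.exe", r"C:\docs\plan.pptx", CIPHERTEXT),
]

# Constructed "shadow copies": pre-attack versions the protection tool kept.
SHADOW = {path: PLAINTEXT for _, _, path, _ in EVENTS}

def detect_and_rollback(events, shadow, entropy_threshold=7.0, min_files=3):
    """Flag a process once it overwrites >= min_files distinct files with
    high-entropy data, stop it (drop its later writes) and restore its victims
    from the shadow copies. Returns (stopped pids, current file contents)."""
    files = {}
    suspicious = defaultdict(set)
    stopped = set()
    for pid, _name, path, data in events:
        if pid in stopped:
            continue  # process already terminated: its write never lands
        files[path] = data
        if shannon_entropy(data) >= entropy_threshold:
            suspicious[pid].add(path)
            if len(suspicious[pid]) >= min_files:
                stopped.add(pid)
                for victim in suspicious[pid]:
                    files[victim] = shadow.get(victim, files[victim])
    return stopped, files

def run():
    return detect_and_rollback(EVENTS, SHADOW)
```

Real products key on more than entropy (rename patterns, write rates, canary files), but the same loop structure of observe, classify, stop and restore is what the "last line of defense" described above does.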
The next step in protection is regular and tested backing up of files. “You’ve got to test it and know it works,” he emphasized. “A popular ransomware at the beginning of the year—a cousin of WannaCrypt—involved a double-stage ransomware attack. It encrypted all the files and, at the same time, it determined if there were any interesting ones—anything that had ‘contract’ or ‘passwords’ or ‘XLS’ in the file name—and uploaded these files to the bad guys’ servers on the Internet. So, it’s necessary to use corporate data protection to encrypt that data so that even if it’s exfiltrated, it’s still secure and protected.”
ABOUT ANDREW MUNDELL:
Andrew Mundell is a Data Protection Specialist and Enterprise Sales Engineer at Sophos, a leading innovator and provider of computer security worldwide. He works with some of Sophos’ largest global customers to help them understand and respond to the potential impact of the latest generation of threats.
Andrew’s expertise is especially critical for those customers with an ever-changing and demanding workforce who routinely tap the network with multiple devices and computers from the field or a remote office. While employees love the mobility, IT managers now have to track every possible connection (i.e., vulnerability) to keep their company safe from cyber threats. By working closely with customers and SophosLabs experts, Andrew has a “real-world” view of the threat landscape and can provide IT managers with insightful direction for security deployment based on vulnerabilities, attack type, and how employees work today.
Andrew has worked at Sophos for nine years. Previously, he worked for a large UK Government body where he was responsible for the Enterprise architecture covering security, network, and storage. Andrew is a frequent speaker at security industry events for IT and channel partner audiences. He’s originally from Weybridge, UK, and now resides in New York.