Transcript
WannaCry Debrief: Lessons Learned including Petya Ransomware Attack
Trend Micro: Ed Cabrera – Chief Cybersecurity Officer, former CISO, U.S. Secret Service; Youssef Jad – Cyber Threat Researcher, TrendLabs
HITRUST: Elie Nasrallah, CISSP – Director Cyber Security Strategy; Michael Frederick – Vice President of Operations
HITRUST Cyber Threat XChange (CTX)
• The HITRUST Cyber Threat XChange (CTX) was created to significantly accelerate the detection of and response to cyber threats targeted at the healthcare industry.
• WannaCry indicators were detected several weeks in advance of the outbreak.
• The CTX Enhanced IOC systems detected indicators over SMB early in the attack lifecycle and automatically issued IOCs to all CTX participants for protection.
• Various indicators were collected and shared, including WannaCry hashes, URLs and C&C IPs. CTX distributed actionable indicators automatically and seamlessly to the CTX organizations to protect their environments from attack.
• CTX greatly reduces the risk of cyber attack or breach from both known and unknown threats, including ransomware, by detecting threats across all stages of the attack lifecycle, including lateral movement, and sharing those threat indicators in near real time.
HITRUST UPDATES: PETYA
• The HITRUST team is actively monitoring and updating our Threat Bulletin on Petya.
• The Petya ransomware is using NSA's EternalBlue code.
• This variant is using the same exploits as WannaCry, targeting SMB v1 with the EternalBlue exploit.
  – Utilize the mitigation measures that were implemented for WannaCry v2.0.
  – Patch and update your systems (MS17-010), or consider a virtual patching solution.
  – Disable SMB v1 on vulnerable machines.
  – Implement security mechanisms for other points of entry attackers can use, such as email and websites.
  – Proactively monitor and validate traffic going in and out of the network.
• PETYA vaccine: create a dummy file "C:\Windows\perfc" on all machines via your management tools (e.g. SCCM), or block the creation of that file using your endpoint agents.
• DON'T PAY THE RANSOM; you won't get your files back. The e-mail address used by the threat agent (wowsmith123456{at}posteo{dot}net) has been suspended by the hosting provider Posteo.
• HITRUST CTX Enhanced IOC participants can leverage Deep Discovery Inspector Rule 2383 (CVE-2017-0144 - Remote Code Execution - SMB (Request)) for detection.
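The two host-level Petya mitigations above (disable SMB v1, plant the C:\Windows\perfc vaccine file) as an added PowerShell example; this is not code from the HITRUST or Trend Micro deck. It assumes Windows 8.1/Server 2012 R2 or later for the SmbShare cmdlets, that the SMB1Protocol optional-feature name applies (Windows 10 clients), and it marks the file read-only as an extra step of its own; it does not check the MS17-010 patch state, since the KB number depends on the OS build.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the HITRUST/Trend Micro deck): apply two of the Petya
# mitigations listed above on a Windows host and report what was changed.
# Assumptions: Windows 8.1/Server 2012 R2 or later (Set-SmbServerConfiguration
# exists); the SMB1Protocol optional feature name applies to Windows 10 clients.
# MS17-010 patch state is NOT checked here, because the KB number differs per
# OS build; verify it separately with your patch-management tooling.

$VaccinePath = Join-Path $env:SystemRoot 'perfc'   # C:\Windows\perfc per the deck

function Disable-Smb1 {
    # Turn off the SMBv1 server side; EternalBlue (CVE-2017-0144) targets SMBv1.
    $before = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($before) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # On client SKUs the protocol also ships as an optional feature; remove it too.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    [pscustomobject]@{ Control = 'SMBv1 disabled'; WasEnabled = [bool]$before }
}

function Set-PetyaVaccine {
    # Create the dummy file the deck describes. Making it read-only is an
    # addition here (assumption) so the file cannot be quietly replaced.
    $existed = Test-Path -LiteralPath $VaccinePath
    if (-not $existed) {
        New-Item -ItemType File -Path $VaccinePath -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $VaccinePath -Name IsReadOnly -Value $true
    [pscustomobject]@{ Control = 'perfc vaccine'; AlreadyPresent = $existed }
}

function Test-Mitigations {
    # Post-change verification, suitable for feeding a compliance report.
    [pscustomobject]@{
        Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        VaccinePresent    = Test-Path -LiteralPath $VaccinePath
        VaccineReadOnly   = (Get-Item -LiteralPath $VaccinePath -ErrorAction SilentlyContinue).IsReadOnly
    }
}

Disable-Smb1
Set-PetyaVaccine
Test-Mitigations | Format-List
```

Disabling the SMB1Protocol optional feature takes effect after a reboot; the server-side setting applies immediately, so Test-Mitigations reports the server state correctly right away.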
CSF Controls Related to Threats
CSF Control for WannaCry Ransomware
• Control Reference: *09.j Controls Against Malicious Code
  – Control Text: Detection, prevention, and recovery controls are implemented to protect against malicious code, and appropriate user awareness procedures on malicious code are provided.
  – Implementation Requirement: Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
• Control Reference: *10.m Control of Technical Vulnerabilities
  – Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
  – Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.
• Control Reference: 09.l Backup
  – Control Text: Back-up copies of information and software shall be taken and tested regularly.
  – Implementation Requirement: Back-up copies of information and software shall be made, and tested at appropriate intervals. Complete restoration procedures shall be defined and documented for each system.