Post by Ori Bach, VP of Product.
As their DeceptionGrid dashboards (https://trapx.com/product/) lit up like Christmas trees, security teams had little doubt this was a priority 1 incident.
On regular days the Traps produce little to no noise, so alert fatigue did not come into the equation.
The alerts told a simple story: a self-spreading worm using the SMB EternalBlue exploit was attempting to propagate throughout the network. The IoCs were unmistakable: it was WannaCry.
Those who had already patched their systems against the vulnerability could take a breath and use the alert kill-chain timeline to identify the careless employees on unsecured BYOD devices who were patient zero for the infection.
Others, tasked with protecting systems that are unpatched or running legacy OSes, such as medical devices and ATMs, had a more difficult task ahead.
WannaCry is just the latest example of cyber attackers leveraging automated malware propagation to compromise thousands of computers globally. These malware “spreaders”, combined with semi-sophisticated spear-phishing attacks, are wreaking havoc for already overburdened IT and security personnel. Unfortunately, many organizations have little to no visibility into these attacks until the damage is done.
The image above immediately shows the impact such attacks can have on large corporations. By leveraging DeceptionGrid, customers achieved something we call Rapid Detection of Automated Malware Propagation (RDAMP). The benefits of TrapX RDAMP are:
- Rapid detection of patient(s) zero and ability to automate containment
- Automated analysis and visualization of the attack (see above)
- Immediate visibility into infected IoT/OT devices (e.g. medical, industrial controls, SCADA)
- Ability to report to senior management “All Clear…no Impact to us by the malware!”
In addition to detection, DeceptionGrid can be used to facilitate automated containment of infected assets through integration with Cisco’s Identity Services Engine (ISE) platform or ForeScout CounterACT®. DeceptionGrid easily shares real-time, actionable intelligence with the customer’s infrastructure, saving precious time by invoking automated containment workflows for rapid response.
Ultimately it was the immediate detection coupled with clear situational awareness of what areas were infected that helped mount an effective and timely response.
Value of DeceptionGrid as it relates to WannaCry (and other lateral moving threats):
- Immediate detection of the spread of the malware (RDAMP)
- A full mapping of infected managed and unmanaged endpoints with timeline to allow identification of the original point of breach (patient zero)
- Clear IoCs of the compromise, including packet capture (PCAP) content to support packet-level deep analysis; in this case the capture included the unique commands used in the exploit
- Automated quarantine workflows that can be enacted to suppress and contain the attack
- Resiliency: because our approach does not require prior knowledge of the malware or exploit, the solution will also cover future attacks that use unknown exploits
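The two list items above about immediate detection and a timeline that leads back to patient zero rest on one property of deception: a trap is a decoy, so any host that probes it is by definition behaving badly, and ordering those probes in time reconstructs the spread. The script below is an added illustration of that analysis and is not DeceptionGrid code; the alert line format, the `SMB`/`EternalBlue` labels, the IP addresses and the `/24` "same segment" heuristic for guessing which earlier victim infected a new one are all constructed assumptions for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample of trap alerts (not real DeceptionGrid output). Each line
# records when a decoy host ("trap") was touched, by which source host, over
# which protocol, and which signature matched. The lines are deliberately out
# of order and include one unrelated RDP probe that must be filtered out.
SAMPLE_ALERTS = [
    "2017-05-12T10:07:41Z src=10.20.7.15 trap=10.20.7.250 proto=SMB sig=EternalBlue",
    "2017-05-12T10:03:14Z src=10.20.5.77 trap=10.20.5.200 proto=SMB sig=EternalBlue",
    "2017-05-12T10:04:02Z src=10.20.5.77 trap=10.20.6.200 proto=SMB sig=EternalBlue",
    "2017-05-12T10:05:30Z src=10.20.6.41 trap=10.20.6.200 proto=SMB sig=EternalBlue",
    "2017-05-12T09:58:00Z src=10.20.9.9 trap=10.20.9.250 proto=RDP sig=LoginProbe",
    "2017-05-12T10:06:12Z src=10.20.6.41 trap=10.20.7.250 proto=SMB sig=EternalBlue",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) trap=(?P<trap>\S+) "
    r"proto=(?P<proto>\S+) sig=(?P<sig>\S+)$"
)


def parse_alert(line):
    """Parse one constructed alert line into a dict with a UTC datetime."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable alert: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def build_timeline(lines, signature="EternalBlue"):
    """Keep only alerts for one signature and return them oldest first."""
    alerts = [parse_alert(line) for line in lines]
    return sorted((a for a in alerts if a["sig"] == signature), key=lambda a: a["ts"])


def first_seen(timeline):
    """Map each source host to the first moment it touched any trap."""
    seen = {}
    for a in timeline:
        seen.setdefault(a["src"], a["ts"])
    return seen


def find_patient_zero(timeline):
    """The earliest host to probe a trap is the best candidate for patient zero."""
    seen = first_seen(timeline)
    return min(seen, key=seen.get) if seen else None


def spread_order(timeline):
    """Infected hosts in the order they first became visible to the traps."""
    seen = first_seen(timeline)
    return sorted(seen, key=seen.get)


def likely_parent(timeline, host):
    """Heuristic (assumption for this example): the most recent earlier-infected
    host that probed a trap on the victim's /24 before the victim's first
    probe is the likely source of its infection. Returns None for patient zero."""
    seen = first_seen(timeline)
    victim_net = ipaddress.ip_network(f"{host}/24", strict=False)
    candidates = [
        a for a in timeline
        if a["ts"] < seen[host]
        and a["src"] != host
        and ipaddress.ip_address(a["trap"]) in victim_net
    ]
    return max(candidates, key=lambda a: a["ts"])["src"] if candidates else None


def containment_targets(timeline):
    """Hosts to hand to a NAC quarantine workflow (e.g. ISE or CounterACT)."""
    return sorted({a["src"] for a in timeline})


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_ALERTS)
    for a in tl:
        print(a["ts"].isoformat(), a["src"], "->", a["trap"], a["sig"])
    print("patient zero:", find_patient_zero(tl))
    for h in spread_order(tl):
        print(f"{h} infected via {likely_parent(tl, h)}")
    print("quarantine:", containment_targets(tl))
```

Running it on the constructed sample yields a three-hop chain (10.20.5.77 to 10.20.6.41 to 10.20.7.15) and a quarantine list of the same three hosts; the unrelated RDP probe never enters the timeline. The parent heuristic is only a starting point for an analyst: a worm that scans across segments can make the true parent sit outside the victim's /24, which is why the page's PCAP evidence matters for confirming the chain.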
To learn more about WannaCry and DeceptionGrid, please check out the latest report: Malware Analysis – WannaCry