Despite the fact that almost every organisation is using anti-virus software, there are many victims of the WannaCry ransomware.
The anatomy of an attack
Looking at today’s threats, relying on anti-virus just isn’t enough anymore. Anti-virus bypassing techniques are getting more and more sophisticated and easier to use, which makes it very hard to detect. To understand the infection technique of today’s attacks, we need to know the anatomy of an attacks. These consist of the following parts: A vulnerability, an exploit and a payload.
The vulnerability is the part of the software that contains the security flaw. The WannaCry malware uses a vulnerability in the Windows SMB service. This vulnerability was discovered by the NSA early, and was used to infiltrate organisations and foreign governments. After the The Shadow Brokers leaked the offensive NSA tools, malware makers started to implement them.
The exploit is the code written by the hacker to misuse the security vulnerability. It is a small piece of computer code that in this case leads to an opportunity to gain control over the computer.
Once the attacker has control over the computer, it’s time to tell the computer what to do with it. This is what we call the payload. When the NSA used this Zero Day, it is most likely used to deploy backdoors. The WannaCry malware however uses this vulnerability to encrypt all the files on the computer.
How to prevent WannaCry
Now we know the anatomy of the attack, we can use it to prevent it. The best way to prevent an attack is to remove the vulnerability. This can be done by simply install the Microsoft updates.
Most malware, ransomware and even the majority of the “Advanced Persistent Threats” using vulnerabilities with public available exploits. Even the most current threat, the WannaCry ransomware, uses a publicly known exploit within the Windows SMB service. A patch for this flaw has been released by Microsoft back in March, which means that infection could have been prevented by correct patch management.
Vulnerabilities could also be introduced by other flaws than outdated software, for example mis-configuration of software. By implementing a vulnerability management proces, known vulnerabilities will become visible and can be addressed. Even if the patch management process is implemented and working correctly, vulnerability management should be performed to audit the correct implementation of the patches. If there is no vulnerability, attackers have nothing to exploit and attacks will not be successful.