5 Lessons from WannaCry: Preventing Attacks with Security Engineering
With the recent news storm concerning the "WannaCry" ransomware worm, a great deal of mitigation advice has been provided. This advice typically centers around patching, in particular installing MS17-010 from Microsoft (or the KB from Microsoft for XP/2k3), which patches the vulnerability exploited by the ETERNALBLUE exploit used by WannaCry.
Much has been made about the (in)ability for certain organizations to patch, but we felt it would be worthwhile revisiting our favorite Security Engineering principles and seeing how then can be used to protect against WannaCry. While the focus of this blog will be on protection, I’ll be writing another blog post on detection.
Here are five fundamental and widely used Security Engineering principles, which are all reusable across different types of attackers:
1. Default deny
This principle can be expressed as "only provide access where it has been explicitly granted, otherwise deny". This is a useful principle to apply to firewalling and other techniques for managing traffic flow such as IP whitelisting. By denying SMB traffic (TCP port 445) at the organization's perimeter, WannaCry's spreading technique is prevented. Often this principle is not strictly applied to internal systems.
WannaCry was typically able to move laterally within an organization as endpoints (user workstations) were able to communicate with each other. While this may be required in specific situations, the general case is that an endpoint only needs to communicate with specific servers (such as the Domain Controller, networking equipment, fileservers, etc.) but not with other workstations. Appropriately configured host-based firewalls would prevent WannaCry being able to move laterally.
2. Least Privilege
Jerome Salzer formulated this principle as; "Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job". This principle is typically applied to defeating Privilege Escalation exploitation, however, we find this principle to be a natural complement to the first principle. An appropriately segmented network provides only the privilege necessary for the hosts to do their work. If workstations do not need access to other networks, especially operational or production networks, then this privilege should not be granted.
This approach would prevent WannaCry from spreading beyond the network segment it gained access to. This principle also applies to documents, do all systems need read and write access to important data, or only read access? By limiting such privileges, the ability of WannaCry to encrypt/"lock" files is reduced.
3. (Attack) Surface Reduction
Any feature of a piece of software that is enabled increases the attack surface of that software. There is simply more for an attacker to target. In the case of WannaCry, it is reliant on SMB v1 being enabled on a host. SMB v1 is a legacy protocol and is highly recommended by Microsoft to be disabled, if not explicitly required.
By going through the process of discovering which protocols or features are explicitly required for a system to function and disabling all other, unnecessary features, a system is hardened against attack. The ETERNALBLUE exploit will fail if SMB v1 is not enabled, rendering the worm unable to gain a foothold. Another excellent way to reduce the attack surface of a piece of software is to apply vendor patches which resolve security vulnerabilities. Patching Windows prevents ETERNALBLUE from being able to successfully exploit a host.
4. Need to know/compartmentalization
Need to know is typically used to describe data classification systems but it has utility beyond those systems to a general approach to configuring systems. In the case of WannaCry, important data can be safeguarded by only granting access to those who have a business requirement to access that data, that is, a need to know. This reduces the number systems that have access to important data and therefore makes the defender's lives easier as they have fewer systems to be directly concerned about. If important data can be accessed by many systems, any one system that is compromised by WannaCry would be able to encrypt the data.
5. Defense in Depth
This principle is an overarching one that encompasses the four others. In essence, it states that not one single control is sufficient to adequately protect a system. Controls can be physical (like door locks), technical (like encryption) or administrative (like security policies). By using the four above principles together, we can derive a defense-in-depth strategy for protecting against WannaCry that is reusable against other attacks too:
- Firewall off SMB traffic both in-bound and out-bound from an organization's network (#1)
- Aggressively filter BYOD devices or assets with missing (security) patches from accessing resources in the network (#1)
- Restrict workstation-to-workstation communication to only that which is necessary (#2)
- Segment networks so that compromise of one endpoint does not automatically give access to the entire network (#2)
- Disable unneeded legacy features which are liable to be exploited (#3)
- Applying vendor patches in a timely fashion to reduce the number of exploitable vulnerabilities in installed software as part of a continuous vulnerability assessment program (#3)
- Restrict access to important data to only those who are required to have it. Read/write access should only be granted where there is an explicit business requirement (#4)
Defense-in-depth would also indicate that we should be prepared if our other controls fail so it would be natural to add a final guideline:
- Backup important data to guard against critical loss and failure of other controls (#5)
These five fundamental steps can help organizations to better prevent attacks like the WannaCry. Prevention is only one step, so stay tuned for our upcoming blog with advice on improving detection.