Published on May 30th, 2017 | by Raj Wadhwa
Protecting Yourself From Ransomware Like WannaCry with SS8 BreachDetect
With the WannaCry ransomware still making global headlines, many IT teams are taking a hard look at their network protection. If your organization was one of the unlucky number hit by the notorious malware, you’re probably still reeling from the aftermath, and if you managed to escape it, you may be wondering when the next potential compromise might hit.
How SS8 BreachDetect Helps Head Off Ransomware
SS8 BreachDetect continuously runs recursive analysis on all High Definition Records (HDRs) it has generated over the past several months, looking for anomalous behaviors such as beaconing, port scans and brute-force attacks that may indicate a compromised asset.
The HDRs also provide deep visibility into 1000+ protocols, and this high-fidelity data is further leveraged to uncover anomalous or malicious communications.
The SS8 BreachDetect Analytics engine can also receive constant updates from threat feeds and go back in time to check whether an asset communicated with a botnet or C&C server that a feed now deems malicious, even where that communication took place weeks or months before the IP address or URL was known to be malicious.
With these capabilities, SS8 BreachDetect can quickly uncover assets that may be at risk of compromise by attacks such as WannaCry.
An Example of a Ransomware Attack on a Network Protected by SS8 BreachDetect
In WannaCry’s case, an SS8 customer running the BreachDetect application would quickly take the following steps to figure out which devices may be at risk:
- Run a quick investigation in SS8 BreachDetect to find out whether a file matching the hash value of the WannaCry malware was downloaded onto any system (over any protocol). Unless a machine is infected via the SMB protocol, someone must click on the executable to launch the ransomware, so it may well be that the ransomware is sitting on a device but has not yet been activated.
- With SS8 BreachDetect Analytics, quickly determine which operating systems and user agents are running on all assets on the network, so that assets running an older version of the operating system can be patched quickly. BreachDetect can even discover assets that a vulnerability scanner could miss (for example because of hardened operating systems on most servers).
- With BreachDetect Analytics, quickly determine whether protocols like Tor are running on the network. If so, one could update the firewall rules to block the ports those protocols are using to traverse the network and stop the attack from completing.
- SS8 BreachDetect continuously analyzes network communication from all assets for anomalous or malicious behavior and can thus detect assets at risk even if the malware mutates and changes the way it communicates with its C&C server.
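As an added illustration of the two retrospective checks described above (matching past communications against a later threat-feed update, and searching past transfers for a known file hash), here is example code written for this page, not SS8's own software; the record layout, the hashes and the addresses are constructed placeholders.

```python
# Added example (not SS8 code): retroactive matching of historical
# connection/file records against a newly received threat-feed update.
# All records, hashes and addresses below are constructed placeholders.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Record:               # minimal stand-in for one "HDR"
    ts: datetime
    src: str                # internal asset
    dst: str                # remote address the asset talked to
    protocol: str
    file_sha256: str = ""   # hash of any file transferred, if known

# Constructed history: four assets, roughly one month of traffic.
NOW = datetime(2017, 5, 15, 12, 0)
HISTORY = [
    Record(NOW - timedelta(days=40), "10.0.0.5", "203.0.113.9", "http"),
    Record(NOW - timedelta(days=3), "10.0.0.7", "203.0.113.9", "smb"),
    Record(NOW - timedelta(days=1), "10.0.0.8", "198.51.100.4", "http",
           file_sha256="PLACEHOLDER_HASH_A"),
    Record(NOW - timedelta(hours=2), "10.0.0.9", "192.0.2.1", "https"),
]

# Constructed feed update: indicator, its kind, and when the feed flagged it.
FEED = [
    {"indicator": "203.0.113.9", "kind": "c2_ip", "flagged": NOW - timedelta(days=1)},
    {"indicator": "PLACEHOLDER_HASH_A", "kind": "sha256", "flagged": NOW},
]

def retrospective_matches(history, feed):
    """Return (asset, indicator, kind, record_ts, lead_days) for every past
    record matching a feed entry, even records older than the flag date."""
    hits = []
    for entry in feed:
        for r in history:
            value = r.file_sha256 if entry["kind"] == "sha256" else r.dst
            if value == entry["indicator"]:
                lead = (entry["flagged"] - r.ts).days  # how long before the flag
                hits.append((r.src, entry["indicator"], entry["kind"], r.ts, lead))
    return sorted(hits, key=lambda h: h[3])

def assets_at_risk(history, feed):
    """Distinct internal assets with at least one retrospective hit."""
    return sorted({h[0] for h in retrospective_matches(history, feed)})

if __name__ == "__main__":
    for hit in retrospective_matches(HISTORY, FEED):
        print(hit)
```

The `lead_days` value shows how far back the history had to reach to surface the contact, which is the gap a feed-only alert would have missed.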