On the heels of the WannaCry ransomware assault comes PetyaWrap, an evolution from WannaCry that uses techniques to break into a network and spread from computer to computer. While encrypting computers, it looks for credentials in session to steal, and going one further moves laterally looking in cache for existing credentials, leveraging these stolen credentials on internal networks to gain and escalate access. Let’s take a closer look at these attacks, the importance of monitoring anomalies in behavior, and why it’s time to remove the weakest link in the security chain: the password.
Both Wcry and Petya have been attributed to the leaked tools from the NSA. These leaks have expanded the ability of attacks to be executed by small, lesser known groups. Attackers are finding success targeting businesses that might be considered non-technology-businesses. As an aside, all businesses should consider themselves technology-businesses, with cybersecurity as a core operating value to their business. But more on that later.
First, let’s look at the known targets from WCry Worm.
- Shipping companies
- Train stations
And the targets from the revised Petya Worm:
- Drug maker
- Shipping company
- Law firm
- Advertising firm
- Snack food company
If you look at these industries, you can see the similarities. They are traditional, or non-technology businesses – but they all rely on technology to operate. The challenge for these businesses is transformation. Instead of relying on technology to operate, it’s time for all businesses to become a technology-focused: improve operational efficiencies, leverage automation and invest in IT and cybersecurity. Yes, these investments will cost organizations over the next 2 to 5 years, but what is the cost when falling victim to one of these attacks?
Many vendors will claim they can solve all the problems for every business. We would argue that cybersecurity takes on many different shapes and forms: identity and access management, network security, endpoint security, privileged access management, incident response, red teams, penetration testing, user education to name a few. No one vendor can do it all and SecureAuth has built alliances with other leading vendors to address each step of the attack lifecycle.
The most common attack vector is the pesky password – involved in 81% of all reported breaches according to the Verizon 2017 Data Breach Report. To eliminate the risks posed by passwords, we must start to eliminate the password. Passwordless authentication removes the “knowledge factor” and leverages other technologies to achieve a higher level of assurance that a user or a machine is accessing a resource without malicious intent. For example, user and entity behavior analytics coupled with known bad IP addresses, and notifications and actions being automated from a SIEM, would definitely reduce the impact of ransomware attacks such as Wcry or Petya — and in some cases, prevent it.
These attacks are a critical reminder that organizations using traditional security techniques, including username and password and even two-facor authentication are not enough against today’s threat landscape. Identity-based threat detection and a tightly integrated security ecosystem that can detect anomalies are no longer a “nice-to-have”, but are essential for a strong security posture. It’s time to evolve our security practices and move towards a passwordless state to combat ever-increasing attacks – which will persist as long as it turns a profit.
Next steps for security practitioners:
- Shift priorities to improved cybersecurity hygiene
- Implement a patch management system and implement a patching schedule
- Implement end-user education program and test users via red team/pen testing
- Begin planning for the future. Implement adaptive authentication for scenarios where the credentials are stolen or harvested and render them useless.