How Recent Ransomware Attacks Spread
Wanna, Petya, and other ransomware attacks have crippled countless organizations. These articular attacks spread by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) network file-sharing protocol. This protocol is ubiquitous on corporate LANs and allows computers to discover each other for the purpose of sharing files and other
resources like printers. It can also be used for file sharing outside the firewall if the necessary ports (TCP 139 and/or 445) are opened or forwarded on the firewall.
The particular exploit used by Wanna and Petya is known as EternalBlue. EternalBlue allows remote code execution by sending carefully crafted messages across the network to the vulnerable SMB service on computers running Microsoft Windows.
In the case of the EternalBlue exploit, Microsoft quickly issued a patch for this vulnerability once it was publicized, but hackers took advantage of the fact that rolling out patches in organizations is a considerable undertaking and were able to launch these attacks before many systems had been updated. Even in the most diligent organizations, there’s always a gap between vulnerability discovery and patch deployment, which is why it’s so important to have leading next-gen technology protecting your network and endpoints from these kinds of attacks. So how can you protect your organization from letting these attacks into the network in the first place? And if an attack should somehow penetrate your network, how can you prevent it from propagating or moving laterally, infecting other systems in its wake?
Blocking Network Exploits
IPS (Intrusion Prevention System) is a critical security component of any next-gen firewall
as it performs deep packet inspection of network traffic to identify vulnerability exploits and block them before they reach a target host. IPS looks for patterns or anomalies in the code that either match a specific exploit or a broader target vulnerability.
As with the EternalBlue exploit discussed earlier, these attacks typically attempt to send
malicious inputs to a host application or service to compromise it and gain some level of
control to ultimately execute code – such as a ransomware payload in the case of Wanna
Blocking File-Based Ransomware Payloads
While Wanna and Petya spread like worms, many ransomware variants leverage social engineering tricks through phishing email attacks, spam, or web downloads to gain entry to your network through more conventional means. These attacks often start as cleverly crafted malware lurking in common files like Microsoft Office documents, PDFs, or executables such as updates for common trusted applications.
As a result of this new breed of file-based malware, sandboxing technology has become an essential security layer at your network perimeter. Fortunately, cloud-based sandboxing typically doesn’t require any additional hardware or software deployment – it simply identifies suspect files at the gateway and sends them to a safe sandboxing infrastructure in the cloud to detonate active content and monitor the behavior over time. It can be extremely effective at blocking unknown threats like new ransomware attacks before they enter the network.
Best Practices for Firewall and Network Configuration
- Ensure you have the right protection, including a modern high-performance nextgen firewall IPS engine and sandboxing solution.
- Reduce the surface area of attack as much as possible by thoroughly reviewing and
revisiting all port-forwarding rules to eliminate any non-essential open ports. Where possible, use VPN to access resources on the internal network from outside rather than port-forwarding.
- Be sure to properly secure any open ports by applying suitable IPS protection to the
rules governing that traffic.
- Apply sandboxing to web and email traffic to ensure all suspicious active files
coming in through web downloads and as email attachments are being suitably
analyzed for malicious behavior before they get onto your network.
- Minimize the risk of lateral movement within the network by segmenting LANs
into smaller, isolated zones or VLANs that are secured and connected together by the
firewall. Be sure to apply suitable IPS policies to rules governing the traffic traversing
these LAN segments to prevent exploits, worms, and bots from spreading between LAN
- Automatically isolate infected systems. When an infection hits, it’s important that your IT security solution be able to quickly identify compromised systems and automatically isolate them until they can be cleaned up (either automatically or through manual intervention).
Segmenting LANs to Minimize Lateral Movement
A best practice is to segment the LAN into smaller subnets using zones or VLANs and then connecting these together through the firewall to enable the application of anti-malware and IPS protection between segments that can effectively identify and block threats attempting to move laterally on the network.
Whether you use zones or VLANs depends on your network segmentation strategy and scope, but both offer similar security capabilities by providing the option to apply suitable security and control over traffic movement between segments.
- Zones are ideal for smaller segmentation strategies or networks with unmanaged switches.
- VLANs are the preferred method for segmenting internal networks in most cases and offer the ultimate in flexibility and scalability, but require the use (and configuration) of managed Layer 3 switches.
While it’s a best practice to segment your network, there’s no “best” way to segment a network. You can segment your network by user type (internal, contractors, guests), by department (sales, marketing, engineering), by service, device or role type (VoIP, Wi-Fi, IoT, computers, servers) or any combination that makes sense for your network architecture. But generally, you will want to segment less trusted and more vulnerable parts of your network from the rest, and also segment large networks into smaller segments all with the aim of reducing the risk of threat penetration and propagation.
Source: Sophos Whitepaper