Stopping Malware Like WannaCry From Spreading Through Your Network

by Doug Johnson, Senior Director of Solution Engineering

Recently the WannaCry ransomware started to attack hospitals in the United Kingdom. Since then it has spread to 74 countries, and according to Kaspersky the number of infections is still rising. The attack exploits a critical vulnerability in Server Message Block (SMB) version 1.

How WannaCry Works

The malware itself contains two hard-coded domain names that it uses to construct and perform an HTTP query.

  • If the HTTP query is successful, the malware shuts down.
  • If the HTTP query is NOT successful (domain name doesn’t resolve, or query itself fails), the malware proceeds to encrypt files and scan for other vulnerable hosts.

Once a machine is infected, the malware scans for other vulnerable hosts using two different threads:

  1. The first thread looks on the local subnet for port 445/tcp.
  2. The second thread attempts connections to random (public) IPs using port 445/tcp.
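The two scanning threads leave a recognisable footprint in connection logs: one source sending SYNs to 445/tcp at many distinct hosts in a short window, on the local subnet and towards public addresses. The following detection logic, an added example that is not part of the original post, runs over constructed firewall-style log lines and flags that pattern while ignoring a host that simply reconnects to one file server; the log format, thresholds and address ranges are assumptions for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall-style log lines, not from the original post.
# Format: "<epoch> <src_ip> <dst_ip> <dst_port> <tcp_flag>"; S marks a SYN.
SAMPLE_LOG = """\
1494600000 10.1.2.15 10.1.2.20 445 S
1494600000 10.1.2.15 10.1.2.21 445 S
1494600001 10.1.2.15 10.1.2.22 445 S
1494600001 10.1.2.15 10.1.2.23 445 S
1494600001 10.1.2.15 10.1.2.24 445 S
1494600002 10.1.2.15 203.0.113.7 445 S
1494600002 10.1.2.15 198.51.100.9 445 S
1494600003 10.1.2.15 192.0.2.45 445 S
1494600003 10.1.2.15 198.51.100.77 445 S
1494600004 10.1.2.15 203.0.113.200 445 S
1494600001 10.1.2.30 10.1.2.5 445 S
1494600005 10.1.2.30 10.1.2.5 445 S
1494600005 10.1.2.31 10.1.2.5 443 S
"""

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def find_smb_sweeps(log_text, window=60, local_threshold=5, public_threshold=3):
    """Return {src: {"local": n, "public": n}} for every source whose SYNs to
    445/tcp fan out to at least `local_threshold` distinct internal hosts or
    `public_threshold` distinct public hosts within `window` seconds."""
    syns = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port, flag = line.split()
        if port == "445" and flag == "S":
            syns[src].append((int(ts), dst))
    alerts = {}
    for src, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            local, public = set(), set()
            for ts, dst in events[i:]:
                if ts - t0 > window:
                    break
                (local if is_local(dst) else public).add(dst)
            if len(local) >= local_threshold or len(public) >= public_threshold:
                alerts[src] = {"local": len(local), "public": len(public)}
                break
    return alerts
```

Only the sweeping host is reported; the host that retries one server on 445/tcp and the host using 443/tcp are not.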

What is particularly concerning is that Microsoft released patch MS17-010, which would have prevented this attack from succeeding, 59 days before the attack. Any decent security policy would have required a critical security patch to be applied in that time frame. Unfortunately, as the saying goes, the best-laid plans of mice and men oft go awry.

We have all heard this story before. “My organization can’t afford the downtime.” “I am an IT team of 1 and can’t keep up with all these updates.” “Our (most likely border) firewall is security enough.” The sad truth is this will not be the last time a patch not applied results in a compromise of this magnitude.

With hackers trying to compromise your systems, users who find the security policy too onerous for their liking, or the innocents who just don’t know any better, odds are eventually your systems will be compromised. Over time, it tends to be not so much a matter of “if”, but more of “when.”

The initial knee-jerk reaction of most security administrators was to lock down port 445/tcp on all firewalls. Since this is the standard SMB port, that will mitigate this specific attack. The problem is that this is yesterday's thinking: you cannot keep up with today's zero-day attacks using the practices we used 10 years ago.

BlackRidge Transport Access Control (TAC) is a next generation technology that could have protected these critical assets against WannaCry, even if security administrators had not yet applied the MS17-010 patch. BlackRidge TAC brings identity to the network, operating at TCP session establishment. This means that any infected machine, when trying to identify other machines to infect, would not only be unable to infect your protected resources, it would not even see them. BlackRidge calls this cloaking technology, a feature set that was developed in conjunction with the US military and has been tested by various government agencies as well as top tier financial institutions.

How BlackRidge Works

BlackRidge TAC operates on the concept of using identity to allow (forward), redirect, or discard traffic at the TCP session establishment (in the initial SYN of the 3-way handshake). Identity is not just a person or user account – it is what can be used to uniquely identify any resource that accesses a system over a network. This includes people (sometimes accessing from more than one location), a service node, a smart refrigerator…you get the picture.

As a resource initiates a session request, BlackRidge TAC inserts a unique, cryptographically secure token into the TCP header while maintaining RFC compliance. This means that as the packet travels anywhere and everywhere, any other internet technology should still be able to perform its function without impairing the effectiveness of the BlackRidge solution.

At the other end of the session are the resources that are being protected. The BlackRidge gateway will examine each session request coming through, comparing the identity contained in the TCP SYN packet with the security policy relating to that resource. If the identity does not exist or does not match a forward policy the packet will never get to the protected resource.

With this level of security technology in place, the WannaCry malware, or any zero-day attack, would be mitigated because a compromised system would not be able to spread past a BlackRidge gateway without an authorized identity.

How BlackRidge Would Have Prevented WannaCry Proliferation

With BlackRidge TAC in place as a network segmentation solution, normal users would not have an identity that allowed access to critical resources. For example, Joe the pharmaceutical sales representative does not need access to all heart patient records. It is believed that the initial infection of WannaCry was the result of a phishing attack. If Joe did click on whatever link initiated the infection, and the WannaCry malware spread to the machines connected to Joe's system, the lack of an authorized identity to access the patient records would mean that the critical resource remained protected. In BlackRidge terminology this critical resource would be cloaked, meaning that, to the malware, the IP address that was assigned and in use appeared to be unplugged.
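The gateway decision described in "How BlackRidge Works" and the Joe scenario above can be modelled in a few lines. This is an added example, not BlackRidge's code, and it does not reproduce BlackRidge's actual token format (the post does not describe it): the token is a hypothetical identity, timestamp and truncated HMAC, the key is a constructed demo key, and the policy table and identity names are made up. The point it shows is that a SYN with no identity, a forged token or an identity not in the resource's policy is discarded without a reply, so a scanning host sees nothing behind the address.

```python
import hashlib
import hmac
import time

# Hypothetical, simplified model of identity-gated session establishment. It is
# not BlackRidge's actual token scheme, which the post does not describe.
SHARED_KEY = b"constructed-demo-key"  # per-identity key provisioned out of band

# Security policy for a protected resource: identity -> action on the SYN.
POLICY = {
    "patient-records-db": {
        "dr-smith-laptop": "forward",
        "legacy-batch-host": "redirect",
    },
}

def _mac(identity, ts, key):
    msg = f"{identity}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def make_token(identity, key=SHARED_KEY, ts=None):
    """Token the client side attaches to its SYN (model of the TAC token)."""
    ts = int(time.time()) if ts is None else ts
    return f"{identity}|{ts}|{_mac(identity, ts, key)}"

def gateway_decide(resource, token, key=SHARED_KEY, now=None, skew=30):
    """Gateway decision for one SYN: 'forward', 'redirect' or 'discard'.
    Anything that is not a valid, policy-matched identity is silently dropped,
    so an unidentified scanner never gets a reply from the resource."""
    if not token:
        return "discard"  # plain SYN with no identity: resource stays cloaked
    try:
        identity, ts, mac = token.split("|")
        ts = int(ts)
    except ValueError:
        return "discard"  # malformed token
    now = int(time.time()) if now is None else now
    if abs(now - ts) > skew:
        return "discard"  # stale token (replay protection)
    if not hmac.compare_digest(_mac(identity, ts, key), mac):
        return "discard"  # forged or tampered token
    return POLICY.get(resource, {}).get(identity, "discard")
```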

Now, while a BlackRidge network segmentation implementation would have greatly reduced the proliferation of the WannaCry ransomware, this solution would only work if deployed correctly. This means placing the BlackRidge gateways so that they isolate your protected resources from the rest of your network, and maintaining a decent identity management system.

As we stated earlier, a lot of security administrators changed their firewalls to block 445/tcp. This will stop this attack, and specifically this attack, from spreading. What about the next attack that uses a different port? Maybe a port that you can't possibly block because your entire business depends on it being available. By using BlackRidge identity-based network segmentation to protect your resources, you can be protected against network attacks before they can be realized. When it comes to zero-day attacks, having this level of security is no longer a nice-to-have but a key requirement for any business in this day and age.