Cyber Risk Assessment – get good at it

Today’s reliance on IT is unparalleled and will only increase. While some businesses are pondering the benefits of IoT deployment or bespoke business applications, others are ploughing ahead and pioneering their initiatives. Some of these initiatives are stuttering and some are big winners that have transformed their business. Digitisation and its attendant benefits are the new game in town and are not going away soon.

The constant question that new initiatives will always raise is, what about cyber security? These new initiatives also need to be balanced against new compliance regimes such as GDPR which can levy punitive fines for breaches involving sensitive personal data. IoT means a greater footprint or attack surface; a new cloud application means potential exposure of data or the possibility of unauthorised access. While these risks and others exist, this should not hinder businesses taking advantage of the potentially major opportunities from digitization. What is therefore of paramount importance is a way to effectively assess and mitigate the risk from these initiatives and other IT activities that will enable the businesses to safely adopt new technology. 


Cyber security is everyone’s concern 

Cyber security is no longer just an IT issue; it is now definitely everyone’s concern. Responsibility is being devolved as applications move to the cloud. More departments are involved in selecting and implementing their apps, so they also need to have security at the forefront in both the selection and operational processes.


Comply with regulation or become extinct 

Regulation is now gaining real teeth and therefore compliance is no longer an optional nuisance. Consider the recent Carphone Warehouse breaches. If the recent 6m records breach had occurred under the watch of GDPR, the fine could have been a whopping £428m, compared with the maximum £500k fine which could have been levied under the previous Data Protection Act. Compliance is now an imperative and failure could mean business extinction due to the punitive fines. Compliance should be seen as an opportunity to get your business in shape, in which case everyone benefits.


Cyber risk assessment is a specialism 

Change is another constant in IT, therefore risk assessment should be constant and continuous. Oftentimes risk assessment is left till the end of an initiative when in fact it should feature right at the beginning and be a part of the “go/no go” decision. If risk assessment is built into project implementation, the end result will definitely look a lot better than if it were an afterthought. The struggle is to find people with a good understanding of IT risk management. It is an area where businesses need to invest in training staff at all levels of the organisation.


Risk assessment and mitigation need to be a continuous process where all departments in a business are engaged in continuing assessment, monitoring and improvement of the risk exposure.


An interesting development in this light is a joint solution offered by Aon, Apple, Cisco and Allianz. The components of the solution include the following:

  • Risk assessment, with a target output of an analysis of the business’s level of insurability and its security posture, with recommendations on how to correct any gaps.
  • Those wishing to improve their security posture receive a plan that includes an enterprise ransomware solution incorporating advanced email security, endpoint protection and DNS layer security.
  • The business will also deploy Apple MacOS and iOS endpoints.
  • Businesses choosing this solution will receive favourable terms from Allianz, who consider this combination to be a more secure solution.


While it may not be practical for all businesses to adopt this solution, the method/approach is a useful indication of what can be done. The important thing is that the assessment needs to be continuous and reflect the status of the business and its use of IT at any point in time, which of course is a moving goal post.

7 infographics from the Cisco 2018 Cyber Security Report explained

In our final part of Cisco’s 68 page 2018 Annual Cyber Security Report, we summarise the key findings and highlight the main takeaways contained in the report.
While most of the information is already known, put in context it gives a thorough view of the changing landscape and importantly identifies some of the steps that Information Security teams could take to mitigate the growing risk.
The report’s highlights include:
  • Self-propagating ransomware is a growing trend
  • Legitimate cloud platforms are increasingly being exploited for cyber attacks
  • Cyber attackers are exploiting gaps in security coverage as organisations move to the cloud
  • Lack of skilled cyber security staff is a growing problem
  • Security is more effective when policies governing technology, processes and people are synced
  • Scalable cloud security, advanced endpoint protection and threat intelligence can be deployed to reduce the cyber threat risk
According to the Cisco report, cyber attackers are amassing their techniques and capabilities at an unprecedented scale.
Ransomware is the most profitable form of malware and has evolved into self-propagating network-based cryptoworms, as witnessed by Nyetya and WannaCry. These ransomware variants took down whole regions and sectors of infrastructure such as the Ukraine and the NHS.
Cyber attackers are weaponizing the cloud and using legitimate cloud services from well known vendors such as Google, Amazon, Twitter to host and conduct malware attacks. They are in fact capitalising on the benefits of cloud platforms such as security, agility, scalability and good reputation, oftentimes repurposing their sites before they are detected.
Cyber attackers are exploiting gaps in security coverage including IoT and cloud services, especially where the organisation has not extended its security controls to include securing users and data in the cloud. Another growing obstacle to more effective cyber security is the lack of skilled cyber security personnel and inadequate budgets.
Cisco’s report also provides some essential guidance that organisations should adopt in order to meet the growing challenge and provide more effective cyber security protection. Some of these measures include:
  • Implementing scalable cloud security solutions
  • Ensuring alignment of corporate policies for technology, applications and processes
  • Implementing network segmentation, advanced endpoint security and incorporating threat intelligence into security monitoring
  • Reviewing and practising security response procedures
  • Adopting advanced security solutions that include AI and machine learning especially where encryption is used to evade detection
While the security report is essential reading for all personnel responsible for an organisation’s information assets, in many areas it reiterates what we have been hearing about in the news and trade publications. The essential call to action is really to make a good start by doing the essentials. If you have already done this, then keep testing, refining and improving your cyber security posture.

5 Takeaways from the Cisco 2018 Annual Cyber Security Report

Cloud abuse on the rise according to Cisco Security Report

Cisco’s Annual Cyber Security Report 2018 provides an insightful account into the changing cyber security landscape. This article summarises some findings of the report pertaining to cloud security.
Some main takeaways from the report that will be discussed in this blog include:
  • Legitimate cloud services such as Twitter and Amazon being used by attackers to scale their activities
  • Machine-Learning is being used to capture download behaviour
  • Cloud Security is a shared responsibility between an organisation and its provider
  • There is an increase of belief in the benefits of cloud security
  • Cloud abuse is on the rise
According to the report, increased security was the principal reason security professionals gave for organisations deciding to host corporate applications in the cloud.
Fifty seven percent believe the cloud offers better data security
Organisations who have a security operations team are likely to have a well defined cloud security approach that may include the adoption of Cloud Access Security Broker (CASB) as they deploy to the cloud.
Many smaller organisations, however, are adopting cloud services without a clear security strategy. There is therefore a blurring of the security boundaries, where many organisations are not certain about where their responsibilities end and where the responsibility of the cloud provider starts.
Security in the cloud is a shared responsibility
Cyber attackers are increasingly taking advantage of this blurring of the boundaries to exploit systems.
An increasing trend amongst cyber attackers is to use legitimate cloud services to host malware and command and control infrastructure. Public clouds that have been used for malware activity include Amazon, Google, DropBox and Microsoft.
This makes it doubly difficult for security teams to identify bad domains and take protective measures without risking significant commercial impact caused by denying user access to legitimate business services.
Examples of legitimate services abused by malware for C2
The misuse of legitimate services is attractive to cyber attackers for a number of reasons:
  • Easy to register a new account and set up a web page
  • Adopt use of legitimate SSL certificate
  • Services can be adapted and transformed on the fly
  • Reuse of domain and resources for multiple malware campaigns
  • Less likely that infrastructure will be ‘burned’ (service can just be taken down) with little evidence of its purpose
  • Reduce overhead for attacker and better return on investment
Cyber attackers are effectively using legitimate and well known cloud infrastructure with their attendant benefits; ease of scale, trusted brand and secure features such as SSL. This enables them to scale their activity with less likelihood of detection if current protection methods are retained.
The challenges posed for the security teams defending organisations from these new threats call for a more sophisticated approach, because in effect you need to block services that users are trying to access for legitimate work, such as Amazon or Dropbox. Furthermore, the legitimate services are encrypted, so malware will be encrypted and evade most forms of threat inspection techniques; the threat will only become apparent after it has been activated on a host.
Intelligent cloud security tools will need to be deployed to help identify malware domains and sub-domains using legitimate cloud services. Such tools can also be used to further analyse related malware characteristics such as associated IP addresses, related domains and the registrant’s details.
An emerging and valuable approach to detect anomalous behaviour is machine learning.
Machine learning algorithms can be used to characterise normal user activity, so that unusual activity can be identified and action taken automatically.
Machine-learning algorithms capture user download behaviour 2017
To meet the range of challenges presented by cloud adoption, organisations need to apply a combination of best practices, advanced security technologies, and some experimental methodologies, especially where they need to overcome the use of legitimate services by cyber attackers.

What’s HOT What’s NOT: Cyber Security 2018

What are the main cyber security trends and focus areas for IT Managers and Chief Security Officers so far in 2018?

One thing we know for sure is that cyber security won’t be taking a lower profile as IT embeds itself at the core of organisations becoming a true business enabler.
IT is at the core of organisations and if there is a glitch then the business impact is profound. It is therefore beneficial to be able to focus limited resources and efforts on the priorities that will really make the biggest difference.
So the question is what will be HOT and what will NOT in 2018. The list below, while not being exhaustive, gives a focus on what you should be prioritising.


HOT

  • GDPR
  • Ransomware
  • Cloud

NOT

  • Anti-Virus
  • VPNs


HOT: GDPR

25th May 2018 is the date the GDPR will come into force. The regulation will affect literally every organisation that holds personal data. With the increasing regulatory powers for investigation and enforcement, firms not complying with the regulation could face severe penalties.
GDPR must, therefore, be high on the list of business priorities and a comprehensive approach to GDPR compliance will necessitate a comprehensive review of policy, process and technology.
In a recent article we discovered that 52% of medium sized businesses have NOT made changes/prepared for GDPR!

NOT: Anti-Virus

In the face of the new breed of sophisticated, adaptable forms of cyber attacks, traditional Anti-Virus is becoming redundant. The approach of traditional Anti-Virus, which is based on signatures, relies on threats having been detected and updates being propagated to clients before an attack occurs.
Organisations need multiple layers of protection to stand any chance of detecting and blocking new threats, some of which can dynamically probe and adapt to the host environment.
Anti-Virus is still essential, especially if it also monitors for abnormal behaviour; however, if it is your primary line of defence, expect the worst. As Robert Mueller says, you will be attacked, and depending solely on Anti-Virus increases the likelihood of it happening sooner and more frequently.

HOT: Ransomware

2017 saw the spread of global ransomware variants WannaCry and Nyetya. WannaCry made significant parts of the NHS powerless while Nyetya caused major losses for businesses. FedEx counted losses in excess of $300m and at one stage had to resort to WhatsApp for internal communications due to compromised email systems.
The ransomware ‘business model’ has stepped up a notch with it being made available to buy as a service. The avatar of the attacker has suddenly changed from a stereotypical hoody-wearing geek to just about anyone who can pay with some Bitcoin.
Ransomware has been the most profitable form of cyber attack to date, and franchising it has cemented its pole position as the number one threat in 2018.


NOT: VPNs

Statistics indicate that nearly 50% of workforces are mobile, meaning they access their organisation’s IT applications from locations remote from the organisation’s offices. The ubiquitous VPN has been the secure way of connecting.
With the various flavours and increasing range of users requiring connections, VPNs are becoming a greater management overhead and an increasing security risk, especially if the controls are not kept up to date with the threats.
A need for a more sophisticated and granular method of providing remote access is emerging where users are connected only to what they require, when they require it and furthermore their security posture is established even before they are allowed any connectivity.

HOT: Cloud

Organisations having realised the benefits of cloud adoption have embraced it while mitigating the risks as best they can. The benefits of the cloud in many instances include lower operational costs, agility, increased resilience and scalability.
Cloud adoption is also well suited to the growth of a mobile workforce who need anytime anywhere access to their applications. Securing the cloud data and user access is however an area of cloud implementation that is emerging as a focus area that businesses have not paid sufficient attention to.
Technologies such as secure DNS and the secure Internet gateway are solutions that are highly likely to gain a lot of traction as organisations audit and protect cloud connectivity from a range of emerging cyber threats.

There will inevitably be questions about security topics such as BlockChain, IoT and Phishing, just to name a few. Let us know how your list would be different.

Trial Cisco Umbrella for 14 Days, completely free and no obligations!

If you have read the last few updates you should now have a deeper understanding of Cloud Security, that’s great! But what can YOU do about it? 

We are offering a 14 day trial of Cisco Umbrella, the industry’s first Secure Internet Gateway in the cloud.

Cisco Umbrella provides the first line of defence against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes.

It takes no time to install and you don’t have to provide any payment details (or even have a phone call).

So what’s to lose? 

A View of the Cybercrime Threat Landscape

$2,235,018 per year

The average amount SMBs spent in the aftermath of a cyber attack or data breach due to damage or theft of IT assets and disruption to normal operations.

The amount is staggering, and enough to jeopardize the viability of many companies. Yet the business benefits that come with the internet, cloud computing and other applications are impossible to forego and remain competitive.

That’s why business owners and executives are asking one question:

  • Is our internet safe?

If your service provider can’t demonstrate how it is making your company less likely to become a victim of cybercrime, then it is time to consider alternatives.

In this eBook, we’ll outline what companies are up against today, and how Cisco Umbrella can help bring you peace of mind.

The Changing Face of IT Security

We recently held a seminar on the subject of Cyber Security and the changing threat landscape. The event was very well received by the attendees and covered a number of areas that resonated with them.


Topics covered during the event included:

The cyber security threat landscape was covered by James Barrett, who is the Cyber Security Lead in Cisco’s Commercial teams. James has over 10 years’ experience in the security space. He outlined some key developments that affect organisations and are worthy of consideration as they map out or refine their Cyber Security strategy. In light of recent cyber attacks, the impact, particularly financial, is becoming more severe. One recent example is the Equifax hack, which resulted in a 40% fall in the company valuation as well as the resignation of the most senior executives. The recent Nyetya/WannaCry attack resulted in losses totalling in excess of $350m for FedEx, who at one stage were so severely degraded that they resorted to WhatsApp for internal communications.


James also mentioned the increased talent gap of over 1.5m cyber security professionals globally with this number set to increase. The landscape is further complicated by the proliferation of security products many of which do not work effectively together. In order to gain the right balance and capability of deployed security technology, it was essential to view security from the perspective of an integrated architecture. Such an approach provides for a more comprehensive security solution that shares intelligence between all touchpoints of the information and systems network, whether they are located on premise, in the cloud or remotely. James explained how the need for integration had driven Cisco’s security acquisition strategy.


An example of this is their AMP (Anti-Malware Protection) engine, which has been fully integrated with a wide range of their platforms such as the Meraki MX Security gateway, ISR router, ASA Firewall, the Web and Email security devices, endpoints and Umbrella in the Cloud. This effectively provides the same Anti-Malware capability on clients on and off net as well as a network-based service on premise or in the cloud. All these instances benefit from the collective intelligence gained by their large pool of threat researchers, as well as analysis of 100TB of daily telemetry and tens of millions of users.


James concluded by focusing on the question of where organisations could start. Some options included:

  • Stop Threats at the Edge
  • Protect Users wherever they work
  • Control Who gets onto the network
  • Simplify Network Segmentation
  • Find and Contain Problems Fast

Any option would be a good start and other options could be added progressively to eventually achieve a comprehensive and integrated approach to Cyber Security.


The second speaker for the event was Ali Wadi, who works within the OpenDNS Division (now Umbrella) of Cisco. Ali, while being a real larger-than-life and entertaining character, communicated the importance of DNS in cyber attacks in very practical terms. He broke it down into concepts that were easy to understand and highly relatable.


Important takeaways include:

  • 92% of cyber attacks involve DNS services
  • 100% of organisations interact with known Malware sites
  • Umbrella essentially stops cyber threats in the Internet before they reach the network perimeter – similar to stopping a criminal at their doorstep instead of waiting for them to get to your doorstep
  • The Umbrella solution could be deployed in a matter of minutes
  • It profiles normal behaviour and flags up unusual behaviour
  • It automatically blocks known malware sites, and IP addresses with a poor reputation

Ali included a demonstration of Umbrella, which included views of the portal traffic and behaviour over a period of time, demonstrating how easy it was to identify some anomalies.


The event host Ajani Bandele, Managing Consultant at NetworkIQ, by way of introduction outlined some of the developments in digitisation and corresponding Cyber Security threats. Some points covered included:

  • Digitisation impacts on virtually all organisations
  • Adoption of cloud by 80% of organisations by end of 2018
  • 10 billion IoT devices by 2020
  • 25% of users now connecting remotely

All these factors serve to dramatically increase the attack surface available to cyber criminals who have an ever growing toolkit. Also, the cyber attackers are developing a business model which provides threats such as malware and ransomware as a service. Ajani advised that a sensible security approach would be to ensure that a multi-layered approach is taken to security that effectively manages known types of threats but also is agile and comprehensive enough to respond to unknown and emerging threats.


Ajani also presented a case study based on the trade union PCS, who needed to beef up their cyber security to meet new regulatory requirements as well as fill internal skills gaps. PCS conducted a trial of an advanced threat management solution which highlighted some unknown threats and also provided an extremely detailed insight into their traffic and user profile. The solution deployed by NetworkIQ helped them further secure their network, providing 24/7 proactive threat management and reporting capabilities.


The event received overall good feedback from the attendees and NetworkIQ will be organising a webinar soon to further look at the risk posed by DNS and how this could be addressed.

The true financial costs of a security breach

IT security is critical to protecting those elements of business that you work so hard to secure – goodwill, a solid reputation and consumer trust (as well as avoiding the things that can threaten to damage your company irrevocably, such as bad publicity that endures). Looking beyond these business risks, there lies a wealth of data that provides a window into the true financial costs of an IT breach – and if we begin with the fact that UK businesses faced costs of £29bn from cybercrime in 2016 alone, we come to realise that never has the threat of cyberattacks loomed so large on the horizon for UK companies (ITGovernance).

The (staggering) costs of recovery

Whilst many businesses still consider robust security as simply an unnecessary or overinflated cost, the alternative is what can be truly costly. For UK SMEs, the average malware attack represented a bill of £10,516 in time and money spent following a breach. What makes this figure even more staggering is the fact that two-thirds of all UK businesses have been impacted by a cyber breach in the last twelve months alone (Government). For large UK companies, the costs of recovery have averaged out to £4.1 million.

When looking to the transnational brand names, we also see that no company is immune to the potential of an attack. TalkTalk faced a £60m recovery bill (that’s notably still rising), in addition to a fall in their share price of 30%; not only this, but the brand’s profits are down as they’ve battled to stem the flow of a mass exodus of customers (to date over 100,000 customers have left TalkTalk).

Across the Atlantic, retailer Target were forced to build an entirely new cyber centre – a move that was inevitable following $118 million in lawsuits filed by banks, card issuers and customers after 40 million credit card numbers were stolen.

Facing regulatory fines (and the bad press that accompanies it)

As of 2015 the UK Government reported that they’d collected a record breaking £1.4bn in regulatory fines (each of which had a maximum of £500,000 [pwc]). Yet even these figures may soon just be the tip of the iceberg, as EU GDPR legislation is set to come into effect as of 2018, with estimates that UK companies could then be stumping up as much as £122bn.

Whilst these figures are incredible, there’s a cost that accompanies them that isn’t directly monetary – and that’s the loss of goodwill. Put simply, the bad press that comes along with such fines can be nothing short of business breaking. For more insight into the business implications of a breach outside of financial costs, read our previous blog: The business risks of a cyber breach.

The potential for business closure

In some cases, the costs of a security breach are untenable. Code Spaces, Nirvanix and MyBizHomepage are all prime examples of companies that folded due to security breaches. Notably, the latter company was once worth $100 million – and despite a $1 million attempt to right the wrongs of the breach, the company still folded. What’s more it’s not merely financial gain that attackers set their sights on, as was the case with Ashley Madison (the extramarital affair ‘hook-up’ website), the result of which has been many a divorce case (and a situation that many experts predict Ashley Madison won’t wriggle out of).

What next?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

Global Ransomware virus spread – Nyetya

A new ransomware virus variously named Nyetya, Petrwrap and GoldenEye has been spreading globally over the last 24 hours.

This virus is distinct from WannaCry and other initially suspected variants. It has some unique new features which make it harder to detect and defend against, clearly showing that today’s malware landscape is evolving apace. This rapidly changing threat landscape is driven by a number of factors, including leaked tools from government agencies, more advanced security controls that require advanced malware (the cat and mouse game), or just attackers being more determined and more capable.

This and other recent virus attacks serve to reinforce the need for a defence-in-depth approach to security with comprehensive controls at all levels of an organisation’s IT infrastructure.

Some Characteristics of Nyetya and why it is different

1. It encrypts the master boot record, which makes the whole system unusable and causes more damage. Previous crypto viruses (ransomware) encrypted specific file extensions.

2. It does not use a common attack vector from the Internet

It does not infect by scanning ports for vulnerable services, nor does it use phishing (mails with crafted content with specific covert malware links), file attachments or web sites that host malicious content. Instead it exploits various ways of getting into a network, including exploiting vulnerabilities in mass-deployed accounting software in Ukraine (called MeDoc). The software was tricked into auto-updating with a malicious file (Perfc.dat). Once it is inside, it uses the EternalBlue (SMBv1) exploit to spread (same as WannaCry) but also two other administrative tools (PsExec and WMI), which in general are valid and legitimate tools used inside a network. The use of these tools would not raise any alarms on network security controls. The malware is capable of stealing the current user’s token and using it to distribute itself to other devices via PsExec (it is still unclear how it is able to steal the token), or of stealing the current user’s credentials and using them via WMI.

3. No external internet scans

There is no evidence of external scans (from the internet) in order to locate unpatched SMB services. The only scans that the virus conducts are horizontal, once it is inside the protected network. That makes the virus very hard to detect, as most organisations do not have visibility within their network for such activity.

4. No Command and Control functionality

The virus does not use C&C, so reputation-based security controls cannot detect it. IP address and domain reputation is widely used to detect zero-day attacks and to monitor the spread of a virus. That does not seem to be feasible protection against Nyetya.

5. Special attention has been paid to cleaning up any remaining data and logs

All of these unique characteristics point to the fact that cyber criminals have changed their tactics (after the failure of WannaCry due to the incidental but timely discovery of the killswitch) and want the malware spread to be as stealthy as possible.

Protecting yourself from the attack

A short summary of the techniques necessary to protect against the attacks is listed below. These cannot be undertaken in isolation, and it is assumed that good security practices are already in place, such as a disaster recovery strategy as well as security controls such as anti-malware.

  • Patch your systems (MS17-010 should be applied) and close off (disable) any SMBv1 services
  • Do not use admin/elevated privileged accounts for normal users
  • Monitor your network and endpoints for PsExec and WMI communication and try to establish whether it is valid communication (this could be based on which tool the administrators use and also the time of day)
  • Monitor your internal network segments using an IDS/IPS
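
One way to apply the PsExec/WMI monitoring item above, as an added example that is not from the original article or from any vendor: each remote-execution event is compared with a baseline of which administrator uses which tool and during which hours. The event layout, host names, account names and admin hours are constructed assumptions; the real-world anchors are Windows event IDs 7045 (service installed) and 4688 (process created) and PsExec's default service name PSEXESVC.

```python
import csv
import io
import ntpath
from datetime import datetime, time

# Constructed sample: simplified, normalised endpoint events (not a real export format).
EVENTS_CSV = r"""time,host,event_id,account,parent_image,image,detail
2024-03-05T10:15:02,FS01,7045,CORP\adm-jane,,,PSEXESVC
2024-03-05T10:20:11,WS014,4688,CORP\adm-raj,C:\Windows\System32\wbem\WmiPrvSE.exe,C:\Windows\System32\cmd.exe,cmd.exe /c ipconfig
2024-03-05T02:41:30,WS022,7045,CORP\adm-jane,,,PSEXESVC
2024-03-05T11:02:09,WS031,4688,CORP\j.smith,,C:\Windows\System32\wbem\WMIC.exe,wmic /node:WS032 os get caption
2024-03-05T11:05:00,WS031,4688,CORP\j.smith,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe,notepad.exe
2024-03-05T23:10:44,WS032,4688,CORP\adm-jane,C:\Windows\System32\wbem\WmiPrvSE.exe,C:\Windows\System32\cmd.exe,cmd.exe
"""

# Assumed baseline: which administrator normally uses which tool, and when.
BASELINE = {
    "psexec": {r"CORP\adm-jane"},
    "wmi": {r"CORP\adm-raj"},
}
ADMIN_HOURS = (time(8, 0), time(18, 0))


def classify(ev):
    """Map one event to 'psexec', 'wmi' or None (not remote-execution related)."""
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent_image"]).lower()
    detail = ev["detail"].lower()
    # Target side: PsExec installs a service, PSEXESVC unless the operator renames it.
    if ev["event_id"] == "7045" and detail == "psexesvc":
        return "psexec"
    if ev["event_id"] == "4688":
        if image in ("psexec.exe", "psexec64.exe"):      # source side
            return "psexec"
        if image == "wmic.exe" and "/node:" in detail:   # source side, remote target
            return "wmi"
        # Target side: processes started through WMI are children of WmiPrvSE.exe.
        # Management agents do this too, which is why the baseline check follows.
        if parent == "wmiprvse.exe":
            return "wmi"
    return None


def review(csv_text, baseline=BASELINE, hours=ADMIN_HOURS):
    """Return the PsExec/WMI events that fall outside the admin baseline."""
    findings = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        tool = classify(ev)
        if tool is None:
            continue
        when = datetime.fromisoformat(ev["time"]).time()
        reasons = []
        if ev["account"] not in baseline.get(tool, set()):
            reasons.append(f"account not in {tool} baseline")
        if not (hours[0] <= when < hours[1]):
            reasons.append("outside admin hours")
        if reasons:
            findings.append({"time": ev["time"], "host": ev["host"],
                             "account": ev["account"], "tool": tool,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(EVENTS_CSV):
        print(f["time"], f["host"], f["account"], f["tool"], "; ".join(f["reasons"]))
```

Matching on the default service name misses a renamed PsExec service, so the process-creation checks on both source and target matter as much as the service-install check.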

Which type of network security controls are best suited to discover and prevent malware spread?

While other forms of malware attack may have been stopped by reputation based or email and web security controls, neither would have been effective in this instance.

An essential tool in the armoury of security controls is endpoint security such as Cisco AMP for Endpoints, which actively analyses the behaviour of executable files on the system and performs sandboxing.

IDS/IPS network controls are able to catch lateral scans and spread via the SMBv1 exploit only if they can see the traffic (actively monitoring traffic on the same logical domain). The most common IDS/IPS deployment model is on the Internet edge; as this malware does not use external scans and is not distributed via normal Internet-related channels (mail and web), these controls are not effective. The tactical adaptability in the way the cyber criminals craft their malware attack necessitates a defence-in-depth approach to security where there can never be too much control in place.
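
The visibility point can be made concrete with internal flow records. The following is an added example, not taken from the article or from any product: it counts how many distinct internal hosts each internal source contacts on TCP 445 within a short window, traffic an Internet-edge sensor never sees. The flow tuples, the RFC 1918 ranges treated as internal, the window and the threshold are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the organisation's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (time, source, destination, destination port).
FLOWS = [
    ("2024-03-05T09:00:00", "10.1.1.20", "10.1.1.5", 445),   # workstation to file server
    ("2024-03-05T09:00:30", "10.1.1.20", "10.1.1.6", 445),
    ("2024-03-05T09:01:00", "10.1.1.5", "203.0.113.9", 443), # outbound web, not SMB
] + [
    # One host touching eight neighbours on 445 within eight seconds.
    (f"2024-03-05T09:02:{s:02d}", "10.1.2.37", f"10.1.2.{s + 1}", 445)
    for s in range(8)
] + [
    # A slow source: six neighbours, one every five minutes.
    (f"2024-03-05T10:{m:02d}:00", "10.1.3.9", f"10.1.3.{m + 1}", 445)
    for m in range(0, 30, 5)
]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def smb_fanout(flows, window_seconds=60, threshold=5):
    """Return {source: peak distinct internal SMB destinations inside the window}
    for every internal source that reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source -> (time, destination) pairs still in window
    flagged = {}
    for ts, src, dst, port in sorted(flows):
        # Only internal-to-internal SMB counts as horizontal movement.
        if port != 445 or not (is_internal(src) and is_internal(dst)):
            continue
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, dst))
        while now - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, peak in smb_fanout(FLOWS).items():
        print(f"{src} reached {peak} internal hosts on TCP 445 within 60s")
```

The slow source in the sample is not flagged with a 60-second window but is with a 30-minute one, which shows the trade-off between catching patient scanning and flagging busy file-server clients.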

Don’t WannaCry from the “mother of all” ransomware attacks?

As you might be aware, this Friday 11th May there was a massive global outbreak of a new type of crypto virus dubbed WannaCrypto (aka WannaCry). Major locations hit included the UK (health sector, including hospitals and GP surgeries), Spain, where telecom giant Telefonica was targeted (along with telecoms in Portugal and Argentina), and institutions in Russia. Over 140 countries and over 200,000 systems have been affected.

This article provides an anatomy of this ransomware and some steps to prevent such an attack in the future.

How was the UK affected?

The NHS was crippled (more than 46 hospitals and many GP surgeries reported the malware spread) and had to resort to pen and paper for day-to-day activities. Patients were turned away, important data such as scans and personal test results were lost, and planned surgeries were cancelled. We could easily say that lives were at stake, as some of the more critical operations had to be postponed or done without important test or scan results. This was the stuff of science fiction being played out in real life.

Facts about the WannaCry cyber attack:

1.   The fastest spreading malware ever (over 140 countries with a large number of affected endpoints in a matter of hours)

This link shows the spread over time. The animation was made possible because the authors of MalwareTech were able to hack into one of the Command and Control domains and gain control over it, so that they could trace the incoming call-home requests from the hacked machines (keep in mind that this does not depict the whole spread of the virus, as MalwareTech operated in EST time and the spread in Europe and Asia had already been going for some hours).

2.   The virus exploited a vulnerability in Windows OS systems that was used for years by the NSA (and GCHQ) but only revealed to the public a couple of months ago

Security specialists are quite split in their opinions about the leaking of this exploit.

One opinion is that the vulnerability should never have been leaked, so that bad guys would not have become aware of it and would not have been able to exploit it. This approach is Security through Obscurity or the ostrich effect – dig the head into the ground and if you cannot find it, it does not exist.

The second opinion is that not a single discovered vulnerability should remain hidden, the more people are aware of the threat, the more people can react to it. General security admins had more than two months to patch their systems as an official patch from Microsoft was released pretty quickly after the leak.

Many government and large organizations (due to their sheer size and bureaucracy) are still running Windows XP (for a long time the dominant OS worldwide), and since XP is at end of life and out of support, there was no patch for it.

3.   Kill switch – the virus had a kill switch designed by its creators: a long, hidden domain that, if alive, makes the virus stop spreading. A researcher found it by looking at the malware (reverse engineering it). He was not really sure why the domain was there, but he registered it and luckily helped in stopping the spread.

4.   Botnet Command and Control (CnC) centers were located in TOR (the onion router)

CnC is very important for Crypto Viruses as these are usually created not to destroy but to extort money out of people who want their files recovered and recovery is done via a backchannel in TOR supplying the key. TOR, also known as the Tor Project or the Onion Router, is an online anonymity network designed to conceal its user’s identity and online activities.

If people pay and their files do not get recovered, the rumor spreads and other victims accept their losses and do not pay anything. The current estimate for infected systems with encrypted files is more than 55,000, and attackers want an average of 300 USD for file decryption. That amounts to a hefty sum (if 20,000 users pay, that is over 6 million dollars).

5.   The attack is heavily customized with detailed interaction between user/victim – The information displayed to the user explains in detail what has happened and what needs to be done (how to pay) to recover files and it is translated and shown in 28 languages

How does the attack work?

The malware uses an SMBv2 remote code execution vulnerability in Microsoft Windows. The exploit (codenamed “EternalBlue”) was made available on the internet through the Shadow Brokers dump on April 14th, 2017 and had been patched by Microsoft on March 14th. As SMB traffic does not communicate directly to the outside world, the attack point was via email and then spread internally via the infected host. After initial infection the virus spread like a worm, probing all hosts within the network for open SMB ports and trying to infect them.

Also quite unique for this virus is that it uses different services for performing different tasks, aka the Modular Service approach. For example, it uses different services for file dumping, for finding files with particular important extensions and encrypting them, for disabling the shadow copy/system restore, and for presenting the screen with the note/demands/payment information – yes, that is a separate executable file.
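
The worm-like probing described above shows up in internal flow logs as one host contacting many peers on the SMB ports in a short time. The following detection sketch is an added example, not part of the original article. The flow record layout, the window and the threshold are assumed tuning values, and the flows are constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address

SMB_PORTS = {139, 445}
WINDOW = 60      # seconds; assumed tuning value
THRESHOLD = 5    # distinct internal peers inside WINDOW; assumed tuning value

def smb_fanout(flows, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak distinct internal SMB peers} for sources that reach
    the threshold. flows: (epoch_seconds, src, dst, dport) sorted by time."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still in the window
    flagged = {}
    for ts, src, dst, dport in flows:
        if dport not in SMB_PORTS:
            continue
        if not (ip_address(src).is_private and ip_address(dst).is_private):
            continue              # only internal (east-west) traffic matters here
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop contacts older than the window
        peers = len({d for _, d in q})
        if peers >= threshold:
            flagged[src] = max(flagged.get(src, 0), peers)
    return flagged

def sample_flows():
    """Constructed flow records, not captured traffic."""
    # One host sweeping eight neighbours in eight seconds.
    flows = [(100 + i, "10.0.5.23", f"10.0.5.{i + 1}", 445) for i in range(8)]
    # A normal client talking repeatedly to a single file server.
    flows += [(100 + 10 * i, "10.0.5.40", "10.0.5.10", 445) for i in range(8)]
    # A client reaching six servers, but two minutes apart each time.
    flows += [(100 + 120 * i, "10.0.5.41", f"10.0.6.{i + 1}", 445)
              for i in range(6)]
    # Non-SMB traffic from the sweeping host is ignored.
    flows.append((105, "10.0.5.23", "10.0.5.1", 443))
    return sorted(flows)

if __name__ == "__main__":
    print(smb_fanout(sample_flows()))
```

The flow source has to sit on the internal segments: a sensor at the Internet edge never sees this traffic.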

Protection techniques

This is what unaffected clients need to do to avoid becoming victims of this ransomware.

1.   Patch – regular/automated patching of Windows systems would have prevented this malware from doing any damage by removing the vulnerability that could be exploited

2.   Security awareness training – organization employees should be aware of the dangers of opening file attachments in emails or clicking on links

3.   Advanced malware protection on the endpoints – could stop the execution of the malware in the first stage or downloading and installation of the malware in the second stage

4.   Email security – strong email security would have greatly reduced the spread of the malware, either by preventing any executable files from being delivered to users (this depends on tuning, but even files with unknown status should be blocked and verified before further analysis can be done) or by checking URLs in emails to determine whether they are safe to click (more modern email protection systems have built-in web URL protection)

5.   Web security controls – would help in cases when the infection point happens by URL link in email

6.   Advanced IPS with Command and Control botnet detection – would not be effective in the first minutes of the spread but will quickly update itself (depending on vendor) and will detect/drop outgoing CnC connections. Traditional firewalls with stateful technology would not help except by blocking SMB traffic on TCP ports 139/445 (however, traditional firewall deployments do not scan internal traffic)

7.   Backup your important information in a separate secure location – a reactive approach but very effective towards crypto viruses

Please also refer to updates from the UK National Cyber Security Centre which provide guidance on how to protect against ransomware.

Indicators of compromise

How to check if your network has the malware. Typical indications are listed in the link below.

Basically, infected clients will request connections to the associated IP addresses, and there will be evidence of file transfers with the mentioned SHA-256 fingerprint (keep in mind that there are small variations of the virus, resulting in multiple fingerprints).

Mitigation techniques (after the attack)

Unfortunately, after files are encrypted it is close to impossible to decrypt them without having the proper key. Most endpoint protection companies give you a list of things to do to remove the virus, mitigate its spread, and be immune in the future, but not to recover files. General recommendations vary between different vendors, but most of them follow these steps.

1.   Make sure your endpoint protection software is running and not disabled

2.   Download and install the latest signatures

3.   Install the patch from Microsoft (MS17-010), which fixed the SMBv1 vulnerability

4.   Scan all systems (the virus is usually detected under the name MEM:Trojan.Win64.EquationDrug.gen) and reboot the system (before that, make sure you have the patch installed).

This article was compiled by our Lead Security Consultant Deyan Panchev.