Global malware outbreaks: An insight into Incident Response & Security Operations
With two major attacks making headlines in the last two months, ransomware is enjoying its time in the limelight.
In most cases, however, by the time breaches like WannaCry and Petya are being reported in the media, our Security Operations Centres (SOC) are already ramping up work to protect threat intelligence customers from the threat. Customers are able to call on retainer days to invoke our threat response service.
Using the recent WannaCry attack as an example, here’s a look into what happens during a global malware outbreak…
A robust response
The National Institute of Standards and Technology, or NIST, recommends a four-step approach to incident response: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.
Let’s start with the first of these steps: preparation. The old adage of “failing to prepare is preparing to fail” is as relevant here as ever.
As soon as breaches are reported to or detected by the SOC, a priority action is always to create a post on the Cyber Security Special Interest Group, a site maintained by the Fujitsu Cyber Threat Intelligence and Analytics team. This provides a single point of focus for our account-facing information security managers to go to, to collect information that they can then share with their customers.
In the case of WannaCry, the post included a link to a threat advisory, produced back in April for Fujitsu’s Threat Intelligence and Threat Monitoring customers, which detailed remediation advice for the Microsoft MS17-010 security bulletin and the vulnerabilities in the SMBv1 protocol that WannaCry was evidently using to spread.
It also offered guidance on patching and highlighted the risk of the vulnerability and the potentially critical nature of the exploitable capabilities.
A further threat advisory was also produced in this instance – and in light of the scale of the WannaCry attack – detailing specific initial indicators of compromise and further information about the threat.
Containing the threat
That wasn’t all, though – a number of other, parallel activities were also taking place.
Communication is key during any incident response cycle as there are many stakeholders to keep updated. The Fujitsu cyber threat mailbox is positioned as a central contact point, and regular SOC status calls with relevant personnel are scheduled.
An EMEIA-wide communication channel is also set up to make sure all appropriate advice and guidance can be shared quickly and easily.
Whilst our SOC capability is a manned 24/7 function, in the case of a major incident it’s important to ensure business-as-usual work can continue in tandem with the incident response.
As such, in these cases an incident response plan is invoked to ensure resources are available for on-going intelligence gathering and out-of-hours customer support.
This involves making sure all 24/7 staff are up to speed on the latest developments, engaging the Major Incident Management Team, aligning appropriate threat intelligence resource, and communicating with other heads of department so that any resources required to assist in a wide-scale security incident are available.
Investigating the issue
With resources and communication channels in place, it’s possible to focus on the detection and analysis phase. In an incident response scenario, detection and analysis feeds directly into the efforts made to contain (and subsequently eradicate) a threat. It’s a two-way relationship, though, as efforts to contain a threat may in turn spawn further behaviour to analyse.
Working to establish a clear understanding of the task at hand, Fujitsu’s Cyber Threat Intelligence (CTI) team asks specific questions that should inform how to best respond:
- What was the initial infection vector?
- Are there any specific hacking tools being used? What is their purpose?
- Which attack vectors have been impacted? Are there more that we don’t yet know about?
- What persistence and further spread mechanisms are being installed on victims’ computers?
- What tactical, technical solutions could be implemented to protect customers whilst patching is underway?
- Are there any new outbreaks or intelligence to indicate there will be?
Obtaining a variant of the active malware can be vital in finding answers to these questions.
Fujitsu’s active presence on closed intelligence forums meant we were able to get hold of a WannaCry variant, and by analysing it we were able to confirm what was already being reported – such as the use of Windows’ Server Message Block (SMB) protocol as an attack vector.
We also shared our sample with our security vendors to help ensure signatures could be developed for this particular sample rapidly and, in turn, benefit the customers we provide security services to.
Perhaps the most critical factor of accurate detection and analysis is to rely on experience and maintain focus.
The urgency during a major incident to rapidly engage protections or provide assurances to customers can easily lead to the wrong decision being made.
This is one measure of maturity in the security incident response space: making quick and decisive decisions, but decisions based on real data or contextual intelligence.
Patching the wound
Typically, as well as recommending increased vigilance to any potential attack vector such as suspect emails, a patch (if available) is offered as a first defence against a spreading threat.
However, it’s a known issue, particularly within enterprise environments, that a patch can’t always be applied as soon as a vendor releases it. There are processes and procedures that need to be followed, and they can prevent the rapid release of updates.
In light of this, our CTI service aims to offer other tactical solutions that can be carried out in the meantime, as well as working on how best to deliver a technical solution in a corporate environment.
With WannaCry, we were able to make use of our analysis findings to give specific solutions to help stem the attack’s impact. Having confirmed reports of the SMB vulnerability, for instance, we could assuredly recommend customers disable SMBv1, block SMB from the internet and deny any network layer access to SMB port 445 where it isn’t required.
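The SMB mitigations listed above, as an added PowerShell example (not code from the original post or from Fujitsu): it records the host’s SMBv1 state, disables SMBv1, adds a host firewall rule blocking inbound TCP 445 on the Public profile, and reports the result. It assumes Windows 8.1/Server 2012 R2 or later (the SmbShare and NetSecurity modules) and an elevated session; the rule name is an assumed label.

```powershell
# Added example (not from the original post): audit and apply the SMB hardening
# steps recommended above on a single Windows host. Assumes Windows 8.1 / Server
# 2012 R2 or later and an elevated PowerShell session. The rule name is assumed.
#Requires -RunAsAdministrator

$RuleName = 'Block inbound SMB (TCP 445) - WannaCry mitigation'   # assumed label

# 1. Record the current state before changing anything (evidence for the IR timeline).
$before = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
Write-Host "Before: SMB1 enabled = $($before.EnableSMB1Protocol)"

# 2. Disable the SMBv1 server component. The vulnerability is in SMBv1, so SMBv2/3 stay on.
if ($before.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Where the optional feature exists (client SKUs), remove it so it cannot be re-enabled silently.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 3. Block inbound TCP 445 on the Public profile (untrusted / internet-facing networks).
#    Hosts that legitimately serve files on the Domain or Private profile keep working.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Profile Public -Action Block -Enabled True | Out-Null
}

# 4. Verify and report, so the SOC can confirm the mitigation actually landed.
$after = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
$rule  = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    SMB1Enabled   = $after.EnableSMB1Protocol
    Port445Rule   = $rule.Enabled
    Port445Action = $rule.Action
}
```

The firewall rule is host-local; the network-layer denial of port 445 described above still has to be applied on perimeter and segment firewalls.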
Containment is of course just one part of this phase, and with time bought the focus moves to further research of the malware and liaising with the intelligence community to learn more about delivery mechanisms and the source of the infection.
All the while, SOC staff monitor and respond to any questions (there tend to be plenty!) arriving into the Fujitsu CTI mailbox.
Time to take stock
In reality, to call what follows the containment and eradication phase ‘post-incident activity’ is perhaps a little misleading: in the case of a major attack such as WannaCry, the threat is considered to be on-going and monitoring for new variants continues.
Focus remains high, alert calls continue to run, the CTI team are kept on call, and any and all developments are monitored just as closely. There’s always a risk of a new variant of the malware being created and deployed – as was the case with WannaCry.
It is a time, however, to take stock and evaluate how the situation has been handled.
Often, there are a few simple rules that hold true:
- Don’t panic
- Be thorough in thinking through, trying out and testing your incident response plan
- Don’t jump to conclusions on the first bit of data that becomes available – keep your focus and dig deep
- Ensure robust policies are in place to aid recovery – this is of course particularly important in the case of ransomware attacks
Looking back on our response to WannaCry, this approach provided the balance of robust defence and quick thinking needed to stem the tide of what could have been an even more infamous event.
With cyber attacks an ever-growing occurrence, it pays to have a clear plan of action – and one that is agile enough to respond to a rapidly-shifting threat landscape.