Article from April 2017
Everyone in “cyber” and “security” is now talking about how they could have stopped WannaCry and ransomware in general. Depending on which company’s posts, updates and documents you read about this specific type of ransomware, the reality is that MalwareHunterTeam (@malwrhunterteam) discovered WannaCry and @MalwareTechBlog stopped it by accident (btw, awesome work guys!).
My last post addressed some key issues and challenges that 90%+ of companies actually face. This is based on the fact that we do research and also projects that implement SOCs, NOCs, SIEMs and all other kinds of security event reporting and monitoring solutions, since these can use our risk intelligence solution CyberNsight / NeedleStack.
It’s always easy to blame customers and partners for breaches; however, I don’t really think this is productive, nor does it lead to those organizations implementing someone’s product or getting better. If you sell based on blame, FUD and fear, then I would not be surprised if those companies actually do nothing or tell that salesperson or company to take a hike. Granted, there are always going to be companies that don’t see the value of security or of implementing product x, y, z, and to be honest they are very often right.
This “cyber attack”, which it wasn’t btw (I’ll explain later), shows us that we need a more proactive, 180-degree way of training, designing and implementing security operations and solutions. It also shows us that many companies just don’t have the right partners: they keep being sold yet another AV (AntiVirus, UTM, Firewall, SIEM), and while these are absolutely components of secure operations, they are not a singular solution to WannaCry or any other ransomware infection. I have been a big fan of a few things I teach in every training (whether MOC or any other engagement):
Proactive Security Teams
The principle we created way back in the 90s (MiGo Tech) was very simple: hacking is a great way to do forensics, analysis and threat modeling. Teams built on this principle tend to have a more proactive approach to risk management, threats and security.
Teams have active members that breach internal systems in order to identify or predict possible entry points into the network or the company’s systems, and while this sounds costly, in reality it is not. If you calculate the cost of buying all the “security stuff” you currently have and evaluate the value of those things, do you see a trend of fewer successful attacks?
Do you see that risks are mitigated as a result of those solutions or products? Do they help you find new risks or new types of information and intelligence that are really useful to you, the team and the company? These are important questions to ask before any investment in a suspected silver bullet solution, or “SSB” as I like to call them. The difference (I believe) in finding threats is also understanding how they are used or exploited.
This knowledge, combined with research tools and modified forensics principles, can speed up the process of finding the “un-findable” and is the basis for my research and CyberNsight. I realized that spending so much money on services like Shodan and threat feeds did not actually help in the pre-attack phase or in identifying where the next attacks were going to come from.
This prediction required a lot of manual research, which companies either did not see the value in paying for or did not have the awareness, skills or capability to build up. If we add the fact that many threat feeds are actually free (which had me wondering many nights why “cyber” companies charged 300k+ for them), then the question quickly becomes how these really add value to prediction and then detection. Both components need people, processes and procedures to work correctly and efficiently. Lastly there are the factors of time, resources and skills. All are vital to finding those needles in haystacks.
Threat types have evolved with the times! In the picture below we see that threats have evolved along with electronic weapons and attacks. Each iteration in attacks leads to new threats that then require new skills to detect, analyze and stop. Each time a new type of attack shows up, teams must understand the details of those new attacks and adapt their training, analysis and detection to the new indicators of compromise (IOCs).
One thing to note is that new attacks do not always mean completely new vectors: in the case of MitM and SQLi, these attack vectors, as well as phishing, have become more targeted based on OSINT and intelligence information that an attacker or the attacker’s team collects from targets, industries or countries.
Evolving threats also leverage specific areas initially and then evolve, with new attacks that “exploit” other human or organizational weaknesses which previous attacks, successful and unsuccessful, identified as lessons learned.
This concept should not be new to anyone who has been in the military, and it is also logical in that any intelligence, data or component that we use to collect intelligence needs to be trustworthy, available and timely.
When a solution or product does not seem easy to use (i.e. it is not relevant to the process itself), then the question becomes: how is the data we collect, process or store even relevant to operations, security and the company or the customer’s customers?
We collect data for a reason: usually to build awareness and then create defenses, detection rules and actions in case of an attack, and, if an attack does succeed, to detect that it succeeded.
Predictive Risk Intelligence Approach (CyberNsight)
In predictive risk intelligence, our objective is to learn quickly from what we collect in order to predict or calculate where the next threats or risks really are. This is part of the classical intelligence phase that military and intelligence agencies use to “scope out” an HVT (High Value Target).
When a nation state or hacker group wants to find out about a target in its campaign, it looks for risks that can become threats, threats that can be exploited, and exploited systems that can lead to the “motherlode”: the goal, the data, etc. What predictive risk intelligence and analytics really does is help you map risks, compare them with evidence and then use that very early information to test theories, probe systems, see who is collecting what, and find out what your risk exposure really is to the world at large.
Being predictive takes a new approach to threat and risk detection and deterrence. There is no fanciness to this; it is hard work and takes time. This is where we come in: after implementing all kinds of SIEM, IDS, IPS, UTM and whatever they call the technologies of AntiVirus and threat intelligence feeds today, you find that they are not predictive in nature.
Even if “sandboxing” is sold as the next best thing, risks are not detectable if they don’t have some type of signature or behavior pattern that can be matched against a database. This is why being predictive makes the most sense: if you can see threats and risks as they are being created and tested, you are way ahead of the game.
Our solution in this case speeds up analysis of risks by up to 90%, leaving the remaining ca. 10% already pre-analyzed so that teams and partners can concentrate on the risks with the highest likelihood, based on the multiple types of data we collect via our own sensors and technology as well as OSINT tools, which we obviously don’t charge for because they are open source.
What we do charge for is pre-analysis, data collection standardization, the push API, and proactive search technology and engines.
Our Risk Intelligence Training System (NeedleStack)
Our training system leverages our unique approach and solution for predictive risk intelligence, showing users, companies and entities how they can use our platform to speed up the process of risk identification and then export those findings to any system such as a SIEM, log management, GRC or any other type of console or system the customer may have.
There are also pre-tested scripts, queries and areas that we recommend looking at in order to find new and evolving attack groups, campaigns and software that may be relevant. Lastly we show customers how to build searches that return analyzed and scored results, which give tangible indications of potential risks and attacks before they actually happen.
Some components that we look at are:
Scoring returned results (some say proprietary, we say Bayesian, Neural or Probabilistic Analysis)
After applying our patented and copyrighted approach (HDN, M. Goedeker 2017), we then use all the information and analysis options that we have to score results and find out the probability of each result being relevant to the customer or team.
We have our own solution that enables detailed analysis, flexible scoring and reports, as well as exported findings via API and other file types to any solution that can read those file types. The possibilities are endless when you consider that the entire system is open to various types of data, and analysis and scoring can be dynamic or customized. We believe this is the world’s first predictive risk intelligence engine (PRIE).
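As an added illustration of what a Bayesian relevance score on returned hits can look like (this is example code, not Hakdefnet’s HDN / CyberNsight implementation, and the hit texts and their relevant/irrelevant labels are constructed for the example), the following Python trains a multinomial naive Bayes model with Laplace smoothing on a handful of labelled hits, scores new hits with a probability of relevance, ranks them against a threshold, and serialises the result as JSON of the kind that could be pushed to a SIEM or GRC import.

```python
"""Naive Bayes relevance scoring for collected search hits.

Added example, not Hakdefnet's HDN / CyberNsight code. The training
hits below are constructed for the example, not real search results.
"""
import json
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case alphanumeric tokens; good enough for short hit titles."""
    return TOKEN_RE.findall(text.lower())


class RelevanceScorer:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()                       # hits per class
        self.token_counts = {True: Counter(), False: Counter()}
        self.vocab = set()

    def train(self, labelled_hits):
        for text, relevant in labelled_hits:
            self.class_counts[relevant] += 1
            for tok in tokenize(text):
                self.token_counts[relevant][tok] += 1
                self.vocab.add(tok)

    def _log_posterior(self, tokens, relevant):
        """log P(class) + sum log P(token | class), unnormalised."""
        if not self.class_counts[relevant]:
            return float("-inf")                            # class never seen
        counts = self.token_counts[relevant]
        denom = sum(counts.values()) + self.alpha * len(self.vocab)
        lp = math.log(self.class_counts[relevant] / sum(self.class_counts.values()))
        for tok in tokens:
            lp += math.log((counts[tok] + self.alpha) / denom)
        return lp

    def score(self, text):
        """P(relevant | text) in [0, 1]; unseen tokens are smoothed, not dropped."""
        tokens = tokenize(text)
        lr = self._log_posterior(tokens, True)
        li = self._log_posterior(tokens, False)
        m = max(lr, li)                                     # log-sum-exp for stability
        return math.exp(lr - m) / (math.exp(lr - m) + math.exp(li - m))


# Constructed sample: (hit text, is_relevant). Relevant = chatter about
# ransomware being built or sold; irrelevant = vendor marketing noise.
TRAINING_HITS = [
    ("ransomware builder for sale smb worm module bitcoin payment panel", True),
    ("selling ransomware kit encryption tor panel affiliate split", True),
    ("new ransomware campaign targeting hospitals exploit kit dropper", True),
    ("ransomware source leaked bitcoin wallet decryptor", True),
    ("our antivirus stops all ransomware register for webinar now", False),
    ("top 10 ransomware protection tips download whitepaper", False),
    ("ransomware insurance product launch press release", False),
    ("marketing newsletter security awareness training offer", False),
]


def rank_hits(scorer, hits, threshold=0.5):
    """Return (hits at or above threshold, all hits), highest score first."""
    scored = [{"hit": h, "score": round(scorer.score(h), 4)} for h in hits]
    scored.sort(key=lambda r: r["score"], reverse=True)
    return [r for r in scored if r["score"] >= threshold], scored


def export_json(ranked):
    """Serialise scored hits for a push to a SIEM / GRC import API."""
    return json.dumps(ranked, indent=2)


if __name__ == "__main__":
    scorer = RelevanceScorer()
    scorer.train(TRAINING_HITS)
    selected, _ = rank_hits(scorer, [
        "ransomware webinar whitepaper download marketing offer",
        "ransomware affiliate program bitcoin panel smb exploit",
    ])
    print(export_json(selected))
```

Note that both hits in the usage call contain the word “ransomware”; what separates them is the rest of the vocabulary (sale, panel, smb, exploit versus webinar, whitepaper, marketing), which is exactly the marketing-noise problem the next section describes. With so little training data the absolute probabilities are not meaningful, only the ordering, so a real deployment would retrain as analysts label results.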
Details on how WannaCry works
The picture, which is taken from the user @CyberAppy, shows some details on how the initial version of WannaCry works and is executed.
My initial Scan of Ransomware before WannaCry
I did multiple talks last week, before WannaCry actually happened, to show people how you would go about looking for ransomware risks; the search (1 level) took about 1-2 seconds to come back with results.
Keep in mind that you will want to look on the dark web for potential threats, as on the normal net you will find many “hits” that are marketing and not necessarily relevant to your search and analysis. The reason for this is that groups that really know what they are doing will “typically” not want you to find them and their work before it is released or sold to the highest bidder.
Related to this, hacking into multiple social media accounts is another item you can find very easily on the darknet.
If you like what you have seen and understand the value of this powerful solution, let’s have a discussion and figure out how to implement NGSD (next generation security defense).
(So that’s it for this post; if the stuff was interesting and adds value, please let me know and email us at [email protected])
(As always, this post, the information, our solution, pictures and website are subject to copyright 2017 Hakdefnet.) Other pictures are copyright their respective authors.
Update: one of the folks that sinkholed the domain that caused WannaCry saw an attempt via China to steal the domain. Whether this means China is behind it is still way too early to say, but it’s certainly an interesting piece of info. The pastebin link from @MalwareTech is here: https://pastebin.com/r5fh2GxL
The link to IP info is here: http://ipinfo.io/126.96.36.199
Looking at the details of the IP in Netcraft we see the following information:
As you can tell, there really isn’t much data to go on, but the resource that attempted the domain takeover was in fact a Chinese IP. More detailed analysis would be needed to see if this IP turns up in other attacks; currently we did not have any previous hits for it in other attacks that we have seen. The network is however very active, and similar IPs did show up in other ransomware attacks. What this means is not conclusive yet…
In addition there is also a bot on Twitter (@ransomtracker) that looks at payments to the wallets associated with the WannaCry ransomware:
We are providing a free social media followers list of the ransom tracker bot so that you can see who is following the bot. If there is a user you associate with the ransomware, please let us know and we can do a detailed analysis.
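The pivot that paragraph calls for (has this exact address been seen before, and have its network neighbours been seen in other campaigns) is simple to script. As an added example (not Hakdefnet’s tooling), the Python below checks a candidate address against a list of prior sightings for exact hits and then for neighbours in the same /24 and /16, bucketing each sighting at the tightest prefix that matches. The sightings and the queried addresses are constructed from RFC 5737 documentation ranges and are not real indicators.

```python
"""Pivot an IP against prior sightings: exact hits, then /24 and /16 neighbours.

Added example, not Hakdefnet's tooling. SIGHTINGS is constructed from
RFC 5737 documentation ranges; none of these are real indicators.
"""
import ipaddress
from collections import defaultdict

# Constructed prior sightings: (ip, campaign, first seen)
SIGHTINGS = [
    ("203.0.113.7",   "ransomware-campaign-A", "2017-03-02"),
    ("203.0.113.9",   "ransomware-campaign-A", "2017-03-05"),
    ("203.0.113.200", "credential-phishing",   "2017-04-11"),
    ("203.0.7.14",    "ransomware-campaign-B", "2017-04-20"),
    ("198.51.100.33", "mass-scanner",          "2017-05-01"),
]


def pivot(ip, sightings=SIGHTINGS, prefixes=(24, 16)):
    """Return exact hits and neighbouring hits, each sighting counted once
    at the tightest prefix (longest mask) that contains it."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this pivot is written for IPv4 prefixes")
    prefixes = sorted(prefixes, reverse=True)          # tightest first
    nets = {p: ipaddress.ip_network(f"{addr}/{p}", strict=False) for p in prefixes}
    exact = []
    neighbours = {p: defaultdict(list) for p in prefixes}
    for seen_ip, campaign, when in sightings:
        seen = ipaddress.ip_address(seen_ip)
        if seen == addr:
            exact.append({"campaign": campaign, "first_seen": when})
            continue
        for p in prefixes:
            if seen in nets[p]:
                neighbours[p][campaign].append(seen_ip)
                break                                  # do not double count at /16
    return {
        "ip": str(addr),
        "exact": exact,
        "neighbours": {p: dict(b) for p, b in neighbours.items()},
    }


def verdict(result):
    """Collapse a pivot result into the one-word assessment an analyst wants first."""
    if result["exact"]:
        return "known"
    if result["neighbours"].get(24):
        return "adjacent-/24"
    if result["neighbours"].get(16):
        return "nearby-/16"
    return "no prior hits"


if __name__ == "__main__":
    for candidate in ("203.0.113.7", "203.0.113.5", "203.0.50.1", "192.0.2.1"):
        r = pivot(candidate)
        print(candidate, verdict(r), r["neighbours"])
```

A /16 neighbour is weak evidence on its own (large hosting providers fill whole /16s with unrelated customers), which is why the result keeps the prefix buckets separate instead of merging them into one hit count; the “adjacent-/24” case is the one worth a closer look, and even that needs the ASN and hosting context the paragraph above says was missing.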