Friday, May 12, 2017 was certainly a “Friday, the Thirteenth” for the owners of more than 230,000 computers from more than 150 different countries. WannaCry, the ransomware infected and locked out those devices, demanding ransom payments in cryptocurrency Bitcoin. This attack, the largest ransomware cyberattack in history is probably not the last we will see. As this blog is being written, a new variant of WannaCry is already creating a new round of havoc!
As this cyberattack is progressing, a few questions come to mind. How can the network monitoring device manufacturers, such as cPacket, help the Internet Service Providers (ISPs) to proactively identify, warn, and perhaps mitigate this attack? What lessons can be learned from this attack to increase awareness and prevent future attacks? And no less important, even as the current threat passes, how can we tell if our network is truly clean? Let us explore.
Any malware/ransomware/virus thrives on infecting as many hosts as possible, as fast as possible, creating one of the first fundamental indicators, namely abnormal network behavior. Specifically, WannaCry establishes TCP connections over port 445, searching for a vulnerability in the Windows’ SMB protocol version 1 (an old version) and delivers the EternalBlue exploit. This infection by replication activity generates huge SMB traffic. It also tries to connect to a website that is hardcoded in the ransomware’s code. These are the important clues that monitoring equipment at ISPs can leverage to identify and help take further actions.
How can cPacket help?
Customers deploy cPacket devices in a distributed architecture. This distributed architecture helps in identifying the location of traffic abnormalities, tracking and sending alerts to the security devices (IPS/IDS). The IDS/IPS can also query the cPacket devices (cStor) to extract the raw packets and relevant KPIs related to a specific network abnormality. For example, in the case of WannaCry, cPacket’s devices would have identified higher-than-usual network traffic hitting a specific URL. This would have violated the automatic baselines setup for network activity – throughput, burst, SYNs and session duration. Any/all of these would have triggered alerts from the cVu devices (deployed in different points in the network) to cClear, the central management console. Working in conjunction with IDS/IPS, these alerts would have triggered the IPS/IDS as well to perhaps take a policy action.
Network monitoring tools, such as cPacket’s cVu, can act as an early-warning system to ensure IT & Security Policy Compliance. Compliance is not a do-it-once-and-everything-will-be-compliant scenario, often, the policy violators that escape the policy enforcement are those devices that were recently powered on after many months of being powered off – think of the laptops and desktops that are lying around because they are old and one fine day, your colleague got a bright idea to re-purpose those devices and powered it on. Network tools help by sniffing the packets on the wire and look for applications, protocols and network behavior that violate IT and Security policies of a corporation or ISP.
cPacket cVu’s can also test whether your network is truly clean. For instance, the SecOps admin can initiate cSearch, a federated pattern match and search function on cClear that searches all the traffic flowing through the distributed cPacket infrastructure, in real time, and its attached cStors for specific patterns. cSearch can be initiated natively on cClear or triggered remotely via APIs from an IDS/IPS that has access to the malware signature knowledge base. This helps in augmenting end-point security as well.
By providing wirespeed monitoring at 1 Gbps to 100 Gbps as well as distributed monitoring points throughout the network, cPacket’s devices, built around its proprietary ASIC, deliver the breadth and depth of coverage crucial to proactively detecting and mitigating threats such as WannaCry.