How to Protect Your Organization from WannaCry Right Now
May 15, 2017
Friday saw the beginning of one of the largest global cyberattacks to date. The malicious software known as WannaCry quickly spread via users unknowingly clicking on an infected link, poorly configured perimeter controls, or via insecure remote desktop sessions. By the end of the weekend, it had crippled multiple international business and government computer systems, most notably Spain’s large telecommunication company, Telefonica, and U.K.’s National Health Service.
WannaCry is yet another example of the criticality of staying up-to-date on server and desktop patching, implementing defense-in-depth, and training your users to recognize and respond to threats. This is the first installment of a three-part series in which we will 1) recommend some immediate actions you should be taking, 2) tactical action items to further your defensive posture, and 3) strategic action items to make your environment proactively resilient to these types of attacks so that you can focus on more important things for your business.
Nine Steps to Protect Your Organization from WannaCry
- Do Not Open Any Suspicious Email: Many organizations are surprised to learn their users are often the weakest link in your cyber security. Be sure to remind your users not to open any suspicious emails or attachments. If in doubt, do not open.
- Make Sure You Are Up-to-date: Make sure you are up to date on all Windows patches for your servers and workstations. In particular, ensure that you have MS17-010 installed.
- Patch or Retire Unsupported Operating Systems: If you have older, unsupported operating systems (e.g. Windows XP, Windows Server 2003), patch those as well with MS17-010. Microsoft made an exception to release the patch for unsupported operating systems due to the massive impact of the WannaCry malware. If you do not need the older operating systems, retire them. Consider isolating them with strict access control if there is a limited use for such systems. Even if you are able to patch this particular vulnerability, when a new variant comes out that exploits a different vulnerability, you will again find yourself without adequate protection since Microsoft is not obligated to provide patches for unsupported OS.
- Check Your DNS for access to “kill switch” Domain: Make sure that the “kill switch” domain is reachable from your network. As an alternative, set up a DNS sinkhole and redirect to an internal website with the “kill switch” URL.
- Disable SMBv1: If you are unable to patch, or as an added layer of defense, test and disable SMBv1 if it is not required in your environment. Follow Microsoft’s guidance for your operating system. Be sure to test your applications and services thoroughly to minimize operational impact.
- Check Your Perimeter Defense: Your firewalls should be configured to deny all inbound traffic by default and allow only the necessary ports. Block 139 and 445 TCP from the outside: There is rarely a good (if any) business reason that those ports should be open to the world. If you have an IPS or other deep packet inspection engine, ensure the signatures are up-to-date. Check with your vendor to see if they have provided a signature specifically for the WannaCry malware.
- Check Host-based Malware Solutions: Ensure all of your host-based anti-virus and anti-malware solutions are up to date with the latest signatures and definitions.
- Check Spam Filters: Ensure your spam filters are up-to-date with the latest signatures and definitions.
- Remind Your Users Not to Open Any Suspicious Emails or Attachments: This is not a typo. It's repeated from #1 due to the importance of this step.
WannaCry will be contained, but variants are already in the works. In our second and third installments of this series, we will discuss additional tactical steps and strategic plans that every organization should consider to proactively protect themselves from an attack that they should assume is coming.