Global Ransomware Attack: Latest Updates with our Security Panel
May 17, 2017
Simon Townsend | Chief Technologist | Ivanti
Chris Goettl | Director, Product Management, Security | Ivanti
Phil Richards | Chief Security Officer | Ivanti
Matthew Walker | AVP EMEA Product Specialist | Ivanti
The attack continues to morph and grow - even since we finished our live updates on Monday. So, our security experts will host a discussion on the latest vulnerabilities and how to fix them during this LIVE security panel on Wednesday.
Come with your questions for the security team. During this webinar, you can expect:
- Recap of the current situation
- Response by Ivanti
- What's new since Monday (5/15)
- Detection, prevention, and recovery
- Biggest concerns going forward
- Offer and updates
- Question and answer session
Simon: Good afternoon, everybody. I'm hoping the majority of people can hear me on the call. Thank you very much for attending. This is the second Ivanti Ransomware webinar we have run this week, following the outbreak of the WannaCry/WannaCrypt ransomware over the weekend. We ran an extremely well-attended webinar on Monday, which is available online. That webinar was viewed by over 3,000 people and, subsequently, we thought it was good to continue this webinar series and provide an update to you with the same panel of people, 48 hours on.
I think we were having some audio challenges toward the start, but I'm just going to check in with my other panelists who are based in the US. On the panel today, you have me, Simon Townsend. I'm the chief technologist at Ivanti for EMEA. You also have, next to me, Matthew Walker, who is the AVP in EMEA and a security specialist. Phil Richards, our very own CSO. Phil, are you on the line? Can you hear me?
Phil: Yes, I am, Simon. Can you hear me?
Simon: I can, indeed. That's great news. And we also have Chris Goettl, who is the manager of product management for our security division. Chris, can you hear me, too?
Chris: Yes, I can, Simon.
Simon: Excellent, I'm glad to hear that everything is working. Thank you very much. As I said, for everyone who’s joined the call, let's give a very quick recap of what's going on as I'm not sure how many of you attended our webinar on Monday. I'm fairly confident the majority of people involved in IT and InfoSec teams around the globe now fully understand what's going on, but I'm going to ask Phil to give us a very quick recap of what we covered on Monday in terms of this particular piece of ransomware, why it was different, and why it spread so quickly, before we move on to what's happened in the past 48 hours and what we can actually do to try and help. Phil.
Recap of ransomware attack
Phil: For those of you who may have been on vacation, camping in the mountains, or hiding under a rock the past few days, there was a very significant attack that went worldwide, an attack with a malware piece called "Wanna Decrypter 2.0." That is a piece of ransomware that has wormlike capabilities. What that means is it has a pretty strong ability to replicate throughout a network and throughout an environment and encrypt a significant number of files.
The wormlike capabilities come from a few components, one of which is codenamed "Eternal Blue." That actually comes to us from the National Security Administration in the United States and was an exploit leaked or stolen by a hacker group known as Shadow Brokers. This ransomware contains what is known as a “kill switch.” That kill switch was activated last Friday. The purpose behind a kill switch is to stop the attack. So the original attack had a kill switch that was activated last Friday.
There are a couple of reasons this remains such a big deal. First, there are still a large number of machines or systems that have encrypted files. Second, several variants of this virus have come out since Friday, some of which have different kill switch capabilities. Others don't have any kill switch capability at all, so there's no way to turn them off. At last count, the ransomware has impacted more than 200,000 organizations, and the initial virus has received somewhere in the neighborhood of $50,000 worth of ransom in Bitcoins. However, the people who have created that ransomware haven't, as yet, touched any of the money in those Bitcoin purses.
Simon: Thank you, Phil. Hopefully, most of you were aware of that, but I think it's important to review. There's been a lot of talk around the need to patch over the past 48 hours and since the outbreak last Friday, and patch definitely is one of the key areas in which you can prevent this piece of ransomware from spreading, by patching that vulnerability on the SMB share. I know some of our customers have been confused over whether it was more like a piece of ransomware, a worm, or a traditional vulnerability. As Phil summarized, it's more a combination of all three, which is what's made it as deadly as it has been.
Free offer of Ivanti patching software
For those of you who are unaware, we were pretty quick to respond. On Monday morning, we announced we were happy to offer our customers a free-of-charge offer for our patching solutions. The website link is there and says Free Patching. If you go to ivanti.com, there is a banner on the main page. Follow the link from that banner to get access to the offer. Fill in your details, and you'll get the free-of-charge patching software to deploy and help you patch that vulnerability that has caused the pain over the past four or five days. The software entitles you to our patching solutions for 90 days. We ask some very simple questions. We ask how many devices you need to patch, how many workstations, how many servers. We also ask whether you utilize SCCM or not. Whether you use SCCM or not will determine whether you get our patch plug-in for SCCM, or whether you download the native tool, our patching tool, which contains its own vulnerability assessment and deployment technology. There's no limit on that, and as you can imagine, following the webinar we held on Monday, we received hundreds if not thousands of requests for that software. I'm pleased to say we are processing those as quickly as possible, and that is going to run from now until June 15.
We're not trying to sell any software here. We are a patching organization—in fact, we are the largest third-party patch organization in the world—and we see it as morally correct that we help your organizations patch those systems that need it and help you try and understand those machines that haven't been patched. I think the discovery aspect of which machines haven't been patched is just as important for some of our customers and organizations.
I’ll come back to that in a bit and let Chris talk to some of that, as well, but I think it's probably important, since we spoke on Monday, to take a quick look at what's happened in the past 48 hours. The news seems to have died down. I'm based in the UK here with Matt, and if we go to the BBC website today, the news is no longer at the top of the website. It's probably down the list in terms of the top newsfeeds. However, for many of our customers and organizations, it is still a number one priority. A large number of our customers are on lockdown. A large number of customers have had to shut down various IT and business services because of it. Phil, I wonder whether you could touch on what we've seen. We've definitely seen a slowdown, haven't we?
Developments 48 hours after ransomware attack
Phil: Yes, and I think there are a couple of reasons for the slowdown. The first is really the activation of the kill switch, both on the original Wanna Decrypter 2.0 variant, as well as the 2.0 (a) variant, which is another variant that has a kill switch. There are other variants, such as 2.0 (b), that don’t have a kill switch, but because of the kill switches, there has been some slowdown.
Additionally, there has been a very significant effort to patch environments and systems with the specific Microsoft patches that will remediate the SMB issue that is causing a lot of the proliferation and penetration of this particular piece of ransomware. So patching, kill switches, and better behavior on the part of organizations, I think, are the things causing some of the slowdown. It doesn't take very long for an organization to realize that a ransomware attack can cripple that organization critically, so organizations learn from that fairly quickly and put the right controls in place.
Simon: We've had some customers contact us, check in, make sure their configurations were up-to-date. I’m pleased to report some of those customers haven't had an outbreak and haven't seen an outbreak, but we're also starting to see some new variants. We're not going to get into too much detail on what those new variants are and what they can and can't do, but we are seeing some copycat ransomware out there and news that there are variants that don't have the kill switch, as an example. Right, Phil?
Customer responses to ransomware attack
Phil: Yes, that's right. We're seeing multiple variants, and an increasingly large number of them can now be detected by certain antivirus and antimalware solutions.
Simon: Excellent. Matt, I'll come to you quickly. What have we seen from a customer point of view?
Matt: We have seen a slowdown in the proliferation of the attack, but we have increasingly seen customers coming to us for assistance who do not have our security patching. We've been able to help them from a support perspective and significantly through our Ivanti community website, which is community.ivanti.com. In fact, that's had close to 10,000 inquiries, so it is a very helpful place to go. We have our free 90-day Patch license offer, which is being taken up in great numbers, to help organizations take back control of their IT environment. The strong interest in that offer indicates organizations are taking the need to implement a sharp update of their security patches seriously as part of, in some cases, a defense-in-depth strategy. That is actually leading us on to talk about controlling and managing what software actually executes in the environment, too, which is particularly relevant to crypto-ransomware.
Simon: You raise a good point there, Matt. It's not just about Patch, and I think we are going to come to that in a second. Detection, prevention, and recovery. Phil, these words sometimes get misused. You know, Ivanti commonly talks about how prevention should come before detection and that we should prevent with things like Patch and application whitelisting, so you have less to detect with things like your AV and any other detection-based tools you have. But discovery is just as important, particularly post an attack like this, correct?
Detection, prevention, and recovery
Matt: Yes, so let's cover this. These three terms help us provide a fence or scope around the types of activities that help identify and remediate what's going on with this ransomware. We mentioned antivirus and antimalware solutions earlier, and I want to ask Chris Goettl to talk a little about some of the issues or items Symantec has brought up, and how that relates to this particular question. Chris?
Chris: Yesterday, Symantec issued a press release talking about the fact that they have, throughout their customer base, seen 22 million attempts to infect systems by the different variations of this ransomware, attempts which have been deflected. That's great, but the interesting part of that is it's 22 million attempts across 300,000 endpoints. When you figure that out, it comes down to an average of 73 attempts to infect and try to ransom per system. It's hard to imagine 73 phishing attempts on a user to get ransomware onto a system. To me, that says there were either a lot of systems that were not patched against that SMB exploit, or there might still be many not patched.
This is one of the pieces that was really important to us and one of the reasons why we made this free offer to not only our existing customers, but also to anybody out there who is being affected by this attack or is at risk of being affected by this attack. Microsoft released a new version of the MS17-010 update for Windows XP and Server 2003. That has been updated in all of our Windows catalogs, so we can support it through the SCCM platform, which Microsoft does not do. They've made the patch available, but they haven't updated their systems to push it out. You have to do that yourself. We've updated it in our catalog. We've added our own proprietary products to our catalogs, as well, so we can support those legacy systems. If you look at feedback from security groups like the Chertoff Group and the Department of Homeland Defense, they're strongly recommending getting that patch into place. They're also suggesting that in areas of the globe that have been hit hardest, it's because of a lot of legacy systems, a lot of end-of-life operating systems like XP and 2003, for which that patch has not been available since March.
The MS17-010 patch
Simon: Chris, you look after all of our security portfolio, right? In particular, you have grown up with what was the Shavlik Patch business. You mentioned the MS17-010, this famous patch that everyone's going to know the name and number of moving forward. But we've had some customer operations that have been struggling to find it. Do you want to fill us in on why that is the case?
Chris: Yes, Simon, that is a really good question. Microsoft has undergone a lot of changes since the Windows 10 release. They've moved to a cumulative roll-up model. There are a lot of advantages to this model, and there's also a bit of confusion going around. MS17-010 is the bulletin Microsoft released in March that addressed many SMB vulnerabilities disclosed through the Shadow Brokers leak, which is where a lot of the proliferation of this attack is coming from. The ransomware is able to propagate much quicker with wormlike capabilities because this SMB protocol allows it to do so. That's why people need to make sure this patch gets updated and in place.
For anything Windows 7 and later, if you're on any of the server OSs or workstation OSs for Windows 7 and later, you need to make sure you have, for March, April, or May, either the security-only bundle or the cumulative roll-up, which, for any one of those three months, will include those SMB updates. Making sure you have the OS bundle for any one of those months will cover you.
This weekend [5/13/2017], Microsoft released the additional bulletin for XP and 2003, so we're making this free offer available to anybody out there who needs to address those systems as well, to help make sure they continue to plug that gap.
The biggest confusion here is people are looking for MS17-010, the individual bulletin, but for any system on the market today, you're not going to detect it on the system as that. You're going to be looking for the security bundle or the cumulative roll-up for each system. As long as you have that for March, April, or May, you're including that update in that roll-up.
Simon: Outside of this particular bulletin and outside of this particular attack, Chris, understanding what patches are missing and which of those critical patches are missing across the complete IT estate, i.e., across all devices, workstations and servers, can be quite difficult without certain tools. Am I right?
Importance of tracking patches across all systems
Chris: Yes, absolutely. It's a big challenge to visualize and see that. A lot of people we've talked to are having challenges ensuring every system has the update, and a big reason people are getting hit is they don't have good discovery capabilities to identify where all systems are on the network. Any system that isn't visible to you and isn’t managed properly is one more area where you could get reinfected, and that could attempt to propagate out, as well.
Virtual systems, especially those that tend to be offline frequently, for example if you have people running VMware Workstation, or if you run a large virtual infrastructure with a lot of systems that typically remain offline until they're needed, those systems are a challenge. This is an area where our data center solution for patching systems allows you to assess the offline VMware VMs as well as the online. You can assess and deploy updates to offline VMs and templates and catch a lot more of those.
The VM sprawl is a huge challenge for people right now, as they try to identify where every system is and make sure the update is applied before it comes back online. Otherwise, you could have reinfected systems and start to proliferate that vulnerability or that exploit out again.
Simon: Yes, good points. Phil, do you have anything to add on that side of things? We have had customers come to us and ask, "I've been infected, so how can I not only understand more about how your solutions could have helped prior to the attack, but also what recommendations you have around recovery?"
Importance of privilege management and application control
Phil: Yes. Antivirus and patching, as you mentioned, fall in more of the detection and prevention space. Also in the prevention space, we have application control, which I know we'll talk about in greater detail later. This is essentially application whitelisting. New executables, such as this ransomware, would not be able to execute in an environment where only whitelisted software executes. In addition to all of that, there is the privilege management capability. The way that helps is this: when ransomware infects your computer, it reaches out to all of the files and mount points you have mapped into your computer and encrypts every file that it has write permissions to. Privilege management allows you to limit the amount of damage this kind of ransomware can do by not providing access to all files all the time.
There is something else we need to talk about as well, which is a backup strategy, i.e., having your files backed up, and not only backed up, but backed up in an offline kind of configuration so your backup doesn't get encrypted. The ability to do practice restores, so you're confident from an organizational perspective that you can restore your files if and when they need to be restored, is another part of the recovery process. So kind of putting a bow around it: there's antivirus, patching, application control, privilege management, and backup and recovery.
Simon: Yes. you raise an interesting point. We have a team here called our Software Integration Team, and they are almost like an internal team. They can do a whole host of testing and integration work for us, and, in this particular example, they were able to do some analysis on the attack that happened. What they found was the payload coming down and the way things were being kicked off on an unpatched machine was typically using a standalone executable and a mixture of registry entries, a VBScript file, and a .zip file that was self-unpacking, which really kicked off and did the majority of the encrypting of the data packages. So your point about application whitelisting really is a key point, because if you have application whitelisting in place, that initial executable and the initial scripts introduced by users that are unknown and not on a whitelist, whether they are scripts, .zip files, PowerShell files, or executables themselves, are ultimately going to be blocked. The payload is prevented from being executed in the first place, which I think is really important, not just for this attack, but for the zero day in the future things that could or couldn't happen out there.
Simon: We still have the offer running until June 15, so if you haven't registered for that or if you haven't been on the community site, please check that out.
If you have any questions, what we're going to do now is flip over and start taking those questions. As I said on Monday, we had somewhere in the region of 3,000 people registered for the webinar, and the numbers are very high for this one, as well. I think what's important is that we go through and answer some of the questions we have seen come in from Monday's webinar and also today’s. If you’ll bear with me a second, I'll take a quick look at what questions we have queued up.
Phil: Simon, Phil Richards here, we have McKay Allen here who's actually monitoring all the questions, so I think we can turn that part over to him, if you're comfortable with that.
Simon: I'm more than happy. I didn't know whether we had him back on audio. McKay, are you there?
McKay: I'm here Simon, yes. I don't know what happened at the start there, but we're back.
Should organizations pay ransoms?
Let's run through some of these questions. First up, we're getting this question a lot, and this is showing up all over the place, not just among our audience and customer base. Should you pay the ransom? Everybody's read different stuff on that. Is that a good idea? What are your thoughts on that?
Phil: Let me give you my perspective on this. There are a couple of different things. First of all, let's talk about this particular infestation. This ransomware infection has been so wildly successful, it has surpassed the expectations, I believe, of the criminals, and the criminals have gone dark. They are not collecting money out of their Bitcoin purses, and they are not providing unlock keys for ransoms that have been paid. As a result, paying a ransom simply will not get you any kind of unlock codes for your encrypted files, so for this particular ransomware, paying the ransom certainly would not yield anything.
Some ransomware criminals will provide unlock codes, others will not. The other thing is, from a social perspective, it's better to not pay the ransom. The reason criminals put these kinds of software out there is because they want to get the money. If they don't have a way to get the money, then the software becomes useless, and they won't go through that process. In general, I think it's a bad idea to pay the ransom. In this particular instance, it's a really bad idea.
McKay: Great. Another question we're getting a lot is, how did these computers get infected to begin with? Most of the time these are phishing email scams, right? Do we know exactly what the offer was that people clicked on? Do we have any sense of that? And am I correct that this is generally how these things happen and how this one spread so quickly?
How does infection happen?
Phil: A lot of these come from social engineering or phishing email campaigns. In this particular case, there have been reports that a few days ago, several DocuSign email addresses were compromised. Those DocuSign credentials were used to create fake DocuSign "You need to sign this contract" types of emails and sent to DocuSign users. It was actually started from a couple of different breaches, which then created this proliferation and wild success of this ransomware, including this one from DocuSign.
McKay: Great. Any other thoughts on that? Simon or Chris or Matt?
Simon: There are, obviously, other ways the attack could have come through. This particular one and the reason why it spread as much as it did was because of the vulnerability and lack of patching, but it could have been someone actually hacking into a system and planting it there. It could have been misuse by an employee, for example. It doesn't always come through phishing. It doesn't always present itself as an email that a user has clicked on accidentally.
McKay: Matt, anything from you?
Matt: Yes. As we've seen, the proliferation has slowed down a bit. People may not be paying the ransoms, whereas in the past, there was guidance from some organizations to pay up and you'll get your data back, which raises ethical issues itself. What we are seeing, and what we’re being asked by some of our customers, is what next? At the end of the day, this type of attack is a certain attack data on organizations to hold them ransom for money, but what if you were going to hold them ransom for infrastructure? This is where the same sort of defenses used to protect against this type of attack could also be very effective in preventing much more serious types of attacks on infrastructure. The same preventive methods we've talked about are good practice to stop what could be more significant attacks in the future.
Simon: Okay, Great. McKay, what else do we have?
McKay: There are a lot of questions here. One question, let me read it verbatim. "What impact can this have on information that is already protected with the FIPS 140-2 encryption?" Getting kind of specific and in the weeds, but Phil, what is your sense of that?
How does ransomware impact encrypted files?
Phil: Okay. Let’s backtrack a little bit. FIPS 140-2 is DoD specific, or DoD compliant encryption. Some of the files on our systems are encrypted on purpose. We do that because we need to have them encrypted, or we're sending them over the network, or for whatever reason, they need to be encrypted. This particular standard means they're encrypted to a high degree of strength. If we have files that are encrypted at rest, or encrypted where they are sitting on the file system, and you get a ransomware, what's going to happen is the encrypted file is going to be re-encrypted. It's encrypted twice, and the ransomware encryption is the one you won't be able to break. You still have your data encrypted underneath the encryption so it's re-encrypted data.
Encryption is a way of scrambling the data, so it's been scrambled once, and then it's been scrambled a second time. The data is locked out from you as a user. You won't be able to access it, even if you encrypted it previously.
McKay: Okay, great. Now, we have lots of questions, and this is probably for you, Chris, about the scope of the trial we're offering of our patch tools. Is this for certain types of patching only? What exactly are we offering as part of this offer that runs until June 15? Can you scope that for us a little bit, Chris?
Scope of free software offer
Chris: Yeah, that's a great question. Just to be clear, this is not just for customers of Ivanti. It is for anybody who's affected by this type of attack.
Regarding the products we're offering—when you fill out the form, the first question you’re asked is whether or not you're running SCCM. If you are running SCCM, we can offer you our additional third-party plug-in, which gives you access to our extensive catalog of third-party updates and the XP and 2003 MS17-010 updates Microsoft released publicly. That's for people who are on SCCM. They have already plugged the gap on many of the platforms out there but have legacy systems they need to patch along with all the other third-party updates that are out there.
We talked a little about phishing as one of the ways this might get introduced into an environment. That phishing scam could come through browsers, through Flash Player, through all different types of vulnerabilities that could target a user. It's very important not to focus on this SMB update only, but to also focus on the types of updates that commonly get used in phishing exploits like that or drive-by downloads, things like that.
If you're not using SCCM, then we offer you our proprietary software. It's our own native solution. It can do everything from the Microsoft OS to Microsoft applications and our extensive third-party catalog. In either case, it's not 50 systems, it’s not 100 systems. You'll be asked to give us a specific count of how many systems you need to manage. We'll give you a full license of our software for that 90-day period for the total number of systems you need to update. This is not a trial. This is a full short-term license of our software that enables you to update everything on your systems, from the OS through the third-party stack.
McKay: That's a good point. I think even we've talked about it as a trial, but in reality it's different than a traditional trial.
Are ransoms ever refunded?
We have some questions about the scope and about ransomware generally. We received lots of these questions on our website yesterday and Monday, too. In these scenarios, and specifically with this attack, do the people who pay the ransom ever get any money back? When they pay it, is there any guarantee whatsoever that they will actually get the data out they're trying to get, that they paid the money to get? Does it fix anything?
Phil: A couple of good questions there. The answer to the first one is the people who are dealing with this ransomware are criminals. They're not into giving money back, so there's no such thing as a refund. There's no way to get that money back. In fact, one of the things about Bitcoin is they are atomic transactions in Bitcoins. Money that goes out and gets paid to a specific Bitcoin wallet is gone. There's no way to recover it. The criminals would have to issue a refund, and they typically wouldn't do that.
The second part of your question was, are they getting anything for paying the money they're paying? As we mentioned before, for some pieces of ransomware, you will be able to get an unlock code. For this particular piece of ransomware, that's not the case. There will be no unlock codes for at least the Wanna Decrypter 2.0 original version. I don't know about the A or B or other variants, but at least with the original one, there is no way to get an unlock code.
Chris: And you can also see, as in previous ransomware situations, if the same system gets ransomed for a second time, they're not going to give you that one back. They're going to make you pay again, so reinfection is also a problem. Even in a case where they let you pay the ransom, gave you a key, and you've unencrypted, if that same system gets hit, you're doing it all over again, so it's not a good situation.
Phil: That’s a really good point to bring up. We talked about encryption happening in layers. If a file is encrypted multiple times, it has to be decrypted multiple times. It has to be decrypted the same number of times it was encrypted. If a common file on a server, for example, gets encrypted by user one and user two, both user one and user two have to decrypt that file before it's available for use.
McKay: We have a lot of questions also about how the layered security approach could prevent this in the future and fix vulnerabilities. We've talked about patching a lot, but let's talk through whitelisting. You know, there's AV, there's a ton of stuff here. Talk about this layered approach. Where should someone start on this journey, and where should they end up? I know that's a big question.
How layered security helps with protection
Simon: Phil, I'll come to you, but if I can start with that. Patching definitely needs to be number one. I think what we've seen this week has proven that. It's not only about a layered approach. I think it's also about looking at the business, looking at what your users require and what they need to do their jobs and continue to be productive. There's a balance between risk and, dare I say, effort, as well. We'll come onto whitelisting in a second, because whitelisting can require a tremendous amount of effort, which is why some people don't do it.
In my mind, once you've looked at patching operating systems and applications, the next best step is to look at your business and your user estate and try to ensure your users have the correct level of privileges. Far too many organizations, in fact Windows doesn't lend itself very well to this anyway, but far too many organizations allow users to be local administrators on their Windows endpoints. Being a local administrator on a Windows endpoint means I can run any executable. I can run installers, I can run and extract .zip files, I can run PowerShell scripts and VBScripts.
IT has typically given users those powers, in some cases, because those users are remote. They need to change their IP address. They need to install business or productivity applications, and they don't want additional support calls, and they don't want to prevent users from being productive when they're more mobile. Some line-of-business applications organizations use were written so long ago they require admin privileges. They need to read and write to parts of HKEY_LOCAL_MACHINE or the file system that belong to the system. So what we have is a number of users roaming around, and while their systems may be patched, they're still local admins. A large majority of ransomware attacks need admin privileges to run. By looking at whether you can remove admin privileges from your user estate, you can significantly reduce the risk associated with some of the ransomware attacks we've seen over the past 12 to 18 months. Removing admin rights and local admin privileges is one thing. That's easier said than done, but there are solutions out there, including our own, that allow IT to have far more granular control of when a user can run an executable or a task with elevated privileges.
Once you've done that, then we’re into a conversation around application whitelisting. Phil and I talk about this on a regular basis. Historically, trying to implement application whitelisting has been very difficult and very time consuming. I only have to do a very basic search on the Windows 10 device in front of me now, and there will be 56,000-plus .ocx, .dll, and .exe files on my system. To try and create that list in the first place and then manage it on a day-to-day basis across my estate is incredibly difficult. Which is why there are solutions, again including our own, that use various techniques to implement forms of application whitelisting that allow organizations to put application controls in place without having the administrative headache of creating a whitelist in the first place. Phil, do you have any more to say on that?
Phil: Yes, just a little bit. I think you covered application control well, Simon, but let’s talk a little about privilege management and how that impacts this kind of virus proliferation. Several of you may have seen reports about encryption or lock screens on systems showing schedules at airports and train stations. Those machines certainly weren't victims of any kind of phishing scheme, or anything like that. Typically, what happens in these kinds of situations with this kind of virus is a user's machine at the airport or the train station has been infected. Because the user has local administrative privileges, the virus was able to, through the SMB exploits it takes advantage of, identify and attack these static machines, which don't do anything other than display timetables and schedules, and was able to lock those systems, as well. That's one of the reasons privilege management is so important. Privilege management will help arrest the proliferation and penetration of this kind of virus to other machines within your organization. That's why privilege management is an important control in this kind of space.
McKay: Great. We have a couple of in-the-weeds questions, and then we'll close with one final question. What about disabling SMB version 1.0 server on PC—how to do that? Thoughts on that, Phil?
Reasons to disable SMB version 1.0
Phil: SMB version 1.0 is an older version of SMB. SMB stands for Server Message Block, which is a protocol that allows computers to map drives to one another and that kind of thing. SMB version 1.0 certainly has a number of vulnerabilities in it. This particular set of vulnerabilities, which come from EternalBlue, exploits SMB version 1.0 but also exploits subsequent versions of SMB, as well. While shutting down SMB version 1.0 is a good step, it will not, by itself, stop the proliferation of this virus in your environment.
McKay: Okay. People have asked this on our site in the last couple of days quite a bit. Is there any way to see this sort of thing coming, or does it just show up and you better be ready for it and that's why it's important to get that security stack and fix your vulnerabilities as we've talked about? Is there any way to predict this in the future, or is this something you have to be totally ready for?
Can ransomware attacks be predicted?
Phil: Well, a couple of things. There are some warning websites available. They provide files called IOCs or Indicators of Compromise. It's kind of like predicting an earthquake, though. Usually the earthquake center will know about an earthquake maybe 30 or 45 seconds before it hits. You can know about it in advance, but I’m not sure it's enough time to be able to do a lot about it. Having these IOCs for different kinds of viruses is helpful. You can put them on your edge routers, and that signature then is blocked from your entire network, which is a valuable thing to do, but you have to react quickly to make that happen.
McKay: All right. Let's go around the panel here before we close, and the way we ended Monday's panel discussion was with an action plan for people. What should they do today? If you have vulnerabilities, it sounds like what you're saying is start with patching, but let's go around to everyone. What should we do today, in the short term, Chris, to get started, if someone on this webinar is thinking, "Man, I have vulnerabilities I need to fix"?
What protection measures can I start today?
Chris: It's a good point, you know, with AV, coming up to speed shortly after all this occurred. That was one of those things where it was kind of a hurry and get caught up, but by that point there were already a lot of infections that had happened. It reinforces the need for additional layers of protection, being able to patch anything that's critical as quickly as possible.
Having whitelisting in place would have blocked the payload from trying to execute in the case where AV didn't detect it and stop it, so having layers in place. To Phil's point about prediction, it's one of those things where when the disclosure came out originally, when Shadow Brokers leaked the information, I think there were a lot of security experts who agreed we're going to see this come back around. The when of that was hard to predict, but it was expected that it would come back around.
Another one that happened recently that people are going to want to keep on their radar is the Intel vulnerability that was identified. At some point, updates will be available for the driver level of that, and that's one of those early points where you can see this is something you’re going to have to worry about down the road. Once that update is available, have an action plan for rolling that out to systems. So again, the multilayered approach—making sure you patch and get application control or privilege management in place to help reduce the risk is a huge thing in ensuring these things don’t impact you as badly as we've seen this time around.
McKay: Perfect. Simon, Matt, Phil, anything to add in terms of an immediate action plan? Anything to add to what Chris said?
Simon: Anything from you, Matt?
Matt: I think we've covered most things on the webinar today. I do think what this attack has prompted is people looking at the patching of their systems, which certainly leads to a wider consideration of a defense-in-depth strategy or a multilayered approach to security. Back to what we're seeing from customers, historically, certain vertical groups in the public sector and certain institutions in the private sector, such as banks, have always had a strong security posture. I think now, increasingly, organizations in general are looking at the bigger picture, and patching is just the start.
Simon: Agreed. I think it's going to be interesting, McKay, to see how businesses look to IT for more information in the coming weeks. Businesses are going to be very keen to understand from IT whether IT has a good grip on where the organization is at. How vulnerable are they? What additional risks may still exist, and what needs to be solved?
It's going to give IT, hopefully, an opportunity to really start to take stock. That includes not only understanding and discovering what patches they have or don't have, but also whether they need a more mature security posture and more defense in depth.
There are also things like how are you going to deal with the machines and operating systems still out there? The NHS is going to have to ask itself, "If I have machines and applications that are tied to Windows XP, and I haven’t moved those applications on because of application compatibility or device compatibility, how are we going to overcome that moving forward?" As much as we would like Microsoft to continue patching these legacy systems, businesses really do need to keep their systems, devices, and operating systems up-to-date. There's a whole conversation to be had around operating system migrations and making sure IT is able to manage the multitude of devices that are now out there in an organization.
Phil: You know, Simon, that's a really good point. This one patch happens to be very important today, but this is not a once and done. This is not a silver bullet. If you only apply this one patch, you're not protected from every variant of malware out there. It's an escalation game, a game of one-upmanship with the criminals, and it's important for each organization to make sure they're maintaining current configurations and an accurate count of patches, and make sure they have a process around those patches. Even more important than being the first one out with a patch is maintaining a standard process, so that your systems get patched on a regular basis.
McKay: Gentlemen, thank you very much for doing this again. We did this on Monday, and a lot of people showed up. We've had a large crowd again today and a lot of good questions. We're grateful to everyone who took the time to attend. I would refer you to the links on the screen. The first is for the free patching offer Chris discussed. Please go there. The offer will be available until June 15. The second link is to a blog post you can link to from our homepage on ivanti.com, which has daily updates, including the recording from Monday's panel discussion. Our panelists are contributing content to that every day, answering "Is there anything new today? Is there anything new on the ransomware attack?" With that, gentlemen, any final thoughts from anyone on the panel?
Phil: Just a reminder from me that this is a battle with criminals, so when you patch your systems, you're fighting crime.
McKay: That's a great motto, I like that. All right, gentlemen, thank you very much. We appreciate it, and thank you everyone for joining us today. We hope to see you on another Ivanti webinar panel discussion very soon. Have a wonderful, wonderful day.