Friday 26 May 2017

Pull the budget and suffer the consequences: the NHS ransomware attack [Link: Information Age]

I was asked to help source an article about WannaCry on the NHS. Here is the article that was published on the Information Age website:


Why wasn’t more done to protect NHS organisations from the WannaCry ransomware attack?

Ransomware infects computers around the world every day. In the last 18 months, instances of it have surged so prolifically that today it is the most common type of malware. However, the WannaCry strain hit the headlines because it brought large parts of the NHS to a crunching halt.

This is the problem with malware: it can have devastating effects. We don’t know what the real-world physical implications of WannaCry have been, for instance on patient treatment. Perhaps we will never know.

At first glance, it appears almost criminal to be running operating systems that are no longer supported, in the case of the NHS, Windows XP. This was in no way helped by the government pulling the plug on an XP support contract to save money.

The ransomware infection was so serious that the government chaired a Cobra meeting, code for official panic. While patching an operating system is a fundamental security step, there can be a number of issues that complicate the process.

For instance, an organisation with a desktop fleet consisting of thousands of PCs might simply have not set up its configurations correctly, leaving holes in its patching process through which malware can insinuate itself.

Risk register

Some organisations might be reluctant to automatically apply operating system patches because they could cause conflicts with business critical applications. In short, they might be unable to patch for fear of slowing down, or even halting other parts of the business.

In both these cases there should be at least an awareness of the potential risks. It could be that an IT team is stretched thinly and is juggling other issues such as networking or storage, and consequently security slides down the list of priorities. This isn’t uncommon.

In these cases IT should be creating a risk register, which is essentially a list of system vulnerabilities: why they exist, how they can be remediated and why they haven’t been addressed yet. This could be because of budget limitations or some other reason.

The C-level executive team should sign off on the ‘risk register’ to show that they are aware of the issues and have accepted responsibility. This protects IT from any fallout should a serious breach occur, and also illustrates that they are doing their job.

Finger pointing

The WannaCry breach led to a lot of finger pointing and within hours had also become a political hot potato. Many people in the industry were quoted saying that defences are only as strong as the weakest link.

This is a self-evident truth, but in this case a very large condemning finger was pointed at end users. The implication was that a naïve employee or cluster of employees had clicked on an email link which unwittingly unleashed the worm-like WannaCry ransomware.

Phishing emails are increasingly sophisticated and even the most alert and astute end user can be fooled if the mail is targeted and well-crafted. The only problem with blaming end users is that it smacks of scapegoating and is essentially an abnegation of responsibility. However, there has been no evidence to suggest that WannaCry was initiated by an email or spread by user interaction.

First lines of defence

End user education and training is important and should certainly be more than an annual box-ticking exercise. Like patching operating systems, though, it should be treated as a last line of defence and certainly not the first line.

Any organisation that is serious about IT security will have a range of defences in place to safeguard against these types of attacks. For instance, an email security gateway with sandboxing will filter out ransomware even if a user clicks on a malicious link. A web security filter with sandboxing will protect against drive-by downloads, in which someone only has to visit a website to inadvertently download malware.

Web filtering tools in conjunction with a good firewall can detect dubious websites, as well as flag traffic that is leaving an organisation for a questionable destination. Of course there is also heuristic and signature detection, so if malware does penetrate the network it is immediately detected and stopped.

Added to this are a raft of endpoint tools that can protect devices, and we’re not just talking about patching operating systems but also patching browsers, plug-ins and third party software for vulnerabilities. On top of this, admin rights should be removed from endpoints so software doesn’t automatically run by default.

Lack of willingness

In short, the tools are available to protect organisations from ransomware and other types of malware, and they don’t have to be the latest and the greatest either. The real question is whether the willingness to take security seriously is there. Given the large number of attacks that happen regularly you’d have to say it’s not. For instance, where there is commitment, budget is always made available to help overstretched IT teams.

Clearly in the case of the NHS the funding was missing, and if the government doesn’t yet fully understand the importance of comprehensive cyber security then who will? Will it take loss of life before someone sits up and takes security seriously?

Exclusive Networks Takes GDPR Message on The Road [Link: CommsBusiness]

I was asked by our distributor, Exclusive Networks, and vendor, Gemalto, for a quote regarding a bus they were using to promote GDPR (General Data Protection Regulation). This was published on the CommsBusiness website:


Exclusive Networks and digital security company Gemalto are taking the GDPR message on the road. A refitted double-decker bus began its UK tour in York on 23rd May, finishing at Infosec in London on 6th June. The bus will be making stops at key regional centres where channel partners and customers can meet security experts from Exclusive Networks and Gemalto and hear how a six-step process can aid GDPR readiness and compliance.

According to Exclusive Networks’ vendor alliances director, Stuart Nairne-Clark “many partners are still confused and lack clear understanding on the whole GDPR topic and what it means for them and their customers. Because there is no silver bullet – it’s as much about people and process as it is technology – by coming aboard they’ll get first-hand guidance on what’s needed to become compliant. They will hear directly from Data Protection Officers, understand the essential legal requirement and see how the latest multi-factor authentication, encryption and key management tools aid GDPR compliance. Already large and small organisations from right across the commercial, public and charity sectors are booked on and given it’s such a comprehensive regulation we encourage all partners and their customers to sign-up. It’s the ideal setting to engage with compliance, data protection and encryption experts.”

Andrew Tang, service director – security, at reseller MTI noted that “being a GDPR Practitioner I appreciate there is no precedent for what is coming. Understanding both the regulation and its context is essential if partners are to work with their customers to build an effective GDPR strategy and plan. My customer meetings are now all GDPR related so having the bus clinic pass by the door of many customers, especially the 50% or so who are just beginning to get to grips with the subject, is invaluable. It is doubly invaluable when you consider the only technology set mentioned within the regulation is encryption, and that is something Gemalto does best.”

The Exclusive Networks and Gemalto GDPR Bus clinic will be stopping in York, Leeds (25/5), Chesterfield (26/5), Birmingham (30/5), Milton Keynes (31/5), Oxford (1/6), Reading (2/6), Alton (5/6) and London (6-8/6). Seats aboard the bus are pre-booked and partners can sign-up here. In addition, a survey is being conducted to gauge how far those affected by the regulation have progressed along the road to compliance.

Jason Hart, identity and protection CTO at Gemalto added: “With a year or so left until the regulation is enforced it is essential partners and customers cut through all the noise and understand what they need to do on their road to compliance. Plenty of reports show a general state of un-readiness and lack of understanding. By taking the issue on the road we can reach more partners and customers and get to explain how Gemalto’s data protection, encryption and identity authentication technologies are essential in securing compliance and avoiding crippling penalties.”

Tuesday 23 May 2017

So you have WannaCry 2.0, what next?

So your machine is infected, what can you do?

Immediate Action

  1. Find all the machines vulnerable to MS17-010. This can be done using scanning tools, or by applying the patch wholesale to all machines.
  2. On the infected machines, don't pay the ransom. Research suggests that payment will get your files back two-thirds of the time.
  3. Try the WannaCry decryption tool and, if it works, skip to step 5.
  4. If the decryption tool fails, re-install your operating system, remembering to patch it.
  5. Install a good malware protection solution, switch on real-time updates and update it.
  6. Scan your machine with your newly installed and updated malware protection software.
  7. Re-install essential applications, remembering to check for patches, and switch on auto updates.
  8. Copy back data from backups, remembering to scan it as you do. One of your backup files could be infected.

Next Steps

  1. Create a standard user account for general use, and keep the administrator account for configuration changes only. Although WannaCry did not need administrator credentials, other ransomware does.
  2. Consider Application Whitelisting to ensure only known applications are able to execute on your machine.
  3. If your existing firewall allows it, switch on web filtering to prevent traffic to known malicious sites.
  4. Consider using an IPS (Intrusion Prevention System) to protect your network.
  5. Consider a Web Security Gateway to monitor and prevent traffic to malicious websites, with sandboxing to scan unknown packages.
  6. An Email Security Gateway can monitor and scan emails, working in combination with a sandbox to scan unknown attachments and a Web Security Gateway to validate URLs within emails. Although email was not the delivery mechanism for WannaCry, it is for pretty much 90+% of ransomware.
  7. Check existing backups and/or start doing backups.

Planning for the future

  1. User training is important, but it must be remembered that WannaCry 2.0 wasn't propagated by email and didn't require user interaction to install or spread.
  2. Ensure an open policy for users to report to IT Teams or Information Security Teams with any suspicious behaviour on their machines.
  3. Test the environment with simulated attacks to ensure the People, Process and Technology work hand in hand together.

WannaCry/WCRY 2.0 - What do we know?

On Friday 12th May, we were all made aware of a global ransomware attack, which hit nearly 200 countries, infecting over 300,000 Windows machines. Named WannaCry/WCRY 2.0, it encrypted your data and demanded a ransom of US$300 payable in Bitcoin (an electronic currency).


Looking back to earlier in 2017 shows how WannaCry evolved.

14th March 2017 - Microsoft released a patch it classified as Critical as part of its monthly patch cycle. The patch was called MS17-010, and it resolved a vulnerability in the SMBv1 server on machines running Windows workstation and server operating systems.

14th April 2017 - Shadow Brokers leaked the NSA hacking tools which exploited the MS17-010 vulnerability.

14th April 2017 - WannaCry/WCRY 1.0 was released

12th May 2017 - WannaCry/WCRY 2.0 was released


WannaCry/WCRY 1.0 was a spam campaign, which delivered its payload via compromised or malicious Dropbox accounts. To all intents and purposes, it felt like a typical ransomware attack: an email with a link was delivered, the user clicked on the link to download the ransomware, the ransomware exploited a vulnerability (in this case MS17-010) and then encrypted the data.

Why is WannaCry/WCRY 2.0 different?

It is believed that WannaCry/WCRY 2.0 was not distributed via email, nor was it caused by clicking on a link.

WannaCry/WCRY 2.0 scans for Windows machines that are running SMBv1, and will try to infect them. I say try to infect them, because if the machine had the MS17-010 patch installed, it could not be infected. The ransomware exploits the vulnerability, installs itself and encrypts the data. WannaCry/WCRY 2.0 also has a worm-like characteristic: it scans the local network and random external IP addresses to see if they are running SMBv1 and tries to infect them as well.

The clever part of this ransomware is that it requires no user interaction to initiate it or to spread it.
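To show the scanning behaviour just described from the defender's side, here is an added example (not from the original post) that walks firewall connection logs and flags any host fanning out TCP/445 connections to many distinct internal or external addresses within a short window. The log format, the private address ranges and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of firewall connection log lines (not real traffic).
# Assumed format: "<ISO timestamp> <src ip> <dst ip> <dst port> <action>".
# 10.1.4.50 is a normal client using two file servers; 10.1.4.22 sweeps the
# local /24 and then probes random internet addresses on 445.
SAMPLE_LOG = """\
2017-05-12T11:00:05 10.1.4.50 10.1.4.10 445 allow
2017-05-12T11:00:09 10.1.4.50 10.1.4.11 445 allow
2017-05-12T11:02:00 10.1.4.22 10.1.4.1 445 allow
2017-05-12T11:02:00 10.1.4.22 10.1.4.2 445 allow
2017-05-12T11:02:01 10.1.4.22 10.1.4.3 445 deny
2017-05-12T11:02:01 10.1.4.22 10.1.4.4 445 allow
2017-05-12T11:02:02 10.1.4.22 10.1.4.5 445 deny
2017-05-12T11:02:02 10.1.4.22 10.1.4.6 445 deny
2017-05-12T11:02:03 10.1.4.22 10.1.4.7 445 allow
2017-05-12T11:02:03 10.1.4.22 10.1.4.8 445 deny
2017-05-12T11:02:04 10.1.4.22 203.0.113.9 445 deny
2017-05-12T11:02:05 10.1.4.22 198.51.100.77 445 deny
2017-05-12T11:02:06 10.1.4.22 192.0.2.130 445 deny
2017-05-12T11:02:07 10.1.4.22 10.1.4.200 80 allow
"""

# Assumed internal address space (RFC 1918 ranges).
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_events(log_text: str, port: int = 445):
    """Yield (timestamp, src, dst) for every attempt to the given port.
    Denied attempts are kept on purpose: a worm probing addresses that do
    not answer is exactly the signal we want."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, _action = parts
        if int(dport) == port:
            yield datetime.fromisoformat(ts), src, dst


def max_distinct_in_window(events, window_seconds: int) -> int:
    """events: time-sorted list of (timestamp, dst). Returns the largest
    number of distinct destinations seen in any window_seconds span."""
    best, left, counts = 0, 0, defaultdict(int)
    for right, (ts, dst) in enumerate(events):
        counts[dst] += 1
        while (ts - events[left][0]).total_seconds() > window_seconds:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_smb_fanout(log_text: str, window_seconds: int = 60,
                    internal_threshold: int = 8, external_threshold: int = 3) -> dict:
    """Return {src: {"internal": n, "external": m}} for sources exceeding a
    threshold. Internal and external targets are scored separately: a client
    may reach several file servers, but never random internet hosts on 445."""
    per_src = defaultdict(lambda: {"internal": [], "external": []})
    for ts, src, dst in parse_events(log_text):
        bucket = "internal" if is_internal(dst) else "external"
        per_src[src][bucket].append((ts, dst))
    alerts = {}
    for src, buckets in per_src.items():
        scores = {k: max_distinct_in_window(sorted(v), window_seconds)
                  for k, v in buckets.items()}
        if (scores["internal"] >= internal_threshold
                or scores["external"] >= external_threshold):
            alerts[src] = scores
    return alerts
```

Running `find_smb_fanout(SAMPLE_LOG)` on the constructed lines flags only 10.1.4.22, with 8 internal and 3 external SMB targets inside the window; the ordinary client is not reported.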

What was the criminal gain?

Some organisations have been monitoring the Bitcoin wallet and they estimate that the financial gains from this attack are in the region of US$65-70,000, which doesn't sound like a great deal.

Who's vulnerable now?

Using Shodan it's possible to search for Windows machines on the internet using the SMBv1 protocol. Of course, it doesn't show whether these machines have been patched to prevent MS17-010 from being exploited.

Sunday 14 May 2017

So you have Ransomware, what do you do?

I've put up a lengthy blog post about ransomware, but you just want a quick and simple answer?

Your machine is infected and you have this screen:

  1. Don't pay. Research suggests that payment will get your files back two-thirds of the time.
  2. Re-install your operating system, remembering to patch it!
  3. Create a standard user account for general use, and keep the administrator account for configuration changes only.
  4. Install a good malware protection solution, and update it.
  5. Scan your machine with your newly installed and updated malware protection software.
  6. Re-install essential applications, remembering to check for patches, and switch on auto updates.
  7. Copy back data from backups, remembering to scan it as you do. One of your backup files could be infected.

Going forward:

  • Be mindful of any email attachments or links within emails
  • Continue to update malware protection, operating system and applications
  • Ensure backups are happening to prevent data loss, and even consider multiple backup destinations
  • Only use the admin account for configuration changes

This advice is aimed more at home users, but you can see the relevance to organisations as well. For a more detailed look at ransomware, and what approach an organisation can take, have a look here.

Saturday 13 May 2017

The Anatomy of Ransomware - and How to Prevent It from Impacting You

After the global cyber attack with ransomware, there is much advice out there suggesting the problem would have been prevented with point products, training or procedures. I'm going to outline a generic ransomware attack below, so that the defences can be understood, and what you can do as a home user, corporate user, or corporate IT team at each stage.

Delivery of Ransomware

Depending on the research you read, you can see that 93-98% of ransomware is delivered by email. The remaining delivery methods can be via websites, whether a drive-by download, malvertising or a malicious website, or via removable media.

As a home user, a good quality endpoint protection solution would be recommended. Try not to click on email attachments or dubious weblinks, or use removable media you are unsure about. Look to only have standard user profiles, not administrator rights, on your everyday profile, and enter the admin credentials when needed.

As a corporate user, the advice is similar to a home user: try not to click on email attachments or dubious weblinks, or use removable media you are unsure about.

As a corporate IT team, email and web gateway solutions should be protecting the email and web traffic. The endpoint should have good quality multi-layered protection. Ensure that users do not have local administrator rights. Sandboxing solutions on the network would analyse the unknown traffic coming into the network and ensure the email, web and endpoint vectors are covered. Consider device control solutions if removable media is a big entry point into the network. User education can help, but it needs to be short and regular, not many hours once a year.

Exploit the Endpoint

The ransomware's next task is to find a vulnerability on the endpoint, in order to exploit it and install the ransomware. This is when the advice is to patch your operating system, or check and install the updates to your machine. It's less well known that the other software on your machine also has vulnerabilities: third party software like Java and Adobe Reader, as well as the internet browsers and their add-ons.

As a home user, change the settings on the operating system and software to automatically check and install the updates. Consider removing applications that are rarely used, as some may not check for updates until they are used.

As a corporate user there is typically little you can do, as this should be controlled by the administrators. If you are able to run the updates, check regularly. If you are able to install applications, consider what you are installing and switch on auto-updating.

As a corporate IT team, ensure there is a robust patching regime. Ensure patches are deployed to Microsoft operating systems as close to "Patch Tuesday" as possible, to prevent there being a "Hack Wednesday". Ensure the patching regime goes beyond operating systems, covering off the third party applications, browsers and add-ons. Consider Application Control solutions to limit the applications on the endpoints. In the server environment, consider using IDS/IPS or "Virtual Patching" solutions to protect the servers until patch remediation can be carried out in a scheduled maintenance window, allowing for testing of patches prior to deployment.

Installation of Ransomware

The installation of the ransomware will typically be disguised as a system process, so can go undetected by traditional or single layers of defence.

As a home user with the administrator rights removed as mentioned before, the software may not be able to install.  Again a good quality anti-malware solution may help prevent the ransomware from being installed.

As a corporate user there is typically little you can do, as this should be controlled by the administrators.

As a corporate IT team, look to Application Whitelisting, so unknown applications can't be installed. Whitelisting also checks the fingerprints of the known good applications, so even if the ransomware is masquerading as a system process it will not be allowed to execute. Again, good multi-layered anti-malware protection and limited local admin rights will help. Sandboxing solutions should detect this traffic; also consider tools that can monitor file integrity, analyse memory or offer memory injection protection.

Command and Control

Once installed, the ransomware will typically talk back to its "Command and Control" servers, which customise what the machine will do: for example, detecting the language settings of the computer and then installing the correct interface in the matching language. A Chinese ransom demand would not be very effective on a machine using Russian. The unique encryption key can be communicated at this stage as well.

As a home user, besides relying on the endpoint protection having good malware detection and possibly a host-based firewall, there is very little that can be done at this point.

As a corporate user, the situation is much the same as the home user, as there is little that can be done.

As a corporate IT team, the use of Next Generation Firewalls and/or web gateway solutions should be able to see this traffic travelling to and from the network, and prevent the communication. Logging or SIEM solutions should be able to take the feeds from various points throughout the network to detect this activity.

Data Encryption

The ransomware will now start to encrypt a portion of each of the files, allowing it to work quickly through all the files.  It will check for connected devices, so it will be able to encrypt network file shares and removable media connected to the machine.  It also knows to leave the operating system files, so the machine is still able to run and demand the ransom.

As a home user, besides relying on the endpoint protection having good malware detection and possibly a host-based firewall, there is very little that can be done at this point, aside from ensuring that there are system backups.

As a corporate user, the situation is much the same as the home user, as there is little that can be done.

As a corporate IT Team, the anti-malware solution may be able to detect this and stop it from running, or the use of application control could have prevented the application from executing, as mentioned before. Beyond that, the dependence will be on having system backups.
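As an added example (not the post's own tooling) of the file-integrity monitoring mentioned in the installation section, the following baselines the head of each file and flags files whose head has changed and now has ciphertext-like byte entropy, which is what the partial encryption of each file described above looks like on disk. The directory layout, the head size and the entropy threshold are assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

HEAD_BYTES = 4096     # assumption: snapshot only the file head, the part hit first
ENTROPY_BITS = 7.5    # assumption: text is ~4-5 bits/byte, ciphertext close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Map relative path -> (sha256 of the head, entropy of the head)."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            snap[os.path.relpath(path, root)] = (
                hashlib.sha256(head).hexdigest(), shannon_entropy(head))
    return snap


def suspicious_changes(before: dict, after: dict) -> list:
    """Files whose head changed since the baseline and now looks like
    ciphertext. An ordinary edit changes the hash but not the entropy."""
    flagged = []
    for rel, (digest, entropy) in after.items():
        old = before.get(rel)
        if old is not None and old[0] != digest and entropy >= ENTROPY_BITS:
            flagged.append(rel)
    return sorted(flagged)


def demo() -> list:
    """Constructed scenario in a throw-away directory: three text files, one
    gets a normal edit, one has its head replaced by random bytes as a
    stand-in for the partially encrypted file a backup scan should catch."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("notes.txt", "report.txt", "data.csv"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("quarterly figures, nothing unusual here\n" * 200)
        baseline = snapshot(root)
        with open(os.path.join(root, "notes.txt"), "r+b") as fh:
            fh.write(b"Revised: ")             # legitimate edit, low entropy
        with open(os.path.join(root, "report.txt"), "r+b") as fh:
            fh.write(os.urandom(HEAD_BYTES))   # simulated damage, high entropy
        return suspicious_changes(baseline, snapshot(root))
```

`demo()` reports only `report.txt`; the edited `notes.txt` changes hash but stays well below the entropy threshold, so it is not flagged.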

Ransom Demand

At this point, whoever you are, all is lost without system/data backups.

The advice is not to pay, as research currently shows that payment of the ransom will lead to the decryption of the data around two-thirds of the time, and increases your chances of being targeted again.

The Advice

As a home user, don't click on links without validating that they are legitimate, get a good quality endpoint protection solution and patch your computer regularly. Remember to back up your data, whether to the cloud, portable hard drives or USB devices, and try not to leave physical devices connected when not in use. Make your account a standard user, so the administrator password is required for tasks that alter the configuration of your computer.

As a corporate user, don't click on links without validating that they are legitimate, and work with IT if you think you have.

As a corporate IT Team, ensure the endpoints have good quality malware protection that can be centrally managed and centrally logs information. Ensure there are web and email gateways installed and configured. If you don't have a NGFW, consider getting one and using the features available. Patch the operating systems, applications and browsers on endpoints and servers. Consider investing in Device and Application Control solutions, if you don't already have them. Sandboxing solutions will help deal with unknown and new threats, so are well worth the investment. Review the rights the users have on their devices, as they typically don't need to be local administrators. SIEM solutions with security features will help detect this early on. End user training is important, but keep it short and regular for it to be effective.


Ransomware attacks will continue to happen, but stopping the chain of events as soon and as quickly as possible will minimise the damage.

I hope this guide has been useful in helping understand how ransomware works, and the measures that can be taken to prevent it from impacting you. If you have any questions, please feel free to email me:

Wednesday 10 May 2017

Wargames on a Warship - Arbor Networks/Nuvias

Today I attended an event on HMS Belfast hosted by Nuvias, with Arbor Networks running a technical session. The location itself is cool and I've been a few times for other security vendor events, but this was something a little different.

Arbor Networks are a leader in DDoS mitigation solutions, and our distributor partner is Nuvias who carry a number of networking and security solutions.

Today, we got to see the DDoS solution up and running, but it was not just a product demonstration. We got to attack websites with commonly available toolsets and defend using the Arbor APS solution.

It was an informal event, where the name badges only had your first name, and no organisations or job titles were displayed. It allowed us all to chat and share without an agenda. I met some great technical people today, and we got to play with some cool toys. After a few hours, we got into the swing of being in a team, defending our website and attacking another team's website.

My conclusions from the day were that the vendor and distributor know their stuff, the solution was easy to get your head around, technical people in the channel are friendly, and for some reason I was better at attacking websites than defending them. Maybe I have the wrong coloured hat!!