Ransomware and patch management: be prepared for the next malware outbreak
According to the U.S. Department of Justice, ransomware is the fastest growing malware threat, with an average of more than 4,000 ransomware attacks occurring daily since 1 January 2016. This represents a 300 percent increase over the approximately 1,000 attacks seen daily in 2015.
As we saw earlier this year, WannaCry ransomware was unleashed on a Friday, and spread rapidly to machines across the globe. Four days later, WannaCry had crippled an estimated 300,000 computers in more than 150 countries. While the reported ransom per incident was relatively low (U.S. $300-$600), Reuters reported that the nonprofit research institute U.S. Cyber Consequences Unit estimated total losses, as a result of business disruption, would range in the hundreds of millions of dollars.
According to FireEye, existing threats (e.g., Backdoor.Nitol and Trojan Gh0st RAT) are now being distributed through the same vulnerability that WannaCry exploited: a flaw in the legacy SMBv1 implementation targeted by the leaked EternalBlue exploit. Any machine running an older version of Windows that exposes SMBv1 on a network with an infected host is vulnerable to these threats unless it has been patched. Microsoft had released the fix for that vulnerability (MS17-010) almost two months before the attack.
Unpatched systems are attackers’ favorite targets. In its June 2017 security update, Microsoft continues to address vulnerabilities that leave the door open for attackers who exploit SMB and other flaws on systems missing critical updates. In this update, Microsoft states, “WannaCry malware is fully addressed by installing the security updates Microsoft released in (the previous update) Microsoft Security Bulletin MS17-010.” Yet the June security update, which is larger than the prior two months' releases, contains patches to address 94 vulnerabilities that are “at heightened risk of exploitation due to past and threatened nation-state attacks and disclosures.”
With an automated configuration management solution like Puppet, detecting whether systems are exposed to a known security flaw is fairly straightforward. Puppet Enterprise's Package Inspector lets admins see which versions of specific services or software packages are installed on their systems, whether or not Puppet manages those packages. Likewise, disabling a legacy protocol such as SMBv1 across many systems can be done quickly, as outlined in a related post, Detecting and remediating WannaCry using Puppet.
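As an added illustration of the remediation step just described (this is example code, not the manifest from the related post or from Puppet's own modules), the manifest below turns SMBv1 off on every Windows node a Puppet run reaches. It assumes the puppetlabs-registry and puppetlabs-reboot modules are installed on the master; the registry locations are the ones Microsoft documents for disabling SMBv1 (KB2696547), and the resource titles are illustrative.

```puppet
# Added example: disable SMBv1 on Windows nodes with Puppet.
# Assumes the puppetlabs-registry and puppetlabs-reboot modules are available.
# Registry paths follow Microsoft's guidance for disabling SMBv1 (KB2696547).
if $facts['os']['family'] == 'windows' {

  # Server side: stop the Server service (LanmanServer) from speaking SMBv1.
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1':
    ensure => present,
    type   => 'dword',
    data   => 0,
  }

  # Client side: disable the SMBv1 redirector driver. Start = 4 means "disabled".
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10\Start':
    ensure => present,
    type   => 'dword',
    data   => 4,
  }

  # ...and remove MRxSmb10 from the Workstation service's dependencies,
  # leaving only the SMBv2/3 redirector (REG_MULTI_SZ, hence type => array).
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\DependOnService':
    ensure => present,
    type   => 'array',
    data   => ['Bowser', 'MRxSmb20', 'NSI'],
  }

  # The SMB1 and driver changes only take effect after a restart; schedule one
  # at the end of the run, but only when a value actually changed.
  reboot { 'reboot-after-smbv1-disable':
    apply     => finished,
    subscribe => Registry_value[
      'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1',
      'HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10\Start',
    ],
  }
}
```

Because the manifest is declarative, re-running it on an already-remediated node changes nothing and triggers no reboot; a node that has drifted back (for instance, after someone re-enabled SMBv1 to support an old print server) is corrected on the next run and shows up in the report. In a phased rollout the `if` guard is where you narrow the target set, for example by adding a check on a custom fact or on `$facts['os']['release']['major']`, so that the most critical systems are handled first.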
Depending on the nature of the attack, the impact of ransomware is often greatly reduced by a comprehensive data backup and recovery strategy. According to the chief economist at the U.S. Cyber Consequences Unit, most victims of WannaCry were able to recover infected systems quickly from backups. But eradication and restoration still cost businesses unplanned time and resources, so the old adage, "an ounce of prevention is worth a pound of cure," still applies.
While there is no silver bullet for preventing ransomware attacks, WannaCry would not have been a global epidemic if the MS17-010 patch had been applied to critical infrastructure running Windows. Intrusion detection and prevention, anti-malware solutions, and phishing awareness are all important contributors to a risk-based approach to cyber security. But consistent application of system updates and patches remains a critical discipline in the war against cybercrime.
Traditionally, patch management has been an extremely time-intensive effort, with the workload often spread across multiple silos. Being able to identify which systems are running a specific software package or version is essential for setting a remediation plan. Puppet's automated configuration management drastically cuts back the highly manual process of identifying current and out-of-date software versions on each node, one by one.
Puppet also lets admins enforce configuration changes across any set of nodes identified as needing correction, and gives them continuous visibility into corrective changes and configuration drift. Admins can then target the systems most critical to the business and roll out a phased remediation plan, if a phased approach is the better strategy. Executing the plan reliably and without error is obviously vital to securing infrastructure. Using Puppet, changes can be tested and enforced across data centers and cloud platforms, and monitored for drift from newly established baselines.
Together, Puppet and CloudPassage have developed a joint solution that automates security and compliance in any infrastructure, at any scale. Puppet and CloudPassage offer a complete remediation solution that alerts an organization to new vulnerabilities in its systems and automatically remediates them, leaving systems updated and secure at all times.
No one has yet devised a viable strategy that can identify and remove all threats to an organization. Organizations that take a risk-based approach to security understand that layers of controls are necessary to defend themselves against cyber criminals. While patch management is not a silver bullet, neglecting it weakens one of the most important layers of defense in our arsenal. So enforce that good old-fashioned discipline, and patch your systems regularly.
Jeff Schmied is the director of information security at Puppet.
- Try Puppet Enterprise for free.
- Read about agile security using Puppet and CloudPassage.
- Learn how Puppet Enterprise helped those vulnerable to Heartbleed.
- Download and read our white paper, Manage Change and Enforce Security in your Windows Ecosystem.