WannaCry: Anti-virus is not enough

Despite almost every organization using antivirus software, there are many victims of the WannaCry ransomware.

The anatomy of an attack

Looking at today’s threats, relying on antivirus alone just isn’t enough anymore. Techniques for bypassing antivirus programs are becoming more sophisticated and easier to use, which makes detection very difficult. To understand how today’s attacks infect systems, we need to know the anatomy of an attack. It consists of three components: a vulnerability, an exploit and a payload.


The vulnerability

The vulnerability is the part of the software that contains the security flaw. The WannaCry malware exploits a vulnerability in the Windows SMB service. This vulnerability was discovered early on by the NSA and was used to infiltrate organizations and foreign governments. After The Shadow Brokers leaked the offensive NSA tools, malware makers began implementing them.

The exploit

The exploit is the code written by the attacker to take advantage of the security vulnerability. It is a small piece of computer code that, in this case, makes it possible to take control of the computer.

The payload

Once the attacker has control of the computer, it is time to tell the computer what to do. We call this the payload. When the NSA used this zero-day, it was most likely used to set up backdoors. The WannaCry malware, however, uses this vulnerability to encrypt all files on the computer.

WannaCry infection

Now that we know the anatomy of an attack, we can use it to prevent one. The best way to prevent an attack is to remove the vulnerability. This can easily be done by installing the Microsoft updates.

Most malware, ransomware and even the majority of “Advanced Persistent Threats” use vulnerabilities with publicly available exploits. Even the most current threat, the WannaCry ransomware, uses a commonly known exploit within the Windows SMB service. Microsoft released a patch for this flaw in March, meaning infection could have been prevented by proper patch management.

Vulnerabilities can also be introduced by defects other than outdated software, for example misconfiguration of software. By implementing a vulnerability management process, known vulnerabilities become visible and can be addressed. Even if the patch management process has been implemented and is working correctly, vulnerability management must be performed to verify that the patches were actually applied and are effective. If there is no vulnerability, attackers have nothing to exploit and attacks will not succeed.
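The verification step described above, reconciling what the patch management system claims against what a vulnerability scan actually observes, is shown in the following added example. It is not code from the original article: the host inventory, the scan findings, the patch identifier `KB-SMB-FIX` and the finding name `smb-remote-code-exec` are all constructed placeholders, and the classification rules are one reasonable way to prioritize, not a published standard.

```python
"""Reconcile patch-management records against vulnerability-scan findings.

Added example, not part of the original article. The inventory, the scan
output and the identifiers are constructed for illustration: "KB-SMB-FIX"
stands in for the real SMB update and "smb-remote-code-exec" for whatever
name a scanner gives the SMB flaw.
"""
from dataclasses import dataclass, field

REQUIRED_PATCH = "KB-SMB-FIX"          # placeholder, not a real update id
SMB_FINDING = "smb-remote-code-exec"   # placeholder scanner finding name


@dataclass
class Host:
    name: str
    installed_patches: set = field(default_factory=set)
    smb_exposed: bool = False    # TCP 445 reachable from untrusted networks
    smbv1_enabled: bool = True   # legacy protocol left on: a misconfiguration


# Constructed inventory, as the patch-management system would report it.
INVENTORY = [
    Host("fs01", {"KB-SMB-FIX"}, smb_exposed=True, smbv1_enabled=False),
    Host("fs02", {"KB-SMB-FIX"}, smb_exposed=True, smbv1_enabled=True),
    Host("ws17", set(), smb_exposed=False, smbv1_enabled=True),
    Host("legacy-print", set(), smb_exposed=True, smbv1_enabled=True),
]

# Constructed scan findings: hosts the scanner still sees as vulnerable,
# independent of what the patch system claims.
SCAN_FINDINGS = {
    "fs02": [SMB_FINDING],          # patch recorded, but scanner disagrees
    "legacy-print": [SMB_FINDING],
}


def assess_host(host, findings, required_patch=REQUIRED_PATCH):
    """Return status, configuration issues and a priority for one host."""
    patched = required_patch in host.installed_patches
    still_vulnerable = SMB_FINDING in findings
    if patched and not still_vulnerable:
        status = "verified"              # patch present and scanner agrees
    elif patched and still_vulnerable:
        status = "patch_not_effective"   # failed install, pending reboot, bad records
    else:
        status = "unpatched"

    issues = []
    if host.smbv1_enabled:
        issues.append("smbv1_enabled")
    if host.smb_exposed:
        issues.append("smb_exposed")

    if status != "verified":
        priority = "critical" if host.smb_exposed else "high"
    elif issues:
        priority = "medium"
    else:
        priority = "low"
    return {"status": status, "issues": issues, "priority": priority}


def assess(hosts, scan_findings):
    """Assess every host; hosts absent from the scan count as having no findings."""
    return {h.name: assess_host(h, scan_findings.get(h.name, [])) for h in hosts}


def verification_gaps(report):
    """Hosts where patch records and scanner disagree: the cases patch
    management alone would never reveal."""
    return sorted(n for n, r in report.items() if r["status"] == "patch_not_effective")


if __name__ == "__main__":
    result = assess(INVENTORY, SCAN_FINDINGS)
    for name, entry in result.items():
        print(f"{name:13} {entry['priority']:9} {entry['status']:20} {entry['issues']}")
    print("needs investigation:", verification_gaps(result))
```

The important output line is the `patch_not_effective` host: the patch system says the update is installed, yet the scanner still finds the flaw. Without the second, independent check that host would have been counted as fixed.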