
How to deal with the overall Security problem (2)

2025-02-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Ineffective protection is the bigger problem exposed by WannaCry.

Many people have asked me what I make of the response problems exposed by the WannaCry incident. From my own point of view, under the unified guidance of the State Cyber Information Office and the other relevant emergency agencies, the vendors' emergency response to WannaCry was on the whole successful: its large-scale spread on the Internet side was effectively curbed, and the feared secondary wave of infections when machines came back online on Monday was also effectively prevented.

In fact, the bigger problem exposed by WannaCry is ineffective protection. WannaCry itself is a threat that should have been preventable through basic security hygiene; it is not a new piece of ransomware, and earlier versions of it had been seen before. It had the impact it did because it spread with a US military-grade exploit that was leaked on April 14, 2017, yet Microsoft had already released the patch for that vulnerability (MS17-010) in March 2017. In other words, none of the infected machines had been patched in the two months in between.

We also need to recognise that ransomware is not a threat well suited to emergency response, because its actual consequence is that files are encrypted and will not be decrypted unless the ransom is paid. (WannaCry was an exception on two counts: it deleted the original unencrypted files less rigorously than other ransomware, so they could often be recovered; and French researchers found that the Windows cryptographic API it used left the private key's prime factors in process memory on some systems, so the key could be partially or fully recovered as long as the machine had not been rebooted.) For most ransomware, file recovery and key recovery from memory are of very limited effectiveness.

What is more, the "Petya"-style incident against Ukraine (NotPetya), which masqueraded as ransomware, shows that extortion need not be the goal at all: it encrypted the victim's files with a randomly generated key that it could not decrypt itself, so the aim was to destroy the whole system. Once that kind of damage occurs, the only emergency measure is restoring from backup. If there is no backup data, and on top of that the protection side has not achieved its effect and the threat begins to spread, the cost of the emergency response will not converge.

It can be seen that ineffective protection is the bigger problem currently exposed by WannaCry. Once a large number of incidents break out because protection is ineffective, the entire load shifts onto the situational awareness system and its analysis and judgement strategy.

Effective protection

A notable feature of the once widespread "Dark Cloud" Trojan family is that it is a bootkit, monetised through rogue promotion and DDoS. According to monitoring, it has infected millions of nodes in China. It not only loads itself by infecting the MBR but also carries a series of very complex driver mechanisms that interfere with security products reading and cleaning the MBR. Once the Trojan has been written into the MBR it forms a stubborn infection that is very difficult to remove.

In fact, no security product can guarantee that it will identify every given threat, but we can extract the corresponding threat behaviour. With the entire signature database switched off, running "Dark Cloud" against endpoint protection still gets its attempt to modify the MBR intercepted, so its boot chain cannot be established.
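The behavioural block above stops the MBR write at the moment it happens; the complementary check a responder wants afterwards is whether a disk's MBR still matches a known-clean baseline. The following is an added example, not code from the original article or from any product it mentions: it parses the first 512 bytes of a disk (boot code, partition table, 0x55AA signature), hashes the boot code and compares it with a baseline. The MBR bytes are constructed for the demonstration; on a real system the same 512 bytes would be read from the raw disk device with administrator rights.

```python
# Added example: MBR integrity check against a clean baseline (not the article's code).
# A real run would read the first 512 bytes of the raw disk (for example /dev/sda on
# Linux or \\.\PhysicalDrive0 on Windows); here the MBR is constructed in memory.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446    # 4 entries x 16 bytes follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code, one bootable NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # three empty entries
    return code + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a boot-code hash and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr: bytes, baseline_boot_hash: str) -> list:
    """Return findings; an empty list means the MBR matches the clean baseline."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline (possible bootkit)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    return findings


def demo() -> dict:
    """A clean MBR passes; an MBR whose boot code was patched, as a bootkit does, is flagged."""
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed x86 stub
    baseline = parse_mbr(clean)["boot_code_sha256"]
    # bootkit-style patch: overwrite the first bytes of the boot code with a jump elsewhere
    infected = b"\xeb\x3c" + clean[2:]
    return {"clean": check_mbr(clean, baseline), "infected": check_mbr(infected, baseline)}


if __name__ == "__main__":
    print(demo())
```

The baseline hash has to be taken from a state you trust (a golden image, or the disk right after installation); comparing against the running system's own earlier reading is only useful if that reading predates the infection, which is exactly what the driver tricks described above try to hide.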

Protection effectiveness reduces disposal cost across the board

The WannaCry ransomware is not a new form of threat but one inherited from history; it only became a typical threat form in recent years with the popularity of Bitcoin and darknets. Since anyone who wants to extort must operate on files in bulk, batch file operations by an untrusted program are in principle a threatening behaviour.

Endpoint protection needs a set of built-in analysis mechanisms, including behaviour analysis and bait files. Run WannaCry against an endpoint protection product with signature detection switched off, and it will still be unable to encrypt effectively.
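The two mechanisms named above, behaviour analysis and bait files, can be shown on a directory tree. The following is an added example, not code from the original article or from any endpoint product: a bait (canary) file is planted, a baseline of content hashes is taken, and the analysis flags ransomware-like activity either when the canary is touched or when many files have been rewritten with high-entropy, encrypted-looking content, which is the "batch file operation by an untrusted program" the text describes. The files, the canary and the stand-in encryptor are all constructed here, and the thresholds are illustrative assumptions rather than product values.

```python
# Added example: bait-file plus behaviour analysis for bulk encryption (not the article's code).
import hashlib
import math
import os
import tempfile
from collections import Counter

CANARY_NAME = "~$_aaa_budget.docx"   # assumption: sorts early so a bulk encryptor hits it first
CANARY_CONTENT = b"bait file: no legitimate program modifies this\n" * 20
ENTROPY_THRESHOLD = 7.0              # bits per byte; assumption, ciphertext approaches 8.0
MAX_HIGH_ENTROPY_REWRITES = 5        # assumption: more than this in one window is mass encryption


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(directory: str) -> dict:
    """Relative path -> sha256 of content; the baseline the detector compares against."""
    snap = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                snap[os.path.relpath(path, directory)] = hashlib.sha256(f.read()).hexdigest()
    return snap


def plant_canary(directory: str) -> None:
    """Bait file: legitimate software never rewrites, renames or deletes it."""
    with open(os.path.join(directory, CANARY_NAME), "wb") as f:
        f.write(CANARY_CONTENT)


def analyse(directory: str, baseline: dict) -> dict:
    """Behaviour analysis over the changes since the baseline; returns verdict and evidence."""
    current = snapshot(directory)
    changed = [p for p, h in current.items() if baseline.get(p) != h]   # new or rewritten files
    high_entropy = []
    for rel in changed:
        with open(os.path.join(directory, rel), "rb") as f:
            if shannon_entropy(f.read()) >= ENTROPY_THRESHOLD:
                high_entropy.append(rel)
    # canary renamed, deleted or rewritten all show up as a hash mismatch against the baseline
    canary_tampered = current.get(CANARY_NAME) != baseline.get(CANARY_NAME)
    mass_rewrite = len(high_entropy) > MAX_HIGH_ENTROPY_REWRITES
    return {"ransomware_like": canary_tampered or mass_rewrite,
            "canary_tampered": canary_tampered,
            "changed": len(changed),
            "high_entropy": len(high_entropy)}


def fake_encryptor(directory: str) -> None:
    """Constructed stand-in for the payload: overwrite every file with random bytes and rename it.
    Random bytes give the entropy profile of ciphertext without performing any real encryption."""
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            size = max(os.path.getsize(path), 4096)
            with open(path, "wb") as f:
                f.write(os.urandom(size))
            os.rename(path, path + ".WNCRY")   # WannaCry's extension, used only as a label here


def demo() -> dict:
    """A benign edit of one file stays clean; a bulk rewrite trips both heuristics."""
    with tempfile.TemporaryDirectory() as d:
        for i in range(8):   # constructed user documents
            with open(os.path.join(d, "report%d.txt" % i), "w") as f:
                f.write("quarterly figures, plain text, low entropy\n" * 40)
        plant_canary(d)
        baseline = snapshot(d)
        with open(os.path.join(d, "report0.txt"), "a") as f:
            f.write("one more line added by a user\n")          # legitimate activity
        after_edit = analyse(d, baseline)
        fake_encryptor(d)
        after_attack = analyse(d, baseline)
    return {"after_edit": after_edit, "after_attack": after_attack}


if __name__ == "__main__":
    print(demo())
```

In a real agent the same logic runs on file-system events attributed to a process rather than on periodic snapshots, so the offending process can be suspended before it has touched more than a handful of files; the entropy test is what separates a bulk encryptor from a bulk editor such as a backup or indexing tool, and the canary catches encryptors that keep their per-file entropy low (for example by encrypting only the first block).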

Effective protection of endpoints

In this case, effective protection of the endpoint is built from host hardening, host boundary defence, unknown-threat defence, unknown-threat identification, APT traceability and targeted clean-up. Within an industry system, when a large number of problems can be found and handled at the defended endpoint, the security events that the upper-level situational awareness system has to deal with are fully converged. It is therefore very unwise to leave endpoint security outside situational awareness: endpoints are not only the collection base for the situation picture, but also the effective means of carrying out situational strategies.

From log retention to full element collection

In the past, systems based on SIEM and SOC actually relied on log retention. Whatever the object being logged, a payload or a packet, the essence of that retention was, apart from application-layer system logs, mainly the matching results of a detection engine and its rule base. We have explained many times that malicious code detection is a system maintained along several branches: generic (normalised) detection, precise detection and unknown-threat detection. On the traffic side the result is a five-tuple plus a detection name, which means that every object that is not detected is simply let through. Under such complex conditions we have to assume that the first wave is undetectable, just as in a military struggle an enemy F-22 stealth aircraft may be coming and we cannot find it. Can we still achieve effective interception and stop the loss afterwards?

Reliable flow collection

This raises the problem of how to collect reliably on the traffic side. It is not only traditional single-packet detection, but a comprehensive collection capability covering IP, domain name, URL, file, session, account information and so on, including flow detection, packet detection, beacon detection, file detection, deep detection and behaviour analysis. Finally, from the situation perspective, it provides the value of supporting threat intelligence, threat behaviour and threat distribution.

The whole traffic collection is mainly divided into three steps:

First, achieve full-element collection, that is, move from the traditional five-tuple collection capability to what Americans today call thirteen-tuple collection.

Second, extract a large amount of application-side information and then detect the corresponding objects in multiple dimensions.

Third, beyond detection itself, realise deeper capability based on scenario empowerment.

Reliable acquisition: full-element acquisition

Traditional protocol parsing in effect lets through everything that is not recognised as malicious and leaves only a simple log. From the full-element collection point of view we need to expand the detection object: for example, for HTTP traffic we need to retain a large amount of information such as the Host, the domain name and the User-Agent. If there is a payload, we further parse that payload, regardless of whether the file is malicious.
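The three collection steps above and the HTTP retention just described come down to one change in what a sensor writes per exchange. The following is an added example, not code from the original article or from any sensor it describes: it takes the five-tuple and counters a flow table already has, parses Host, User-Agent, URL, status and Content-Type from a captured HTTP request and response, hashes the payload, sniffs its real type from magic bytes and records a mismatch between declared and actual type, all retained even though no signature fires. The flow entry and the HTTP bytes are constructed, and the field set is an assumption standing in for the extended tuple the text mentions, not a standard definition of it.

```python
# Added example: full-element record for one HTTP exchange (not the article's code).
import hashlib

MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip"}
# Content-Types under which each sniffed type is legitimately served (assumption; extend as needed)
EXPECTED_CT = {"pe": ("application/x-msdownload", "application/vnd.microsoft.portable-executable"),
               "elf": ("application/x-executable",),
               "pdf": ("application/pdf",),
               "zip": ("application/zip",),
               "gzip": ("application/gzip", "application/x-gzip")}
GENERIC_CT = ("application/octet-stream",)   # says nothing, so never counted as a mismatch


def sniff_type(payload: bytes) -> str:
    """Identify the payload by its leading magic bytes, ignoring what the server claimed."""
    for magic, name in MAGIC.items():
        if payload.startswith(magic):
            return name
    return "unknown"


def type_mismatch(content_type, sniffed: str) -> bool:
    """True when the declared Content-Type does not fit the sniffed payload type."""
    if sniffed == "unknown" or not content_type:
        return False
    ct = content_type.split(";")[0].strip().lower()
    return ct not in GENERIC_CT and ct not in EXPECTED_CT[sniffed]


def parse_http_message(raw: bytes):
    """Split a raw HTTP message into start line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def build_record(flow: dict, request: bytes, response: bytes) -> dict:
    """Five-tuple and counters from the flow table, plus the application-layer elements."""
    req_line, req_hdr, _ = parse_http_message(request)
    status_line, resp_hdr, body = parse_http_message(response)
    method, url, _ = req_line.split(" ", 2)
    sniffed = sniff_type(body) if body else None
    record = dict(flow)
    record.update({
        "host": req_hdr.get("host"),
        "user_agent": req_hdr.get("user-agent"),
        "method": method,
        "url": url,
        "status": int(status_line.split(" ")[1]),
        "content_type": resp_hdr.get("content-type"),
        "payload_size": len(body),
        "payload_sha256": hashlib.sha256(body).hexdigest() if body else None,
        "payload_type": sniffed,
        "type_mismatch": type_mismatch(resp_hdr.get("content-type"), sniffed) if sniffed else False,
        "detection": None,     # no signature fired; the record is retained anyway
    })
    return record


def demo() -> dict:
    # constructed flow-table entry: the traditional five-tuple plus what a sensor already counts
    flow = {"src_ip": "10.0.0.5", "src_port": 49152, "dst_ip": "203.0.113.7", "dst_port": 80,
            "proto": "tcp", "start": "2017-05-12T07:44:00Z", "end": "2017-05-12T07:44:01Z",
            "packets": 14, "bytes": 4710}
    # constructed exchange: a download that is served as text/html but is a PE file
    request = (b"GET /update/agent.bin HTTP/1.1\r\n"
               b"Host: update.example.com\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n")
    body = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"
    response = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/html\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body)) + body
    return build_record(flow, request, response)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

Nothing in this record is a detection; its value is that when the "first wave" is recognised later (a hash turns up in threat intelligence, or a host is found beaconing), the Host, URL, User-Agent and payload hash are already on disk and the exchange can be pivoted on, whereas a five-tuple plus "no alert" leaves nothing to pivot on.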
