Jun 20, 2017
How Tanium customers mitigated the risks of recent ransomware attacksBy Charles Ross
Tanium has been used across some of the largest networks in the world to mitigate the risks of several recent vulnerabilities, including WannaCry, Intel AMT and the HP Audio Driver Keylogger. For each vulnerability, we offered customers the freedom of choice to determine the best mitigation strategy for their business. Patching was an option, but not the only available option. Here’s a detailed look at our most noteworthy accomplishments, and five steps your organization can take now to avoid being caught in the next attack.
(Image: Peter Linforth / Pixabay)
The level of dread you feel when you hear the word is in direct proportion to the number of endpoints you’re managing. Patching ranks high on the scale of thankless chores in IT because it combines a high risk of failure with a low chance of getting any accolades for doing it right. Nobody in your business notices whether or not you’ve kept up-to-date with patches until an attempt to do so brings down a business-critical application. And who wants their name attached to something like that?
This, in a nutshell, is how we ended up with WannaCry. The troubling aspect of WannaCry is the timeline of events leading up to the ransomware. In late 2016, a hacker group known as Shadow Brokers emerged and announced an auction for leaked NSA hacking tools. Upon learning of the leak, Microsoft began working on a security update. Microsoft even took the unprecedented step of canceling Patch Tuesday in February, for the first time ever. Unfortunately, WannaCry samples started showing up in the wild during the month off. Microsoft released the SMB updates for WannaCry in March 2017. WannaCry made its (unceremonious) arrival on May 12, ultimately affecting some 230,000 endpoints in 150 countries.
WannaCry is certainly not the last we’ll see of the leaked NSA tools and exploits. In fact, reports are surfacing about a new SMB worm called EternalRocks and a new cryptocurrency miner known as Adylkuzz. And, they can succeed in bringing your business to its knees for one simple reason: you haven’t kept your systems and software up to date.
According to the 2015 Verizon Data Breach Investigations Report, 99.9% of attacks exploited are from vulnerabilities that had been identified for more than a year, some of them as far back as 1999. (Verizon didn’t calculate this stat in the 2016 report, but noted the number hadn’t changed year-over-year.)
Mitigating risk: How Tanium can help
Tanium has been used across some of the largest networks in the world to mitigate the risks of several recent vulnerabilities, including WannaCry, Intel AMT and the HP Audio Driver Keylogger. For each vulnerability, we offered customers the freedom of choice to determine the best mitigation strategy for their business. Patching was an option, but not the only available option. Noteworthy accomplishments include:
- Real-time detection of SMBv1-enabled machines in multiple customers with multi-hundred-thousand endpoint environments.
- Disabling of SMBv1 via registry changes accomplished in less than four minutes.
- Real-time detection of systems requiring patches contained in the MS17-010 bulletin, even when not domain joined/connected.
- Deployment of terabytes worth of aggregate patches within hours, with no impact to networks (includes non-domain joined/connected machines).
- Reboot action sent to all machines requiring reboot (post registry change or patch).
- Saved actions put in place to catch any new machines coming on-line requiring SMBv1 disablement, patch, or reboot.
- Real-time reporting of remediated and vulnerable systems with trending over time (via Trends).
- Intel AMT vulnerability manifest greater than 50% across our customer base.
- Intel AMT mitigation (disabling of the service which allows the vulnerability to be exploited) was accomplished in less than two minutes across the enterprise by Tanium.
- Thousands of endpoints with the HP keylogger were found across several customers and remediated within minutes.
We had two large customers who initially tried to use SCCM to address the patches issued by Microsoft in response to WannaCry – and had to stop due to crushing network congestion issues caused by SCCM. These customers shifted to Tanium for the patch deployment and were able to complete their entire enterprise in less time than it had taken to create the SCCM packages.
Several customers found vulnerable assets which were not domain joined at all and, as such, would have never gotten properly patched without Tanium.
Nearly every customer was confident they had SMBv1 disabled enterprise wide. Yet, we had no customers with zero SMBv1, and the average across customers was 7%, spiking as high as greater than 50% of endpoints with SMBv1 enabled.
In many cases, legacy processes held back improved capabilities. We saw many cases in our WannaCry response where the process took eight hours from the time approval was given to mitigate WannaCry to when Tanium issued the corrective actions to mitigate the threat. From trigger-pull to completion was less than two minutes.
Five steps your organizations can take now
In light of what we’ve learned from these recent examples, here are five steps your organization can take now, so you’re better prepared to avoid being caught in the next attack:
- Assess your organizational obstacles. Are your security and IT ops teams working in tandem? If not, where are the areas of friction and how can these be addressed?
- Know your environment. If your CIO stops by and asks you to tell him how many unpatched devices are on your network, can you answer accurately? Will your answer be based on current state, or on information you gathered a week ago?
- Consider how often legacy processes are holding back the improved capabilities of the technology you use.
- Declutter your infrastructure. One of the oft-cited issues in the WannaCry incident was the challenge of updating operating systems in an environment laden with legacy apps. If you’re running a business-critical application which requires you to keep an outdated OS on life support, it’s time to rethink your vendor relationships.
- By various estimates, up to 83% of ransomware attacks originate when an employee clicks on a malicious link, opens an infected attachment, or visits a compromised website. Investing in ongoing training for employees to protect against phishing attacks should be your first line of defense.
Are your security hygiene practices as strong as they can be? Is your organization ready to withstand the next attack? Learn more about how we can help. Schedule your security hygiene assessment today.
- This time, it’s personal: WannaCry and the psychology of the cyber-accountability gap
- Windows 10 migration: don’t let complexity hold you back
- “WannaCry” / “wcry” ransomware outbreak: How Tanium can help
- Intel AMT vulnerability: How Tanium can help
About the Author: In his role as Chief Customer Officer, Charles Ross leads the team responsible for delivering the Tanium vision to our customers: scalable endpoint management to operate and secure their business reliably and quickly. Prior to Tanium, Charles worked at McAfee, where he held a variety of leadership roles in pre-sales engineering, solution architecture and IT security. Prior to McAfee, Charles worked as an Enterprise Risk Consultant for Deloitte & Touché. Charles holds a Bachelor of Science from the University of Florida.