Attacks never really go away
Many enterprise organizations are currently evaluating the Vectra Cognito platform, and over the past weeks several customers detected WannaCry attacker behaviors. Just because the headlines stopped doesn't mean that the attack did.
WannaCry was first reported by the media in May of this year, and we had customers who detected and responded to outbreaks within minutes. A couple of days after the initial impact, it was reported that stopping the WannaCry command-and-control server limited the effectiveness of WannaCry in the wild. While that may have been true, organizations are still detecting instances of WannaCry within their enterprise networks. Although this is a smaller scale than the attack in May, it is important that enterprises continue to monitor their networks for what has proven to be a fast-propagating ransomware attack with the potential to cause damage very quickly.
Focus on what attackers do
The good news is that our patented AI attacker-behavior models detect the precursors of WannaCry, including lateral movement, reconnaissance behavior and command-and-control communications. Detecting these precursors enables our customers' security teams to contain and remediate infected machines before the WannaCry attack propagates throughout their organization and causes damage.
By detecting attacker behaviors instead of looking for the malware used in the attack, Vectra Cognito detects WannaCry without signature updates or prior knowledge of the attack. This is because the things an attacker must do to compromise, destroy, or steal information on the network follow the same progression of attacker behaviors across the attack lifecycle, giving Vectra Cognito many chances to detect an attack before it causes damage.
For example, before ransomware can encrypt files, it needs to locate file shares on the network. For WannaCry, this means looking for internal servers exposed to EternalBlue, the Windows vulnerability used in the attack. This requires performing internal reconnaissance. Vectra Cognito detects reconnaissance behavior and correlates it with other associated behaviors that are part of the ransomware attack to pinpoint the hosts at the center of the attack. Hosts infected with ransomware are a critical risk to your network, so Vectra Cognito ranks them with the highest threat and certainty scores to prioritize those hosts for immediate response.
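As an added illustration of the reconnaissance precursor described above (example code written for this post, not Vectra's detection logic), the check below scans constructed flow records and flags any host that contacts an unusually large number of distinct internal hosts on TCP/445, the SMB port that EternalBlue targets. The sample flows, the 60-second window and the threshold of 10 destinations are assumptions chosen for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, timestamp_seconds).
# Host 10.0.0.5 fans out to 40 internal hosts on TCP/445 within one minute,
# mimicking the SMB sweep that precedes WannaCry propagation. The other
# flows are ordinary file-share and HTTPS traffic that should not alert.
SAMPLE_FLOWS = [("10.0.0.5", f"10.0.0.{i}", 445, 1000 + i) for i in range(20, 60)] + [
    ("10.0.0.7", "10.0.0.50", 445, 1010),  # one client reusing one file server
    ("10.0.0.7", "10.0.0.50", 445, 1300),
    ("10.0.0.8", "10.0.0.9", 443, 1020),   # unrelated HTTPS, not SMB
]


def detect_smb_fanout(flows, window=60, threshold=10):
    """Return {src_ip: peak_distinct_targets} for sources that reach more than
    `threshold` distinct private hosts on TCP/445 inside any `window`-second span.
    Window and threshold are assumed tuning values, not derived from the post."""
    by_src = defaultdict(list)
    for src, dst, port, ts in flows:
        # Only internal SMB connections matter for this reconnaissance pattern.
        if port == 445 and ipaddress.ip_address(dst).is_private:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # order by timestamp so each slice is a forward window
        peak = 0
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak > threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for host, count in detect_smb_fanout(SAMPLE_FLOWS).items():
        print(f"SMB reconnaissance suspected from {host}: {count} targets in 60s")
```

Real deployments would feed this from flow or Zeek conn logs and tune the window and threshold to the baseline of legitimate SMB activity so that file servers and backup hosts are not flagged.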
Want to know more?
Vectra Cognito will detect Petya, NotPetya, and other forms of ransomware in real time just as well as it detects WannaCry, because Cognito detects what the ransomware does, not what it is.
We have a lot of customers who have detected and stopped multiple ransomware attacks this year. Vectra Cognito has enabled these enterprises to reduce their time to detect and respond from days to minutes.
Kevin Moore is the senior vice president of worldwide field operations at Vectra. He brings nearly two decades of worldwide sales and sales operations experience.