NotPetya, Ransomware, and the Fallacy of the Open Network
The NotPetya ransomware attack that’s infecting systems this week has resulted in innumerable disruptions and headaches for businesses worldwide. It’s yet another reminder of the need to take a better approach to network segmentation by enforcing the principle of least privilege at the network level, in an identity-centric way.
As widely reported, this attack combines the EternalBlue exploit previously used with WannaCry with another propagation technique that leverages Window’s remote system administration tool, WMIC. Before I drill down into the WMIC propagation mechanism and address how organizations need to rethink their reliance on authentication, let me suggest two blogs to read:
- Cyxtera’s CSO Chris Day has written a concise summary of the Top 10 Things You Need to Know about NotPetya
- Microsoft’s article on NotPetya provides a timely and detailed discussion on how this attack is constructed and operates.
How does NotPetya ransomware propagate?
Key takeaways from Microsoft regarding propagation include that:
“Once the ransomware has valid credentials, it scans the local network to establish valid connection on ports tcp/139 and tcp/445.”
“As the threat targets ports 139 and 445, customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing.”
Let’s ask ourselves some basic questions
Why should regular user machines be able to perform a port scan across the subnet? And why should regular users be able to remotely execute WMI commands, which are designed for admin usage? The correct answer is that they shouldn’t be able to do either of these functions under any circumstances – there is simply no reason for them to have this network capability. Even for administrators, who do have legitimate need for this kind of network access, why should they have this access 24×7? Where are the Zero Trust model’s tenets requiring that authentication should occur before connection, unauthorized resources should be completely invisible and all connections should be encrypted? Further, open, uncontrolled access is unnecessary, given that legitimate usage of it is only required occasionally.
Out with the old
The problem is that traditional network security solutions are neither dynamic nor identity-centric, and are unable to properly adapt and provide this kind of access on a periodic basis for authorized users. They simply aren’t aligned with today’s security requirements, resulting in networks that are far too open – for all users, 24 hours per day – to accommodate the occasional usage by a few users.
In with the new
What organizations need is to treat network access, especially for high-risk system services like WMIC, as a privilege and to adopt an adaptive network security solution. With an identity-centric approach to network security that leverages the Software-Defined Perimeter (SDP) approach, organizations can block the propagation of attacks like NotPetya, while keeping business and administrative users fully productive. With an SDP solution in place, regular user access to these sensitive network services can blocked, while administrative access can be temporarily granted, for example only after a one-time password is entered, or only if an active Service Desk ticket exists for that user and that system.
Our customers have successfully deployed AppGate, our enterprise-ready SDP solution, in exactly this kind of way. Business and DevOps users are fully productive, yet access to all unnecessary network services is blocked. Sysadmin users are also fully productive, with the network automatically adjusting their access based on their task at hand. As WannaCry and NotPetya have shown us, giving users broad network access (and relying on single-factor authentication) is simply unnecessary, and represents a significant security risk. Organizations must take an adaptive and identity-centric approach to security, enforces at the network level. We’d prefer that organizations not learn the hard way… Traditional network security isn’t designed for today’s IT reality.