- WannaCry reveals the limits of established IT security strategies
- The rapid spread suggests a combination of different infection strategies
- Industrial companies need continuous monitoring solutions that detect and report not only known hazards, but any anomaly
16.05.2017, Leipzig, Germany - The ransomware WannaCry is spreading like wildfire. More than 200,000 computers in more than 100 countries have been infected within a few days. In its aftermath the search for the causes has begun, and classic IT security vendors see their moment to step in as saviors. But the cause of this rapid infection wave actually lies precisely in the algorithms of established IT security solutions: they protect against already known threats – and are powerless against unknown or modified attacks.
Sandro Gaycken, Director of the Digital Society Institute at the International Business School ESMT Berlin, already warned about the basic problem of common security strategies when it comes to attacks like WannaCry: »It is very likely that the cyber attackers will modify the attack mechanism, or that there are still mechanisms we don’t know of«, the IT security expert explains in an interview with news broadcaster n-tv. The threat is not contained yet. How could it be? For decades, IT security solutions have been based on a huge list of known threats. The result is a never-ending cat-and-mouse game.
WannaCry suggests new attack concepts
Wanna Decryptor, as the malware is originally called, is an encryption program. The program installs itself on a computer, encrypts the data and access permissions and releases them only against a ransom. Such ransomware usually operates over the long term and usually appears in isolated cases. The extent and speed of the spread of WannaCry are unique, and presumably only the beginning of new attack vectors and cybercriminal activity.
»The rapid spread of the current attack can be explained by the program not only reaching computers via the typical paths of emails, their attachments or contaminated web pages, but also spreading itself actively through SMB communication«, Dr. Frank Stummer of Rhebo states. »Through this combination with worm functionality, which after the installation actively sends itself to other computers in the network and to contacts of the infected user account, WannaCry could jump to other networks, which led to production and infrastructure failures in various industrial enterprises and critical infrastructures.«
It’s about recognizing the unknown
Traditional security solutions such as firewalls and virus scanners are no defense against this form of attack mechanism. They neither recognize unknown threats - so-called anomalies - nor do they have sufficient insight into the actual code structure of the malware.
»Industrial companies must bid farewell to the illusion that they can adequately secure their industrial control systems (ICS) with firewalls, virus scanners and intrusion detection systems. The attack vectors of cybercriminals are becoming more specific and sophisticated. Detection is often only possible after the milk has been spilt,« Dr. Frank Stummer says, criticizing the current blindness of established security solutions.
Rather, industrial companies need a solution that continuously monitors their ICS for anomalies and reports any deviation from the standard communication in the controlled network. At this year's Hanover Fair the German Federal Ministry for Information Security (BSI) described self-learning anomaly detection as a central security strategy for the Industrial Internet of Things and Industry 4.0. With this approach the attack with WannaCry would have been recognized at an early stage: it would have been reported immediately as a different communication structure in the network, so that countermeasures could have been initiated promptly.
»Monitoring must be consistent. This means that any suspicious action in the ICS must be reported - regardless of whether it is already listed as a threat or not. Any other concept will be insufficient in the future. And WannaCry has just started this future,« Dr. Stummer is convinced.
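The monitoring principle described above (learn the normal communication structure of an ICS network, then report every deviation from it rather than matching against a list of known threats) can be illustrated with a small allowlist-style detector. The following Python is an added example written for this page, not Rhebo's product code or any BSI reference implementation. It assumes that network communication is available as unidirectional flow records (timestamp, source, destination, destination port, protocol); all addresses and flows are constructed for the illustration. The baseline is the set of communication relationships seen during a learning phase; anything outside it is reported, and a source that opens connections to several previously unseen hosts on the same port in the detection window is additionally flagged as worm-like fan-out, which is the SMB spreading pattern the article attributes to WannaCry.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record: who talked to whom, on which port/protocol."""
    ts: int        # timestamp (constructed, arbitrary units)
    src: str       # initiating host
    dst: str       # responding host
    dport: int     # destination port
    proto: str     # transport protocol


# Constructed learning-phase traffic of a small, deterministic ICS segment:
# an HMI polls two PLCs over Modbus/TCP (502) and writes to a historian (5432);
# an engineering workstation also talks to the historian.
BASELINE_FLOWS = [
    Flow(1, "10.1.0.10", "10.1.0.21", 502, "tcp"),   # HMI -> PLC1
    Flow(2, "10.1.0.10", "10.1.0.22", 502, "tcp"),   # HMI -> PLC2
    Flow(3, "10.1.0.10", "10.1.0.30", 5432, "tcp"),  # HMI -> historian
    Flow(4, "10.1.0.40", "10.1.0.30", 5432, "tcp"),  # engineering ws -> historian
]

# Constructed detection-phase traffic: the known relationships recur, but the
# engineering workstation suddenly contacts four hosts on SMB (445), and the
# HMI polls a PLC address that never appeared in the baseline.
OBSERVED_FLOWS = [
    Flow(100, "10.1.0.10", "10.1.0.21", 502, "tcp"),
    Flow(101, "10.1.0.40", "10.1.0.30", 5432, "tcp"),
    Flow(102, "10.1.0.40", "10.1.0.10", 445, "tcp"),
    Flow(103, "10.1.0.40", "10.1.0.21", 445, "tcp"),
    Flow(104, "10.1.0.40", "10.1.0.22", 445, "tcp"),
    Flow(105, "10.1.0.40", "10.1.0.30", 445, "tcp"),
    Flow(106, "10.1.0.10", "10.1.0.23", 502, "tcp"),
]


def relationship(flow):
    """The communication relationship a flow belongs to (direction-aware)."""
    return (flow.src, flow.dst, flow.dport, flow.proto)


def learn_baseline(flows):
    """Learning phase: the set of all communication relationships seen as normal."""
    return {relationship(f) for f in flows}


def detect_anomalies(baseline, flows, fanout_threshold=3):
    """Detection phase.

    Every flow whose relationship is not in the baseline is reported, whether or
    not it matches any known threat. Additionally, a (source, port) pair that
    reaches at least `fanout_threshold` distinct new destinations is reported as
    worm-like fan-out. Returns (anomalies, spreaders).
    """
    anomalies = []
    new_destinations = defaultdict(set)  # (src, dport) -> set of unseen dsts
    for f in flows:
        rel = relationship(f)
        if rel in baseline:
            continue  # normal communication, nothing to report
        anomalies.append({"ts": f.ts, "relationship": rel,
                          "reason": "communication not in learned baseline"})
        new_destinations[(f.src, f.dport)].add(f.dst)

    spreaders = {
        key: sorted(dsts)
        for key, dsts in new_destinations.items()
        if len(dsts) >= fanout_threshold
    }
    return anomalies, spreaders


def run_example():
    """Learn from the constructed baseline, then evaluate the constructed observations."""
    baseline = learn_baseline(BASELINE_FLOWS)
    return detect_anomalies(baseline, OBSERVED_FLOWS)


if __name__ == "__main__":
    anomalies, spreaders = run_example()
    for a in anomalies:
        print(f"t={a['ts']:>4}  {a['relationship']}  {a['reason']}")
    for (src, dport), dsts in spreaders.items():
        print(f"fan-out: {src} reached {len(dsts)} new hosts on port {dport}: {dsts}")
```

Note that the detector reports the single Modbus poll to the unknown PLC (flow 106) just as it reports the SMB fan-out: it has no notion of which deviation is malicious, only that the communication structure changed. That is exactly the trade-off the article argues for, and in practice the operator then decides whether to extend the baseline (a newly commissioned PLC) or to respond (unexpected SMB from an engineering workstation).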
About Dr. Frank Stummer
Dr. Frank Stummer is co-founder and business developer at the German technology company Rhebo. He earned his doctorate at the Fraunhofer Institute for Systems and Innovation Research before setting up his first network security company, ipoque, in 2006 and successfully leading it as its CFO.
Rhebo is a German technology company specializing in the reliability of industrial control systems by monitoring all of their data communication. Its founders, Klaus Mochalski (CEO), Martin Menschner (CTO) and Frank Stummer (Business Development), each have more than 10 years of experience in the development and marketing of network management and IT security technologies. Klaus Mochalski and Frank Stummer previously founded and managed the IT security companies ipoque and Adyton Systems, which together now have more than 150 employees. During the same period, Martin Menschner was the responsible CTO at Adyton Systems as well as project manager for ipoque in the areas of network security and deep packet inspection.