In addition to the endpoint and network operational efforts for WannaCry, this outbreak presents great learning and response opportunities for analysts in the security operations center (SOC). Understanding and automating these best practices will set you up to handle evolving WannaCry activities, as well as the next fast-moving attack.
Responding to an attack like WannaCry, the SOC must answer three key questions:
1. First Question – Am I affected?
The first task for a SOC is to assess what you have already experienced and gain current situational awareness. This evaluation can draw on reports of endpoint and network security events related to the attack, on analysis of the malware itself, and on the SIEM. In the McAfee ecosystem, here is what you can do:
- Report on endpoint events. McAfee ePolicy Orchestrator can report events based on the signatures it has downloaded from McAfee Global Threat Intelligence.
- Conduct malware analysis. Sandboxing systems such as McAfee Advanced Threat Defense can generate reports on unknown variants and share them in machine-readable form as a STIX file.
- Perform automated searching. Using the integrations McAfee provides, IOC data from sandboxes and other sources can immediately be used to mine endpoints (via McAfee Active Response) and the SIEM database (via McAfee Enterprise Security Manager) for related activity. An event containing an IOC in the SIEM database can point to other hosts that are in the process of being locked, hosts connecting to malicious IP addresses or domains related to WannaCry, and related indicators that your own hunters may want to pursue as part of their containment efforts.
- Perform manual IOC searches. Other sources of intelligence, such as external CERT notices, can also drive ad hoc searching with McAfee Active Response.
2. Second Question – Is there new activity?
Proactive analysis and hunting using analytics and intelligence let SOC staff keep constant watch for activity matching known WannaCry behaviors and trigger an action – from an active quarantine to a policy-driven scan to an email or SMS alert that mobilizes incident responders. Here’s what you can do in the McAfee ecosystem:
- Enable analytics-driven monitoring of events and behaviors. IOCs ingested by the SIEM can populate a watchlist for ongoing, forward-looking monitoring of new occurrences. In addition, endpoint trace data sent by McAfee Active Response is monitored in the cloud for behaviors that indicate WannaCry activity (persistence, stealth, reconnaissance, self-protection, data theft, infection signaling).
- Enhance human investigations. The Active Response threat workspace presents endpoint event findings from the cloud in a dynamic dashboard that lets you drill down and explore event relationships. Similarly, the SIEM shows new events in the context of the overall estate, including user context, network flow data, and more.
- Conduct manual IOC searches. In the case of WannaCry, indicators of compromise (IOCs) are publicly available from several sources, including US-CERT. So in addition to the discoveries about your own environment shared by your internal sandbox, you should also be consuming and evaluating these third-party intelligence sources to get the most complete picture of known WannaCry behaviors. When new intelligence emerges from third-party or local sources, it can trigger ad hoc searching using McAfee Active Response.
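The IOC watchlist matching described under automated searching and analytics-driven monitoring above, as an added illustration that is not McAfee code: a constructed indicator set (placeholder values, not real WannaCry indicators) is matched against constructed key=value events of the kind a SIEM holds, and hits are grouped by host for responders. The event format and field names are assumptions.

```python
"""Watchlist-style IOC matching over SIEM-like events (added illustration)."""
import re
from collections import defaultdict

# Constructed watchlist standing in for IOCs that a sandbox report (STIX) or a
# CERT notice would supply. Placeholder values only, not real WannaCry IOCs.
WATCHLIST = {
    "sha256": {"aa" * 32},                        # hypothetical dropper hash
    "domain": {"c2-placeholder.invalid"},         # hypothetical domain
    "ipv4":   {"198.51.100.23"},                  # documentation address range
}

# Which event field carries which indicator type (assumed schema).
FIELD_TO_TYPE = {"sha256": "sha256", "domain": "domain", "dst_ip": "ipv4"}

# Constructed sample events in key=value form; not taken from any real SIEM.
SAMPLE_EVENTS = [
    "ts=2017-05-12T10:01:07Z host=ws-017 type=file_exec sha256=" + "aa" * 32,
    "ts=2017-05-12T10:01:09Z host=ws-017 type=dns_query domain=c2-placeholder.invalid",
    "ts=2017-05-12T10:02:44Z host=ws-042 type=net_flow dst_ip=198.51.100.23",
    "ts=2017-05-12T10:03:51Z host=srv-db1 type=file_exec sha256=" + "bb" * 32,
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(KV.findall(line))


def match_event(event, watchlist=WATCHLIST):
    """Return (ioc_type, value) pairs from one event that hit the watchlist."""
    hits = []
    for field, ioc_type in FIELD_TO_TYPE.items():
        value = event.get(field, "").lower()
        if value and value in watchlist.get(ioc_type, ()):
            hits.append((ioc_type, value))
    return hits


def hunt(lines, watchlist=WATCHLIST):
    """Group watchlist hits by host so responders see which hosts to contain."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for ioc_type, value in match_event(ev, watchlist):
            by_host[ev.get("host", "unknown")].append((ev.get("ts"), ioc_type, value))
    return dict(by_host)


if __name__ == "__main__":
    for host, hits in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, hits)
```

Adding a fresh feed is a matter of updating the sets in WATCHLIST and re-running hunt over the new event window.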
3. Final Question – Am I maintaining protection?
Many tools today can be updated with new IOCs, signatures, and policy-driven updates and actions. This video of OpenDXL and a threat intelligence platform shows one way that this process can be managed. McAfee ePolicy Orchestrator integrations can take action on a variety of endpoint systems, including those of integrated Security Innovation Alliance partners.
Rapidly spreading malware like WannaCry should be a further spur to SOC teams to improve their access to and use of the intelligence so readily available today. The good news for SOC staff is that many functions that should be performed can be automated, freeing you to do the investigation and extrapolation that only humans can drive. For ideas, please check out these blogs on automation and threat hunting.