Addressing Bad Rabbit with Tufin
November 6, 2017, Joe Schreiber
Mitigating Malware Risk with Tufin
Tufin clients were able to address the spread of WannaCry immediately during the initial infection. When analysis concluded that SMB over port 445 was the propagation path between hosts, Tufin clients identified the access rules that permitted that traffic between zones, conducted impact analysis of removing those rules, and mitigated accordingly. Enterprise-wide visibility, on-prem or in the cloud, and automation were the key components of this rapid response.
One Familiar Bunny
Bad Rabbit borrows from the prior ransomware attack Nyetya (also known as NotPetya). It initially spread through drive-by downloads from compromised websites, presented to the visitor as an Adobe Flash update. Bad Rabbit encrypts the end user's hard drive and demands payment in bitcoin through a Tor site. Using open source functionality attributed to Mimikatz, Bad Rabbit combines a hardcoded list of usernames and passwords with any credentials recovered by the Mimikatz-style memory search, and uses them to brute-force access to other machines over open ports 137, 139 or 445.
How to Stop Bad Rabbit from Burrowing
Bad Rabbit is introduced into the network by any end user that engages with a compromised website; note that endpoint protection may detect and prevent the attack. If the endpoint security mechanism fails, it’s important to have another layer of protection in the network. To eliminate Bad Rabbit’s ability to traverse network zones, organizations need to identify existing access rules that use port 137, 139, or 445. Organizations should understand the ramifications of denying the access by which Bad Rabbit spreads and either seek to remove the access rule or closely examine the firewall traffic. Complex networks may face a greater challenge in retaining connectivity between network zones and critical business applications during these access changes. Tufin’s automation and orchestration are critical solutions to ensure continuity in connectivity despite changes in the network.
Best Practices in Combatting Malware
“Malware attacks and ransomware attacks are a consistent and persistent autonomous threat. It is critical for organizations to apply best practices in network segmentation to ensure that when vulnerabilities are automatically exploited, the spread across the network is contained. Achieving visibility across the network provides the path for effective segmentation strategies, inclusive of malware risk mitigation best practices.” – Reuven Harrison, CTO, Tufin
Bad Rabbit is the most recent example of malware that has had broad and significant impacts on enterprise networks and it certainly will not be the last. Tufin recommends the following best practices to proactively mitigate the risk of malware spreading across your network.
- Identify and eliminate risky or unused access rules
- Segment your network and develop an iterative segmentation approach that balances security with manageability
- Identify network segments that contain sensitive data or high counts of vulnerabilities and use those to prioritize your risk mitigation plan
- When forensics show how malware spreads, develop a process to identify access rules that can spread malware across network segments, and prioritize by the above
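The two steps above that do the work, finding every cross-zone rule that allows port 137, 139 or 445, and prioritizing those rules by the sensitivity of the zone they reach, can be expressed in a few dozen lines once the rule base is in a parseable form. The script below is an added example written for this page; it is not Tufin code and does not use any Tufin product API. The `Rule` record layout, the sample rule base, the zone names and the per-zone risk weights are all constructed assumptions, so adapt the loader to whatever export your firewall or policy tool produces.

```python
"""Flag firewall access rules that would let SMB/NetBIOS-borne malware cross
network zones, and rank them for remediation.

Added example for this page; not Tufin code. The Rule layout, the sample
policy, the zone names and the zone risk weights are constructed assumptions.
"""
from dataclasses import dataclass

# Ports Bad Rabbit used to reach other hosts, per the write-up above:
# NetBIOS name service (137/udp), NetBIOS session (139/tcp), SMB (445/tcp).
LATERAL_PORTS = {("udp", 137), ("tcp", 139), ("tcp", 445)}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str       # "tcp", "udp" or "any"
    dst_ports: str   # "445", "137-139", "139,445" or "any"
    action: str      # "allow" or "deny"


def parse_ports(spec: str) -> list[tuple[int, int]]:
    """Turn "445", "137-139", "139,445" or "any" into (low, high) ranges."""
    if spec.strip().lower() == "any":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not (0 <= lo_n <= hi_n <= 65535):
            raise ValueError(f"bad port spec: {spec!r}")
        ranges.append((lo_n, hi_n))
    return ranges


def rule_allows(rule: Rule, proto: str, port: int) -> bool:
    """True if an allow rule matches this protocol/port. A protocol of "any"
    or a wide port range matches too; those broad rules are the risky ones."""
    if rule.action != "allow":
        return False
    if rule.proto not in ("any", proto):
        return False
    return any(lo <= port <= hi for lo, hi in parse_ports(rule.dst_ports))


def find_lateral_rules(rules, zone_risk, ports=LATERAL_PORTS):
    """Return (rule, exposed_ports, score) for cross-zone allow rules that
    expose any of `ports`, highest priority first.

    zone_risk maps a zone to an integer weight (sensitive data or many
    unpatched hosts => higher). The score is the destination zone's weight
    times the number of exposed ports, so a wide-open rule into a sensitive
    zone sorts to the top of the remediation list.
    """
    findings = []
    for rule in rules:
        if rule.src_zone == rule.dst_zone:
            continue  # intra-zone access does not cross a segment boundary
        hit = sorted(f"{port}/{proto}" for proto, port in ports
                     if rule_allows(rule, proto, port))
        if hit:
            score = zone_risk.get(rule.dst_zone, 1) * len(hit)
            findings.append((rule, hit, score))
    findings.sort(key=lambda f: (-f[2], f[0].name))
    return findings


# Constructed sample policy (not a real rule base).
SAMPLE_RULES = [
    Rule("users-to-fileserver", "users", "servers", "tcp", "445", "allow"),
    Rule("users-to-dc-netbios", "users", "servers", "udp", "137-138", "allow"),
    Rule("legacy-any", "users", "finance", "any", "any", "allow"),
    Rule("web-to-app", "dmz", "app", "tcp", "8443", "allow"),
    Rule("block-smb-from-dmz", "dmz", "servers", "tcp", "139,445", "deny"),
    Rule("finance-internal", "finance", "finance", "tcp", "445", "allow"),
]
# Constructed weights: finance holds sensitive data, servers has many hosts.
SAMPLE_ZONE_RISK = {"finance": 5, "servers": 3, "app": 2, "users": 1, "dmz": 1}

if __name__ == "__main__":
    for rule, hit, score in find_lateral_rules(SAMPLE_RULES, SAMPLE_ZONE_RISK):
        print(f"{score:>3}  {rule.name:<22} {rule.src_zone}->{rule.dst_zone}"
              f"  exposes {', '.join(hit)}")
```

On the sample policy the `legacy-any` rule ranks first: it allows every protocol and port into the highest-risk zone, so it exposes all three ports at once, which is the kind of "risky or unused" rule the first best practice above targets. The two `users -> servers` rules follow with one exposed port each, and the deny rule and the intra-zone rule are not reported. Whether a flagged rule can simply be removed is a separate question; before changing it, compare it against actual firewall traffic for that rule so that file-server or domain-controller traffic that the business depends on is narrowed to the sources that need it rather than cut off.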
The ability to understand the impact of policy and access change requests, and to automate them, prevents disruption of the network during a cyberattack. Tufin Orchestration Suite™ users can immediately search all access rules on any port to identify the rules that provide the access the next piece of malware may use. With Tufin you have the visibility and automation to remediate faster, with fewer errors and less disruption.