Researchers from Cisco’s Talos Intelligence Group offer advice on how to thwart wiper malware, which attempts to destroy systems and/or data.
A shameless plug for Cymmetria here: the MazeRunner platform will detect wiper malware attempting to move laterally around an organisation.
As to a wiper's effectiveness, the two researchers believe it correlates directly with how quickly the malware can destroy digital information, and they single out three targets:
- Backups: Most wipers delete the volume shadow copies and the actual backups.
- Boot sector data: The first 10 sectors of the disk, which include the master boot record (MBR) and boot code, are either erased or overwritten with a new boot loader.
- Data files: An organization's data is an obvious target. Ventura and Lee found that wipers either overwrite each file's header or overwrite a certain number of bytes at random positions throughout the file; in either case the affected file is rendered useless. The authors also caution that wipers destroy the master file table (MFT), the NTFS index of every file on recent versions of Windows, which further reduces the likelihood of data recovery.
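The backup and boot-sector sabotage described above usually leaves a trail in process-creation telemetry before any data is actually destroyed. The following Python is an added example, not code from the Talos paper or from Cymmetria: it runs a handful of well-known recovery-sabotage command patterns (shadow copy deletion, shadow storage shrinking, backup catalog deletion, boot recovery disabled) over constructed Sysmon-style key=value events and flags any host on which several distinct techniques appear. The event format, host names and accounts are all assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon-like key=value form.
# These are sample data for the example, not real telemetry.
SAMPLE_EVENTS = [
    r'Host=WS01 User=CORP\alice Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'Host=WS01 User=CORP\alice Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"',
    r'Host=WS01 User=CORP\alice Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"',
    r'Host=WS01 User=CORP\alice Image=C:\Windows\System32\wbadmin.exe CommandLine="wbadmin delete catalog -quiet"',
    r'Host=SRV02 User=CORP\backupsvc Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"',
    r'Host=WS03 User=CORP\bob Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\bob\notes.txt"',
    r'Host=WS03 User=CORP\bob Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
]

# key=value tokens; a value may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Command-line patterns for recovery sabotage that commonly precedes wiping.
RULES = [
    ("shadow_copies_deleted",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("shadow_storage_resized",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("backup_catalog_deleted",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]


def parse_event(line):
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def match_rules(event):
    """Names of every rule whose pattern matches the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(lines):
    """Return (host, user, rule, command line) for every matching event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev):
            findings.append((ev["Host"], ev["User"], rule, ev["CommandLine"]))
    return findings


def hosts_with_precursor_chain(findings, min_distinct_rules=2):
    """Hosts on which several distinct sabotage techniques were observed.

    A single 'vssadmin resize' can be legitimate storage housekeeping; a host
    that deletes shadow copies, wipes the backup catalog and disables boot
    recovery in one session is behaving like a wiper (or ransomware) precursor.
    """
    seen = defaultdict(set)
    for host, _user, rule, _cmd in findings:
        seen[host].add(rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host, user, rule, cmd in hits:
        print(f"{host:6} {user:16} {rule:24} {cmd}")
    print("hosts with precursor chain:", hosts_with_precursor_chain(hits))
```

The single-rule hits are worth alerting on individually, but the chain check is what turns them into a high-confidence, high-priority signal: in the sample only WS01 crosses that bar, while the backup service's `vssadmin list shadows` and the lone shadow-storage resize on WS03 do not.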
How to mitigate a wiper malware attack
The researchers admit mitigating a wiper attack will require more than existing technology and suggest organizations take the following steps.
1: Cybersecurity incident response plan (CSIRP): Rapid response is predicated on knowing what to do, and that is where CSIRPs come into play. From the TIG white paper: "The CSIRP needs to have a clear definition of roles and responsibilities. These cannot be limited to the cyber security department, or even to the IT department. … Everyone in the organization needs to know their role, and what kind of decisions are expected from them. This includes the legal and public relations departments."
2: Cybersecurity-aware business continuity plan: Most businesses have continuity plans for challenging situations—physical and digital. Ventura stresses it is crucial to include recovering from wiper attacks in continuity planning, in particular, protecting the organization’s backup infrastructure. To accomplish that, they suggest:
- Running backup software on non-Windows systems;
- Segmenting the backup network; and
- Using different usernames and passwords.
3: Risk-based patch management program: Ventura emphasizes reducing a company's attack surface by keeping all software up to date. Applying patches can itself disrupt operations, however, which is why IT departments need to weigh the risk of remaining vulnerable against the risk of breaking the business, rather than defaulting to either extreme.
4: Network and user segregation: One of the most important aspects of damage mitigation is network segregation, which is neither simple nor easy to accomplish; Ventura may have a solution though: “Intent-based networks can make this task [network segregation] much easier and quicker. Even if the network segregation is not applied during business-as-usual operations, having the capability to perform emergency segregation can make the difference between an attack having a severe impact on the business, or just being a minor disruption.”
Security professionals do not have an emergency-only option with user segregation. The Talos white paper categorically states that user segregation must be at the core of a business's day-to-day operation. Some thoughts on how to achieve user segregation are:
- Not every user needs to log on to every computing system;
- Privileged credentials should not be used on regular workstations or servers; and
- Privileged credentials must be segregated and only used on trusted workstations specifically built for administrative tasks.
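The three user-segregation points above amount to a tiering rule that can be checked against logon telemetry: a privileged account should only log on interactively to a trusted administrative workstation, and its network logons to servers should originate from one. The Python below is an added example, not code from the Talos paper: it applies that rule to constructed logon events (modelled loosely on Windows event 4624 fields) and reports the violations. The account names, host names, the `SourceHost` field and the set of trusted workstations are all assumptions made for the sample.

```python
import re

# key=value tokens; a value may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed inventory: privileged accounts and the dedicated admin workstations
# on which their credentials are allowed to exist.
PRIVILEGED_ACCOUNTS = {r"CORP\da-alice", r"CORP\srvadmin"}
TRUSTED_ADMIN_WORKSTATIONS = {"PAW01", "PAW02"}

# Windows logon types that leave reusable credential material on the host:
# 2 = console, 10 = RDP, 11 = cached interactive. Type 3 is a network logon.
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}
NETWORK_LOGON_TYPE = "3"

# Constructed logon events for the example, not real telemetry.
SAMPLE_LOGONS = [
    r"Host=PAW01 TargetUser=CORP\da-alice LogonType=2 SourceHost=-",     # admin on a PAW: fine
    r"Host=WS07 TargetUser=CORP\da-alice LogonType=10 SourceHost=WS07",  # RDP with DA creds to a user workstation
    r"Host=FS01 TargetUser=CORP\srvadmin LogonType=3 SourceHost=PAW02",  # server admin from a PAW: fine
    r"Host=FS01 TargetUser=CORP\srvadmin LogonType=3 SourceHost=WS07",   # same account, but typed on a user workstation
    r"Host=WS07 TargetUser=CORP\bob LogonType=2 SourceHost=-",           # standard user: not in scope
]


def parse_event(line):
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def check_logon(ev):
    """Return a violation reason, or None when the logon respects the tier model."""
    user = ev["TargetUser"]
    if user not in PRIVILEGED_ACCOUNTS:
        return None
    host, ltype, src = ev["Host"], ev["LogonType"], ev["SourceHost"]
    if ltype in INTERACTIVE_LOGON_TYPES and host not in TRUSTED_ADMIN_WORKSTATIONS:
        # The credential is now cached on a host a wiper can reach first.
        return "privileged interactive logon on an untrusted host"
    if ltype == NETWORK_LOGON_TYPE and src not in TRUSTED_ADMIN_WORKSTATIONS:
        # The password or ticket was entered on a host outside the admin tier.
        return "privileged network logon sourced from an untrusted host"
    return None


def tier_violations(lines):
    """(host, account, reason) for every logon that breaks the segregation rule."""
    out = []
    for line in lines:
        ev = parse_event(line)
        reason = check_logon(ev)
        if reason:
            out.append((ev["Host"], ev["TargetUser"], reason))
    return out


if __name__ == "__main__":
    for host, user, reason in tier_violations(SAMPLE_LOGONS):
        print(f"{host:6} {user:16} {reason}")
```

Run over real 4624 data this is a hygiene report rather than an alert: every line it prints is a place where a wiper that lands on an ordinary workstation would find domain-level credentials waiting for it.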
5: Cybersecurity technology stack: Businesses should not trust their digital environment to a single cybersecurity technology. As to why, Ventura repeatedly stated that wiper attacks are designed to detect and evade the prevalent antimalware technology. Organizations need overlapping layers of security so that evading one control does not defeat the whole defense. To build out an organization's cybersecurity technology stack, the author suggests the following:
- EDR technology to reduce time to detect and time to recover from wiper malware attacks;
- Sandboxed execution, which allows security team members to analyze software behavior before allowing it on the company network; and
- Network-level tools, such as intrusion detection systems and intrusion prevention systems, capable of detecting and stopping penetration attempts by adversaries.