KNOW THE UNKNOWN®
Success Story: WannaCry Ransomware
WHITE PAPER

Challenge: Stopping a Worm & Saving Millions

Worms like WannaCry and Petya (the June 2017 variant usually called NotPetya) operate as essentially zero-day attacks: they can lie dormant on our networks and then rapidly spread between devices upon waking up. The consequences of being hit by one are dramatic: precious data is either ransom-locked or wiped and thus often irrecoverable. This means millions lost in data, restoration fees, public relations, and shareholder confidence.

When FedEx was hit by Petya, for example, its subsidiary TNT Express experienced “widespread service delays” and was unable to “fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus.”[1] Shares in the company dropped 3.4% in the wake of the attack.[2]

Consumer goods giant Reckitt Benckiser lowered its full-year revenue growth target by 1% due to the same attack. The company’s CEO said around 500 systems, 2,000 servers, and 15,000 laptops were affected by the virus, which took a mere 45 minutes to 1 hour to propagate. Company shares dropped 3% following this announcement.[3]

A similar attack on Erie County Medical Center (ECMC), a hospital in Buffalo, NY, took down 6,000 computers and forced staff to rely on paper charts and face-to-face messaging. By the hospital’s own admission, remediation costs totaled nearly $10 million.[4]

Losses to companies have hit hundreds of millions of dollars. Networks infected by such worms suffer widespread service and business disruption, staff inefficiencies when calendaring systems go offline, and large-scale data loss when work, emails, and notes are wiped out. Such costs will only continue to mount, because new cyber threats and vulnerabilities are found continually. Not long after the WannaCry and Petya attacks, for example, Microsoft announced a newly discovered vulnerability affecting all versions of the SMB protocol, threatening nearly every enterprise across the world.[5]

The most difficult challenge with these worms is finding them and halting their spread before such massive damage is done. They leave very little trace of their entry before they wake up, making it incredibly difficult to spot a WannaCry attack before it takes place. And once the attack begins, their spread is extremely fast and can take down huge portions of a network within a single day.

Even the most recent of these attacks, like WannaCry and Petya, still echo the basic principles of past worms, and as such they are both preventable and stoppable. During the Code Red, Nimda, and ILOVEYOU attacks of the early 2000s, businesses that had invested in a NIKSUN-like solution were able to run a rapid report to get a list of all infected devices and cut them off from their network. Instead of thousands of machines being affected, they were able to resolve the incident with minor losses of hundreds of machines or fewer. This process takes only a few minutes and thus could have saved Reckitt Benckiser from its hour-long attack.

Total, 100% visibility is simply the only way to stop these worms from becoming too damaging. It not only makes the worm trackable and stoppable as it spreads, it can even allow you to discover it while it is sitting dormant. With a holistic view of your network, you can find out exactly where a worm is and where it is spreading to, so that it can be removed from your network.

There is no other way to get this information. Just as the CDC needs to know who has a virus and where they are located so that it can quarantine them to stop its spread, administrators need a full view of the network to find and resolve malware incidents. The same 100% visibility is needed to conduct a thorough ex-post investigation to understand who let malware onto your network, when and where it happened, and how it took place, so as to better protect your assets in the future.

While many businesses are not proactive in protecting themselves from such threats, those that are save themselves from massive losses. Cyber attacks are a real, known problem with widespread consequences. Taking the steps necessary to detect and resolve incidents is absolutely critical to ensuring your company stays afloat.

Why Do Cyber Threats Persist Despite Significant Investment to Counteract Them?

The fundamental reason that many cyber attacks still get through is that all traditional security sensors still rely upon known vectors. While many solutions claim to supply us with “all the data,” it is important to ask whether it is really “all of it” or just “all of that which they are aggregating.”

For example, log aggregation solutions may suggest “we have all the data” and, indeed, they can supply us with every log that has been written. However, let us think about how the logs are generated in the first place. In the example of a computer, the logs that are generated result from someone having decided what is important to log. Logging is fundamentally restricted by some input that dictates what to log and what not to log.

The same problematic input is required in event data collection. Someone, or some configuration, has determined the conditions under which an event is generated. SIEM tools then collect all these events and present them to the user for analysis. So yes, they do have “all the data,” but only if the definition of the data is “all events.”

Similarly with flow data, someone has determined which flows to record and how much metadata to include in each flow record. Inevitably, when we implement a solution where we believe we have “all the data,” we need to understand whether it is “all” or merely some subset of the greater “all.”

It should now be clear how zero-day attacks succeed. We may think we have “all the data,” but we are actually only given “all the logs or events” that we are collecting. Hackers, or to be precise crackers, know that this is what we are doing. They design their attacks to go around the visibility that we have into logs and events. In other words, they find a way around these known methods by operating in the “dark” parts of our networks.

So how can we succeed here? In order to understand what solutions might actually work, we can turn to the physical world for some insights. In this realm, for example, buildings have access logs. Collecting all access logs may lead us to conclude that we have “all the data,” but in reality it is not sufficient to prove who did what, when, where, and how. While access logs may help us look for a correlation between when someone entered and what occurred, such a task often requires a supremely time-consuming investigation and yet can never be 100% definite if multiple personnel match our search criteria.

If a robbery takes place, how can we know, without a doubt, that a particular individual is responsible? How can we prove what they did, when, where, and how they did it? The answer to this is to place security cameras
any incident that has taken place, we can also watch video feeds in real time and stop security breaches as they occur. In fact, we can also set up image-processing software that looks for patterns and behaviors, sends out alerts, locks doors to trap the intruder, and more.

So the obvious answer to our problem of stopping and investigating cyber threats, including even zero-day attacks, is to create something like a security camera that watches over every transaction. This is exactly what NIKSUN has been doing and perfecting for over two decades. NIKSUN integrates full (or partial, if required for privacy, etc.) packet capture with complete analytics at the packet and session layers and all the way up to the application layer. With NIKSUN, zero-day attacks cannot be hidden from surveillance, because it has already captured all actual activity of the malware. The malware has no way to avoid being captured if it is deposited via the network or if it conducts any activity on the network.

Metadata, flow data, malware, and APT analysis, as well as anti-virus programs and system patches, have proven insufficient on their own to combat such attacks. While such tools are useful in their own right (and all of these types of analysis are also included in NIKSUN’s solution suite), they cannot provide answers to unknown threats that operate in the “dark” part of your network, the part that we aren’t collecting logs and events about. Such analysis can only be done with prior knowledge, so zero-day attacks and worms which hide under the typical radar are not easily detected and resolved. Anti-virus programs also rely on having the signature of an attack before it occurs, while system patches are only a retroactive fix and cannot find malware that was deposited while the doors were open.

Given that NIKSUN has the ability to record a vast amount of information, the question becomes whether we can find the information we are looking for quickly. If we were to take continuous, 24/7 footage of a vault, for example, it would be useless without being able to search through it easily to find notable events. This fundamental difficulty is exactly what NIKSUN has solved and why it is the pioneer and industry leader in this space. NIKSUN’s singular mission is to record all data at the highest rates without dropping a single packet while at the same time indexing all the data in real time to allow extremely fast searching.

But can anyone, not just heavily specialized cybersecurity experts, use such a tool? Over the course of its existence, NIKSUN has made this possible as well.
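The “rapid report” of infected devices and the CDC-style contact tracing described above can be illustrated on per-connection records. The following Python is an added example written for this page; it is not NIKSUN’s code and assumes nothing about NIKSUN’s products or export formats. It assumes only a list of per-connection records (timestamp, source, destination, destination port, whether the TCP handshake completed) of the kind session reconstruction from a packet capture yields; the records below are constructed. It flags hosts showing worm-like fan-out on 445/tcp (the SMB port WannaCry spread over), then attributes each flagged host to the earliest established inbound 445/tcp connection from a host that was already sweeping, producing both the quarantine list and the who-infected-whom timeline for the ex-post investigation.

```python
"""Contact-tracing a network worm from per-connection records.

Added illustration for this page; not NIKSUN code. Record layout and the
sample network are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    ts: int            # seconds since start of capture (constructed)
    src: str
    dst: str
    dport: int
    established: bool  # True if the TCP three-way handshake completed


WORM_PORT = 445        # SMB over TCP, the port WannaCry propagated on
FANOUT_THRESHOLD = 5   # distinct destinations on WORM_PORT within WINDOW
WINDOW = 60            # seconds; thresholds are site-specific assumptions


def find_scanners(conns: List[Conn], port: int = WORM_PORT,
                  threshold: int = FANOUT_THRESHOLD,
                  window: int = WINDOW) -> Dict[str, int]:
    """Return {host: ts_sweep_began} for hosts that contacted at least
    `threshold` distinct destinations on `port` inside a `window`-second
    sliding window. Failed handshakes count too: a worm probing address
    space leaves mostly unanswered SYNs. Only outbound fan-out is counted,
    so a busy file server receiving many 445/tcp connections is not flagged.
    """
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        if c.dport == port:
            by_src[c.src].append(c)

    scanners: Dict[str, int] = {}
    for src, lst in by_src.items():
        lst.sort(key=lambda c: c.ts)
        seen: Counter = Counter()   # distinct destinations in the window
        left = 0
        for c in lst:
            seen[c.dst] += 1
            while c.ts - lst[left].ts > window:   # slide the window forward
                old = lst[left].dst
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) >= threshold:
                scanners[src] = lst[left].ts      # first event of the sweep
                break
    return scanners


def trace_infections(conns: List[Conn], scanners: Dict[str, int],
                     port: int = WORM_PORT) -> Dict[str, Tuple[Optional[str], int]]:
    """Attribute each scanner to the earliest *established* inbound `port`
    connection from a host that was already sweeping at that moment and
    before the victim itself began sweeping. Returns {victim: (source, ts)};
    a victim with no such connection is a patient-zero candidate (None)."""
    chain: Dict[str, Tuple[Optional[str], int]] = {}
    for victim, start in scanners.items():
        hits = [c for c in conns
                if c.dst == victim and c.dport == port and c.established
                and c.src in scanners and c.src != victim
                and scanners[c.src] <= c.ts < start]
        if hits:
            first = min(hits, key=lambda c: c.ts)
            chain[victim] = (first.src, first.ts)
        else:
            chain[victim] = (None, start)
    return chain


def quarantine_list(chain: Dict[str, Tuple[Optional[str], int]]) -> List[str]:
    """The hosts to cut off the network, sorted for the report."""
    return sorted(chain)


def timeline(chain: Dict[str, Tuple[Optional[str], int]]) -> List[Tuple[int, str, Optional[str]]]:
    """Infection order as (ts, victim, source) for the ex-post investigation."""
    return [(ts, victim, src)
            for victim, (src, ts) in sorted(chain.items(), key=lambda kv: kv[1][1])]


def constructed_records() -> List[Conn]:
    """Constructed sample capture: ten clients mount a file server (fan-in,
    legitimate), then a three-hop worm outbreak on 445/tcp."""
    recs: List[Conn] = []
    for i in range(10):   # normal business traffic, one SMB mount each
        recs.append(Conn(10 + i, f"10.0.2.{i + 1}", "10.0.0.5", 445, True))
        recs.append(Conn(12 + i, f"10.0.2.{i + 1}", "93.184.216.34", 443, True))
    for k, last in enumerate(range(11, 18)):   # patient zero wakes at t=100
        recs.append(Conn(100 + 3 * k, "10.0.1.10", f"10.0.1.{last}", 445, last == 12))
    for k, last in enumerate(range(20, 27)):   # .12 starts sweeping at t=130
        recs.append(Conn(130 + 3 * k, "10.0.1.12", f"10.0.1.{last}", 445, last == 22))
    for k, last in enumerate(range(30, 37)):   # .22 starts sweeping at t=160
        recs.append(Conn(160 + 3 * k, "10.0.1.22", f"10.0.1.{last}", 445, False))
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    chain = trace_infections(recs, find_scanners(recs))
    print("Hosts to quarantine:", quarantine_list(chain))
    for ts, victim, src in timeline(chain):
        print(f"t={ts:>4}s  {victim} began sweeping 445/tcp; "
              f"infected by {src or 'unknown (patient zero candidate)'}")
```

Two caveats a practitioner would apply before running this against real data. First, fan-out on 445/tcp is one behavioral indicator, not proof: vulnerability scanners and endpoint-management servers legitimately touch many hosts on that port and need an allow-list, and the threshold and window must be tuned to the site. Second, these are session-level records, which, as the paper itself argues about flow data, are a subset of “all the data”; confirming that a given connection actually carried the exploit requires going back to the captured packets.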