Preventing malware infections in critical networks

19th November 2018

Simon Whitburn
Senior Vice President Cyber Security Services

One of the most widely-publicised and damaging cyber attacks to hit critical national infrastructure (CNI) in recent years was the WannaCry ransomware attack.

It dominated headlines after striking on 12 May 2017 and was best-known in the UK for the damage it caused to the NHS where it locked out crucial systems based on older, unpatched versions of Windows. WannaCry encrypted the hard disks of affected systems and demanded payment to certain Bitcoin accounts to release the data.

Infrastructures crippled

CNI entities often suffer targeted attacks from various actors trying to gain control of critical assets or cause disruption in what are usually politically motivated attacks rather than criminal campaigns. However, WannaCry was undiscriminating, spreading itself wherever it found a foothold.

CNI organisations reportedly affected included petrochemical firms in Brazil and China; government agencies in India, China, Russia and Romania; telecommunications companies in South Africa, Brazil, Hungary, Saudi Arabia, Portugal and Russia; and transport operations in Germany, the USA and Russia.

Although the intent in this instance appeared to be criminal rather than political, key national cyber security agencies concluded that WannaCry had been developed and released by a North Korean state-backed group, so widespread disruption may have been the ultimate goal. Cyber risk assessment company Cyence initially estimated that worldwide losses would amount to $4bn, before upping that to $8bn a few days later.

Lessons learned

WannaCry exploited a flaw in an underlying messaging system used by Windows operating systems, for which Microsoft had issued patches two months prior to the attack. Systems that were compromised were those that hadn’t been updated regularly, underlining the importance of a cyber hygiene regime that includes regular updates. It also highlighted the difficulties of patching legacy systems, particularly with custom-built equipment controlled by PCs that have become obsolete.

Another important aspect of WannaCry that’s particularly relevant to government and CNI organisations is that cyber espionage played a big part in its development. The mechanism it used to spread quickly around networks had initially been created within the USA’s National Security Team (NSA), which was stolen by hackers who sold it through the dark web.

The crucial learning point here is that it’s not enough for infrastructure organisations to reinforce defences against disruptive attacks; they must prevent data theft and other breaches too. Fortunately, one benefit of Nominet’s NTX technology is that it can spot and block ‘data exfiltration’, a technique whereby data is hidden inside DNS packets so that it can be moved out of the organisation.

When Nominet NTX is used as a key component of a comprehensive cyber hygiene policy, it can help protect critical networks from disruption and data theft.

Detecting and blocking malware

Nominet’s cyber security tools protect the heart of the UK’s internet infrastructure and UK Government bodies from cyber threats already, but how is it achieved?

Nominet’s NTX platform monitors and analyses DNS traffic – the system that converts domain names to numerical IP addresses to direct data and requests to the right places. Organisations have huge numbers of DNS packets flowing through their networks and many don’t have the time and DNS expertise to hunt through it all for the tell-tale signs of malicious activity.

The NTX platform presents the overall health of DNS traffic on a network in a graphical format that highlights problems at a glance. Data can also be fed into a security information and event management (SIEM), where organisations have one.

Malware programs like WannaCry often try to communicate with command-and-control servers and once the addresses of those servers are known, filters can be set up to trap any requests for those addresses. The platform will prevent WannaCry from contacting those servers and identify the IP addresses of contaminated systems so that they can be dealt with.

In addition, the smart heuristics built in to NTX technology detect anomalies that deviate from normal traffic and highlight them immediately to security teams.

Further help and information

For a clear overview of the cyber threats faced by CNI organisations on a daily basis, take a look at our two-minute video that puts everything into perspective.

Cyber Security Challenges faced by Critical National Infrastructure Organisations

Download Here