15 May
What does ClassiDocs do in the case of a WannaCry?
Defence against such a nefarious agent or actor is difficult, especially if you are behind on your patching (or running unsupported Operating Systems). Putting aside those concerns for now, just what do you do when/if this happens to you?
I’ve always said (during my consulting and Enterprise Cyber Security gigs) that your response is just as (or more) important than your prevention activities. A properly structured security organization has both sides documented, tested and ready to roll – how to protect against the inbound threat, and assuming it gets in, what do you do then?
Same goes for any major IT action (Disaster Recovery, for example, comes to mind) – your reaction and plan to move forward is as important as the initial planning.
So, will ClassiDocs ‘block’ malware/ransomware/viruses? No, it will not. We made a conscious decision to leave that part of the puzzle to folks who are much better at it than we are.
Ok, so – what do you do then? Well, we follow the path of ‘what do you do when/if it happens?’. In this case, we provide an early warning system to the folks that care about nefarious activities.
These ransomware attacks primarily wreak havoc by encrypting files that you are using/need, and holding them hostage for money/bitcoin. I have a soft spot in my heart for healthcare providers specifically, and they have taken the brunt of these attacks. In my mind, any dollar that isn’t going into patient care is a dollar wasted, so I am motivated by that.
While we were working with one hospital provider (who had not been hit yet, but had it high on their concern list), I worked with development and said, “Hey, if we’re already on the endpoint machines, and the servers – and we’re watching files whiz by all day long classifying them – can’t we tell when they are encrypted or otherwise unreadable?” (indicating either someone is encrypting files by hand – plausible, or a system/process is mass encrypting files – ransomware primarily).
The dev team swung into action and a day later I had my panel! So, with ClassiDocs today, out of the box – not an option or an add-on – an administrator can set a threshold (these days I would recommend 1-3%) of the number of files encrypted before firing off alerts and ‘doing something’. So in this case, when our agent sees that more than 1% of the files we scanned a few minutes before are no longer readable (indicating encryption), we will execute a command on the PC (disconnect from network, force logoff and shutdown, for example) AND fire off alerts to the SIEM agent in place that this workstation failed the threshold and someone should definitely look things over.
Maybe a little aggressive sometimes :). However, we feel that is justified in this environment, and administrators are free to select whatever happens (maybe it’s just an alert, maybe something else) – at the end of the day, we see something strange going on, and we did something about it. This covers desktops, laptops, Win10 tablets and of course servers.
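To make the threshold logic above concrete, here is an added example (not ClassiDocs’ code) of the two-scan comparison: files that were readable on the previous pass but are unreadable now are counted against the baseline, and crossing the administrator’s 1% threshold produces a SIEM event carrying each file’s last-known classification plus the chosen endpoint actions. It assumes a byte-entropy cut-off as a stand-in for “the classifier could not parse the file”, and the file contents, paths and ‘PHI’ label are constructed sample data.

```python
import math
from collections import Counter

# 1% of previously readable files turning unreadable (the post's recommended floor).
ALERT_THRESHOLD = 0.01

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_readable(data: bytes, max_entropy: float = 6.5) -> bool:
    """Assumed stand-in for 'the classifier could parse it': an entropy cut-off."""
    return shannon_entropy(data) < max_entropy

def evaluate_snapshots(previous: dict, current: dict):
    """Compare two {path: bytes} scans. Only files readable last pass form the
    baseline, so pre-existing archives or encrypted blobs do not inflate the ratio."""
    baseline = [p for p, d in previous.items() if looks_readable(d)]
    newly = [p for p in baseline if p in current and not looks_readable(current[p])]
    return (len(newly) / len(baseline) if baseline else 0.0), newly

def decide_response(ratio: float, newly: list, labels: dict, threshold=ALERT_THRESHOLD,
                    actions=("disconnect_network", "force_logoff", "shutdown")):
    """SIEM event plus the administrator-chosen endpoint actions, or None if under threshold."""
    if ratio <= threshold:
        return None
    return {"event": "mass_encryption_suspected", "ratio": round(ratio, 4),
            # last-known classification of each hit file, so the analyst knows what it was
            "files": {p: labels.get(p, "unclassified") for p in newly},
            "actions": list(actions)}

def build_snapshots(n_encrypted: int, total: int = 200):
    """Constructed sample: `total` text files; `n_encrypted` of them are replaced by
    high-entropy bytes in the second scan, standing in for ransomware output."""
    text = b"Patient intake note: blood pressure normal, follow up in 6 weeks.\n" * 20
    encrypted = bytes(range(256)) * 4  # uniform byte histogram, entropy exactly 8.0
    previous = {f"C:/share/record_{i}.txt": text for i in range(total)}
    current = dict(previous)
    for i in range(n_encrypted):
        current[f"C:/share/record_{i}.txt"] = encrypted
    return previous, current, {p: "PHI" for p in previous}

if __name__ == "__main__":
    prev, cur, labels = build_snapshots(n_encrypted=3)
    ratio, hit = evaluate_snapshots(prev, cur)
    print(decide_response(ratio, hit, labels))  # 3/200 = 1.5% > 1%, so the event fires
```

With one file changed out of 200 (0.5%) the same call returns None, which is the false-positive headroom the 1-3% recommendation is buying.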
We feel this is a great second line of defence for the organization, and pretty simple to implement. We are the only vendor in the Data Classification space that allows administrators to selectively action orchestration or integration from other platforms based on data conditions – by far. We cover the desktop side and the server side – again something no one else does!
PS: Even if no ‘action’ is taken on the PC itself, the administrator will know what files were encrypted, and what they were classified as last time. This gives them a good understanding of just what was encrypted – and maybe whether they should care. Again, a unique and unreplicated solution in the marketplace.