FortiGuard Labs Threat Research

Automating Security Operations: What It Takes to Defend Against Something Like WannaCry

By Douglas Jose Pereira | May 23, 2017

A major challenge facing security vendors today is that most solutions and products are developed based on knowledge of previous threats that already exist. This makes many security solutions reactive by their very design, which is not a tenable strategy for facing the volume of new attacks and strategies arising today.

This arms race of identifying new threats, then reacting has been the primary strategy since the dawn of malware: A new virus is identified and then security vendors write the antivirus signature to block it; a polymorphic virus breaks loose and vendors build unpackers and emulators to detect the malicious code.

The biggest problem with this approach is that cybercriminals are attempting to overwhelm security vendors with the sheer volume of new threats and malware variants arising every day, many of which security professionals are unaware of until it is too late.

For instance, the below graphs show the number of attempted hits and worldwide distribution of the secondary exploit used in the WannaCry attack (CVE-2017-0144) that were blocked by Fortinet.

You can see the number of hits spiked to over 7 million and impacted most of the planet within days before trailing off as security firms tightened their defenses and companies updated their software.

Now compare that to the 22 million attempted hits for the DoublePulsar tool that WannaCry used as the primary vector for attack.


That’s nearly 30 million attempted hits within a day for just the two attack vectors used by WannaCry.

Compounding the volume and complexity of today’s threat landscape, security solutions need to continually protect against a growing list of known vulnerabilities, many of which are over a decade old and are still being successfully exploited.

Ultimately, organizations need to consider a new approach to their cybersecurity strategy – one that provides layered defenses capable of spanning the entire attack surface and automates traditional defensive measures with highly integrated and advanced proactive security systems.

WannaCry is a prime example of an automated and devastating malware variant that provides insight into what it takes to successfully defend today’s networks against cyber outbreaks. As such, below is a high-level overview demonstrating the various ways that the Fortinet Security Fabric integrates and automates multi-layered protections to defend organizations from both existing and novel attacks like WannaCry:

  • Advanced Threat Protection: Previously unidentified threats like WannaCry are flagged and analyzed for suspicious behavior, enabling the Security Fabric to automatically stop breaking threats. Working together as an integrated whole – FortiGate, FortiClient, FortiSandbox, FortiMail, and FortiClient can identify, monitor, and block new threats and proactively share the protections with the rest of the security solutions across the infrastructure.
  • Intrusion Prevention Systems: WannaCry leveraged the known Doublepulsar backdoor to gain access to the networks and bypass edge protections. FortiGuard IPS signatures stop exploits like this before they are used to compromise the network edge.
  • Internal Segmentation: Any devices infected outside of the organization’s security infrastructure and then connected to corporate networks could act as a Trojan horse, enabling malware to attempt to spread laterally throughout the organization. Internal Segmentation Firewalls contain the infection and enable security teams to act on these “Trojan devices” so they can’t contaminate the rest of the network.
  • Security Information and Event Management: FortiSIEM’s File Integrity Manager automatically tracks changes made to files on infected devices and systems, both inside and outside of the network architecture. This means that as WannaCry starts to encrypt files, FortiSIEM can automatically flag these file changes so they can be acted upon.
  • Application Controls: As WannnaCry attempts to reach out to its Command and Control servers over TOR for instructions, App Controls cuts off communication and break its ability to perform additional tasks.
  • A Total Security Fabric: All of the threat data gathered from Security Fabric components are processed and redistributed, enabling the Security Fabric to dynamically generate and automatically apply local and global threat intelligence to the organizations’ entire security infrastructure. This dynamic integration also provides a total view of the organizational environment, enabling security teams to quickly pinpoint and act upon any indicators flagged by any of the systems mentioned above.

Given the growing sophistication of cyberattacks, it is easy to understand that within a couple of years it will be impossible for a business to have an online presence without building a full-fledged security architecture from the ground up.  Such an architecture must integrate the operational, security, and performance diagnosis of the environment, baseline those behaviors, use that intelligence to look for anomalies, and exchange local and global threat intelligence to automatically identify threats within the environment.

The Fortinet Security Fabric can deliver this defense-in-depth for a wide range of operating systems, applications, networks, and business. And in the near future, Intent based security will make sure that whatever protection the business needs, it will get - securely delivered, accountable, traceable, and with the integrity of the data untouched. And in the case of a breach, the ability to understand where and how you were successfully attacked and learn from that exposure to make critical adaptations is crucial so that the time to detect, analyze and respond can be decreased every time, especially for repeated attacks. Threat Intelligence platforms must be able to work together to deliver "data illumination,” leveraging a broad security fabric framework that can pinpoint specific high priority events, coordinate actions to mitigate that attack, and then automate those actions for ongoing protection.

For more on WannaCry see other Fortinet Perspectives:

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.