My first day in a SOC made me WannaCry

In the time I’ve been at GDT, I’ve had 3 different roles, and the training for all two of those was relatively uneventful. First I was a networking intern with GDT Labs, where the training was just following another engineer around and learning what he did. Then I was an associate network engineer and the training was the exact same as  when I was an intern.

Then came my training to be an engineer within GDT’s brand new Security Operations Center (SOC). If you want to visualize my job, this is the room I sit in. Trainings are supposed to be boring, but the very first day I started, the world was hit with a cyber attack unlike anything we have never seen before.

Enter Player Two: WannaCry

For the uninitiated, WannaCry is a ransomware attack that burned through computer systems all through Europe and the US. The worm spread from computer to computer, using an exploit created by the NSA, encrypting the user’s files and demanding payment to unlock the computer. The total losses are expected to top $4 billion.

When the attack first hit, I was being taught how to use our monitoring interface, which alerts us when things start to go wrong. I changed a setting to make the text smaller, and suddenly alarms started pouring in from almost every network we monitor. TCP 445 SMBv1 suspicious traffic detected”. The words popped up on every alert, we had no idea what was going on.

I didn’t know it yet, but I was about to get the greatest tutorial on risk mitigation in the history of the world. The senior security engineer took one look at the monitoring tool and immediately got to work, explaining every step to me. First, he asked “how are we affected?” and I didn’t know the answer to that. The biggest thing we needed to know was where our vulnerability was. What are our indicators of compromise? How do we detect which devices have been affected?

The key is to remain calm. If you panic, you’ve lost. We start from the beginning, how did this get into our network? How is it moving through the network? How do we prevent it from moving? How can we identify which files are malicious?

Once we followed the cyber kill chain all the way through, we came up with a plan to stop the attack (block internet port TCP 445, temporarily block internal network transmission on TCP ports 445, apply security patches), and a plan to fix the devices that had been affected (restore from nightly backups). We also blocked internet traffic from the known command and control servers (as reported by malware researchers at Talos).

What did I learn from this?

First, I learned that I prefer the chaotic unexpected training. There is just so much more to learn when you’re getting your hands dirty.

Second, InfoSec is a community, and in times of major worldwide cyber-crisis, Twitter is your prime source of information (but only if you’re following reliable resources).

Third, the NSA sucks for not disclosing these vulnerabilities before they were stolen by the Shadow Brokers.

Last, PATCH YOUR COMPUTERS. The subsequent NotPetya attack took advantage of people that didn’t patch their devices after the WannaCry attack, and it was not as easily stopped.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.