
Critical System Protection protects IoT against Petya 

Jun 29, 2017 09:34 PM

[Image: petya_blog.jpg]

This screen has popped up on critical infrastructure around the world this past week. Unfortunately, attackers have successfully hit corporations worldwide – this time not only by encrypting important files, but also by encrypting the master boot record, rendering the system unusable.

NotPetya, a variant of the Petya ransomware, has been retrofitted with additional mechanisms to spread to other computers on the same network. The Internet of Things is particularly vulnerable given the fixed-function, and therefore typically unprotected, nature of these devices; the outbreak has halted everything from chocolate factories to energy grids and industrial control systems. The epicenter is Ukraine, but the attack has afflicted 65 countries spanning Europe, Asia, Africa, and the USA.

Machines are infected either through a dropper (a program that installs the malware) or through the malware's worm-like functionality, which spreads it to your computer from an already-infected computer on the same network.

Critical System Protection Protects the Internet of Things

Symantec IoT customers leveraging Critical System Protection (CSP) are protected against both methods. Through the CSP behavioral engine, protected devices already carry a set of least-privilege policies that require every action on the system to be checked against specialized policies, and any action judged abnormal is stopped. Least-privilege policies are incredibly important because they prevent privilege escalation. Privilege escalation is when attackers grant themselves more power on a system or network (e.g. regular user -> administrator), which lets them do more damage. By employing CSP, attackers are prevented from doing this.

CSP has software installation policy restrictions and executable modification prevention, which protect against initial infection via the dropper. This is a form of system hardening, which significantly reduces the vulnerability surface and decreases the likelihood that an attacker will break in. In fact, all three of our out-of-the-box strategies (Basic, Hardened and Whitelisting) will protect against the initial infection.

Petya’s retrofitted spreading mechanisms are clever; they attempt to use stolen administrator credentials with PsExec and WMIC (Windows Management Instrumentation Command-line) to install software remotely. However, even with administrator privileges, CSP prevents infection by blocking the behavior of installing remotely via PsExec or WMIC.

But even if attackers attempt to use other methods to spread, CSP’s network micro-segmentation practice enforces security policies that are specific to each workload. This means that lower-security workloads are not allowed to communicate with higher-security workloads, preventing an attacker from spreading malware to more secure parts of your network if they somehow compromise a device.
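The three controls described above (least-privilege confinement of what a process may do, executable-modification and remote-install blocking that ignores the account's privilege level, and tier-based micro-segmentation of workloads) can be pictured as one small policy engine. The following is an added illustration, not CSP's own policy format or API: the event fields, the policy structure, the host names, tiers and file paths are all constructed for the demo.

```python
"""Toy least-privilege policy engine in the spirit of the confinement model the
post describes.  Added illustration only: nothing here is CSP's real policy
syntax or API, and every path, host and tier value is constructed for the demo."""
from dataclasses import dataclass

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


@dataclass
class Event:
    host: str                # device on which the action is attempted
    process: str             # image performing the action (lower-case basename)
    action: str              # "write", "spawn" or "connect"
    target: str              # file path, child image, or peer host
    is_admin: bool = False   # account privilege; deliberately never consulted
    remote: bool = False     # request arrived via a remote-execution channel


@dataclass
class Policy:
    approved_installers: set   # processes allowed to create or modify executables
    spawn_allow: dict          # process -> set of child images it may launch
    tier: dict                 # host -> security tier (higher = more sensitive)
    block_remote_install: bool = True


def decide(policy: Policy, ev: Event) -> str:
    """Return 'allow' or 'deny:<reason>' for one behavioural event."""
    if ev.action == "write":
        # Executable-modification prevention: only approved installers may touch
        # executable images, regardless of the account's privilege level.
        if (ev.target.lower().endswith(EXECUTABLE_SUFFIXES)
                and ev.process not in policy.approved_installers):
            return "deny:executable-modification"
        return "allow"

    if ev.action == "spawn":
        # Remote install attempts (PsExec/WMIC-style) are refused even for admins.
        if ev.remote and policy.block_remote_install:
            return "deny:remote-install"
        # Per-process confinement: a process may only launch children on its list.
        if ev.target not in policy.spawn_allow.get(ev.process, set()):
            return "deny:unexpected-child"
        return "allow"

    if ev.action == "connect":
        # Micro-segmentation: a lower-tier workload may not open connections
        # into a higher-tier one.  Unknown hosts default to the lowest tier.
        if policy.tier.get(ev.host, 0) < policy.tier.get(ev.target, 0):
            return "deny:tier-violation"
        return "allow"

    return "deny:unknown-action"


# Constructed policy for a small demo network (hypothetical host names and tiers).
DEMO_POLICY = Policy(
    approved_installers={"msiexec.exe"},
    spawn_allow={"explorer.exe": {"notepad.exe", "winword.exe"},
                 "services.exe": {"svchost.exe"}},
    tier={"hmi-01": 1, "plc-gw-01": 3, "corp-ws-07": 0},
)

# Constructed event stream: a dropper writing an executable, a remote install
# attempt with admin rights, a cross-tier connection, and one benign launch.
DEMO_EVENTS = [
    Event("corp-ws-07", "winword.exe", "write",
          r"C:\Users\pat\AppData\Local\Temp\update.exe", is_admin=True),
    Event("hmi-01", "services.exe", "spawn", "remote-svc.exe", is_admin=True, remote=True),
    Event("corp-ws-07", "system", "connect", "plc-gw-01"),
    Event("hmi-01", "explorer.exe", "spawn", "notepad.exe"),
]


def evaluate(policy: Policy = DEMO_POLICY, events=DEMO_EVENTS) -> list:
    """Evaluate every event in order and return the list of decisions."""
    return [decide(policy, ev) for ev in events]


if __name__ == "__main__":
    for ev, verdict in zip(DEMO_EVENTS, evaluate()):
        print(f"{ev.host:11} {ev.process:13} {ev.action:8} -> {verdict}")
```

The point to notice is that `decide` never reads `is_admin`: the dropper's executable write and the remote service install are refused on behavioural grounds, which is what lets a least-privilege policy hold even when the attacker already owns administrator credentials.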

Even with the additional spreading methods implemented beyond those of WannaCry, both pieces of malware can be prevented with Critical System Protection without an administrator, an internet connection, or, in general, any operator involvement. Of particular note is the ability to reliably prevent this attack, as well as future ones, thanks to CSP’s unique approach to securing your devices.

What makes CSP the best fit for IoT endpoint security?

CSP is an ultra-lightweight (<1% CPU) and compact (~20MB footprint) application that can be installed on a Linux, QNX, or Windows machine, with broad compatibility back to Windows 2000. At a high level, CSP learns the behavior of all applications and enacts policies that dictate what applications, files, and programs can or cannot do; this concept is known as confinement, jailing, or sandboxing.

These sandboxing policies are often hand-crafted by the administrator, but can also be profiled automatically using machine learning on hygienic processes – as such, zero-day attacks, unusual memory allocations, or unrecognized network traffic can be prevented on a per-application basis. Of particular note is that this goes beyond application whitelisting, because even if signed malware happens to execute, CSP automatically isolates the process and blocks it from maliciously interacting with any other part of the system.
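To make the profiling idea concrete, here is an added example (not CSP's profiling engine, and with entirely constructed event data and process names) that learns a per-application baseline from clean runs and then flags exactly the three deviation classes the paragraph names: an unrecognized network destination, an unusually large memory allocation, and a process that has no learned profile at all, which is how a signed but unexpected binary ends up isolated rather than trusted.

```python
"""Toy behavioural profiler: learn a per-application baseline from clean
("hygienic") runs, then flag deviations.  Added illustration only; not CSP's
profiling engine.  All processes, peers and sizes below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Profile:
    destinations: set = field(default_factory=set)  # (peer, port) pairs seen while learning
    max_alloc: int = 0                              # largest single allocation seen
    children: set = field(default_factory=set)      # child images launched


def learn(clean_events):
    """Build one Profile per process from events recorded during known-good operation.
    Each event is a dict with 'process' and 'kind' plus kind-specific fields."""
    profiles = defaultdict(Profile)
    for ev in clean_events:
        p = profiles[ev["process"]]
        if ev["kind"] == "connect":
            p.destinations.add((ev["peer"], ev["port"]))
        elif ev["kind"] == "alloc":
            p.max_alloc = max(p.max_alloc, ev["bytes"])
        elif ev["kind"] == "spawn":
            p.children.add(ev["child"])
    return dict(profiles)


def check(profiles, ev, alloc_slack=2.0):
    """Return None if the event fits the learned profile, else a short reason.
    A process with no profile is unknown and is blocked outright, whether or
    not its binary carries a valid signature."""
    p = profiles.get(ev["process"])
    if p is None:
        return "unprofiled-process"
    if ev["kind"] == "connect" and (ev["peer"], ev["port"]) not in p.destinations:
        return "unrecognised-destination"
    if ev["kind"] == "alloc" and ev["bytes"] > p.max_alloc * alloc_slack:
        return "unusual-allocation"
    if ev["kind"] == "spawn" and ev["child"] not in p.children:
        return "unexpected-child"
    return None


# Constructed learning data: a polling process that only talks to two gateways.
CLEAN = [
    {"process": "hmi_poll.exe", "kind": "connect", "peer": "10.0.5.10", "port": 502},
    {"process": "hmi_poll.exe", "kind": "connect", "peer": "10.0.5.11", "port": 502},
    {"process": "hmi_poll.exe", "kind": "alloc", "bytes": 65536},
    {"process": "hmi_poll.exe", "kind": "alloc", "bytes": 131072},
    {"process": "hmi_poll.exe", "kind": "spawn", "child": "logrotate.exe"},
]

# Constructed live events: two normal, then three that should be flagged.
LIVE = [
    {"process": "hmi_poll.exe", "kind": "connect", "peer": "10.0.5.10", "port": 502},
    {"process": "hmi_poll.exe", "kind": "alloc", "bytes": 100000},
    {"process": "hmi_poll.exe", "kind": "connect", "peer": "10.0.5.12", "port": 445},
    {"process": "hmi_poll.exe", "kind": "alloc", "bytes": 64 * 1024 * 1024},
    {"process": "unknown_signed.exe", "kind": "spawn", "child": "cmd.exe"},
]


def run_demo():
    """Learn from CLEAN, evaluate LIVE, and return the verdicts (None = allowed)."""
    profiles = learn(CLEAN)
    return [check(profiles, ev) for ev in LIVE]


if __name__ == "__main__":
    for ev, verdict in zip(LIVE, run_demo()):
        print(f"{ev['process']:20} {ev['kind']:8} -> {verdict or 'allow'}")
```

The `alloc_slack` factor is the only tunable: a baseline learned from a short clean run will under-estimate peak memory, so a small multiplier keeps ordinary variance from tripping the allocation rule while a request tens of times larger than anything observed still does.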

As attackers turn the fixed-function nature of IoT devices against those devices, Symantec Critical System Protection is the answer, pioneering the use of that same fixed-function behavior to deliver unbeatable security in a form factor purpose-built for industrial and embedded IoT devices (industrial control systems, SCADA, DCS) and more.
