It’s been over a week since the WannaCry ransomware attack that affected the UK’s NHS and yet again it brings into sharp focus the woeful levels of IT security across our public institutions.

The press is full of stories of “viruses” and “worms” rampaging through networks – generally accompanied by a fatalistic acceptance that there’s little we can do to stop it. The truth is very different. But, it depends upon a change in thinking and a willingness to put the money into the right things.

If we look at the way ransomware attacks work, it’s clear that it’s a multi-stage process. For example, a small payload hits the network – maybe from an attachment to a mail or through a web link. Often, the initial payload looks innocuous and is, therefore, not recognised by traditional AV/AM systems.  The payload then “calls home” and pulls down the really damaging stuff.  Very often, the initial payload then deletes itself.  The main payload then goes to work.  This can involve starting new processes, duplicating applications, side-loading dlls and searching for other vulnerable devices.

At this point, the network (and system(s)) is compromised and most (if not all) network based security tools are blind to what’s going on.  There are no signatures to match, no known URLs to block, no clue.

Let’s take a step back here and look at what is really happening.  The payload (ransomware) has to make certain changes and do certain things to be effective.  It is well known that there are many things that malware can do in order to compromise a system.  Generally, several of these things in concert are required for success.

So, instead of trying to identify the payload and block it at source, just stop it doing anything.  The payload then becomes irrelevant.  Focus on the actions it’s trying to take (which the compromised system usually wouldn’t take) and stop them.  This is what behaviour-based security is all about and there are numerous solutions available today that do just that – extremely well.

On a personal note, I witnessed a demonstration of a commercially available product that easily stopped a ransomware attack. When we looked into the details, there were 17 steps in the “kill chain” that the ransomware had to successfully complete. You only have to stop one of them to prevent successful compromise.

In summary, if you can’t upgrade your operating systems from XP (or similar) because it’s (say) embedded in the MRI scanner or PoS terminal or you have little resource to manage system patching, then behaviour-based security is certainly one of the optimal methods of securing your environment.