(This post is part 2 of 2. Yesterday we wrote about the unfair fight between attackers and defenders. Today: simple tools and techniques.)
If you WannaCry after this weekend's explosion of worm-ridden ransomware afflicting healthcare providers, go ahead; you're not alone.
The good news is that there are concrete steps you can take to assess your organization's level of exposure to WannaCry a
nd the vulnerability it exploits. In this post, we'll share some free, basic tests you can perform using tried-and-true open-source tools. We sell fancy tools to collect and assess networked clinical device inventory, but as technologists and IT administrators ourselves, we're always inclined toward whatever tools get the job done fastest. In this post we'll cover a simple set of tests that you can start running in under a minute.
Good Old Nmap
If you're the person tasked with finding WannaCry vulnerabilities in your clinical network, we'll assume you already know what Nmap is. Let's use it to find some devices that are running vulnerable versions of Windows!
Step 1: "Hey, U Up?"
The WannaCry worm uses TCP port 445 to propagate itself, so the first thing to do in our search for potential targets is look for hosts that listen on this port. Here we point Nmap at a single host, 172.16.128.155, but we could just as well specify a network like 172.16.128.155/24.
Yep, that host is listening on port 445, so it merits closer investigation.
(What just happened: -Pn tells Nmap to skip a "discovery" check that may falsely exclude hosts that are up but don't respond to ping; -p445 tells Nmap to check only TCP port 445. On clinical networks, we try to tread as lightly as possible because fragile legacy devices hate being snuck up on. When used in exactly this manner, Nmap sends just enough data to the remote host to know whether it's actually listening on port 445.)
Step 2: Nmap has Plugins?
Most casual users of Nmap don't know that it comes with a script interpreter that makes Nmap endlessly extensible. The programmer who literally wrote the book on Nmap scripting recently added (and has been updating) an Nmap script for testing MS17-010 to his GitHub script repository. We'll use that script to test the same host as above.
Get the script (along with others):
$ git clone https://github.com/cldrn/nmap-nse-scripts.git
$ cd nmap-nse-scripts
Step 3: Test and Repair
Code in hand, we then run the script called smb-vuln-ms17-010 to perform the test. Uh-oh:
And there you see it: this host is vulnerable to WannaCry. No thank you!
By now you know the remediation for this particular vulnerability: patch Windows if you can. If you've found your way to a medical device, contact your manufacturer rep to insist on their documentation related to WannaCry. (Questions include: what compensating controls do they recommend? Are you allowed to update it yourself?)
Fast forward an eon. Here's how the same machine looks to Nmap after Windows updates:
Ah, much better.
Next Steps: Go Beyond Basic
We love Nmap, but one-shot investigations using Nmap from the command line don't easily scale across huge, diverse populations of clinical devices. If you're using BlueFlow, you can filter your entire labeled asset population by manufacturer, model, tag, prior risk score, owner, location, and other fields, then launch a targeted probe for only those devices: "Tell me if any of my PACS systems sold by Manufacturer X are vulnerable to WannaCry." "Test all hosts in clinic Y that we've tagged as containing ePHI."
Many other tools — e.g., all commercial vulnerability scanners — have WannaCry tests too. We recommend deploying a clinical-aware, network-centric inventory system like BlueFlow before fully embracing unconstrained vulnerability scanning, so that you always know what you're pointing that thing at. BlueFlow™: Know What You're Pointing That Thing At.