WannaCry from the Perspective of AI Driven Network Centric Advanced Threat Protection

May 31, 2017

Many prospects reached out after WannaCry, asking how would the CyGlass AI driven, network centric approach detect and mitigate the effects of the ransomware that took advantage of those systems that had not yet deployed Microsoft patch MS17-010.   Also, how would the proliferation or spreading of the ransomware been limited?

The network centric, advanced threat detection approach would have picked up several suspicious correlated behaviors and elevated their priority in rapid succession.

First, the CyGlass port analysis would have spotted the unusual port 445 activity that exposed the computer to internet directly causing the infection of the WannaCry malware.

From there, lateral movement and critical asset monitoring would have immediately detected when the malware replicated itself and began spreading to other endpoints and servers in the network. This early warning would have helped stop the spread of the malware.

In addition to this, CyGlass would have also detected any calling-home-activities (command & control signaling). If this signaling happens via abnormal DNS tunnelling CyGlass will discover it as well.

Finally, the sequencing and correlation of above events and behaviors into a prioritized “Area of Concern” would have helped security analysts investigate the threat and take remedial action, preventing further spread and containing the damage to fewer computers.

An AI driven, network centric approach like CyGlass is ideal for quickly identifying and correlating the anomalous behaviors which illustrate an evolving threat or ongoing breach. In the case of WannaCry and future cases to come, solutions like CyGlass can play a crucial role in the time to detection and the time to remediation.

Back To Blog
Why CyGlass Product Resources