TAMPA, Fla., May 17, 2017 — ReliaQuest, a leading provider of IT security solutions, has made available its WannaCry threat-detection content package for a number of security tools. This content, made up of specialized security rules and alerts, is designed to help organizations detect potential indicators of compromise related to this recent ransomware attack or potential copycats.
This content was developed by the ReliaQuest Threat Management team to alert on known behaviors of this specific ransomware within the most commonly used security tools. The first rule detects domains associated with the WannaCry attack, and the second looks for telltale outbound Server Message Block (SMB) traffic using port 445. The content is available, with instructions for each technology, for SIEMs such as ArcSight, LogRhythm, McAfee, QRadar and Splunk, as well as other security technologies including Carbon Black and Snort.
As part of ReliaQuest’s co-management offering, the company began deploying custom versions of this content into its customers’ security environments as soon as news of the WannaCry attack broke on Friday, May 12. This action enabled early detection of ransomware traffic, allowing security teams to take quick action to mitigate its spread. In addition to these detection measures, ReliaQuest recommends implementing specific prevention measures, such as patching MS17-010, disabling SMB v1, and blocking port 445 from the internet.