Hacker's Playbook Updated with WannaCry Methods

SafeBreach Labs Bulletin

SafeBreach Labs has updated the Hacker's Playbook™ with simulations for WannaCry. Customers can use these simulations to safely test their security controls against the specific tactics and techniques used in this recent campaign.

The WannaCry ransomware exploits a Windows vulnerability and propagates over TCP port 445/SMB. We encourage all security teams to patch MS17-010, disable the SMBv1 protocol, and ensure updates for WannaCry are are up-to-date on all security products.

To assess security control effectiveness against WannaCry, the SafeBreach Continuous Security Validation Platform specifically tests the following endpoint and network security controls:

Playbook #1293 - Transfer via HTTP/S

• Inbound network scanning - Is the WannaCry malware (and related command and control traffic) being stopped at the email/secure web gateway?

Playbook # 1292 - Drop to Disk

• Host/Endpoint security and antivirus - Does your endpoint security/antivirus product prevent local installation of WannaCry?

Playbook #1294 - Exploiting the vulnerability [MS17-010]

• IPS or internal scanning tool - Does your IPS or other internal scanning tool stop the lateral movement and propagation of this worm over the specific ports and protocols in use (445/SMB)?

The SafeBreach Hacker's Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.