Organisation & Compliance
This is what happens in a SOC

Review: WannaCry

You have been hacked!
2017: The “WannaCry” ransomware was probably the biggest cyber attack in history. More than 230,000 computers in 150 countries were hacked. What happens in a Security Operations Centre (SOC) during such an attack? We show each step using WannaCry as a real-life attack.
  • March

    Microsoft publishes the patch MS17-010 to resolve the relevant security issue.
    The SOC analysts inform their customers about the availability of the new patch and ask customers to patch.
  • April

    The customers' networks are regularly scanned for vulnerabilities. The SOC now knows which customers have already patched and which have not. All customers that have not yet patched are reminded to do so.

  • 12th of May – Friday afternoon

    The WannaCry attack starts and spreads to 99 countries within a few hours.
    The SOC team contacts all customers.
  • 13th to 14th of May – Saturday, Sunday

    WannaCry spreads further: the combination of “worm” and ransomware reaches 150 countries.
    The specialists in the SOC stay in contact with the people responsible for IT security at their customers. A free-of-charge extra network scan is offered. All customers make use of this offer.

  • 15th to 16th of May – Monday, Tuesday

    The regular working week starts. All systems of all customers are running reliably and without any problems. The people responsible for IT security also start their week smoothly.
  • Result

    More than 230,000 PCs were infected.
    No customer of RadarServices experienced problems with WannaCry, thanks to the early detection of the vulnerability and the sustained monitoring of patches. Moreover, extra scans during the weekend provided extra security and peace of mind.
