How to Detect SMBv1 on Your Network

I was inspired to post this after an interaction with infamous SMBv1 slayer Ned Pyle on Twitter.

Ned was kind enough to share my previous blog post, a review of ExtraHop. I figured the SMBv1 feature itself is worthy of it's own post and so here it is!

I had the good fortune of being an ExtraHop customer when WannaCry was destroying techies weekends around the world. If you are an IT Pro, you'll likely remember that Friday and the trail of devastation it left. I have talked about it with many techies who relayed stories of working all weekend patching their systems and setting up war rooms to quickly deal with a possible breach.

For many it exposed the difficulty in deploying patches quickly, the harm of not patching timely enough, a lack of follow through with patching compliance and the lack of real time detection of a breach.

I was in a meeting when the question was posed. "Do we have anything that can show us what in our organization uses SMBv1?". Having spent a lot of time in ExtraHop's dashboards I remembered there was an SMB metric for both server and client side SMB traffic.

I took a look but unfortunately there was no way to identify the specific versions of SMB traffic. I reached out to one of ExtraHop's Rockstar SEs, Paco and he got the ball rolling.

 

Within a couple of hours, we got it! A simple SMBv 1 Servers and SMBv 1 Client dashboard. We could set a time range and plot out exactly how much SMBv1 traffic was in our environment. We could also drill into the traffic and identify the exact servers and clients with this traffic.

The bundle for this is available for download HERE. If you are an ExtraHop customer, get it now! I was recently told it is now one of the most popular bundles available from ExtraHop, which is pretty cool!

We also got a new Ransomware detection for WannaCry based on it's characteristics. We got these quicker than an Anti-Virus definition from our AV vendor.

If you are not familiar with ExtraHop, they are in the business of wire data analytics. They sniff every packet that traverses your network. Go ahead and read my review to get a greater sense of what that means and gives you but in short, relative to WannaCry it was our only true source for real time info on:

1.) What on our network used SMBv1

2.) Conclusive data to determine what impact would disabling SMBv1 have on our business

3.) Immediate detection of a WannaCry breach allowing us to quickly stop any potential spread

I was lucky to get a demo of ExtraHop's latest security offering Reveal(x) at Citrix Synergy this year. They have built on top of their great work to provide even greater value and visualization of your enterprises health and security. ExtraHop can benefit every single IT department. I am a really big fan.

By the way, if you'd like to see a list of products which require SMB v1. Ned has that cover, you can find that HERE.

Sponsors

Rory Monaghan

Microsoft MVP,  Citrix CTP,  VMware EUC Champion & vExpert. 

Partners