On Friday, a ransomware attack called WannaCry struck hundreds of thousands of computers around the world. The ransomware works by encrypting data on a computer, threatening to delete files and records if the victim does not pay $300 within seven days. The attacks were widespread, and included hospitals, railways, telecommunications companies, international couriers and governments.
The spread of the attack was eventually halted when a U.K. security researcher, MalwareTech, registered a domain intended to help track the malware; the domain turned out to act as a kill switch. The vulnerability exploited was one that had been identified by the National Security Agency (NSA) and leaked last month by a group called the Shadow Brokers. However, organizations already hit by the ransomware remain unable to access key information, and there is evidence of similar campaigns. These do not respond to the same kill switch, and are likely to infiltrate organizations more stealthily than WannaCry.
MalwareTech may have given us a respite from this attack, but what can we learn from it, and what can we do to guard against the inevitable future attacks of this nature?
Jonathan Care, research director at Gartner, offers three suggestions:
- Stop blaming. Although it’s tempting to point fingers at others, one of the key stages of incident response is to focus on root causes. Hindsight is always 20/20, and picking apart why systems were not migrated does not dig you and your enterprise out of the mire right now. Windows XP, a system that has been hit hard by WannaCry, can be embedded into key systems as part of the control package, and the firmware may not be accessible, nor under your control. Where you have embedded systems (for example, POS terminals, medical imaging equipment, telecommunications, and even industrial output systems such as smart card personalization and document production) make sure that your vendor is able to provide an upgrade path as a critical priority. This should apply even if you have other embedded operational systems such as Linux or other Unix variants. It is safe to assume that all complex software is vulnerable to malware.
- Isolate vulnerable systems. Systems that haven’t yet been affected by malware may still be vulnerable (see above). It’s important to realize that vulnerable systems are often the ones on which we rely the most, so a useful temporary fix is to limit their network connectivity. Determine which services you can turn off, especially vulnerable ones like network file sharing, which can be disabled for the duration of this incident. During a crisis of this nature it is better to err on the side of caution, even if business processes are delayed. This is better than total disruption and nonlinear data loss.
- Stay frosty. Gartner’s adaptive security architecture emphasizes the need for detection. Make sure your malware detection is updated and that your intrusion detection systems are operating and examining traffic. Ensure that UEBA, NTA and SIEM systems are flagging up unusual behavior, and that this is being triaged and incident handlers are responsive. Bear in mind that additional resources may be required to handle the volume of incidents, liaise with law enforcement and field questions from the public (and possibly the media). Keep your technical resources focused on resolving key issues, and let external questions be handled by someone else.
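As an added illustration of the kind of “unusual behavior” an NTA or SIEM rule should flag during an incident like this (not part of Gartner’s advice or the original article): WannaCry spread by probing neighbouring machines over the file-sharing service (SMB, TCP port 445), so a single host suddenly contacting many distinct peers on that port is a strong worm-like signal. The flow-log format and sample lines below are constructed for this example.

```python
"""Flag hosts that fan out to many distinct peers on the file-sharing port.

Constructed flow-log line format (not a real tool's output):
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <flags>
"""
from collections import defaultdict, deque
from datetime import datetime

FILE_SHARING_PORT = 445  # SMB, the service WannaCry abused for lateral spread

def parse_flow(line):
    """Parse one constructed flow line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport, _flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def flag_fanout(lines, port=FILE_SHARING_PORT, max_peers=10, window_s=60):
    """Return {src: peak_distinct_peer_count} for sources that contacted more
    than `max_peers` distinct destinations on `port` within any `window_s`
    second sliding window. Lines must be in chronological order, as a live
    log feed would be."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) events in window
    flagged = {}
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport != port:
            continue  # only file-sharing traffic matters for this rule
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # expire events that fell out of the window
        peers = {d for _, d in q}
        if len(peers) > max_peers:
            flagged[src] = max(len(peers), flagged.get(src, 0))
    return flagged

# Constructed sample: 10.0.1.5 sweeps 15 neighbours on 445 in 15 seconds,
# plus one unrelated web request; 10.0.1.9 does ordinary file-share access.
SAMPLE_FLOWS = (
    [f"2017-05-12T10:00:{i:02d}+00:00 10.0.1.5 10.0.1.{100 + i} 445 SYN"
     for i in range(15)]
    + ["2017-05-12T10:00:20+00:00 10.0.1.5 10.0.1.200 80 SYN",
       "2017-05-12T10:00:30+00:00 10.0.1.9 10.0.1.20 445 SYN",
       "2017-05-12T10:00:31+00:00 10.0.1.9 10.0.1.20 445 ACK",
       "2017-05-12T10:00:32+00:00 10.0.1.9 10.0.1.21 445 SYN"]
)

if __name__ == "__main__":
    print(flag_fanout(SAMPLE_FLOWS))  # {'10.0.1.5': 15}
```

Tune `max_peers` and `window_s` to your own baseline of legitimate file-server traffic; hosts that are meant to talk to many peers (backup servers, domain controllers) need an allow-list so the rule stays actionable.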
“After the crisis, there will be time for lessons learned. There will be time to revisit vulnerability management — and you must. There will be time to look at how you refocus, not just on protective measures, but also on key detection capabilities such as UEBA, NTA and advanced SIEM,” said Mr. Care. “There will be time to do some additional threat modelling, and consider carefully what risks you can afford to tolerate — it’s less than you think. Cloud security may come back into the risk management discussion, and that’s also useful. But right now, you are in the swamp, and the alligators are still lurking beneath the surface. Patch, isolate and stay vigilant.”