On Friday, May 12, 2017, the world was alarmed to discover that cybercrime had reached a new record: a widespread ransomware attack dubbed WannaCry, believed to be the biggest of its kind ever recorded. The details of the attack are still emerging as security teams scramble to recover and law enforcement agencies dig further into the evidence.
To say that this is the biggest ransomware attack ever recorded is true, but it’s a very shallow truth. Beneath the success of this attack, and many others of its magnitude, lies the same age-old issue: unmanaged vulnerabilities.
Most of the time, the vulnerabilities behind fancy names like Heartbleed and Shellshock are unpatched security holes that are well known and even old. None of them should affect a modern-day, security-aware operation – and every operation nowadays is “security aware” at least to the basics.
Believe it or not, the same applies to EternalBlue, an exploit leaked by those calling themselves the Shadow Brokers, who supposedly took it from the NSA. A fancy zero-day if I have ever seen one, but the bottom line is that it could have been patched back in March 2017 and become another irrelevant, solved issue. As it turns out, though, resistance to patching, even when critical, is more widespread than anyone would have imagined.
Wait, I know, you’re thinking “yes, but the worm combination” – right. And I’m thinking 2001, the Code Red worm, 359,000 hosts infected for skipping Microsoft Security Bulletin MS01-033, for which a patch had been available a month prior.
The wildfire spread of the WannaCry ransomware across industries and over 100 countries all over the world is a present-day reality check. Even in this quickly evolving threat era, it still comes back to the basics – managing risk. So where in the risk equation has the security community gone astray?
Security risk never sleeps
How could anyone sleep when they are one malicious email away from potential systemic havoc? It’s exactly because of risks like WannaCry that security professionals are more worried today than ever before. Ransomware is not just another nuisance, like financial malware or a theft of data the organization still essentially holds. It’s more like an abrupt blackout: a disaster that needs to be contained and remediated while every minute piles up the costs.
Before the epidemic popularity of ransomware attacks that became most evident in 2016, CISOs attested to being most concerned with a data breach. Then came a major ransomware hike and took that to a whole new level: denial of service against data. And no, paying the criminals is no magic pill that makes everything okay again. It’s merely the beginning of incident response and of rethinking the entire security risk equation.
Evolving risk? Recalculate route
Assuming nothing, I will state the textbook risk equation: Risk = Impact x Probability.
Now let’s look at what has transpired during the WannaCry outbreak thus far as an example to illustrate why it is high time for a drastic recalculation of risk.
Organizations have known about Windows XP end of support since April 2014 – over three years ago. It was customarily preceded by multiple notices about the upcoming termination of support in order to allow security teams to upgrade in a timely manner. So, what would make anyone ignore that and not upgrade? What about those running supported versions – why would they forgo the critical MS17-010 bulletin from March 2017? The answer is risk management.
Only the affected organizations know why they did not upgrade or patch the systems that eventually opened the (back)door to their WannaCry disaster. My assumption here is that back in 2013-2014, when WinXP was about to end, the “P” factor in the risk equation was considered to be relatively low. Ransomware existed, but awareness about it had not yet risen to the level that made it an archenemy of business operations. The “I” factor was also not as certain at the time; not the way it is certain today. Upgrading, on the other hand, was easy to calculate, and the costs and disruption probably looked hefty. Between the risk of applying the patch and the risk of not applying it, not applying was mistaken for the safer bet. Conclusion: change nothing, accept risk.
If you’re not moving ahead, you’re going backwards
So far this is textbook, really, nothing new here – except that it is also textbook to elevate impact to extreme when human lives are in question, which in numerous cases in the WannaCry attacks they were. That alone should have modified the numbers in everyone’s risk equation at least 3 years ago, and for the more imaginative, between 5 and 8 years ago, seeing that ransomware was widening its strides even then.
Ransomware attacks have been on the rise in the past few years, reaching new records in 2016, with over 40,000 attacks per day and a 6000% increase in related email compared with 2015 numbers. We can’t say we didn’t see them coming.
Fast-forward to 2017, the Vault 7 leaks, and then the Shadow Brokers, and we can appreciate that the already elevated “P” factor has shot up to maximum, as has a much more explicit impact of ransomware attacks, learned from previously affected organizations. How is that “R = P x I” looking now? I think we now know the reply.
Can you see the cat?
Yes, the copycat. I hope so, because that’s what usually comes after the first breakthrough. We have not seen the last of the WannaCry attack yet, and already mutant variants have emerged, literally within a matter of days. Given the nefarious success of WannaCry, the likelihood of a repeat case rises considerably.
The threat is real, and it’s very impactful, but the action items are still simple:
- Bolster patching policies
- Schedule, safeguard, and test backups
- Upgrade before support ends
- Don’t skip building an incident response team, and adapt IRPs
- Stay up to date on the latest information on WannaCry, including indicators of compromise (IOCs).
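As an added example, not part of the original post, here is a PowerShell check a defender can run on a Windows host to confirm the two conditions behind the WannaCry outbreak described above: the MS17-010 fix being absent and SMBv1 being enabled. The function names are mine, the `$Ms17010Kbs` list is a placeholder to be filled from the MS17-010 bulletin for the host’s OS build, and it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Added example: report MS17-010 patch state and SMBv1 state for this host.
# Run elevated. The KB list below is a PLACEHOLDER: take the KB numbers for
# your OS build from the MS17-010 bulletin (or its later cumulative rollups).
param(
    [string[]]$Ms17010Kbs = @('KB<ms17-010-kb-for-this-build>')
)

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates by HotFixID (e.g. "KB1234567").
    # On builds that ship the fix inside a later cumulative update, the March
    # 2017 KB may not appear by name; treat a "false" here as "verify manually".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $KbIds | Where-Object { $installed -contains $_ }
    return [bool]$found
}

function Get-Smb1State {
    # The LanmanServer SMB1 registry value is the authoritative switch across
    # OS versions; when the value is absent the server defaults to enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $reg) { return 'Enabled (default, no SMB1 value set)' }
    if ($reg.SMB1 -eq 0) { return 'Disabled' } else { return 'Enabled' }
}

$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    OSVersion        = (Get-CimInstance Win32_OperatingSystem).Caption
    MS17010Installed = Test-Ms17010Installed -KbIds $Ms17010Kbs
    SMBv1            = Get-Smb1State
}
$report | Format-List

# Either condition alone is a finding for the patching backlog.
if (-not $report.MS17010Installed -or $report.SMBv1 -like 'Enabled*') {
    Write-Warning 'Host still carries WannaCry exposure: apply MS17-010 and/or disable SMBv1.'
}
```

Run it from a patch-management or inventory job so the output feeds the backlog rather than a one-off console check; hosts past end of support will not have an MS17-010 KB at all, which is the upgrade case the list above already covers.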
In the wake of this chaotic new reality, it all comes down to basics: managing risk in the age of cyber epidemics.