Gods of war
In the wake of the Petya/NotPetya Ransomware/NotRansomware outbreak, security researchers and vendors are cashing in with blog posts, analyses, and expert advice on how to avoid becoming the next victim. The aim of all this noise is, partially, to help organizations understand the details of the attack, how it succeeded (is succeeding), and what controls can be implemented to avoid or mitigate damage. Realistically, though, a certain amount of disseminated information is organizations looking to gain market share and piggyback off others’ misfortunes. It’s the cybersecurity equivalent of ambulance chasing.
Now, to be clear, security organizations need tools and technology to operate. Without a security information and event management (SIEM) system or next-generation firewall, for instance, understanding the traffic on one’s network and blocking suspicious activity is a bit like playing Pin the Tail on the Donkey—you never know where you’ve landed until the game is over. In the case of cyber attacks, “game over” could mean terabytes of lost or corrupted data. Managing cybersecurity is, definitively, serious business, and enterprises understand this, which is why whenever a tools vendor promises a “solution,” executives sit up and take notice.
When it comes to the Petya/NotPetya attack, the attackers’ goal is allegedly to wipe out enterprise systems rather than pad their Bitcoin wallets. Conventional wisdom, like keeping software and applications patched, would not protect an organization in this case, a fact that is confusing to non-security people since the security community has been saying, “if you’d only patch…” since the dawn of software. In the absence of proactive controls, what’s an enterprise security team to do?
Cyber threat intelligence (CTI) has long been touted as a means to understand emerging threats to one’s organization. Grown out of military intelligence, CTI helps companies identify not only the types of threats, but potential threat actors (who, where), actors’ motivations, tactics used in campaigns, and when cyber attacks are most likely to strike. Having all of this information tied up in a nice package could be extremely useful. It’s like knowing that a blizzard is going to hit in the middle of winter; with proper warning, schools and businesses can close proactively and keep people off hazardous roads during the height of the storm, snow removal services can be arranged so that daily activities can resume as soon as possible, households can stock up on food, hospitals can be appropriately staffed, homeless shelters can add extra beds, etc. In the case of a blizzard, you cannot stop the onslaught, whereas with a cyber attack, ways to prevent breaches do exist. And this is what cyber threat intelligence technologies are built on—the hope that with enough information your organization won’t be affected.
With Petya/NotPetya, the noise accompanying the attack (which likely will continue for weeks until the next big thing hits) includes media outlets and threat intelligence firms trying to accurately identify the perpetrators and probable motivations. We’ve seen claims of ties to BlackEnergy, to Germany, to a Ukrainian software accounting firm … yet none of this information, even if it turns out to be accurate, would have done much to stop this particular attack. Every new blog post tries to pinpoint who and how, but attribution is really hard. Even if the attackers are eventually identified, so what? International laws make it extremely difficult to find and prosecute cyber criminals.
At the heart of the problem, once again, are security foundations. Threat intelligence can be a part of foundational security, but not every person who knows how to use Tor is, in fact, an appropriate threat intelligence product entrepreneur. Threat intelligence is significantly more than collecting, aggregating, and correlating mass amounts of data from diverse and expansive sources. However, the numerous pop-up threat intel firms with unvetted and unsubstantiated data from across the web muddy the waters for quality vendors and for organizations looking to buy a truly effective tool that can contribute to a threat intelligence program (yes, threat intelligence is a program, not a tool).
On top of that, security teams need to (once again) be attending to the security basics: segment data, block unnecessary ports, turn off unnecessary services (especially older, unsupported services like Windows Server Message Block v1, SMBv1), and then back up, back up, back up (preferably onto air-gapped networks if the data that needs securing is highly sensitive). Security teams’ attention needs to be on designing, architecting, and maintaining systems rather than buying the newest promise of next-gen fortitude.
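As an added illustration of two of those basics (not code from the original post), the PowerShell below audits and disables the SMBv1 server component on a Windows host and blocks inbound SMB at the host firewall. It assumes Windows 10 or Windows Server 2016 or later (where the `SmbShare` cmdlets and the `SMB1Protocol` optional feature exist), an elevated session, and a workstation that has no legitimate need to serve files; the rule name is a constructed example.

```powershell
# Added example, not from the original post: audit and remediate SMBv1 on one Windows host.
# Assumes Windows 10 / Server 2016+ and an elevated (Administrator) PowerShell session.

# 1. Audit: is the SMB1 protocol still enabled on the SMB server service?
$smb = Get-SmbServerConfiguration
Write-Output "SMB1 server protocol enabled: $($smb.EnableSMB1Protocol)"

# 2. Remediate at the service level; takes effect without a reboot.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output "SMB1 server protocol disabled."
}

# 3. Remove the SMB1 optional feature so the legacy driver is no longer installed (reboot required to finish).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Output "SMB1Protocol feature removal staged; reboot to complete."
}

# 4. Block unnecessary inbound ports: a workstation that serves no file shares should not accept
#    inbound SMB (TCP 445/139) at all. Block rules win over allow rules in Windows Firewall.
$ruleName = 'Block inbound SMB (workstation hardening)'   # constructed example name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445,139 -Action Block -Profile Any | Out-Null
    Write-Output "Inbound SMB block rule created."
}

# 5. Verify the end state so the change can be recorded.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Action
```

On file servers that must keep serving SMB, step 4 should instead scope the rule with `-RemoteAddress` to the subnets that legitimately need access rather than blocking the port outright; the SMBv1 removal in steps 2 and 3 applies to servers and workstations alike, since SMBv2/v3 clients are unaffected by it.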
Without a doubt, some innovative and smart entrepreneurs will develop new, effective technologies that may become part of security teams’ defense strategies (we have plenty of good tools to choose from already). That said, organizations should not pin their hopes on any one tool, or even collection of great tools. Security doesn’t come “out of a box”; it’s a process, set of policies, and group of talented individuals constantly and consistently attending to the foundations of security that will improve organizations’ chances of avoiding cyber attacks. Every new technology procured needs to go through a custom configuration process that addresses the organization’s requirements. This means, first and foremost, that the organization—the business, not just the security team—understands what it possesses that it must protect, and creates prioritization around those assets.
This due diligence may seem mundane (especially compared to the hype surrounding worldwide security incidents), but (once again) understanding the organization’s environment will help the security team focus on what’s important, implement the right controls and processes, and avoid ambulance chasing. Hurrying to purchase the next best tool is only a temporary solution to a long-term problem. Whether it’s cyber threat intelligence or a newfangled “ransomware blocker,” don’t be enticed by that which is too good to be true. Good, old-fashioned blocking and tackling will be most effective against the lion’s share of security threats.