There isn't a cybersecurity professional in the world that is not sick and tired of hearing about WannaCry and NotPetya, and with good reason as the NSA's EternalBlue exploit and DoublePulsar backdoor tool were known to the cybersecurity community well before either attack was launched.
The lessons imparted by WannaCry and NotPetya range from the no-brainer type – make sure your computers and systems have all their security patches – to who will ultimately pay the price for a company being subjected to these or similar attacks in the future.
With that said, the list of those ultimately responsible for the amount of damage done by the WannaCry and NotPetya malware this summer is long and distinguished. It includes the good folks at the National Security Agency (NSA) who detected the flaw, but withheld that knowledge so it could use the vulnerability as a potential weapon. The NSA also has the dubious honor of holding the second place on the list for not properly protecting its hacking tools thus allowing The Shadow Brokers to swipe and eventually reveal EternalBlue and DoublePulsar to the criminal world, for which they are assigned a fair share of the blame.
However, the agency did summon the wherewithal to inform Microsoft of the vulnerability in Windows 7 and Server 2008 R2 (x64) for which the company issued a patch in March, (however, as one cybersecurity researcher noted, Microsoft could have moved faster).
However, the two groups that should shoulder the bulk of the responsibility are the IT administrators who did not implement Microsoft's patch when it became available and the cybersecurity teams that were made aware of the vulnerability, but did not see it as a threat.
That was the analysis put forth by Sean Dillon, senior security researcher with RiskSense and Rapid 7. The latter in its 2017 Q2 Threat Report noted that security analysts were initially thrilled to get their hands on the hacking tools revealed by The Shadow Brokers. But after the researchers realized the tools were old and not obviously dangerous because they attacked known and patched vulnerabilities they infosec world moved on to other projects.
“Unfortunately, we were the only ones [to move on]. Attackers did not move on; they realized that even though we thought we were safe against these non-zero-day, unexciting attacks, we were not,” the report stated.
Dillon, who was the first to reverse engineer WannaCry, said cybersecurity firms were slow to act on the initial data dump that included EternalBlue, but were quick to show up later with products to help mitigate the situation once it got out of control.
“The response to these dumps could have been better by the industry,” Dillon says, but pointed out that Microsoft is the main culprit by not reacting quickly once it knew the vulnerability was made public.
Microsoft issued a patch that covered EternalBlue with its usual March security update, but the company waited until after WannaCry became a major issue to patch out of support products like Windows XP, he said, adding that Microsoft may have known about EternalBlue as early as February 2017.
“Antivirus companies need to be on the ball and take more threats, even those that are patched, more seriously,” Dillon said.
Taking advantage of the human element in a company's cyber defense has long been a part of the hacker's arsenal taking advantage of people for years, most notably in phishing and business email compromise attacks that have led to ransomware being installed or money transferred to thieves. So in the same way companies try to train workers to not click on unknown links, cybersecurity staffers must learn to look beyond an initial threat and think like a cybercriminal. Malwarebyte's Jerome Segura noted that this has, so far, not met with a ton of success.
“Despite continuous awareness campaigns, the same old tricks are being used again and again. What will it take for users to know that enabling macros is a bad idea? Sadly, social engineering is a tested and proven technique that is likely to continue to be one of our biggest headaches,” he says.
Microsoft did issue a list of lessons it learned from these attacks, which included having a business continuity and recovery plan in place, modern file sharing and cloud storage services were not affected by the attack so should be used, and endpoint protection coupled with identity and security management is absolutely a must-have along with a layered security approach to proactively defend against future attacks.
Dedicated cybersecurity companies and their employees are not the only entities that still need to learn a few lessons from WannaCry and NotPetya. A survey by Tripwire conducted at Black Hat 2017 of 108 security professionals found that the majority do not think their organization has done enough in the wake of those attacks to prepare for the next wave that is bound to come at some point.
The survey found that 68 percent do not feel confident that their enterprises made the improvements needed to protect against similar type attacks. The biggest hole in their security those surveyed believed they had to deal with was network device discovery with 28 percent saying they are failing in this area. Other points of concern were:
· Vulnerability management (14 percent)
· Administrative privilege management (6 percent)
· Audit log reviews (6 percent)
Tim Erlin, Tripwire's vice president of product management and strategy said, this lack of response to WannaCry and NotPetya is not only dangerous, but foolhardy.
“No matter the size of your organization, you must treat cybersecurity seriously. If you were lucky enough not to have been directly affected by WannaCry or Petya, take it as an opportunity to get your cybersecurity house in order. Remember, you don't have nine lives. All it takes is one data breach or another WannaCry and your company has lost data, money, credibility and most importantly, customer trust, which is one of the most difficult things to recover,” he says.
Taking some positive steps after such massive and well publicized attacks is also important. For example stopping a company's IT and cybersecurity departments from turning on each other while trying to assign blame is also a necessity, says Imperva CISO Shahar Ben-Hador. This is not only important for company moral, but will help when another attack takes place.
“When an organization succumbs to an attack such as the recent WannaCry or NotPetya, it's not an issue of blaming an individual or group. Instead, it should be an opportunity to test and improve the relationship between Infosecurity and IT and the overall process – in this case - of patching systems,” he says.
In fact, being able to limit exposure to such attacks actually comes down to how well these two groups get along, communicate and realize each needs the other to protect their firm. Where such teamwork really comes into play is with detection and remediation.
“In many cases, InfoSec needs to detect in a timely manner that the organization is vulnerable and IT needs to patch and remediate in a timely manner. If this process doesn't work quickly enough, the process owners own the failure and they are in both the infosec and IT groups,” he notes.
Bob Noel, director of strategic relationships and marketing for Plixer, concurred saying he sees ownership of cyber incidents moving up the corporate food chain, saying a major shift in how organizations perceive and respond to massive attacks has taken place. Whereas in the past a data breach or successful ransomware attack was considered the sole responsibility of the CISO and his or her technology department, now blame is climbing up the ladder to the C-suite.
“Breaches like WannaCry and NotPetya, however have caused severe damage to many companies resulting in lost productivity and revenues. Boards of Directors are beginning to worry much more about massive damage to the brand and the financial liability caused by high profile breaches. This shift in attitude is changing cybersecurity from being a tactical, department-led function to a strategic CEO-led responsibility,” he says.
What should scare everyone from the lowliest corporate worker on a network to the CEO is that EternalBlue is not even the most dangerous or reliable, for a hacker, to utilize, says RiskSense's Dillon. Several other tools that were part of the initial dump of NSA content are potentially much worse going after flaws in Windows 10.
“It's interesting that these have not been used,” he says, adding that this might not remain the case for long as there are rumblings some nation-states are gearing up to put them to use.
Rapid 7 backed up Dillon saying EternalBlue which targeted SMB is not the only one that could be used by attackers.
“Several other exploits in the batch target mail services, some target IIS web servers, and others target Remote Desktop Protocol (RDP). Many of the vulnerabilities are older, but that doesn't mean that attackers can't, or won't, find a way to take advantage of them; plenty of targets that are still out there make it worth their time and effort,” the company says.