I wrote about the Wannacrypt ransomware attack a couple of years ago. Also known as Wannacry, this attack involved a major Windows vulnerability, which allowed attackers to access systems, encrypt data rendering it off-limits and demand a ransom payment to release said data.
Unfortunately, Wannacry remains a significant threat.
I spoke with several industry security experts, including Andrew Morrison, principal, Deloitte Cyber Risk Services; Dylan Owen, senior manager, cyber services, Raytheon; and Josh Mayfield, director of security strategy, Absolute, to determine the current status of Wannacry and tips to guard against it.
Why is Wannacry still a threat?
Scott Matteson: Is Wannacry still a threat?
Andrew Morrison: WannaCry is clearly still a threat for the large number of unpatched systems. Bad actors can now easily detect unpatched systems and direct WannaCry at them to conduct targeted attacks.
This narrative is not new. In fact, WannaCry used the same system as NotPetya. The actual toolkit that was used and stolen from the NSA is still likely a threat for creating variants of attacks and circumvent attacks. While the patches address the toolkit, using it to find new vulnerabilities is still a threat. Users think they are safe because they patched what they saw, but the threat evolved using the same toolkit, and they can be hit again.
Dylan Owen: To some degree it still is. According to data generated by Shodan, there are more than 400,000 devices in the US that are still vulnerable to Wannacry. Manufacturing systems could be particularly at risk, as many of those systems run on older versions of Windows or embedded Windows. Companies are wary of patching these older systems because the process may cause production capabilities to halt.
How the threat evolved
Scott Matteson: How has the threat evolved?
Andrew Morrison: The Wannacry threat has evolved to the entire machine. What started as a nation-state attack evolved into targeted strategies. Threat actors are not just acting in opportunistic ways anymore. Rather, as demonstrated by WannaCry and NotPetya, they can take toolkits and do reconnaissance. In return, these next attacks will be harder to defend against, making recovery nearly impossible.
Dylan Owen: From malware to crypto-mining code to distributed denial of service (DDoS) attacks, hackers are adept at creating variants to infect vulnerable systems.
Josh Mayfield: Different strains of ransomware continue to grow, but let’s face it, WannaCry was beta testing. The real threat comes in the form of ransom that doesn’t even ask for cryptocurrency, but for actual conquest: Give us this resource, or we will destroy it.
Ransom-style cybercrime becomes a much more profitable opportunity if you seize control of the millions of GPUs around the world that can become your own personal gold-bar goose. This is why we see “ransom” looking more and more like enslavement. This slave-raiding malware will only advance. Which is more lucrative: Robbing a bank or having a money machine from the Department of Treasury?
What needs to be done
Scott Matteson: What are companies doing about it?
Andrew Morrison: At a high level, WannaCry highlighted the need for better vigilance and hygiene. In other words, it taught organizations what needs to be patched and how quickly this must be done. In order to stay ahead, organizations must conduct audits of their patching processes, then look into tools and policies to make the practice more effective. A good example of this is the current movement towards stronger automation in patching.
The second piece is recovery. Organizations are trying to prepare systems, data, and business processes to withstand attacks through air-gapped recovery solutions so there is an entry point that is sanitized and cleaned. From there, the next entry opens and assets can be stored. This ensures vulnerabilities and malware are unable to propagate there because the network connection is removed. Furthermore, this allows a place for critical data to reside and be used to bring systems back.
Removing critical assets to offline cold storage is something more organizations are doing, and something Deloitte Cyber encourages to establish immunity-based defense to recovery. This approach is much less costly than paying ransom to get data back because the organization owns it.
Dylan Owen: We can expect to see a rise in targeted attacks against systems that are difficult to patch, like air-gapped or industrial control systems. As the attacks become more sophisticated, so should our defense systems.
Companies must proactively patch their vulnerable systems. However, if a system cannot be patched, companies should isolate the vulnerability behind a firewall. Since attacks like WannaCry use port 445 to identify vulnerabilities, companies should block its visibility from the internet. If the port isn’t routable, then malicious actors will have a hard time knowing who to target. Lastly, while this may not be possible for all companies, they should look to upgrade and replace vulnerable Windows systems with newer, protected versions.
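The measures Dylan Owen lists above (patch where possible, and where not, keep TCP port 445 off the internet) can be audited and applied on a Windows host with the built-in NetSecurity and SMB cmdlets. The script below is an added example written for this article; it is not code from any of the interviewees or their companies. It assumes a current Windows 10 or Windows Server build where Get-SmbServerConfiguration and the NetFirewallRule cmdlets are available, and it does not change anything unless run with -Enforce.

```powershell
# Added example: audit and restrict inbound SMB (TCP 445) exposure on a Windows host.
# Assumptions: Windows 10 / Server 2016+, run from an elevated PowerShell session.

function Test-Smb1Enabled {
    # SMBv1 is the protocol the Wannacry worm relied on; it should be off.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Get-ExposedSmbRules {
    # Return enabled inbound rules that allow TCP 445 from any remote address
    # (i.e. rules that would let internet hosts reach the SMB service).
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '445') -and $addr.RemoteAddress -eq 'Any') {
            $rule
        }
    }
}

function Set-SmbInboundRestriction {
    param([switch]$Enforce)

    # 1. Scope the stock File and Printer Sharing allow rules to the local subnet only.
    #    Windows evaluates Block rules before Allow rules, so a blanket Block on 445
    #    would also break LAN file sharing; narrowing the Allow scope is the safer change.
    $sharing = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue
    if ($Enforce) {
        $sharing | Set-NetFirewallRule -RemoteAddress LocalSubnet
        # 2. Add an explicit Block for TCP 445 whenever the host sits on a Public profile
        #    (hotel, airport, untrusted network), which is where internet exposure happens.
        if (-not (Get-NetFirewallRule -DisplayName 'Block SMB inbound (Public)' -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName 'Block SMB inbound (Public)' -Direction Inbound `
                -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null
        }
        # 3. Disable the SMBv1 server if it is still on (requires a reboot to take effect).
        if (Test-Smb1Enabled) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    } else {
        Write-Host "Dry run: $($sharing.Count) sharing rule(s) would be scoped to LocalSubnet; SMBv1 enabled: $(Test-Smb1Enabled)"
    }
}

# Report current exposure, then apply the restriction only when explicitly asked.
$exposed = @(Get-ExposedSmbRules)
Write-Host "SMBv1 enabled: $(Test-Smb1Enabled)"
Write-Host "Inbound allow rules for TCP 445 from Any: $($exposed.Count)"
$exposed | Select-Object DisplayName, Profile | Format-Table -AutoSize
Set-SmbInboundRestriction           # dry run; add -Enforce to apply
```

Run the script once without -Enforce to see what it would touch, review the listed rules against your own allow list (for example a backup server that legitimately reaches the host over SMB from another subnet), then run Set-SmbInboundRestriction -Enforce. The perimeter firewall still needs its own rule dropping inbound 445 so that the host-level change is not the only control.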
Josh Mayfield: Companies are following the standard narrative: Hiring consultants, implementing a few changes, buying a bunch of security tools, and crossing fingers. IT complexity has become so severe that we just can’t see through the densely packed tangle to pinpoint weaknesses. And when we do find weaknesses, we are often conflating “gap” with “no security product.” So we go shopping, never realizing that changes to our existing tools (e.g. making them resilient) would improve their odds of success against creative and motivated criminals.
Scott Matteson: What best practices should IT departments follow?
Dylan Owen: Be proactive. IT departments should consistently monitor for vulnerabilities and develop a vulnerability management program to establish a clear process for addressing threats. Specifically, the IT team should replace outdated Windows systems and back up critical systems to ensure that stolen or tampered files can be recovered. Additionally, the team must test to ensure that information can be recovered in the event of an attack. Testing back-up systems is often a missed step, yet it’s crucial in determining a company’s capability to rebound after an attack.
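The restore test Dylan Owen calls a missed step can be made routine with a small script that restores a backup to a scratch location and checks every file against the live copy. The example below is added for this article and is not code from Raytheon or any of the interviewees; the paths $SourceRoot and $RestoreRoot are placeholders, and the script assumes whatever restore tool you use has already written the restored tree to $RestoreRoot.

```powershell
# Added example: verify that a restored backup matches the protected source tree.
# Assumptions: $SourceRoot is the live data, $RestoreRoot is where the backup tool
# restored its most recent copy. Both paths are placeholders for this illustration.
param(
    [string]$SourceRoot  = 'C:\Data\Critical',        # placeholder
    [string]$RestoreRoot = 'D:\RestoreTest\Critical'  # placeholder
)

function Get-TreeHashes {
    param([string]$Root)
    # Map each file's path relative to $Root to its SHA-256, so trees at
    # different locations can be compared by content.
    $table = @{}
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        $relative = $_.FullName.Substring($Root.TrimEnd('\').Length + 1)
        $table[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

function Compare-RestoredTree {
    param([hashtable]$Source, [hashtable]$Restored)
    # Report three failure classes: files missing from the restore, files whose
    # content differs, and unexpected extra files (a sign of the wrong snapshot).
    $missing  = @($Source.Keys   | Where-Object { -not $Restored.ContainsKey($_) })
    $extra    = @($Restored.Keys | Where-Object { -not $Source.ContainsKey($_) })
    $changed  = @($Source.Keys   | Where-Object { $Restored.ContainsKey($_) -and $Restored[$_] -ne $Source[$_] })
    [pscustomobject]@{
        Checked = $Source.Count
        Missing = $missing
        Changed = $changed
        Extra   = $extra
        Passed  = ($missing.Count -eq 0 -and $changed.Count -eq 0)
    }
}

$result = Compare-RestoredTree -Source (Get-TreeHashes $SourceRoot) -Restored (Get-TreeHashes $RestoreRoot)

Write-Host "Files checked: $($result.Checked)"
Write-Host "Missing from restore: $($result.Missing.Count)"
Write-Host "Content mismatch:     $($result.Changed.Count)"
Write-Host "Unexpected extras:    $($result.Extra.Count)"
$result.Missing | ForEach-Object { Write-Host "  MISSING  $_" }
$result.Changed | ForEach-Object { Write-Host "  CHANGED  $_" }

# Non-zero exit lets a scheduled task or monitoring job flag a failed restore test.
if (-not $result.Passed) { exit 1 }
```

Because the comparison is by hash rather than by file size or timestamp, a restore that silently returned truncated or ransomware-encrypted copies fails the check; schedule it after each backup cycle and treat a non-zero exit as an incident, not a log line.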
Josh Mayfield: It is prudent for IT departments to focus on resilience. According to Gartner, global spending on information security is predicted to exceed $124 billion in 2019, yet we’re still witnessing significant breaches in today’s security landscape–further proving that complexity is a clear and present rival of cybersecurity. Most organizations have risk profiles and commitments with their vendors, especially those handling PHI as a third-party. Yet, when you multiply the number of connections, data flows, EDIs, and other exchanges, something is bound to be neglected in the Gordian knot.
Without knowing where to look, it’s impossible to identify the finer associations (data schemes), and as a result, relationships involving access control, and authorization/authentication become anyone’s best guess. Visibility is key. But then what? You’ll probably find—with your new unimpeded view—a graveyard of broken, disabled, and failing agents and controls.
How does one stay resilient when the technology cannot withstand the slightest perturbation on the device? By persisting the critical controls necessary to deliver a resilient environment.
To edge toward resilience, we must ensure that someone watches the watchers. We must elevate to an Olympian vantage point to survey each control’s effectiveness and its ability to stay alive. Security is far from a snapshot of correct configurations, it is the maniacal pursuit of resilience, bouncing back from injury and being armed with controls and agents boasting of their immortality. That’s what persistence brings, an unmistakable path to resilience.