[BreachExchange] Who are we kidding? WannaCry is not a first

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 17 20:43:56 EDT 2017


https://www.helpnetsecurity.com/2017/05/17/wannacry-not-first/

On Friday, May 12, 2017, the world was alarmed to discover that cybercrime
has reached a new record, in a widespread ransomware attack dubbed WannaCry
that is believed to have caused the biggest attack of its kind ever
recorded. The details of the attack are all being reported as we go, as
security teams scramble to recover and law enforcement agencies dig further
into the evidence.

To say that this is the biggest ransomware attack ever recorded is true,
but it’s a very shallow truth. Beneath the success of this attack, and many
others of its magnitude, lay the same age-old issues: unmanaged
vulnerabilities.

Most of the time, fancy names like Heartbleed and Shellshock stand for
unpatched security holes that are well known and even old. None of them
should even affect a modern-day, security-aware operation – and every
operation nowadays is “security aware” to the basics.

Believe it or not, the same applies to EternalBlue, an exploit leaked by
those calling themselves the Shadow Brokers, who supposedly leaked it from
the NSA. A fancy zero-day if I have ever seen one, but bottom line, it
could have been patched back in March 2017 and become another irrelevant,
solved issue. But as it turns out, the resistance to patching, even when
critical, is more widespread than anyone would have imagined.

Wait, I know, you’re thinking “yes, but the worm combination” – right. And
I’m thinking 2001, Code Red worm, 359,000 hosts infected for skipping
Microsoft Security Bulletin MS01-033, for which a patch was available a
month prior.

The wildfire spread of the WannaCry ransomware across industries and over
100 countries all over the world is a current day reality check. Even in
this quickly evolving threat era, it still comes back to the basics –
managing risk. So where in the risk equation has the security community
gone astray?

Security risk never sleeps

How could anyone sleep when they are one malicious email away from
potential systemic havoc? And it’s exactly because of risks like WannaCry
that security professionals are more worried today than ever before.
Ransomware is not another nuisance, financial malware, or stolen data they
still essentially own. It’s more like an abrupt blackout; a disaster that
needs to be contained and remediated while every minute piles up the costs.

Before the epidemic popularity of ransomware attacks that became most
evident in 2016, CISOs attested to being most concerned with a data breach.
Then came a major ransomware hike and took that to a whole new level: data
denial of service. And no, paying the criminals is no magic pill that makes
everything okay again. It’s the mere beginning of incident response and
rethinking the entire security risk equation.

Evolving risk? Recalculate route

Assuming nothing, I will state the textbook risk equation: Risk = Impact x
Probability.

Now let’s look at what has transpired during the WannaCry outbreak thus far
as an example to illustrate why it is high time for a drastic recalculation
of risk.

Organizations have known about Windows XP end of support since April 2014 –
over three years ago. It was customarily preceded by multiple notices about
the upcoming termination of support in order to allow security teams to
upgrade in a timely manner. So, what would make anyone ignore that and not
upgrade? What about those running a supported version – why would they
forego the critical MS17-010 bulletin from March 2017? The answer is risk
management.

Only the affected organizations know why they did not upgrade or patch the
systems that eventually opened the (back)door to their WannaCry disaster. My
assumption here is that back in 2013-2014, when WinXP was about to end, the
“P” factor in the risk equation was considered to be relatively low.
Ransomware existed, but awareness about it had not yet risen to the level
that made it an archenemy of business operations. The “I” factor was also
not as certain at the time; not the way it is certain today. Upgrading, on
the other hand, was easy to calculate and the costs and disruption probably
looked hefty. Between the risk of applying the patch, and the risk of not
applying it, one was mistaken as a safer bet. Conclusion: change nothing,
accept risk.

If you’re not moving ahead, you’re going backwards

So far, textbook, really, nothing new here – except – it is also textbook
to elevate impact to extreme when human lives are in question, which in
numerous cases in the Wcry attacks, they were. That alone should have
modified the numbers on everyone’s risk equation at least 3 years ago, and
for the more imaginative, between 5 and 8 years ago, seeing that ransomware
was widening its strides even then.

Ransomware attacks have been on the rise in the past few years, reaching
new records in 2016, with over 40,000 attacks per day, and a 6000% increase
in related email compared with 2015 numbers. We can’t say we didn’t see
them coming.

Fast-forward to 2017, Vault 7 leaks, and then Shadow Brokers, and we can
appreciate that already elevated “P” factor has shot up to maximum, as did
a much more explicit impact of ransomware attacks learned from previously
affected organizations. How is that “R = P x I” looking now? I think we now
know the reply.
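The recalculation the article walks through can be put in code so the moving parts are explicit. The example below is added here and is not from the original post; every probability, impact score and cost figure in it is constructed to show the shape of the argument, not measured data. It applies the textbook R = P x I, adds the textbook rule that impact is elevated to extreme when human safety is involved, and compares the expected loss of leaving a system alone with the one-off cost of patching or upgrading. The "never accept extreme impact" rule is an assumed risk-appetite policy, not something the article states.

```python
"""Worked example of the R = P x I recalculation discussed in the article.

Added illustration, not part of the original post. All numbers below are
constructed (risk scores, loss scale, mitigation costs) purely to show how
the same equation yields different decisions with 2014 and 2017 inputs.
"""
from dataclasses import dataclass

# Impact is scored on an ordinal 1..5 scale. 5 is "extreme", which the
# textbook rule reserves for scenarios where human lives are in question.
MAX_IMPACT = 5


@dataclass(frozen=True)
class Scenario:
    name: str
    p_exploit: float         # constructed: annual probability the hole is exploited
    impact: int              # constructed: business impact, 1..5
    mitigation_cost: float   # constructed: one-off cost of patching/upgrading
    loss_per_impact: float   # constructed: monetary loss per impact point
    human_safety: bool = False  # e.g. patient care depends on the system


def effective_impact(s: Scenario) -> int:
    """Elevate impact to extreme when human safety is at stake."""
    return MAX_IMPACT if s.human_safety else s.impact


def risk_score(s: Scenario) -> float:
    """Textbook R = P x I, using the effective (possibly elevated) impact."""
    return s.p_exploit * effective_impact(s)


def expected_loss(s: Scenario) -> float:
    """Translate the risk score into the same units as the mitigation cost."""
    return risk_score(s) * s.loss_per_impact


def decide(s: Scenario) -> str:
    """Return 'mitigate' (patch/upgrade) or 'accept' (change nothing).

    Assumed risk appetite: an extreme impact is never accepted, whatever the
    probability; otherwise mitigate only when the expected loss of inaction
    exceeds the cost of the fix.
    """
    if effective_impact(s) == MAX_IMPACT:
        return "mitigate"
    return "mitigate" if expected_loss(s) > s.mitigation_cost else "accept"


# Constructed scenarios mirroring the article's narrative.
VIEW_2014 = Scenario("2014 view: XP end of life", 0.05, 3, 400_000, 1_000_000)
VIEW_2014_HOSPITAL = Scenario("2014 view, life-safety systems", 0.05, 3,
                              400_000, 1_000_000, human_safety=True)
VIEW_2017 = Scenario("2017 view: MS17-010 after Shadow Brokers", 0.6, 4,
                     400_000, 1_000_000)


def evaluate(scenarios) -> dict:
    """Map scenario name -> decision for a batch of scenarios."""
    return {s.name: decide(s) for s in scenarios}


if __name__ == "__main__":
    for s in (VIEW_2014, VIEW_2014_HOSPITAL, VIEW_2017):
        print(f"{s.name:45} R={risk_score(s):.2f} "
              f"loss={expected_loss(s):>12,.0f} cost={s.mitigation_cost:>9,.0f} "
              f"-> {decide(s)}")
```

With the constructed 2014 inputs the expected loss of inaction (150,000) is below the upgrade cost, which is the "change nothing, accept risk" outcome the article describes. Flagging the same systems as life-safety relevant flips the decision without touching the probability, and the 2017 inputs flip it on the numbers alone.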

Can you see the cat?

Yes, the copycat. I hope so, because that’s what usually comes after the
first breakthrough. We have not seen the last of the WannaCry attack yet,
and already mutant variants have emerged, literally within a matter of
days. After seeing the nefarious success of WannaCry, the likelihood of a
repeat case rises considerably.

The threat is real, and it’s very impactful, but the action items are still
simple:

Bolster patching policies
Schedule, safeguard, and test backups
Upgrade before support ends
Don’t skip building an incident response team, and adapt IRPs
Stay up to date on the latest information on WannaCry, including indicators
of compromise (IOC).

In the wake of this chaotic new reality, it all comes down to basics:
managing risk in the age of cyber epidemics.