Lessons Learned from the WannaCry Ransomware Outbreak
On Friday, May 12, 2017, news broke of a widespread ransomware outbreak known as “WannaCry” (it has also been reported under several similar names). Much has been written about the outbreak’s apparent origins: the confluence of vulnerabilities stockpiled by the United States’ National Security Agency (NSA), which were stolen and leaked by the “Shadow Brokers” group, and the earlier publication online by WikiLeaks of hacking tools developed by the Central Intelligence Agency (CIA). The outbreak has led to much finger-pointing between governments and technology vendors, and in my opinion there is plenty of responsibility to go around in this instance.
However, there is a broader story associated with this outbreak, which I believe is the first of many to come as a result of cyber weapons being stolen and made available in a public forum. It also highlights a few key issues that need to be addressed. First, much of the damage could have been limited had organizations implemented decades-old best practices such as the Concept of Least Privilege. Second, the incident boldly highlights a need for the global community to come together to establish norms for proper behavior in the digitally connected world. Cybercrime is a truly global issue which doesn’t respect borders. The Internet by design is borderless. Therefore, having different rules, regulations and law enforcement entities in each country to police this global network will always be a challenge. As I will highlight throughout this blog, this is an issue I wrote about in my book Building a Comprehensive IT Security Program, published in 2016.
A Fundamentally Different Crime
In many ways, cybercrime is nothing new. For as long as human history has existed, there have been those who would steal from others to enrich themselves. However, there is a major difference now, which I referenced in my book.
“The business of crime has become much less onerous and dangerous in its latest evolution. There was a time when criminals had to go where the assets they wanted to steal were located and risk immediate arrest, death, or dismemberment in the course of their crime. Modern criminals can attempt to rob thousands of banks while wearing pajamas and sipping coffee in the comfort of their own home.” -Building a Comprehensive IT Security Program 2016
This does not mean the motivation has changed. Ransomware attacks bear much resemblance to the kidnap and ransom crimes we have known for centuries. However, it would have been difficult to extract a ransom from thousands of companies or individuals before the Internet existed.
Further, proximity is no longer necessary in order to commit a crime; individuals can attack others anywhere in the world from anywhere in the world. By removing the need for proximity, bad people can target innocents anywhere. As a result, as long as you are online, you are not safe. You cannot simply move to a different neighborhood, state, or country in order to be protected.
In their recent blog post, Microsoft stated:
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
There is much legitimate debate about what governments should or should not be able to develop with respect to cyber weapons in the interest of national security. Regardless of whether you are inclined to agree with Microsoft or you side with governments seeking to protect their ability to develop offensive weapons in cyberspace, there is a need for the global community to come together and negotiate norms and enforcement mechanisms to govern online behavior. Even if governments are not precluded from developing and stockpiling these weapons, there is no doubt that governments have a responsibility to protect the weapons they develop, whether cyberweapons or traditional ones, from falling into the wrong hands. Further, it is incumbent on the global community to devise ways to apprehend and punish those who would steal weapons of cyberwar and use them to inflict harm on innocents. We would not accept anyone stealing chemical or nuclear weapons and selling them to terrorists, and publishing hacking tools or zero-day vulnerabilities online is no different.
In my book, I talked about the challenging nature of the global landscape as it relates to cybercrime.
“How can we work together to make the cyber world safer for all of its inhabitants? What types of things make sense for us to collaborate on and where do we draw the line? The answers to these questions will differ between individuals and companies and certainly between countries, regions, industries, and sectors. However, where common ground can be found, there is value in collaboration.”
The time to establish these norms is now. It will be difficult work and the mechanism to accomplish this is not clear. What is clear is having disparate laws governing artificially segregated portions of the Internet is not working. Perhaps this could be facilitated through the United Nations or some global cybercrime treaty, but it is time to establish these norms and build an effective mechanism to prevent these things from happening and to aggressively pursue and prosecute offenders when they do. A Digital Geneva Convention is not a bad idea. What will come out of it and what the rules will be is unclear to me at this time, but the time to start the global conversation is now.
Example: Enforcing GDPR
The European Union’s General Data Protection Regulation (GDPR) is the first regulation that attempts to reach beyond traditional jurisdictions in order to protect data belonging to European citizens wherever it exists. In May 2018, when enforcement goes into effect, we are likely to quickly see the first attempt to enforce data protection regulations across borders, but how that will happen and how effective it will be remains to be seen.
Let me give you an example. Today, my wife received a letter from a former employer informing us that their benefits provider had been compromised. They did not know who was affected or the scope of the breach, which tells me they did not have an effective Critical Asset Protection Program in place, but they did know W-2s belonging to several employees, containing names, addresses, income information, health insurance information, and identifiers like Tax Identification Numbers (TINs) and Social Security Numbers (SSNs), were stolen. My wife is not a European citizen, but some of the people she worked with certainly are. However, the breach happened in the United States. If this happened a year from now, to what extent could GDPR be enforced and penalties be levied against her former employer?
Regardless of the outcome of particular cases like these, this incident highlights the importance of a global treaty to govern data privacy as well as the proliferation of cyberweapons.
Protecting Yourself in a Dangerous World
In light of the recent outbreak, it is important to highlight some best practices that individuals and organizations should follow in order to protect themselves. As Microsoft rightly stated in the above-referenced blog post, “this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect.”
Many of these best practices are not new, but they are practical steps that those who are seeking a teachable moment from this news can leverage to harden their individual and organizational defenses.
Patching Vulnerable Systems
Microsoft is right. Regardless of what you think about the NSA and CIA leaks that made this attack possible, the vulnerability that allowed this ransomware to propagate was not a zero-day. A true zero-day is a vulnerability for which no patch exists because the vendor did not yet know about it. Microsoft released the patch for this vulnerability, security bulletin MS17-010 for the SMBv1 flaw the worm exploits, in March 2017, two months before the outbreak. The breadth of this outbreak shows that we are not diligent enough in patching our systems.
This is important. Every organization should patch systems regularly and run frequent vulnerability scans to find the systems that were missed. As a community, we must demand that this relatively inexpensive process be an essential part of our security programs. Where a system genuinely cannot be patched on schedule, apply the compensating controls that were recommended for this case: disable SMBv1 and block TCP port 445 at the perimeter and between workstation segments. If we are warned that drinking a substance is dangerous and we drink it anyway and fall ill, who is to blame? This situation is no different. Not performing regular vulnerability scans is akin to drinking everything under your sink without reading the warning labels: you will get sick and possibly die, and it is simply a matter of time. Performing vulnerability scans and not patching the systems they flag is akin to reading the warning label and drinking the Drano anyway.
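The check above is easy to turn into a script. The following PowerShell is an added example, not code from the original post or from Microsoft: it reports whether a host still serves SMBv1 and whether one of the MS17-010 update IDs is present, and offers the SMBv1 kill switch as a compensating control. It assumes an elevated session on Windows 7 / Server 2008 R2 or later; the three KB numbers in $Ms17010Kbs are illustrative and must be replaced with the IDs the MS17-010 bulletin lists for the host’s own OS build.

```powershell
# Added example, not code from the original post: audit one Windows host for the
# two conditions that let WannaCry spread, SMBv1 server enabled and MS17-010 missing.
# Assumptions: elevated PowerShell on Windows 7 / Server 2008 R2 or later;
# $Ms17010Kbs holds the update IDs for THIS host's OS, copied from the MS17-010
# bulletin (the three below are illustrative, not a complete list).

$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-Ms17010Installed {
    param([string[]]$KbIds = $Ms17010Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    # Any one listed update carries the fix. Later cumulative updates supersede
    # these IDs, so "not found" means "verify", not "vulnerable".
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1ServerEnabled {
    # Windows 8 / 2012 and later expose the switch through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2 only have the registry value; if it is absent, SMBv1 is on.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return $true }
    return ([int]$value -ne 0)
}

function Disable-Smb1Server {
    # Compensating control while the patch is pending. SMB2/3 keep working.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'Registry change takes effect after a reboot.'
    }
}

$smb1On  = Get-Smb1ServerEnabled
$patched = Test-Ms17010Installed

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Smb1ServerOn   = $smb1On
    Ms17010KbFound = $patched
}

if ($smb1On) {
    Write-Warning 'SMBv1 server is enabled; run Disable-Smb1Server unless a documented dependency exists.'
}
if (-not $patched) {
    Write-Warning 'No MS17-010 update ID found; confirm the patch level before trusting this host.'
}
```

Run it on a sample of hosts through your management tooling and compare the result with what the vulnerability scanner reports; a host that the scanner marks clean but that still answers SMBv1 is the kind of gap a scan-and-patch program is meant to close. Disabling SMBv1 is worth doing even on patched machines, since old multifunction printers and appliances are usually the only things that still need it.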
Concept of Least Privilege
WannaCry spreads through a known Microsoft vulnerability. I am not going to comment on the specific mechanism of how this spreads, but ransomware and worms both often reach out over the network to find all of the resources an infected machine has access to. Therefore, the Concept of Least Privilege is an important best practice to limit the impact of rogue software, just as it helps to limit the damage done by a single rogue insider.
The Concept of Least Privilege essentially states that a user should have access only to the minimum set of resources necessary to do their job. However, many users across many organizations have access to things they don’t need. In fact, many organizations give users Administrator or root-level access when they don’t need it. This allows ransomware and worms to propagate easily throughout an environment and spread to a wide breadth of systems. Lateral movement is much more difficult for attackers when each credential carries only the access its owner actually needs. One caveat: a flaw exploited over the network, as in this case, runs with whatever privilege the vulnerable service has, so least privilege on user accounts does not stop the initial compromise of an unpatched host. What it limits is what the malware can reach afterwards with the credentials present on that machine, including file shares and other hosts, and that is where most of the damage is done.
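Finding the over-privileged accounts the paragraph describes is the first step. The following PowerShell is an added example, not code from the original post: it lists every member of the local Administrators group on one or more hosts and flags those not on an approved list, which is exactly the set of accounts that would hand a worm administrator rights on those machines. It assumes PowerShell 5.1 with the LocalAccounts module on each target, WinRM enabled for remote hosts, and an allowlist maintained by you; the group and host names are placeholders.

```powershell
# Added example, not code from the original post: find accounts that hold local
# administrator rights on workstations but are not on the approved list.
# Assumptions: PowerShell 5.1+ (Get-LocalGroupMember) on every target, WinRM
# enabled for remote hosts, and $Approved maintained by the reader. The group
# and host names below are placeholders.

$Approved = @('CORP\Workstation Admins', 'CORP\Domain Admins')

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$ComputerName    = @($env:COMPUTERNAME),
        [string[]]$ApprovedMembers = $Approved
    )

    # Runs on each target: one row per member of the local Administrators group.
    $probe = {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                          Name, ObjectClass, PrincipalSource
    }

    $members = foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $probe }
        else { Invoke-Command -ComputerName $c -ScriptBlock $probe }
    }

    # The built-in local Administrator account is expected; everything else is
    # judged against the allowlist. If malware runs as one of the accounts
    # returned here, it holds administrator rights on every host listed for it.
    $members | Where-Object {
        $_.Name -notin $ApprovedMembers -and $_.Name -notlike '*\Administrator'
    }
}

# Usage: audit two workstations and summarize which accounts appear where.
Get-UnapprovedLocalAdmins -ComputerName 'WS01', 'WS02' |
    Sort-Object Name, Computer |
    Format-Table Computer, Name, ObjectClass, PrincipalSource -AutoSize
```

A domain user who shows up as a local administrator on dozens of workstations is the usual finding; each such entry is a machine the malware can fully control the moment that user opens the wrong attachment, and the fix is to move the user to a standard account and grant administrative rights through a separate, rarely used credential.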
Clicking on Emails
It has been reported that the most recent outbreak was not caused by phishing emails, that is, emails designed to trick a user into installing malicious software by clicking a link or opening an attachment. However, most infections do start that way. Now is a good time to remind all users to be very careful with anything they receive from an unknown stranger. This is very much like the “don’t take candy from strangers” lesson taught to children around the globe. If you don’t know the person giving you candy, don’t eat it. Also, if you don’t know the person sending you an email, don’t click it. We cannot say this to users enough.
Defense in Depth
Most organizations have a myriad of technologies deployed to protect their environment from infections. Endpoint protections like antivirus or next generation endpoint protection products are an important piece of the puzzle. So are Web Gateways and Email Gateways, which provide another layer of protection. However, none of these things are effective if they are not kept up to date, deployed universally and managed properly.
Ransomware is not going anywhere. Simply put, if you do not have multiple copies of your data stored in locations that are not connected to each other, you could lose it at any moment. While some advanced strains of ransomware lie dormant long enough to render backups useless, most do not. However, many organizations do not have frequent and comprehensive backups, so the data that is not properly backed up is lost. Test restoring from those backups as well; a backup that has never been restored is an assumption, not a control. Business Continuity and Disaster Recovery planning, as well as an overall Incident Response plan that includes procedures for responding to a ransomware outbreak, are strongly recommended.
The recent outbreak, if nothing else, should serve as a reminder that we live in a dangerous world. Many people go about their daily lives on the Internet, surrounded by strangers around the globe, in a shockingly naïve way. Know that nothing shared online is completely private, and you cannot be too careful about who you interact with and how you interact with them. There have always been bad people in the world that mean you harm. However, while you are on the Internet, they are sitting next to you. Behave accordingly. Remain vigilant and protect yourselves, your organizations, your clients, and your communities. We truly are in this together.