NotPetya graced the cybersecurity community with an unforgiving entrance one month after WannaCry struck businesses around the world. Now, a year later, experts agree anniversaries for cyberattacks are nothing more than a date on the calendar.
However, if ransomware anniversaries are good for anything beyond a morbid nod, it's a lesson.
In 2017, a new standard, if not breed, of malicious attacks struck the internet and its population of vulnerable users. Successful attacks bolstered the varying missions of attackers because they highlighted just how many organizations have vulnerabilities lying around their systems. Bad actors' goals, ambitions and mechanisms for success were emboldened by a world of IT with a lackluster security posture.
By 2021, cybercrimes will have cost the world more than $6 trillion and ransomware attacks are expected to hit an organization every 14 seconds by 2019. Bad actors are gaining momentum, and nation-state actors, like the ones behind NotPetya, have the resources and time to perfect their craft.
Now, however, every attack is named and "you just drown" in cyber hysteria.
Christine Gadsby
director of Product Security Operations, Blackberry
Ultimately every organization, or even computer user, needs to define the level of risk they are comfortable with. Once that's done, it becomes clear that security is simply a measure of reducing that risk. It's not a perfect prevention or predictive tool, but it's one that could stave off a cyberattacks.
CIO Dive spoke with five security experts one year after one of the most damaging cyberattacks in modern history. Here is what they said:
1. Don't cherry pick basic cybersecurity protocols
For many security experts, notice of NotPetya's global tirade was just business as usual, according to Christine Gadsby, director of Product Security Operations at Blackberry, in an interview with CIO Dive. However, "I was really tired at the end of the day," she said. For Gadsby, the grandeur of NotPetya went beyond the computer data it wiped.
Gadbsy credits media coverage for adding to NotPetya's hysteria. Prior to mainstream publicity highlighting maturing cyberattacks, they largely infected victims under the radar. But now every attack is named and "you just drown" in cyber hysteria, she said.
Security experts largely agree the basics are the foundation for a solid security posture, yet organizations still fall short when attacks like NotPetya arise. This is partially due to "cherry picking" the basics, said Gadsby. Instead, companies need to adopt a mantra of security because "it's a culture, it's not an afterthought."
For organizations that are slow to digitally transform, quantifying accountability is hard when legacy systems are still a part of the equation. They are tasked with trying to understand the financials of keeping an outdated system online or pursuing new technologies.
"Most information security practices, most IT areas, from what I've seen, are historically understaffed."
Robert Anderson
principal, Chertoff Group
The next NotPetya attack is going to use the same strategy as before, predicts Gadsby. The mass hysteria from last year left hackers asking "what opportunity just got created for me," she said. It is likely attackers will prey on organizations that have either failed to or are slow to patch.
Much like any new cyberattack that exposes a vulnerability in a new light, it becomes "candy" for malicious actors, said Gadsby, because once it's out, it becomes irresistible for manipulation.
While an anniversary strike is unlikely this week, Gadsby said NotPetya's legacy will live on through its impressive scope and the features its designers were able to piece together.
2. Find a flaw? Patch it immediately
NotPetya and WannaCry became two peas in a pod because of the proximity of the attacks. But both served as a lesson in discipline, Grant Bourzikas, VP and CISO of McAfee, told CIO Dive in an interview.
A cyberattack is inevitable for a company that is unsure of its security posture. Organizations must first perform a software inventory to know what's in their own environment, said Bourzikas.
Understanding existing assets and having a strong control of configurations sets organizations up for stronger cyberdefense. Security, after all, is just reducing risk, according to Bourzikas.
But an unpatched system is like a watering hole for attackers. If a hacker knows something about an organization's systems before they do, attack deflection is hard, if not impossible. Part of enabling threat intelligence is relying on signature-based security solutions when attacks work around new technologies. Signatures can effectively "blacklist" a malware attack, he said.
But all of this leads organizations to the introduction of "pseudo ransomware," according to Bourzikas. NotPetya, a ransomware disguised as a wiper, differentiated itself from for-profit attacks and ones designed solely for destruction, like NotPetya.
3. Security isn't a one-person job
Security and efficiency have always battled it out for dominance but now they need to share the same spotlight. About 40 years ago, people "were just happy everything worked," said John Barchie, senior fellow at Arrakis Consulting, in an interview with CIO Dive. Security and redundancy was not an immediate focus until users experienced their servers going down for days at a time.
The people who lived through having no access to data for four or more days in the 1980s were the ones to become religious about backups today because "that was the thing that burned them," according to Barchie.
But backups are not the only thing to save a company from a malware attack. It also begins with an organization's leadership.
"Blame, while it might feel good, is rarely useful."
Adam Firestone
chief engineering officer, Secure Channels, Inc.
One person in an organization should not be solely responsible for security and no system should be built that is reliant on one person for protection, he said. However, neglecting CIOs is only adding to dysfunctional cybersecurity, he said. They are key in translating the cost of security into a return on investment.
Barchie hails Maersk's response to their NotPetya damages as the right way to respond because the shipping company decided to design cybersecurity into overall business strategy, making it a competitive aspect of its business. After all, cybersecurity is just as important as overall digital transformation because weak security puts a bullseye on the back of an organization.
4. Use the tools that are available now
Individual cyberattacks, let alone anniversaries, "are kind of 'so what,'" according to Adam Firestone, chief engineering officer at Secure Channels, Inc., in an interview with CIO Dive.
Building solutions that take advantage of existing technologies is just as important as looking for new ones. This creates routine, and transparent, security that "mere mortals" can use, said Firestone.
In addition to using tools already available, like antivirus software, encryption, backup and application provenance technologies, organizations need to be more in tune with their online behaviors. By doing so, users can understand where they go on the internet and when particular email hits their inbox, they can almost always use "wetware" techniques to determine what is "kosher" versus what isn't, said Firestone.
Most malicious activity focuses on gaining unauthorized access to data, violating confidentiality. Integrity attacks seek to change data without authorization. NotPetya was, on the other hand, an availability attack, but a particularly vicious one. While denial of service or ransomware attacks seek to render data unavailable to its rightful owner, NotPetya erased it entirely.
About 40 years ago, people "were just happy everything worked" and partially ignoring security.
John Barchie
senior fellow, Arrakis Consulting
It is therefore important to embrace solutions that scatter vulnerable data. AWS S3 provides 11 nines of durability because it distributes data "all over the universe," according to Firestone. Instead of focusing on a single piece of hardware and investing in a solution that is "completely divorced from what you care about," redundancy makes it much easier to replace data compromised by a wiper attack.
Security remains less tangible for organizations because it requires experts to prove the negative, making it hard to decide what security to solutions to buy and to evaluate their necessity. When this process becomes disorganized or frayed, blame gets assigned. And "blame, while it might feel good, is rarely useful," said Firestone.
5. Train employees — it's cheaper
The moment organizations begin tending to their technical infrastructure after a cyberattack, it's "like showing up after a bad car accident," said Robert Anderson, principal at Chertoff Group, in an interview with CIO Dive. Tensions are running high, but it all boils down to a failure to incorporate people into cyberdefenses.
Anderson saw first hand organizations taken down by NotPetya and their downfalls were mostly all preventable. Using new tools is good but most viruses could cost a company virtually nothing if regular employee trainings were imposed. But not only should trainings be administered, companies need to keep an active inventory and record to make sure employees are actually taking the courses.
Beyond end-users, "most information security practices, most IT areas, from what I've seen, are historically understaffed," said Anderson. There are already about 300,000 open cybersecurity jobs in the U.S. and already 60% of organizations say their security teams are understaffed.
"I've seen cyber go from bad to worse," he said, because bad guys don't function under a chain of command or laws. Because of this, it is difficult to create a universal playbook for dealing with cyberattacks. International cyber norms need a focus, like through NATO, according to Anderson.