What CISOs need to learn from WannaCry

In 2017 — for the first time in over a decade — a computer worm ran rampage across the internet, threatening to disrupt businesses, industries, governments and national infrastructure across several continents.

The WannaCry ransomware attack became the biggest threat to the internet since the Mydoom worm in 2004. On May 12, 2017, the worm infected millions of computers, encrypting their files and holding them hostage to a bitcoin payment.

Train stations, government departments, and Fortune 500 companies were hit by the surprise attack. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Earlier this week we reported a deep-dive story into the 2017 cyberattack that’s never been told before.

British security researchers — Marcus Hutchins and Jamie Hankins — registered a domain name found in WannaCry’s code in order to track the infection. It took them three hours to realize they had inadvertently stopped the attack dead in its tracks. That domain became the now-infamous “kill switch” that instantly stopped the spread of the ransomware.

As long as the kill switch remains online, no computer infected with WannaCry will have its files encrypted.

But the attack was far from over.

In the days following, the researchers were attacked by an angry botnet operator who pummeled the domain with junk traffic to try to knock it offline, and two of their servers were seized by police in France, who thought the servers were contributing to the spread of the ransomware.

Worse, their exhaustion and lack of sleep threatened to derail the operation. The kill switch was later moved to Cloudflare, which has the technical and infrastructure support to keep it alive.

Hankins described it as the “most stressful thing” he’s ever experienced. “The last thing you need is the idea of the entire NHS on fire,” he told TechCrunch.

Although the kill switch is in good hands, the internet is just one domain failure away from another massive WannaCry outbreak. Just last month two Cloudflare failures threatened to bring the kill switch domain offline. Thankfully, it stayed up without a hitch.

CISOs and CSOs take note: here’s what you need to know.

1. You’re probably infected. You just don’t know it yet


There is a good chance that your networks are infected with WannaCry — even if your systems haven’t yet been encrypted. Hankins told TechCrunch that there were 60 million attempted “detonations” of the WannaCry ransomware in June alone. So long as there’s a connection between the infected device and the kill switch domain, affected computers will not be encrypted.

That doesn’t just mean there’s another outbreak if the domain goes down. If your network suffers an internet outage, those infected computers will lose connection to the kill switch and be immediately encrypted.

Accept that there’s a problem and do something about it. Have data backups in place — and patch!
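One practical way to act on the first point is to look for the infection's own tell: every infected host tries to reach the kill switch domain before doing anything else, so resolver or proxy logs show exactly which machines are carrying dormant WannaCry. The script below is an added example, not code from the article or from the researchers; the log format, client addresses and the `KILL_SWITCH_DOMAIN` value are constructed placeholders, and the real domain should be taken from your own threat intelligence. It also flags hosts whose most recent lookup failed, since the article's point is that losing that connection is what lets encryption start.

```python
"""Find hosts on the network that look up the WannaCry kill-switch domain.

Added example: the resolver log format, the client IPs and the
KILL_SWITCH_DOMAIN placeholder are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Placeholder: substitute the real kill-switch domain from your threat intel.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed resolver log: timestamp, client IP, the word 'query',
# the queried name and the response code returned to the client.
SAMPLE_DNS_LOG = """\
2019-07-10T08:01:12Z 10.0.5.21 query killswitch.example NOERROR
2019-07-10T08:01:15Z 10.0.5.21 query update.vendor.example NOERROR
2019-07-10T08:02:40Z 10.0.7.8 query killswitch.example NOERROR
2019-07-10T08:03:05Z 10.0.9.44 query intranet.corp.example NOERROR
2019-07-10T09:15:01Z 10.0.7.8 query killswitch.example SERVFAIL
2019-07-10T09:15:03Z 10.0.5.21 query killswitch.example SERVFAIL
2019-07-10T09:20:00Z 10.0.11.2 query killswitch.example NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<rcode>\S+)$"
)


def parse_dns_log(text):
    """Yield (timestamp, client, qname, rcode) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        yield ts, m["client"], m["qname"].lower().rstrip("."), m["rcode"]


def find_kill_switch_clients(text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: summary} for every client that queried the domain.

    A host whose latest lookup succeeded is 'dormant': infected, but held
    back by the kill switch. A host whose latest lookup failed is 'critical':
    it has lost the only thing stopping the payload and needs attention first.
    """
    seen = defaultdict(
        lambda: {"queries": 0, "last_rcode": None, "last_seen": None}
    )
    for ts, client, qname, rcode in parse_dns_log(text):
        if qname != domain:
            continue
        entry = seen[client]
        entry["queries"] += 1
        if entry["last_seen"] is None or ts >= entry["last_seen"]:
            entry["last_seen"] = ts
            entry["last_rcode"] = rcode
    for entry in seen.values():
        entry["status"] = "dormant" if entry["last_rcode"] == "NOERROR" else "critical"
    return dict(seen)


if __name__ == "__main__":
    for ip, info in sorted(find_kill_switch_clients(SAMPLE_DNS_LOG).items()):
        print(f"{ip:12} queries={info['queries']} "
              f"last={info['last_rcode']:8} -> {info['status']}")
```

Run it against an export from your resolver (or adapt `LINE_RE` to your log format) and every host in the output is one that needs isolating, backing up and patching, whatever its status says; the status only decides the order.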

2. Patch, patch, patch your systems

Microsoft released patches prior to the WannaCry attack. The WannaCry attack was so significant that Microsoft ended up releasing patches for Windows XP three days after the kill switch was first activated, despite having dropped support for the two-decades-old operating system years earlier.

Many consumers installed those patches as part of their regular monthly security updates. But many enterprises — take note, CISOs — have not yet installed patches on critical machines, like storage and data servers.

Two years later more than a million internet-facing computers are still vulnerable to WannaCry. Worse, that doesn’t include the many more computers that are “underneath” those internet-facing servers, including an entire fleet of computers connected to the same network. In other words, the number is likely far higher.

3. Communication is absolutely key

It’s very likely that your organization — if not WannaCry — will be hit by a malware outbreak or a security incident at some point in the future. We assume systems will fail and humans will mess something up. It happens.

As Hutchins and Hankins quickly learned, communication is at the center of everything that they do. Although the two researchers were in constant contact with one another, one of the biggest challenges they faced was interacting with other people in several timezones. Big enterprises may face a similar challenge.

When you’re dealing with a malware outbreak or security incident, make sure everyone is unified behind a single timezone — like Coordinated Universal Time (UTC) — so nobody has to convert between timezones. Also ensure that you have a communications platform that you trust, know will work, and will not let you down in the event of a malware outbreak. That means considering a cloud-based communications platform, in line with your corporate policies, rather than an in-house system that could be knocked offline by the same malware.

4. Document everything and be transparent with your workers


There is a good chance that you may have to call in law enforcement or third-party incident responders to deal with your security incident.

As Hankins said, “document everything like you’re going to be indicted by the FBI.” It sounds extreme, but it could very well work in your favor.

Making sure that everything is logged and documented across your team is vital. It will not only help your recovery, it will also tell others exactly what has been done, when, and by whom, so nobody doubles back or wastes time redoing the same tasks. It will also help if your company has cybersecurity insurance and needs to file a claim: your team will be partly responsible for showing whether everything within your company’s control was done properly, and millions of dollars could be at stake.

Your documentation should be compiled and protected — and backed up. It may be used in the future if the culprits are caught and the case is brought to court.
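The two practices above, a single UTC clock for the whole team and a record of who did what and when that can be protected and later produced in court, combine naturally in one small tool. The class below is an added example, not something from the article or the researchers: each entry is normalized to UTC from the contributor's local time, and entries are chained by SHA-256 so that any later edit to the record is detectable. The team names, actions, times and UTC offsets are constructed; a production version would use IANA zone names via `zoneinfo` rather than the fixed offsets used here to keep the example self-contained.

```python
"""Append-only incident log: entries from several timezones normalized to
UTC and chained by hash so tampering with the record is detectable.

Added example, not from the article; the entries, names and offsets are
constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def to_utc(local_ts, utc_offset_hours):
    """Parse 'YYYY-MM-DD HH:MM' given in a zone at the stated UTC offset
    and return an aware datetime in UTC."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M").replace(tzinfo=zone)
    return local.astimezone(timezone.utc)


class IncidentLog:
    """Chronological, hash-chained record of who did what and when (UTC)."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, in a canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, who, action, local_ts, utc_offset_hours):
        """Append an entry; the contributor supplies local time and offset."""
        ts = to_utc(local_ts, utc_offset_hours)
        entry = {
            "utc": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "who": who,
            "action": action,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def timeline(self):
        """Entries ordered by UTC time, however they were appended."""
        return sorted(self.entries, key=lambda e: e["utc"])

    def verify(self):
        """True if every hash matches its entry and the chain is unbroken."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def build_sample_log():
    """Constructed entries from responders in three zones, appended out of
    chronological order to show why the UTC timeline matters."""
    log = IncidentLog()
    log.record("responder-la", "Isolated file server FS-01", "2019-07-10 07:30", -7)
    log.record("responder-london", "Confirmed backups are offline", "2019-07-10 15:08", 1)
    log.record("it-ops-sydney", "Began patch rollout to ward 3 PCs", "2019-07-11 01:45", 10)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.timeline():
        print(e["utc"], e["who"], "-", e["action"])
    print("chain intact:", log.verify())
```

Export `log.entries` to your backed-up evidence store at regular intervals; because each entry carries the previous hash, an exported copy lets you show later that nothing was altered or removed between two checkpoints.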

But also having this information available will help shape your message internally and externally. Companies get hit by cyberattacks all the time. How they’re handled is what promotes empathy for a company — or derision.

Using what you know will help inform your staff, clients and customers, and the wider world what happened — and to help ensure that it will not happen again.

5. Your workers are human. Remember their wellbeing

Finally, the big takeaway from the WannaCry deep-dive was the human aspect. Both Hutchins and Hankins were thrown in at the deep end without realizing what stress, exhaustion and pressure they were about to face.

During the five days of the attack and its immediate aftermath, the researchers worked 92 hours with almost no sleep.

You may never know when an incident is going to happen. Making sure that your staff are prepared, ready to go at a moment’s notice, and given the tools, resources and support they need is key. The welfare and wellbeing of your staff may not seem important — let alone a priority — in the middle of your company’s systems failing. But an incident may well take days to recover from, and you need your best people at the top of their game.

Ensuring that your staff are given breaks, are swapped out regularly — having documentation will help ease that transition — and are looked after during this stressful period should be a priority over anything else.