
WannaCry: Lessons learned and carried forward

Personal experiences from these cyber professionals

Although it feels like yesterday, this May 12th is the fifth anniversary of the WannaCry ransomware attack of May 12th, 2017. In all, the attack hit more than 200,000 computers across 150 countries and inflicted estimated damages of as much as US $4 billion. WannaCry was neither the first nor the last ransomware in a long procession of cyber exploits, but for many security professionals it was a landmark event.

On the fifth anniversary of WannaCry, CyberTalk.org asked several Check Point security professionals to describe their personal experience with WannaCry, including the lessons they learned, and the impact it has had on their security best practices.

Here is what they had to say:

Peter Nicoletti, Field CISO, Americas, Check Point Software

There’s no doubt that WannaCry was a critical wake-up call. When it first surfaced, I knew it was serious, especially since I knew that the CVE vulnerability was one of the top issues on our unpatched Microsoft servers. I remember the “fish slap” many of us felt from this zero-day attack. How could a simple attack blow by protection layers and compromise servers so rapidly and with such devastating results?

As my company’s CISO, I immediately assembled the team and “war gamed” all the possible outcomes, from no impact to total compromise of all vulnerable servers. The cost to recover a server from a malware event was thousands of dollars, and any type of outage was unacceptable. IR plan engaged! Security partners were summoned to coordinate a suite of IPS signature upgrades, WAF configuration changes, and additional firewall security system monitoring, and we put the server patch team on intravenous JOLT cola and 24/7 efforts. As it worked out, my organization (and my career) escaped unscathed based on fast teamwork. I still remember a Board member referring to my Incident Response best-practices response as nothing more than a ‘chicken-little’ episode, all the way up until I showed her how easily the compromise worked and explained the scenario in detail.

Since then, and over the years, I continue to preach the importance of patch hygiene. This includes a good set of patching tools and the use of a different team to validate patches. If it can’t be patched, there had better be an appropriate compensating control! It’s important to coordinate closely with the business to ensure any patching efforts do not interfere with operations or break applications. If there is one clear takeaway from WannaCry and the slew of subsequent ransomware attacks since, it’s the realization that patching and zero-day prevention have become table stakes to the Big Game and an essential focus for all organizations.

Deryk Mitchelson, Field CISO, EMEA, Check Point Software

In May of 2017, I, thankfully, had not yet joined the National Health Service (NHS) in the UK, one of the clear victims of the WannaCry attack. I was working at that time as the CISO and VP of Technology for a commercial data organization. A recent company acquisition was badly impacted by WannaCry, and unfortunately, we didn’t have sufficient time or opportunity to deploy our own hardened images and endpoint protection. I do remember the pushback we received from the acquired firm’s IT, who were proud of their services. Affected encrypted devices were restored from backups, although not all files on file shares were fully backed up, so a small amount of data was lost.

One important lesson is for cyber professionals to make cyber hygiene a top priority. Without it, and with the steady stream of sophisticated cyber attacks, disaster is only a click away.

WannaCry was not a sophisticated ransomware. A hardened image with robust patching and network segmentation could have prevented this infection, as well as many cyber attacks since. Doing the basics well with a prevention mindset and proper hygiene is your first line of defense. Today, security professionals are aided by incredible AI and ML technologies that will only strengthen our ability to protect our organizations.

Jony Fischbein, CISO, Check Point Software

I became Check Point’s CISO after WannaCry, but at that time, I routinely worked on developing security strategies with large customers. Since becoming the CISO, I see a huge responsibility for professionals to develop preventative plans to mitigate ransomware and other cyber attacks.

One process often overlooked by professionals is developing air-tight security strategies, including the role of backups. A solid backup is the instrument that allows an organization to quickly recover from an attack. The other important process is the development and persistent updating of your business continuity plan (BCP). This details the procedures, methodologies, and periodic exercises required to provide a firm defense.

“Defense in Depth” is another key concept that’s important for CISOs to adopt. If your defense strategy relies on a single measure, that is way too thin. While today’s bad actors are developing more sophisticated threats, CISOs are trying to defend with security implementations that could be six months or a year old. Security implementations can break or be misconfigured, allowing the malware to successfully encrypt and jump to the next victim. My defense-in-depth strategy dictates that one or more security controls will eventually fail. Plan on secondary or complementary solutions.

And for my final best practice: remember that security is all about planning, risk assessment, and the proper implementation of your available tools.

Micki Boland, Enterprise Security Architect and Evangelist, Check Point Software

At the time of the WannaCry ransomware outbreak, I was a global architect and engineer for one of the largest logistics management companies in the world. For businesses in this sector, business partners (B2B), subsidiaries, and M&A firms are often integrated into the mothership enterprise, often creating a weak link in the security chain.

With WannaCry, this was the case. A partner link with my customer was exploited, and when it hit, the customer’s home base was unscathed due to its large security infrastructure. However, a recently acquired subsidiary was impacted. Operations and ICT systems were disrupted, resulting in a direct impact on the subsidiary’s service areas and, to a larger extent, the slowdown of services throughout the rest of the customer’s global enterprise. Permanent data loss was also a result.

Soon after WannaCry, the company was attacked by the NotPetya ransomware using the same Microsoft vulnerability. This time, the organization was prepared.

It is incumbent on all security professionals to put into practice the hard-earned lessons with targeted zero-day attacks. This includes the use of virtual patching with IPS and/or next generation threat prevention. The latter must include threat emulation/extraction, anti-bot, and anti-virus technologies to gain protection against what have become sophisticated cyber attacks.

Microsoft did have a patch for these vulnerabilities three months before WannaCry, but many organizations failed to patch. WannaCry was a definite wake-up call for my customer and for organizations encircling the globe in terms of the financial impact and widespread disruption of IT systems.

Final note

Ransomware is a major disrupting factor for all organizations, large or small. Ransomware’s rapid evolution has completely altered the threat landscape. A devastating attack comes without warning, so only the best security already in place can prevent attacks and keep organizations protected.
