The ransomware and wiper malware that hit companies around the world this year should be a watershed moment for all of us in infosec. If we ever needed relevant real-world scenarios for upper management / board-level conversations... this should be a game changer!
3. HIJACKINGS
• What would you surmise the mindset of the pilot / crew / passengers was if a plane was hijacked prior to 9/11?
• How did 9/11 change that mindset?
• What security controls exist today that didn’t exist prior to 9/11? (next slide)
• What priority was this given after 9/11?
• Shortly after the terrorist attack on the United States, President Bush provided twenty billion dollars for the upgrading of intelligence and security
http://www.ifpo.org/resource-links/articles-and-reports/protection-of-specific-environments/the-evolution-of-airline-security-since-911/
4. WATERSHED MOMENT FOR AIRLINES
• The biggest change was the creation of the TSA just months after 9/11
• Identification requirements: ID must be presented, name must match ticket
• Shoe removal: Most travelers must remove shoes at checkpoints
• Baggage: All baggage, whether carry-on or checked, must be screened
• Liquid ban: No liquids allowed through security in containers larger than 3.4 ounces
• Special items: Most travelers must remove toiletries and laptops from bags
• Jackets: Most travelers must remove outerwear during screening
• Enhanced pat-downs: This extra screening is sometimes administered
• No welcome committees: Only ticketed travelers are now allowed at airline gate areas
• Cockpit doors: These have been reinforced and stay locked during flights
https://www.farecompare.com/travel-advice/9-ways-security-has-changed-since-911/
5. INFOSEC WATERSHED EVENTS
International Event
• August 15th, 2012 – Saudi Aramco – Shamoon malware partially wiped or totally destroyed the hard drives of 35,000 company computers
Domestic Event
• November 24th, 2014 – Sony Pictures Entertainment was breached, seemingly by the GOP (Guardians of Peace), and had over 100 terabytes of data stolen
https://www.darkreading.com/attacks-breaches/inside-the-aftermath-of-the-saudi-aramco-breach/d/d-id/1321676
https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-sony-implemented-36022
6. WHAT ARE THE RECENT THREATS?
WannaCry – May 12th, 2017
• True ransomware, propagating with the EternalBlue exploit for MS17-010 (the SMBv1 flaw Microsoft had patched in March 2017, two months earlier)
• WannaCry crippled computers in at least 150 countries; economic losses are estimated at $4 billion
• Motive… financial gain?
Companies Affected
• UK’s National Health Service
• US hospitals (undisclosed)
• FedEx
• Nissan
• Renault
• Hitachi
• Russia (banks, telecom, railway, etc.)
• Police in one Indian state
• Universities in China (over 100k pc’s)
• Chinese police
7. ANOTHER RECENT THREAT
NotPetya – June 27th 2017
• Destructive “wiper” malware posing as ransomware (the ransom note was a decoy; the data could not be recovered by paying)
• Propagation also using EternalBlue exploiting MS17-010, combined with credential theft and lateral movement over PsExec and WMI, so fully patched hosts were still infected
• Motive… disruption, maybe a nation state testing the waters?
Companies Affected
• Major healthcare vendor (Nuance) affected by NotPetya ($30m loss)
• Portion of FedEx (TNT Express international shipping) affected; some data “may never be recovered”; $300m
• Maersk shipping indicated a $200m-$300m loss
• Merck allegedly had 90,000 machines affected
8. HOW TO DEFEND?
• If you happen to be in Healthcare… HHS guidance presumes a ransomware infection is a HIPAA breach unless you can demonstrate a low probability that PHI was compromised; set up a process to engage third-party forensics to analyze the incident and produce that risk assessment
• An incident response plan should be in place to respond quickly, with specific steps to follow in the event of ransomware
• Communicate as quickly as possible when an infection like ransomware occurs, so that the appropriate teams can engage and hopefully avoid costly issues
• Patch your systems (MS17-010 had been available since March 2017), verify patching is actually working through authenticated vulnerability scans, and segment your high-risk and critical systems off user networks; disable SMBv1 and block TCP 445 between user segments wherever you can
• Continuous monitoring of network activity, file movements and threat detection, and correlating these events, is essential
• Continuous assessment of risk, culminating in the remediation or acceptance of identified vulnerabilities via a plan of action
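The segmentation and monitoring bullets above, as an added example that is not part of the original deck: it correlates connection events to catch the two things that made WannaCry and NotPetya spread so fast, a single host opening SMB to dozens of distinct internal targets within a minute (worm-style fan-out, counted whether the firewall allowed or denied the attempt), and SMB from a user network into a critical segment that was allowed through (a segmentation rule that is missing or bypassed). The flow-log format, the address ranges, the thresholds and the sample log are all constructed assumptions for illustration.

```python
"""Added example (not from the original slides): correlating flow-log events to
detect worm-style SMB fan-out and user-to-critical-segment SMB traffic.
Log format, address ranges and thresholds are assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {139, 445}
FANOUT_THRESHOLD = 20                 # distinct SMB targets per source per window (assumed)
WINDOW = timedelta(seconds=60)
USER_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed user VLANs
CRITICAL_NET = ipaddress.ip_network("10.50.0.0/24")  # assumed critical/clinical segment


def parse_line(line):
    """Parse one constructed flow-log line: '<iso-time> <src> <dst> <dport> <ALLOW|DENY>'."""
    ts, src, dst, dport, action = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport), action)


def detect_smb_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak distinct targets} for sources that touched >= threshold
    distinct hosts on SMB ports inside any sliding window. Denied attempts count
    too: a worm sweeping a /24 is loud even when the firewall drops most of it."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        if dport in SMB_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort(key=lambda c: c[0])
        recent = deque()
        for ts, dst in conns:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:      # drop events older than the window
                recent.popleft()
            distinct = len({d for _, d in recent})
            if distinct >= threshold:
                alerts[str(src)] = max(alerts.get(str(src), 0), distinct)
    return alerts


def detect_segmentation_violations(events):
    """SMB from a user network into the critical segment that was ALLOWED:
    evidence that the segmentation rule is missing or has been bypassed."""
    return [(str(src), str(dst), dport)
            for _ts, src, dst, dport, action in events
            if dport in SMB_PORTS and src in USER_NET and dst in CRITICAL_NET
            and action == "ALLOW"]


def build_sample_log():
    """Constructed sample: one infected host sweeping a /24 on 445 within 30 s
    (some attempts denied), two normal hosts talking to one file server, and a
    single user-to-critical SMB connection that the firewall let through."""
    base = datetime(2017, 6, 27, 10, 15, 0)
    lines = []
    for i in range(1, 31):                                   # 30 distinct targets in 30 s
        ts = base + timedelta(seconds=i)
        action = "ALLOW" if i % 3 else "DENY"
        lines.append(f"{ts.isoformat()} 10.10.4.23 10.10.5.{i} 445 {action}")
    for host in (101, 102):                                  # benign: one server, every 20 s
        for k in range(3):
            ts = base + timedelta(seconds=20 * k)
            lines.append(f"{ts.isoformat()} 10.10.4.{host} 10.10.9.10 445 ALLOW")
    ts = base + timedelta(seconds=40)                        # the worm reaches the critical net
    lines.append(f"{ts.isoformat()} 10.10.4.23 10.50.0.5 445 ALLOW")
    return lines


def run(lines):
    """Parse the log and return (fan-out alerts, segmentation violations)."""
    events = [parse_line(line) for line in lines]
    return detect_smb_fanout(events), detect_segmentation_violations(events)


if __name__ == "__main__":
    fanout, violations = run(build_sample_log())
    for src, n in fanout.items():
        print(f"ALERT worm-like SMB fan-out from {src}: {n} distinct targets within {WINDOW.seconds}s")
    for src, dst, port in violations:
        print(f"ALERT segmentation violation: {src} -> {dst}:{port} was allowed")
```

On the constructed log the sweep host is flagged with 31 distinct targets (the 30 swept hosts plus the critical-segment server) and the two benign workstations are not, since each only ever talks to one server; the single allowed user-to-critical connection is reported separately. In practice the thresholds need tuning per site (a backup or scanning server legitimately fans out), which is exactly why the segmentation violation check is kept as an independent, low-noise signal.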
9. WILL WE EVER LEARN?
• To quote a colleague in the industry… “look at what happened to Home Depot, Target, TJ Maxx. Everyone still shops there. Maybe they had a temporary dip, but no permanent damage”
• From a discussion at the 2017 Cyber Summit in Cambridge, Mass last week… “Nobody will take security seriously until they’re hurt in new ways”.
https://www.cnbc.com/2017/10/09/greylocks-sarah-guo-us-doest-take-data-security-seriously-enough.html
Prior to 9/11, I would assume a pilot might think a hijacking would end up with some terrorists demanding a ransom and most everyone on board going home unscathed, so to speak.
After 9/11, I would assume everyone on board would think their plane had just turned into a weapon and they might not live much longer.
In 2012, the Saudi Aramco event started with an employee clicking a link in a spear-phishing email.
The event was timed to Ramadan, when the miscreants knew the IT staff would be limited. A group calling itself the “Cutting Sword of Justice” claimed responsibility.
At risk here was potentially the 9.4 million barrels of oil a day supplied by this company: 10% of the world's oil supply.
Aramco utilized its private fleet of airplanes to fly employees directly to factory floors in Southeast Asia, where they could procure 50,000 hard drives.
Their corporate office was offline for 5 months. This event should have rocked our world in terms of information security controls having top priority in our companies, especially within IT, but it seems to have been shrugged off as an isolated attack that “won’t happen to us”.
For the 2014 Sony event, it seemed to me that the public perception was of a targeted attack, “seemingly” by North Korea, as retribution for the movie the company was producing that depicted an assassination attempt on its leader (even though attribution has landed on multiple groups possibly being responsible). With that said, I’m guessing leadership in most organizations didn’t feel threatened by this because it was so politically motivated. Either way, it was devastating to the company:
It’s believed that user account credentials were harvested early on in this breach and that the malware used had these credentials embedded for a high likelihood of success.
The wiper malware activated and wiped around 9,000-10,000 machines.
Basic operations were established again after 45 days, and everything else was rebuilt over the next 18 months.
The “Destover” malware seemed to be tied to North Korea, but that same tool has been used in other instances.
It appeared that the wipe may have come from one group and the data leaks from another.
Basically everything was stolen and leaked… personal data on employees, movies and scripts, performance reports and salary info, source code, private keys, passwords, certificates, production schedules, box office projections, executives’ emails, Brad Pitt’s phone number, and more!
These incidents that happened this year that affected US companies so greatly have been a game changer for many executives that serve in leadership for corporate America. For many, this will be the tipping point where they begin to adequately staff and fund the information security programs of their organizations.
Because the leaked NSA tools (EternalBlue among them) are still being disclosed over time, these events may just be a precursor to much bigger issues in the future.
NotPetya started in Ukraine, seeded through a trojanized update to the M.E.Doc accounting software, and spread like wildfire.
On the third bullet, I say hopefully because we have info directly from one of the companies affected by NotPetya that all of their affected systems were hit within 10 minutes.
On the fourth bullet, I totally understand the difficulty of staying up to date on all patches. It is not easy! Trying to take clinical systems offline for patching is a challenge. Medical devices are another challenge, especially when there are FDA regulations.
I guarantee you that these companies affected by WannaCry and NotPetya have a new perspective on priorities in their organization.
The thing is… we can’t live in fear of these miscreants or what might happen. People like me have to explain to the leaders of our companies how this can happen, how it can be prevented, and, if we are not there yet, how to get there quickly. Everything happens for a reason… I truly believe that, and I know the One who’s in control, so I sleep pretty well at night.
Thanks for your time!
Any questions?