With thousands of customers relying on us for protection, I’m not surprised that we’ve gotten questions about the current dire predictions of nation-state cyberwarfare resulting from ongoing global political friction. People want to know what they should do differently or do more.
My answer is that they should not panic, and they shouldn’t assume they need to revamp their security portfolio. Instead, this is a good time and reason to ensure that they understand their risks and are diligent in watching for trouble. Most will never be an intentional target, but there is always the risk that some automated attack spreads beyond its intended targets, like NotPetya did back in June of 2017.
NotPetya is a helpful precedent. The attack was aimed at Ukrainian targets but spread so indiscriminately that it caused an estimated $10B in damages worldwide. If you’re interested, Wired published a thorough and interesting analysis in 2018. The punchline is that this major attack needed nothing novel: it leveraged a known weakness for which a patch had been available for months, plus interconnected systems, to spread rapidly, steal credentials, and destroy the systems it touched.
What are the lessons?
- Validate visibility into all the systems in your estate and the software they are running. One reason NotPetya was so damaging, and spread so far so quickly, was that it combined an exploit against unpatched systems with the ability to steal authentication credentials from memory, so a fully patched machine could still be taken over with credentials lifted from an unpatched neighbour. A neglected and underpowered system may not be a critical asset, but one or more of the accounts that log into it very likely also have access to systems that matter. If it is vulnerable or undiscovered, that’s a serious weakness. Take the time to do the asset inventory, auto-discover anything new, and know where the gaps are.
- Maintain constant vigilance. Remote code execution exploits and laterally spreading campaigns take a little time to bloom, and that window is your chance to catch them. Watch for connections from unusual geographies or to ports with no listening service. Refresh employee awareness of browser and email hygiene, and watch logs for repeated failed login attempts and failed network connections. Look for unusual traffic patterns internally: the scan-and-spray tactics worms use for lateral movement won’t follow your normal paths, so one host suddenly trying to reach many of its neighbours on the same port is a signal worth alerting on.
- Balkanize where you can. Least privilege is a well-known best practice, but least access can be a great disruptor of automated attacks. Know which networks and services need to communicate with one another and block the rest. This does more than contain an infection: repeated failed attempts to connect through an internal gateway can give early warning of an infection in progress, so long as you’re watching.
- Double-check your recovery plan. Run a restoration exercise from your backups and confirm that they are stored in multiple locations and are inaccessible, even to the most privileged system or user, from your operational systems. A backup that a domain administrator can reach from the production network can be destroyed by whatever is holding that administrator’s stolen credentials.
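As an added example (not from the original post), here is a small Python detector that applies the two detection ideas from the list above to constructed log lines: a segment gateway's denied connections and authentication failures. The first check flags scan-and-spray lateral movement (one source denied to many distinct hosts on one port within a short window); the second flags replay of stolen credentials (one source failing logins against several hosts or accounts in a short span) while leaving a single user's occasional typo alone. The log format, addresses, ports and thresholds are assumptions for illustration, not a real product's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format, one event per line:
#   <ISO timestamp> <DENY|AUTHFAIL> src=<ip> dst=<ip> dport=<port> [user=<name>]
# The first block imitates a worm on 10.1.4.23 sweeping a neighbouring subnet on
# SMB (445) and then replaying stolen credentials; the last lines are benign noise.
SAMPLE_LOG = """\
2017-06-27T10:00:01 DENY src=10.1.4.23 dst=10.1.9.5 dport=445
2017-06-27T10:00:01 DENY src=10.1.4.23 dst=10.1.9.6 dport=445
2017-06-27T10:00:02 DENY src=10.1.4.23 dst=10.1.9.7 dport=445
2017-06-27T10:00:02 DENY src=10.1.4.23 dst=10.1.9.8 dport=445
2017-06-27T10:00:03 DENY src=10.1.4.23 dst=10.1.9.9 dport=445
2017-06-27T10:00:03 DENY src=10.1.4.23 dst=10.1.9.10 dport=445
2017-06-27T10:00:05 AUTHFAIL src=10.1.4.23 dst=10.1.9.5 dport=445 user=svc_backup
2017-06-27T10:00:05 AUTHFAIL src=10.1.4.23 dst=10.1.9.5 dport=445 user=administrator
2017-06-27T10:00:06 AUTHFAIL src=10.1.4.23 dst=10.1.9.6 dport=445 user=svc_backup
2017-06-27T10:00:06 AUTHFAIL src=10.1.4.23 dst=10.1.9.6 dport=445 user=administrator
2017-06-27T10:00:07 AUTHFAIL src=10.1.4.23 dst=10.1.9.7 dport=445 user=svc_backup
2017-06-27T10:15:00 DENY src=10.1.2.7 dst=10.1.9.5 dport=443
2017-06-27T10:20:00 AUTHFAIL src=10.1.2.7 dst=10.1.9.5 dport=22 user=alice
2017-06-27T11:20:00 AUTHFAIL src=10.1.2.7 dst=10.1.9.5 dport=22 user=alice
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    event = {"ts": ts, "type": parts[1]}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        if key and value:
            event[key] = value
    return event


def parse_log(text):
    """Parse all lines, drop unparsable ones, and number events so they can be counted."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]
    for seq, event in enumerate(events):
        event["seq"] = seq
    return events


def _windowed_max(events, window, field):
    """Largest number of distinct `field` values inside any span of length `window`.
    Returns (count, start_timestamp) using a two-pointer sweep over sorted events."""
    events = sorted(events, key=lambda e: e["ts"])
    best, best_start, j = 0, None, 0
    for i, first in enumerate(events):
        while j < len(events) and events[j]["ts"] - first["ts"] <= window:
            j += 1
        distinct = {e[field] for e in events[i:j] if field in e}
        if len(distinct) > best:
            best, best_start = len(distinct), first["ts"]
    return best, best_start


def find_spray(events, window=timedelta(seconds=60), min_targets=5):
    """Scan-and-spray: one source denied to many distinct hosts on one port quickly."""
    by_src_port = defaultdict(list)
    for e in events:
        if e["type"] == "DENY" and "src" in e and "dst" in e and "dport" in e:
            by_src_port[(e["src"], e["dport"])].append(e)
    alerts = []
    for (src, dport), evs in by_src_port.items():
        targets, start = _windowed_max(evs, window, "dst")
        if targets >= min_targets:
            alerts.append({"src": src, "dport": dport, "targets": targets, "start": start})
    return alerts


def find_credential_spray(events, window=timedelta(minutes=5), min_failures=4):
    """Replay of stolen credentials: one source failing logins against several hosts
    or accounts in a short span. One user mistyping a password on one box does not
    fan out across hosts or accounts, so it is not flagged."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "AUTHFAIL" and "src" in e:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures, start = _windowed_max(evs, window, "seq")  # seq is unique: counts events
        hosts, _ = _windowed_max(evs, window, "dst")
        users, _ = _windowed_max(evs, window, "user")
        if failures >= min_failures and (hosts >= 2 or users >= 2):
            alerts.append({"src": src, "failures": failures, "hosts": hosts,
                           "users": users, "start": start})
    return alerts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for alert in find_spray(parsed) + find_credential_spray(parsed):
        print(alert)
```

Run as-is and it reports two alerts, both for 10.1.4.23, and nothing for 10.1.2.7, whose single deny and two widely spaced failed logins by one user are exactly the noise you do not want paging anyone. The thresholds are the knobs to tune per network: a worm sweeping a /24 on one port or replaying one credential pair across many hosts stands out at almost any setting, while a vulnerability scanner you run yourself should be excluded by source address rather than by raising the bar.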
Most of you are probably saying, “Shouldn’t we be doing all of this anyway?” The answer is, “Of course,” but focus and rigor in security practices fade quickly when things are going well. Drift and dwell time are the byproducts of a lack of attention, and an absence of incidents can lull the best organization into a false sense of comfort. Cyberattack hyperbole may cause some natural human overreactions, but it also provides an opportunity to rally your organization around the importance of vigilance, patching, and response planning.
You’ll probably avoid the crosshairs of some nation-state retaliation, but you might as well benefit from the interest while it lasts.