The WannaCry attack has grabbed the attention of the world for all the wrong reasons, but perhaps for the correct ones as well. For the apathy, denial, ignorance and deliberate "blind eye" to which has been turned too long towards the cyber security discussion has had the global “wake-up call”.
Whilst the world is fed media headlines that the "world is under attack" it fails to recognise that the world has been under attack for years, the difference of course this attack got significant attention because it closed hospitals and lives were put in potential danger. I've heard it said many times that people won't take cyber threats seriously until a life is lost. Does really have to get to that degree of seriousness?
I recall when we saw the first attacks of Ransomware in Australia in September, 2013. Interestingly the first three (3) organisations compromised in Queensland were medical facilities, not because of what they represented but they were simply identified as being vulnerable. From memory, there were about 52 organisations compromised in that first wave of attack, not so insignificant! And they didn't just encrypt the PC, they encrypted the entire file server!
There is no doubt that the global pervasiveness of this attack is extraordinary and will garner significant interest and commentary, but what concerns me is what we don't see. What concerns me is that people will look for ransomware indicators and then be satisfied that they're "safe". This couldn't be further from the truth.
The exploits developed are many and varied and we have to stop assigning such exploits to a single group! There is huge money to be made from cybercrime and it's vital we understand the “Crime as a Service” model because we need to "know our enemy" - yes, it's the "Art of War!"
So a person or group getting their hands on a particular effective exploit tool can do three (3) fundamental things:
Keep the exploit to themselves, use it and make money from their endeavours;
Provide the exploit "as a Service" to other criminals and get paid for how many times it is deployed or rendered effective; or
Sell the exploit to other criminals as an expensive highly sought after commodity allowing them to extract the greatest harm possible.
But of course the criminal has the option to do all of these things simultaneously!
I have the greatest respect for the skills of our enemy and I particularly respect their strategic conceptualisation. So do we really think they would expose their skills and exploits so readily in isolation? Do we not think they would have leveraged other exploit tools in conjunction with WannaCry? They understand the art of deception and diversion! Whilst all attention will be on WannaCry and its nuances, I can't help but think what else have they already done?
WannaCry is the overt side of the operation, it declares itself in order to facilitate the ransom demand but the cybercriminal more generally never wants to be discovered. Using Fire Eye's intelligence analysis it now takes on average 206 days before a breach is detected. Obviously the longer the better so as to yield the greatest exfiltration of precious data. Quite simply the longer the covert operation remains undetected the more significant the damage and the more significant the organised crime effort. The purpose of Organised Crime? To make money!
WannaCry is not the end, but merely the beginning! It's time to get our organisations focussed on the right technologies, tethered to the best security, and underpinned and supported by a strong cyber-secure organisational culture.
So now we have the world's attention and I expect we will hold it for a period of time and then we will move to the next headline. The women and men of the cyber security industry work tirelessly, industriously with passion and vigour to protect their organisations irrespective of headlines because they know the threat is growing, increasing with sophistication and nefarious intent, and it does not sleep.
Now is the time to review your security strategy, baseline your current security position and seek to build greater resilience inside your business to ensure it grows safely and securely tomorrow.
Brian Hay is Lead CISO Advisor, APAC for Unisys Australia, cyber evangelist, public speaker and commentator.
- WannaCry could have been worse – and still could be – as exploit shapes “new normal”
- APAC’s transformation enthusiasm causing “scary things” to happen with IoT security
- Remembering the IT department before rolling out IT
- The lifecycle of cybercrime
- Visibility imperative gives Savvius a growing role in integrated security defence