Happy Anniversary, Still WannaCry

On Friday afternoon, May 12th, 2017, we started to hear about WannaCry ransomware which would ultimately impact over 250,000 computers worldwide. WannaCry, Eternal Blue, Shadow Brokers, and Server Message Block (SMB) exploits seem so long ago. What have we learned in those 5 years? Not enough, apparently.

Although the patch that would protect against WannaCry was issued by Microsoft on March 14th of that same year, it seems many organizations didn’t get around to installing it in time. Exploiting an SMB vulnerability efficiently abused by the NSA for years and then leaked to the public by the Shadow Brokers certainly caught people off guard. Ransomware has only accelerated from there. Some say we may have reached “peak ransomware” last year.

All these years later, organizations are still struggling to patch vulnerabilities before exploits take advantage of them. Or, unfortunately, they patch after the exploit has been utilized and never checked to see. You’re lucky to have one day to patch a critical vulnerability nowadays.  

Over the past 5 years, businesses have purchased more security tools and bought cyber insurance policies in the hopes of mitigating costs associated with their accumulated technical debt. Gone is the thought that some “black box” artificial intelligence (AI) machine can solve all of your security problems without you having to do anything.

Cyber insurers have lost their rears and are pushing back — jacking premiums, cutting coverages, and low-balling recovery efforts. Insurers also started asking more questions in a vain attempt to better underwrite risks. Too late.

Even the SEC has stepped up its efforts to force companies to better disclose their cyber practices and risks to investors. Upstream supply chain partners are asking what you do to mitigate risks. It’s not just “are you doing something” any longer. It’s now “Are you doing the right things?”

So, what are the right things?

1. You need to practice good cyber hygiene; identify and patch vulnerabilities; have a strong, resilient infrastructure; verified security controls; and well-rehearsed IR plans.
2. You need an experienced security team with visibility over the network and hosts (not just hosts). Logs are great but come after the fact.
3. You need battle-hardened humans that actually hunt for badness in your network before it gets you. Not some automated detection tool whose “check-engine light” goes on when the oil is low. You need real people looking for signs that other real people are exploiting weaknesses in your systems.
4. You need to test your controls and procedures to see how effective they actually are.