With thousands of customers relying on us for protection, I’m not surprised that we’ve gotten questions about the current dire predictions of nation-state cyberwarfare resulting from ongoing global political friction. People want to know what they should do differently or do more.
My answer is that they should not panic, and they shouldn’t assume they need to revamp their security portfolio. Instead, this is a good time and reason to ensure that they understand their risks and are diligent in watching for trouble. Most will never be an intentional target, but there is always the risk that some automated attack spreads beyond its intended targets, like NotPetya did back in June of 2017.
It’s a helpful historical precedent. The NotPetya attack was intended to disrupt Ukrainian assets but spread so indiscriminately that it resulted in $10B of damages worldwide. If you’re interested, there is a thorough and interesting analysis in a 2018 issue of Wired. The punchline is that this major attack leveraged known weaknesses and interconnected systems to rapidly spread, to steal credentials, and to destroy the systems that it touched.
What are the lessons?
- Validate visibility into all the systems in your estate and the software that they are running. One of the reasons that NotPetya was so damaging, and spread so far so quickly, was that it combined an attack against unpatched systems with the capability of stealing authentication credentials from memory. A neglected and underpowered system may not be a critical asset, but it’s likely that one or more accounts that access it will also have access to systems that matter. If it’s vulnerable or undiscovered, that’s a serious weakness. Take the time to do the asset inventory, auto-discover anything new, and know where the gaps may be.
- Maintain constant vigilance. Remote code execution exploits and laterally spreading campaigns take a little time to bloom. Watch for connections from unusual geographies or to unserved ports. Refresh your employee awareness on browser and email hygiene, and watch logs for evidence of repeated failed login attempts and failed network connections. Look for unusual traffic patterns internally, as the scan-and-spray tactics worms use for lateral movement won’t follow your normal paths.
- Balkanize where you can. Least privilege is a well-known best practice, but least access can be a great disruptor of automated attacks. Know what networks and services need to communicate with one another and block the rest. This does more than just contain an infection; the presence of multiple failed attempts to connect through an internal gateway can provide early warning of an ongoing infection, so long as you’re watching.
- Double check your recovery plan. Run a restoration exercise of your backups, and double check that they are stored in multiple locations and cannot be reached from your operational systems, even by the most privileged system or user.
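As an added illustration of the second and third lessons (watching logs for repeated failed logins, and treating failed connection attempts through an internal gateway as early warning), here is a small detection script. It is not code from the post or its author; the log lines are constructed samples, the auth lines follow the OpenSSH sshd syslog format, and the gateway lines assume an iptables-style LOG record prefixed with `DENY` on a default-deny internal gateway. It flags sources with many failed logins, sources whose denied connections fan out across many internal hosts (the scan-and-spray pattern), and, most usefully, sources that do both.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the post). The auth lines follow the
# OpenSSH sshd syslog format; the gateway lines assume an iptables-style
# LOG record with a "DENY" prefix on a default-deny internal gateway.
AUTH_LOG = [
    "Jun 27 10:01:02 fileserver sshd[812]: Failed password for admin from 10.0.1.5 port 51234 ssh2",
    "Jun 27 10:01:04 fileserver sshd[812]: Failed password for admin from 10.0.1.5 port 51235 ssh2",
    "Jun 27 10:01:06 fileserver sshd[812]: Failed password for invalid user backup from 10.0.1.5 port 51236 ssh2",
    "Jun 27 10:01:09 fileserver sshd[812]: Failed password for root from 10.0.1.5 port 51237 ssh2",
    "Jun 27 10:02:00 fileserver sshd[815]: Accepted password for alice from 10.0.3.20 port 40000 ssh2",
    "Jun 27 10:05:00 fileserver sshd[820]: Failed password for alice from 10.0.3.20 port 40001 ssh2",
]

GATEWAY_LOG = [
    "Jun 27 10:03:01 gw1 kernel: DENY IN=eth1 SRC=10.0.1.5 DST=10.0.2.10 PROTO=TCP DPT=445",
    "Jun 27 10:03:01 gw1 kernel: DENY IN=eth1 SRC=10.0.1.5 DST=10.0.2.11 PROTO=TCP DPT=445",
    "Jun 27 10:03:02 gw1 kernel: DENY IN=eth1 SRC=10.0.1.5 DST=10.0.2.12 PROTO=TCP DPT=445",
    "Jun 27 10:03:02 gw1 kernel: DENY IN=eth1 SRC=10.0.1.5 DST=10.0.2.13 PROTO=TCP DPT=445",
    "Jun 27 10:03:02 gw1 kernel: DENY IN=eth1 SRC=10.0.1.5 DST=10.0.2.13 PROTO=TCP DPT=139",
    "Jun 27 10:04:30 gw1 kernel: DENY IN=eth1 SRC=10.0.3.20 DST=10.0.2.10 PROTO=TCP DPT=8443",
]

# sshd reports unknown accounts as "invalid user NAME"; accept both forms.
AUTH_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3})"
)
DENY = re.compile(
    r"\bDENY\b.*\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)


def repeated_login_failures(lines, threshold=3):
    """Count failed logins per source address; return those at or above threshold."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            counts[m["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def internal_scanners(lines, min_targets=3):
    """Find sources whose denied connections fan out across many distinct
    internal hosts: the scan-and-spray pattern of worm lateral movement.
    Returns {src: {"hosts": [...], "ports": [...]}}."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        m = DENY.search(line)
        if m:
            hosts[m["src"]].add(m["dst"])
            ports[m["src"]].add(int(m["dport"]))
    return {
        src: {"hosts": sorted(h), "ports": sorted(ports[src])}
        for src, h in hosts.items()
        if len(h) >= min_targets
    }


def correlate(auth_hits, scan_hits):
    """Sources that both hammer logins and probe across the gateway: the
    strongest early warning that an automated spread is in progress."""
    return sorted(set(auth_hits) & set(scan_hits))


if __name__ == "__main__":
    auth = repeated_login_failures(AUTH_LOG)
    scans = internal_scanners(GATEWAY_LOG)
    for src in correlate(auth, scans):
        print(f"{src}: {auth[src]} failed logins, probed {scans[src]['hosts']} "
              f"on ports {scans[src]['ports']}")
```

On the sample data only 10.0.1.5 trips both detectors; alice's single typo at 10.0.3.20 and one denied connection to an unexpected port do not. The thresholds are deliberately low for a short sample; in practice tune them per network segment, and feed the gateway denies only from a default-deny policy, since a permissive gateway logs nothing worth correlating.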