The recent WannaCry ransomware attack that infected (at the time of this article) more than 300,000 machines in more than 150 countries should serve as a wake-up call and a sign of things to come. This latest attack is showing how ransomware is becoming a major headache for organizations, both public and private, in nearly every industry. Reports emerged that car makers Renault and Nissan were attacked. Spain’s Iberdrola and utility provider Gas Natural suffered from the outbreak. FedEx Corp. in the U.S. reported disruptions as well.
The ransomware threat has grown over the past few years, with attackers recognizing its relative ease of use and profitability. Ransomware is part of a larger family of attack tools called “distributed cybercrime,” where cybercriminals attack many victims in the same campaign. These tools are part of a growing dark industry where malware, exploit kits, distribution services, etc. are developed to maximize ROI and infect as many victims as possible, easily and quickly. Distributed crimeware is readily available on the dark web, with professional platforms, customization and even infection experts on call.
Most security experts agree that there will be more attacks like WannaCry on the horizon, and many organizations are ill-equipped for what’s next. Manufacturing and other industrial organizations face additional challenges, such as having to implement programs that secure both operational technology (OT) and information technology (IT) assets from potential cyberattacks.
Change in Approach Needed
Microsoft issued patch MS17-010 for the vulnerabilities at the heart of WannaCry almost exactly two months before those attacks began. Why did so many organizations leave themselves open? Were vulnerability management and IT operations teams simply overwhelmed by the sheer number of vulnerability alerts they receive daily?
Even if your organization wasn’t impacted this time, don’t assume you’re in the clear. According to SC Magazine, the average company experiences two to three cyberattacks per month. Overall, businesses need to change their approach in how they manage and prioritize vulnerabilities, so they can focus on the small subset of vulnerabilities most likely to be targeted by attackers. Security programs must evolve from a frustrating and endless exercise of scrambling to patch everything all the time, toward a focused, intelligent, action-driven program that considers real-world threats. Such an approach is called “threat-centric vulnerability management” (TCVM). An effective TCVM approach leverages these five main components:
- Assessment/Discovery: gather data on the vulnerabilities currently within your organization’s systems and incorporate them into a comprehensive model of your network and its assets
- Vulnerability and Threat Intelligence: use intelligence feeds and security analyst research to understand which vulnerabilities are being exploited in the wild; packaged in ransomware, exploit kits, etc. sold on the dark web; or have published but inactive exploits
- Prioritization: starting with the network model and current information on exploits and previous attacks, use attack vector analytics and simulations to understand how attacks could play out, assessing the true risk of each vulnerability in your environment and prioritizing their remediation
- Remediation: apply patches or other compensating controls (IPS signatures, access rules, segmentation changes, etc.) to prevent exploitation; remediation urgency is aligned with the threat posed by each vulnerability
- Oversight: track remediation to ensure threats are neutralized and progress is made in reducing overall risk; monitor unmitigated vulnerabilities in case their threat level escalates
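A toy implementation of the prioritization, remediation and oversight steps listed above, added here as an illustration (it is not Skybox's product nor the author's code). The intel weights, urgency thresholds, exposure factor and the EXAMPLE-* identifiers are constructed assumptions; MS17-010 is the bulletin named in the text.

```python
from dataclasses import dataclass
# Weight given to what threat intelligence says about a vulnerability
# (assumed values; the text names the categories, not the weights).
INTEL_WEIGHT = {"exploited_in_wild": 3.0, "packaged_in_kit": 2.0,
                "published_exploit": 1.0, "none": 0.0}

@dataclass
class Vuln:
    vuln_id: str
    asset: str
    cvss: float           # scanner severity, 0-10 (assessment/discovery)
    exposed: bool         # network model says an attack path reaches it
    ot: bool = False      # shop-floor device that cannot simply be patched
    intel: str = "none"   # key into INTEL_WEIGHT

def risk(v: Vuln) -> float:
    """Severity x exploit intel x exposure; unreachable hosts count half."""
    exposure = 1.0 if v.exposed else 0.5
    return round(v.cvss * (1 + INTEL_WEIGHT[v.intel]) * exposure, 1)

def urgency(v: Vuln) -> str:
    """Map the score onto remediation urgency (thresholds are assumed)."""
    r = risk(v)
    return "immediate" if r >= 20 else "scheduled" if r >= 8 else "monitor"

def action(v: Vuln) -> str:
    """OT assets get a compensating control rather than a patch."""
    return "compensating control (IPS/segmentation)" if v.ot else "patch"

def prioritize(vulns):
    return sorted(vulns, key=risk, reverse=True)

def oversight(vulns, feed):
    """Re-rate unmitigated vulns whose intel status escalated; return changed ids."""
    changed = []
    for v in vulns:
        new = feed.get(v.vuln_id, v.intel)
        if INTEL_WEIGHT[new] > INTEL_WEIGHT[v.intel]:
            v.intel = new
            changed.append(v.vuln_id)
    return changed

# Constructed sample inventory; only MS17-010 is a real bulletin (from the text).
INVENTORY = [
    Vuln("MS17-010", "file-server-01", 8.1, exposed=True, intel="exploited_in_wild"),
    Vuln("EXAMPLE-0001", "hmi-line-3", 9.8, exposed=False, ot=True, intel="published_exploit"),
    Vuln("EXAMPLE-0002", "web-01", 7.5, exposed=True),
    Vuln("EXAMPLE-0003", "hr-laptop-17", 5.4, exposed=False),
]
```

Note how the highest-CVSS item (the unreachable OT HMI) is outranked by the lower-CVSS but actively exploited MS17-010, and how a later feed update can promote a "monitor" item to "immediate".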
The Convergence of OT and IT
Manufacturers have typically only had to worry about protecting their IT infrastructure from cyberattacks. In the past, OT on the shop floor was kept far away from back-office IT systems; today, operational efficiencies and cost savings have made integrating the two the normal way of doing business. Unfortunately, this also gives bad guys more targets and more vectors to spread malware and exploit vulnerabilities.
The best way to prepare for an attack is to rethink your cybersecurity strategy and break down the security management silos between IT and OT environments. This gives more comprehensive visibility of the entire attack surface, allowing you to analyze access and vulnerabilities to strengthen critical infrastructure security. Traditional vulnerability management often leaves out internet-enabled sensors, ICS and SCADA systems, which often can’t be patched using the same technologies and processes as traditional IT devices. Through better visibility and context within the TCVM approach, organizations are better armed to protect all assets and prevent exploitation by making better use of security controls.
Costs Higher than Ransom
Don’t look at the financial details of this attack and think it’s not that big a deal or that it will be cheaper to pay a ransom than rethink your security. The price charged to decrypt data was admittedly small at $300 per victim, and the profit reaped by the attackers correspondingly paltry — in the tens of thousands of dollars for a global attack affecting millions. But the costs to manufacturers affected were certainly much higher. One widely reported figure pegs automotive manufacturing downtime costs at $22,000 per minute. Multiply that by the minutes in a day and then the several plants involved, and Renault certainly took a significant hit thanks to WannaCry.
In this day and age, it’s not a matter of if your business will be targeted by cyberattackers, it’s a matter of when and what impact those attacks may have. The best thing you can do is to rethink your approach to cybersecurity from a holistic perspective. Prioritize cyber triage of your systems based on threat-centric vulnerability management and remain ever vigilant in your IT and OT networks. WannaCry may have gone quiet, but it has likely emboldened a lot of attackers who think they may have what it takes to do it better.
Ravid Circus is vice president of product at Skybox Security.