On 12 May there was a cyber attack on a global scale based on malware that combined file encryption and extortion (ransomware) with self-propagation (worm). The ransomware component is called WannaCry, and the propagation component is based on a technique/tool called EternalBlue, developed by the NSA, a US security agency, which fell into the hands of criminals. The attack was staged simultaneously around the world and affected hundreds of thousands of computers in more than 100 countries.
The malware exploits vulnerabilities in the Windows operating system to infect other vulnerable computers on the same local network as the originally infected machines, spreading at high speed and on a massive scale. The vulnerability exploited by this version of WannaCry lies in weaknesses in the file-sharing subsystem that Microsoft itself had announced and corrected on 14 March 2017, which shows that many institutions around the world do not update their systems often enough.
In general, the impact of this malware, or of similar ones, can be attributed to several causes:
1. Problems with the awareness/training of business sector employees - Workers clicking on attachments in "suspicious" emails is often how malware enters institutions. In this specific case, this possibility can almost certainly be dismissed;
2. The speed at which companies apply patches or fixes from Microsoft (for Windows) or other software companies - A slow response in applying these patches or fixes may leave a company unprotected. In this specific instance, it is undeniable that this was the root cause of the problem in all the affected institutions;
3. Companies' ability to detect that they are under attack - The panic caused by the unknown, together with the lack of visibility of what is going on in the network and in the world in general, leads institutions to take exaggerated measures that have an impact on the brand and the business. In this specific case, many institutions ordered their workers to switch off their personal computers and cut Internet access throughout the organisation.
Considering the above, various practices should be implemented to avoid infection by malware like WannaCry: the latest operating system updates should be applied regularly; alerts and the various internal indicators on the institution's networks should be monitored constantly, together with what the community reports about other organisations; and threats and their risk-mitigation actions should be reviewed continuously.
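One of the internal indicators mentioned above, worked as an added example that is not from the original article: a single host opening file-sharing connections (SMB, assumed here to be logged as TCP/445) to many different peers within a few seconds, which is the fan-out pattern of worm-style propagation rather than normal user activity. The log format, hosts, window and threshold are all constructed assumptions.

```python
"""Flag worm-like SMB fan-out in connection logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the file-sharing service is logged as destination port TCP/445.
SMB_PORT = 445

# Constructed sample log lines in the form "<ISO timestamp> <src> -> <dst>:<dport>".
# 10.0.1.25 reaches six distinct peers in three seconds (suspicious);
# 10.0.1.40 talks to one file server twice (normal); 10.0.1.41 is HTTPS.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.25 -> 10.0.1.30:445
2017-05-12T10:00:02 10.0.1.25 -> 10.0.1.31:445
2017-05-12T10:00:02 10.0.1.25 -> 10.0.1.32:445
2017-05-12T10:00:03 10.0.1.25 -> 10.0.1.33:445
2017-05-12T10:00:03 10.0.1.25 -> 10.0.1.34:445
2017-05-12T10:00:04 10.0.1.25 -> 10.0.1.35:445
2017-05-12T10:00:05 10.0.1.40 -> 10.0.1.10:445
2017-05-12T10:00:09 10.0.1.40 -> 10.0.1.10:445
2017-05-12T10:00:20 10.0.1.41 -> 10.0.1.10:443
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def smb_fanout(log_text, window=timedelta(seconds=10), threshold=5):
    """Return {src: peer_count} for sources that contact at least `threshold`
    distinct hosts on the SMB port within any span of length `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == SMB_PORT:
            events[src].append((ts, dst))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # Distinct peers reached in the window starting at this event.
            peers = {d for t, d in hits[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {n} distinct hosts on TCP/{SMB_PORT} within 10s")
```

The threshold should be tuned per network segment; a file server or a vulnerability scanner will legitimately exceed it and belongs on an allow-list.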
These practices depend on building an 'intelligence' structure within institutions, where decision making relies on collecting, processing and analysing information from various sources, both internal and external. I believe that the pressure caused by security incidents, due to the inability to respond quickly, will force companies to provision the proper means and resources. Likewise, institutions that have Strategic Intelligence or Competitive Intelligence teams will also start to have Cyber Threat Intelligence teams (or outsource them).
VP of Strategic Marketing at S21sec