Does History Need to Repeat Itself? Lessons Learned From WannaCry

Susan Morrow
August 5, 2017 by
Susan Morrow

Often, at the end of a project, especially a long and complicated one, there will be a ‘lessons learned’ session held. These sessions usually bring together either the internal team or consortia teams, to discuss what went wrong and what went right with the project.

The discussions are a way of analyzing events. If done well, they can give future projects insight into how to avoid the same mistakes. Lessons learned sessions can lead to better project management, optimized efforts, and ultimately financial savings. They can also be fun, especially if good food and drinks are provided to lubricate the meeting.

Should you pay the ransom?

Should you pay the ransom?

Download The Ransomware Paper for real-world ransomware examples, mistakes and lessons learned.

The recent global ransomware event, WannaCry, has been a wake-up call to companies across the globe. If ever we need to learn from a cyber security event, it is now.

WannaCry From The Battle Fields

On Friday 12 May, I received a text from a colleague working in a hospital in the UK. This was the second message in three months from the same person. Both messages warned me that the hospital was undergoing a ransomware attack. The first time, the hospital was affected for 48 hours and unable to take in new patients. This time, it turned out to be part of a much, much, bigger attack - the WannaCry ransomware incident.

WannaCry has been described by Europol as being an incident of an “unprecedented level” and requiring a “complex international investigation” to resolve. This comes off the back of the also massive ‘Dyn DDoS’ attack of October 2016, which shut down large parts of the Internet across the USA. Big cyber-security statements like Dyn and WannaCry may become the norm. They have a feel of the cybercriminal playing with us, the financial gain being a secondary consideration. Both of these attacks caused untold damage to the organizations’ affected. But WannaCry was so massive, that it has given the world a wake-up call. At last count, there were around 417,000 WannaCry infected computers across 150 countries.

The impact of the attack on companies and organizations goes far beyond any possible financial gains made by the cybercriminals. In the case of hospitals hit by WannaCry, I know that less urgent patients were turned away, doctors were unable to prescribe drugs, healthcare workers had to resort to pen and paper to take notes, and were unable to retrieve patient data to make decisions. I also know that knock-on effects, to HR and accounting systems, meant that staff salaries were underpaid.

WannaCry has left a trail of broken systems and processes in its wake. We should take what has happened and have a ‘lessons learned’ session to prevent our own organization becoming a cybercrime victim. Below, I've outlined three overarching lessons that can be used to build a better cybersecurity future.

Three Easy Pieces

In the spirit of this ‘lessons learned’ discussion, what would such a session on WannaCry (or similar) look like? To begin the process, I’ve made a start on an agenda for our WannaCry lessons learned get together, or ‘WannaCry war cabinet’. You might have some industry specific items to add to it.

Lesson One: It Pays To Pay

Properly funding cyber security as an ongoing business cost (not an afterthought)

The impact of WannaCry on those affected was not only unprecedented in its scope, but also in the cost of the incident to business. Numbers like $4 billion in lost revenues have been suggested; The actual ransom collected was tiny in comparison at around $49,000. The financial costs are calculated in terms of:

  • Loss of productivity - while computer systems are down, staff cannot work as easily, if at all
  • Forensic investigations - into how the malware entered the system, and how to remove it
  • Regaining access to data / restoring lost data - with or without paying the ransom

And then there are, of course, the impacts of the crime that cannot be described in terms of dollars. In the service industries, this can be reputation damage and loss of customers. In an industry like healthcare, this can mean patients having vital operations delayed, misdiagnosis, or worse.

Making sure your company is protected against cybercrime, like the WannaCry ransomware attack, is likely to have some financial cost upfront. But it is an investment that will save money and prevent disruption. Cybercrime is no longer a case of if you will be hit, it is a case of when.

Lesson Two: Know They Enemy

Security awareness training and phishing simulations

It is said that knowledge is power. If I want to win an argument, I make sure that I understand all sides of it. I can then plan out my own counter-arguments to defeat the opponent. Cybersecurity benefits from the same tactic - know what you are up against, and you’ve got an advantage over the enemy.

One of the ways that we can prepare ourselves to take on cybercrime, is by being aware of the threat landscape and the tools that cybercriminals use to bring about a malware infection, or steal data.

There are three broad aspects to this:

  1. Why be aware? This is the security awareness part of the exercise. Good security awareness training is all about inclusiveness. A security awareness course will teach your staff about how they fit into the whole - that is, what role each person within an organization plays in maintaining the integrity and confidentiality of data.
  2. How cyber incidents happen and the threat profile: for example, it is known that the majority of cyber incidents start with a phishing email - as described in Wombat’s ‘State of the Phish Report 2017’. Security awareness training is augmented by threat simulations like simulated phishing email campaigns that build up mental maps of phishing tricks used to perpetuate data and credential theft.
  3. Be aware of the unexpected – Further research into the WannaCry incident points to the use of ‘remote code execution’ rather than a phishing email. This use of a fairly old hat technique to infect machine-to-machine, means that cybercriminals will call upon any technique they think will work. We have to be prepared for all circumstances and methods of attack. In the case of WannaCry, the attack profile was dependent on existing software vulnerabilities that could have been closed off by keeping software patched and up to date.

Global spending on security awareness training is expected to reach $10 billion by 2027. This type of investment is happening because awareness training has been shown to be effective against cybercrime. It is now a fundamental part of many large Enterprise cyber security strategy plans, and this ethos is now moving into the small-medium enterprise too. The reason why security awareness training works is because cybercrime manipulates the human-factor, i.e. our own behavior, to perpetuate the crime. A typical example being stealing a password written on a post-it-note, or automatically clicking on a link in an email which takes the user to a spoof site. Making all staff aware of that behavior works to make users stop and think before performing an action - it effectively de-risks our behavior and re-trains users.

In a poll by SC Magazine, they found that over 88% of companies found security awareness training to be worthwhile. Analysts ‘Aberdeen Group’ found that security awareness training produced a reduction in cyber-risk by around 50%.

Knowing what and who you are dealing with may mean that you have to invest some time and money, but in the longer term, this is money well-spent.

Lesson Three: Lead by Example

Sharing cybersecurity information internally and between companies, where appropriate, can help to build up banks of knowledge about threats.

Sharing of security information is one of those ideas that has been floating around in the tech and other industries for a while. The U.S. government has long supported the idea of critical infrastructure protection through shared cyber security intelligence - see this U.S. government directive from 1998 which set out an infrastructure plan for cross government-public sector co-operation around cybersecurity information sharing. This directive ultimately became the National Strategy to Secure Cyberspace in 2003. The ethos of sharing intelligence around cybersecurity events is an important one. Cybercriminals often use specific targets and techniques. They also rely on stealth and the element of surprise. They also share information about successful techniques between themselves. One way that industry sectors can help both their own sector, and others, is to make sure that any intelligence around methods and the threat landscape is shared. During the Obama administration, a system of Information Sharing and Analysis Centers (ISAC) were set up to help alleviate some of the issues around this type of intelligence sharing. The IT industry, for example, has a not-for-profit ISAC specifically looking at sharing cybersecurity challenges within that sector.

The current administration in the U.S. is also cognizant of the importance of sharing and cooperation around cyber security, and in an executive order released in May this year, the “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” it states that:

“...the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners...”

When cybersecurity issues start to hit the bottom line, the entire company has to take action and the company heads need to lead the way. According to Juniper Research, in 2016, 40% of companies who experienced a cyber breach lost 20% of their customers. It is figures such as these that drive the need for a better approach to cybersecurity. As individual organizations, we can lead by example in our workplace by sharing information between groups and departments. This can give us a better understanding of the threat across the organization as a whole. C-level executives can lead the way in their company by displaying an understanding of the challenges of cybersecurity, as well as investing in cyber security training.

Concluding Thoughts

The three lessons used as part of our ‘lessons learned’ session can be applied to the WannaCry incident as well as other cyber security threats. As I write, a new massive incident is shaping up in the guise of ‘FireBall’, a malware variant that is said to have infected 250 million Windows and Mac devices. Fireball is seemingly innocuous - it turns the device into a ‘Zombie’, taking the user to fake search engines and advertising. However, it is essentially a malware infection, and who knows what other sinister actions it may take. Cybercrime is a successful business. It is not likely to go away anytime soon. So we have to deal with it as we would any other issue in our organization. If we were to have a local recruitment issue that is impacting production, we would look further afield to recruit. Cybercrime is a business issue, like any other. We must meet it head on to manage the impact. Learning lessons from previous crimes, like WannaCry, can be a very positive way to prevent a future cyber incident.

We can easily get wound up by the blame game around attacks like WannaCry. Many people are focusing their efforts on finding out the whys and wherefores for the reason that WannaCry was let loose in the wild. This matters, of course. Understanding the underlying psychology and drivers of a cyber-incident can give us insight into why it was perpetrated to help us prevent it. However, we also should make sure that we use attack measures as well as defensive actions. As individuals and as organizations, we need to take a stand against cybercrime in a highly proactive way. Cyber security has often been put to the back of the queue when it comes to investment. In many ways, it reminds me of my old days working in the pharmaceutical intermediates industry. Quality Control (QC) was seen as a necessary evil. The pharma industry had to test its own materials to make sure that no contamination occurred down the line, costing the company untold amounts in lost production and worse, compensation. But QC was not core business, so money was spent there under duress. Cyber security spending within an organization is the equivalent to QC. Without investment in it, we can end up with a disaster situation like the one the UK NHS found itself in last month.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

In a follow-up article, we’ll look at what actions could have been taken to stop malware like WannaCry: “The Wonders of Hindsight: How WannaCry Could Have Been WannaSmile.”

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.