May 12 will mark the second anniversary of the WannaCry ransomware cryptoworm attack. It was a troubling time: during the four-day ordeal, the cryptoworm infected more than 300,000 endpoints among 200,000 separate victims across 150 countries. It propagated rapidly through the EternalBlue exploit — an exploit that took advantage of a flaw in Windows’ Server Message Block protocol. Tellingly, those who had applied Microsoft’s April patches and were running currently supported versions of Windows were not affected by the attack.
Those who were hit by the WannaCry ransomware found themselves in a great deal of pain. Their systems and data had been encrypted, and they would remain encrypted unless a demand for payment, typically $300 to $600 worth of bitcoin, was met.
This attack proved pivotal in security and changed the way organizations go about securing their environments. But as you’ll see, enterprises will need to continue to evolve their approaches to security as the nature of malware attacks, and of attacks in general, continues to change.
When WannaCry occurred, I was leading a team of engineers whose job it was to make sure systems were up to date, patched and configured properly. Patching was then, and remains to this day, one of the most proactive, yet table stakes, measures an organization can take to secure themselves from malware and attack. Still, I learned a powerful lesson during the WannaCry incident.
While everyone thought the measures they had been taking to secure their systems were “good enough,” WannaCry proved they were not. Truthfully, most organizations were far from it. They found they weren’t “good enough” when it came to staff security awareness, the speed of their patch cycles or how they approached data security. In the wake of the attack, many organizations upped their cybersecurity game.
This was especially true of patching: slower, more cautious patching approaches quickly gave way to aggressive ones. Organizations also examined not only how they protected their data defensively, but whether that data would be recoverable after an attack. Additionally, many organizations increased their investment in employee security-awareness training so that fewer employees would be susceptible to clicking on a phishing link.
These are all good and necessary steps, but will they be enough to defend against future attacks? Before answering that, let’s look at how malware has evolved over the years:
Experimental: The first wave of malware, such as the Creeper Worm and the ANIMAL Trojan were experimental. That is, they were designed to propagate, and the damage they wrought (if any) was incidental to their propagation.
Destructive: Over time, malware authors were no longer satisfied with simply creating malware that propagated successfully. It had to do something, and unfortunately that something became increasingly destructive. The PC-Write Trojan, released in 1986, erased users’ files once installed. While this was a malicious act, the malware authors sought no personal financial gain from it.
Disruptive: The next generation of malware brought more “disruptive” attacks, including worms such as Code Red, Sasser and Blaster. These worm outbreaks disrupted business and aggravated users, but they too were not meant to be monetized by the malware writers.
Mass Ransomware: With the next generation of malware came the weaponization of attacks into full-fledged profit centers, such as WannaCry. These ransomware attacks cast a wide net, were intended to be monetized and left a deep, broad impact. To borrow a military analogy, these attacks are more carpet bombing than strategic strikes.
User Targeted/Stealthy Malware: In the current generation of malware, we are seeing more targeted attacks — strategic strikes, if you will. And by targeted, I mean down to the single user. These attacks are the opposite of the earlier generations — they don’t want to be noticed at all. When successful, they are therefore far less noisy and far more difficult to spot. They are typically meant to gain access for snooping and for stealing valuable intellectual property or other regulated data.
What does this mean for the future of security?
Targeting the insider, and what this means to security
Enterprises that focus too much on guarding against WannaCry-type attacks are going to lose focus and will likely lose a few engagements when malicious actors target their environments. Why? Because we’re unlikely to see many attacks on the scale of WannaCry. While such attacks could strike at any time, we are much more likely to keep seeing highly targeted, smaller-scale attacks. So, the answer to the question above, whether organizations have taken adequate steps since WannaCry to guard against future attacks, is no.
As I mentioned earlier, the nature of attacks has changed over the years — and so has the layer of enterprise technology targeted by malware and attackers. Years ago, it was common for attackers to target the enterprise network layer: they’d infiltrate the network and move around seeking further places to intrude. Over time, however, enterprises invested so much in hardening their networks, from intrusion detection and prevention systems to hardening network-related assets, that attackers moved on to other targets, such as servers running Windows NT and Microsoft Internet Information Services. The network was no longer the target; the focus shifted to application security.
What’s next? Highly targeted attacks. They will prey upon specific individuals in an attempt to get to valuable data, which can be sold on the dark web or directly to those who want the information, such as nation states or competitors. Or they will be ransomware attacks that target high-value individuals and their data. These attacks won’t be splashy like WannaCry. Instead they will be stealthy, and they will be highly lucrative for attackers.
This isn’t to say that big-bang worm or ransomware attacks can’t or won’t strike again. They likely will. However, we are going to see an increase in targeted attacks.
What layer of the enterprise tech stack will they target? Cloud platforms. It makes sense when you couple the increased targeting of users with the massive move of data to the cloud. We’re already seeing this in the rise of attacks on poorly configured cloud databases and container clusters. Going forward, we’re very likely to see ransomware attacks move to encrypting user files that sit on cloud services such as Google Drive, Microsoft OneDrive, iCloud and others.
It’s true that cloud services can restore files struck by an attack, and many files could likely be restored, unless they remained encrypted beyond the time for which the provider keeps backups. But if such an attack occurred at scale, tens of thousands to millions of accounts would be affected, and any cloud provider would likely find itself overwhelmed. Affected enterprises would then have to wait a while, a long while, to get their unencrypted files back.
Where does that leave user organizations when it comes to protecting themselves? The advice here is relatively straightforward. Organizations need to do everything they have been (or should be) doing to protect their systems, from sound patch and configuration management to everything else one would find in a mature security risk management program. But as attacks get stealthier, security software will need to provide acute visibility into all data and pinpoint subtle, potentially unauthorized movements of data in the environment, including to cloud services. Furthermore, those tools will need to be able to restore any version of any file within minutes, not days, weeks or months.
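The two points above, that a file version can only be brought back while it is still inside the provider's retention window, and that the visibility a defender needs is often just a burst of rewrites by one account showing up in file-activity logs, are easier to see in a small model. The following is an added example, not code from this article or from Code42; the versioned store, the sliding-window alarm, and all file names, users and timestamps are constructed for illustration, and the purge is called explicitly rather than running on a provider's schedule.

```python
"""Versioned file store with a retention window, plus a rewrite-burst alarm.

Added illustration (not the article's or Code42's code). It models two points:
a point-in-time restore only works while the wanted revision is still inside
the retention window, and mass rewriting by one account stands out in ordinary
file-activity logs. All paths, users and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Version = Tuple[datetime, str]      # (written_at, content)
Event = Tuple[datetime, str, str]   # (timestamp, user, path)


class VersionedStore:
    """Keeps every revision of each file, dropping those older than `retention`."""

    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self.versions: Dict[str, List[Version]] = defaultdict(list)

    def write(self, path: str, content: str, now: datetime) -> None:
        # Revisions are appended in time order; restore() relies on that.
        self.versions[path].append((now, content))

    def purge(self, now: datetime) -> int:
        """Discard revisions older than the window, always keeping the newest.
        Returns the number of revisions discarded."""
        cutoff = now - self.retention
        dropped = 0
        for path, history in self.versions.items():
            kept = [v for v in history if v[0] >= cutoff] or history[-1:]
            dropped += len(history) - len(kept)
            self.versions[path] = kept
        return dropped

    def restore(self, path: str, as_of: datetime) -> Optional[str]:
        """Newest revision written at or before `as_of`, or None if it has
        already aged out of the retention window."""
        older = [c for t, c in self.versions.get(path, []) if t <= as_of]
        return older[-1] if older else None


def rewrite_bursts(events: List[Event], window: timedelta, threshold: int) -> List[str]:
    """Return users with at least `threshold` writes inside any span of `window`.
    Per-user sliding-window count: a person editing files rarely touches many
    of them within seconds, while mass encryption does exactly that."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for ts, user, _path in events:
        by_user[user].append(ts)
    flagged: List[str] = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return flagged


def scenario() -> dict:
    """Constructed timeline: normal edits, a mass rewrite the next day, then
    restore attempts inside and outside a 30-day retention window."""
    t0 = datetime(2019, 4, 1, 9, 0)
    store = VersionedStore(retention=timedelta(days=30))
    originals = {"report.docx": "Q1 figures", "notes.txt": "meeting notes",
                 "budget.xlsx": "2019 budget"}
    events: List[Event] = []
    for i, (path, text) in enumerate(originals.items()):
        t = t0 + timedelta(minutes=i)           # ordinary edits, minutes apart
        store.write(path, text, t)
        events.append((t, "alice", path))

    incident = t0 + timedelta(days=1)           # every file rewritten in seconds
    for i, path in enumerate(originals):
        t = incident + timedelta(seconds=i)
        store.write(path, "<unreadable content>", t)
        events.append((t, "alice", path))

    just_before = incident - timedelta(seconds=1)
    flagged = rewrite_bursts(events, timedelta(seconds=10), threshold=3)
    restored_in_window = store.restore("report.docx", just_before)
    # 45 days on, the good revisions are past the 30-day window and get purged;
    # only the rewritten content survives, so the same restore now fails.
    purged = store.purge(incident + timedelta(days=45))
    restored_after_window = store.restore("report.docx", just_before)
    return {"flagged": flagged, "restored_in_window": restored_in_window,
            "purged": purged, "restored_after_window": restored_after_window}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value!r}")
```

Running it shows the alarm catching the three-file rewrite while the earlier minute-apart edits by the same user pass quietly, the pre-incident version of `report.docx` coming back while it is still within the window, and the same restore returning nothing once the purge has run. The threshold and window are deliberately simple; a production detector would also weigh file types, rename patterns and entropy of the new content, none of which this model attempts.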
After all, the prized asset in all of these attacks is data. This is true whether we’re facing disruptive, destructive or modern ransomware attacks. Whether it’s customer data, regulated data or valuable intellectual property, enterprises that focus on ensuring that all data is protected and available will be in the best position to weather any type of attack — no matter what the future brings.
(About Rob Juncker, senior vice president of research and development and operations at Code42. His background is in security, cloud, mobile and IT management. Before joining Code42, Juncker was vice president of research and development at Ivanti, a leader in the security and IT management space.)
(Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.)