As Real as it Gets: Critical Lessons from 2019-nCoV and WannaCry (Cyber-Biological Wisdom)
Updated: Jul 29, 2020
The Line Between Biological and Cyber Threats has Never Been so Thin, so what can we Learn and what Should we Do?
This is not merely a ‘comparison’ piece… there are hard core lessons for us to take away and you need to read this.
Beyond the notional similarities between biological and cyber viruses, there are material lessons-learned that defenders against either threat can leverage to inform the other.
What’s more, both threat domains are now inextricably linked in meaningful, impactful, and literal ways.
We’ll look at the similarities and lessons-learned for each of three phases of both threat domains: Before the threat materializes, during the impact of the threat, and after the threat has subsided. We'll also draw out three high-level take-aways from both domains that should be considered and referenced during any strategic discussion related to either. Finally, we will tie both domains together inextricably and well beyond correlation and analogy, to a point of material impact each has on the other when both converge.
While there has already been quite a bit written comparing biological viruses to the cyber malware industry, they have largely been clickbait knee-jerk pieces that offer some but not much value to the reader. I’m writing this piece from the perspective of someone that’s practiced 20+ years of cyber security, having worked with organizations and missions of every kind, ranging from hospitals to million device networks and all else in between. I’ve also been corresponding with a family friend in the middle of the action in S. Korea, who’s been holed up in his apartment complex with infected neighbors for going on three weeks now. He’s been keeping a journal of sorts, reaching out to his friends/family via emails every evening to reflect on the experience.
Lately, the emails have become somber. Less humor. Less denial. Less… everything.
Facts matter now to him and his wife. Water, matters.
In the last few hours before committing to this piece, things in America have fundamentally changed…Our president has declared a national emergency, flights cancelled from Europe, the number of asymptomatic infected much higher than we thought, the realization that the virus survives in the air for much longer than we thought as a means of transmission and the cancellation of social events with 250 or more participants. All of this coming at us at break-neck speed… along with more misinformation and disinformation than ever.
"Beware of false knowledge; it is more dangerous than ignorance" -George Bernard Shaw
In this piece I draw similarities between COVID-19 and WannaCry (for sake of being a well-known example, and, because I battled it first hand in ways that illuminated non-obvious lessons I’m eager to pass along). The comparisons I’ll draw won’t be all-inclusive, but rather those that point to a lesson that defenders (and victims) of either type of threat can benefit from.
I’ll do this by focusing on three generic stages of a threat: Before, During and After its impacts have been felt.
The Calm Before the Storm
There is no calm before a storm. There is a fast-paced, just-in-time world of businesses operating at break-neck speeds, with SecOps staff in short supply, with hospitals at near-full capacity, and with everything in our lives in the year 2020, built by algorithms for maximum efficiency. Black Swan events like WannaCry (and now, the Coronavirus) are never truly anticipated or prepared for. They make their way as a line-item in a risk register at best, with an assigned value, and a notion of what ‘acceptable risk’ the organization associates with such an event.
We humans press forward with the deafening pressure to perform in the near term.
This becomes ‘status-quo’, and all efforts are an attempt to maintain that predictable baseline of performance. This is why, in the face of this pandemic, our first reaction tends to be one of denial. Significant effort is spent trying to normalize the event. It’s a survival mechanism, and during a crisis, it has as many benefits as it has risks. But mark my words, the risks are real and tend to materialize in unexpected ways.
Meanwhile, on the opposite end of the spectrum, we have conspiracy theorists, dis-information networks, trollbot farms, and the click-bait armada all amplifying noise to the point it becomes the only signal we consume. Call this the FUD side of the spectrum where both cyber vendors and eBay n95 respirator masks are concerned.
The FUD end of the spectrum also creates things we describe with words like “Vendor Fatigue”...or even “Vendor Repulsion”, a raw guttural reaction to any form of vendor salesmanship or marketing effort whatsoever.
Against this pretext (before a black swan type event hits like the coronavirus), we also have a skewed set of priorities. We value perfect visibility in cyber security, more than we value actions that can be taken from that visibility. We value threat attribution more than we value creating and practicing playbooks designed to quickly contain a threat that is emerging. This is much akin to academic, yet often esoteric, research in the biological threat landscape. “The most important thing”, in other words, is rarely “the thing we are actually doing right now”. A certain luxury of prioritization creeps into organizations that have not yet been tested. If I may be so bold, on the cyber front, I liken this to SecOps teams and leadership that have made it their strategy and even their legacy, to “assume the breach”, who then focus their precious resources on reactive strategies and technologies. Over time, under this pretense, these efforts end up being what might define success or even progress for a team. Entire SOCs are set up to hunt for the unknown unknown assumed to already be in the network. Yet, as every organization that was impacted by WannaCry learned, little to none of that strategy was able to counter the threat and reduce actual risk to the mission... to safety, to uptime. Anyone that’s heard me speak in the past on this topic knows why I think this is: it is because human nature likes to focus on things we can see and understand and measure and report. We gravitate towards such existence. Yet, as we all continue to learn ever since May 2017, the threat landscape simply doesn’t care what makes us wake up in the morning or what keeps us up at night. It cares about the shortest, least-risk path to an outcome that is repeatable over time.
Hopefully, reading this, you are already beginning to draw parallels to the world’s overall readiness prior to this novel virus spreading faster now than ever. The same spectrum of denial on one end and FUD/conspiracy on the other. Even the same over-emphasis the human race places on reactive measures like hoarding of surgical masks (which, btw, are more likely to harm than help). And yet, the same denial, too, about how serious this virus is, with articles claiming it is less dangerous than the flu, despite a 10-15x mortality rate and the fact it only just appeared on earth in the last few months. So far this year, there have been 18,000 deaths out of 32,000,000 (.0005625) flu patients, and there have been 3000 COVID-19 deaths out of 89,000 (.0337) (at time of writing). Which disease is more deadly? That...ends up being a question of time. Let me ask the reader: which one would you rather not catch? So we see that much as in the world of cyber security, far more emphasis is placed on likelihood than on raw impact, when it comes to assessing risk. Black swan events like COVID-19 and WannaCry… don’t happen...until they do. Perhaps it is from my 12+ years of experience working to protect DoD systems that I gain such perspective. Warfare is unpredictable. Katrina was, too. Likelihood is hard to gauge when it comes to cyber risk. So much so, in fact, that I spent a considerable portion of my career helping a Defense agency to evaluate how they were even gauging risk for a given finding or vulnerability. The short version? I did away with likelihood, effectively. I assumed 100% likelihood to the extent you forced my process to reconcile that variable in cyber risk. It’s not because there isn’t a sliding scale of real-world likelihood involved with cyber risk: it’s because there were simply not enough resources, expertise or raw boots-on-ground intelligence to ever actually be able to gauge it in a meaningful amount of time to make a difference to the mission.
Instead, we shifted the risk effort on impact to mission. Impact, it turns out, is relatively easier to solve for than likelihood. So right now, instead of trying to gauge whether COVID-19 is coming to a neighborhood near you… spend your cycles assuming it will, and act now, accordingly. Remember, time is on the adversary's side...unless you claim it and take it back as your own. The virus will spread, in time. The virus may mutate, in time. The virus may hit your community, your organization, or your family, in time. So get ahead of it now, when you still have time. My friends in S. Korea would have done anything to know it was going to hit their community and apartment complex before it did… they would have left before flights were disallowed out of the region. They would have taken a vacation to the country-side in Korea before their apartment complex was hit. The hospitals there would have cleared out non-critical patients and sent them home earlier. Masks would have been stockpiled in hospitals where masks are actually needed and helpful.
The Storm Hits - Weathering it is Not Enough
When an attack happens; when it hits; it is not enough to merely weather it. Instead we must actively adapt, and boldly fight tooth and nail at every level. As Darwin surmised, those who survive “are not the strongest or the most intelligent, but the most adaptable to change.” This is true in biology, but it is also true in cyber security.
During WannaCry, businesses quickly realized that the preparations they had made for cyber events were simply not enough. At best, they had provided a false sense of security going into the event, and at worst, they ended up being too rigid, too presumptive, too optimized to be useful when the fog of war quickly set in. Basic IT tools normally used for things like patch-management, device-inventory management, remote-access, etc., were directly impacted by the worming traffic of WannaCry. No one anticipated the ironic situation this created: to contain the worm, accessing and updating servers was paramount, yet the tools needed to get the job done were already impacted by an SMB traffic storm. Firewalls and “air-gapped” networks both quickly proved to be misconfigured or otherwise bypassed in production networks. A corrupted payload prevented quick identification of affected hosts; there was no telltale ransom screen; there were no encrypted files. But those same hosts had DoublePulsar running in memory, providing remote Read, Write, Execute capabilities to the adversary. None of these things were anticipated, nor were the myriad others that formed an hour-long talk I gave at SANS-ICS on the heels of WannaCry. It came down to an organization’s ability to quickly adapt, and quickly make top-down decisions even in the absence of perfect information. This was true for every organization that endured the event. During the CoronaVirus’ initial outbreak in the US, we saw some of the economy’s best Risk Managers quickly make high-impact decisions; like Amazon and Google restricting flights for their employees. At a family level, some families made early decisions to cancel vacations, and stock up on basic supplies. When my own community found out that there was a single confirmed case of the disease in the hospital located behind my house, it was as if everything changed in an instant. Pandemonium.
People that had been in denial, or simply in ‘shock’ and paralyzed by the news, suddenly sprang to life and scrambled to the supermarkets, pulled their kids from daycare, and reached out to their neighbors to form plans. But what most of us didn’t understand, was that by then, the disease had already been in our community for up to two weeks prior, incubating, spreading. Suddenly, we were acting with haste, instead of observing in paralysis.
It doesn’t need to be this way. Not in biology, not in cyber. We all saw what was going on in Wuhan. We also saw what steps worked there. What the level of effort looked like. What the doctors said they would have done differently if they could do it all over again. Yet, we did not apply these lessons at the unit family level, nor the business level, and certainly not at the national level.
It truly comes down to this simple aspect of humanity, doesn’t it; that we need to have our arms cut off before we know it will hurt. (My own father used to tell me differently when I was a child, but no matter, I had to learn my own lessons regardless). On the heels of WannaCry came NotPetya… yet only those companies that had been directly impacted by WannaCry were any better prepared. Why?
Allow me to share a few other lessons-learned during WannaCry that directly apply to this novel virus as well. Pay heed!
Basics matter more than ever
We all know that patch management is important. That device inventory and ownership should be done. That networks should be segmented. That RDP is rarely a necessary service. That the SDLC doesn’t like out-of-cycle patching. That Network IT teams loathe being told what to do by SecOps. That network and host visibility is important.
Well, I promise you every one of the thousands of organizations that was impacted by WannaCry thought they were doing a decent job at the ‘cyber basics’. I also promise you that all of them quickly realized during the event that they had not been.
One example that springs to mind was simple device inventory and ownership. While always important (and a challenge), it became exponentially more so during WannaCry. This was especially true in production/OT/ICS environments, where there is a mix of shadow IT, vendor-owned IT and ad-hoc wireless networks all being affected at once...some of them serving as re-infection vectors. Even more compounding are the 3rd party vendor SLA’s that normally preclude making unapproved changes to the underlying OS. And, if the hope of the victim organization is that news of the impact doesn’t reach the street...then there is also the need to manage the confidentiality of all those 3rd parties during the crisis.
As I’ve said many times since: “The basics don’t always matter...until they do; and then they really do”
So yeah, wash your hands
Wash your hands for 20 seconds. Grab the paper towel before you turn off the faucet and use the towel to turn it off. Hold on to the towel and use it to open the door; then throw the towel away.
Get plenty of sleep. No, really. Sleep affects your immune system. So does hydration. So does your diet and your exercise. These are basics; but they matter more than ever now.
The Fog of War involves Entropy, so Move Quickly
There is always a fog of war involved with a crisis event. There is always noise. There is always fear. There is always uncertainty, and as a result, there is always a degree of paralysis. But behind the scenes there is an even greater enemy working against you; entropy. Entropy’s best friend is time itself. The only way to counter the entropic events that unfold one after the other into what feels like chaos, is to move quickly; to get ahead of that curve as much as possible. During WannaCry this meant severing networks from one another before you knew whether X network was being affected by Y. It meant proactively going into every firewall and making sure there wasn’t a Zone to Zone SMB allow rule still buried somewhere deep in the rulestack. It meant patching for EternalBlue even if you couldn’t reach the application dev team for a server first. It even meant patching those 3rd party SLA’d operating systems in mission critical networks, or deploying new security software in resource-constrained VDI environments. It meant: whatever it took, to contain the threat and get ahead of the entropy that plagued SIEM analysts, challenged internal and external legal counsel, and caused the board to pull their hair out. It also meant proactively calling 3rd parties and supply chain partners to gauge the impact WannaCry was having on them and proactively sharing mitigation and intelligence with them. Entropy...an invisible enemy during every crisis, and best countered with proactive rapidity.
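The firewall check described above (hunting for a zone-to-zone SMB allow rule buried deep in the rule stack), as an added example that is not from the original post: it walks a constructed, vendor-neutral rule list top-down with first-match semantics for every pair of zones on TCP 139 and 445. The `Rule` fields, the zone names and the rule names are assumptions for illustration, as is the implicit default deny at the end of the stack.

```python
from dataclasses import dataclass
from itertools import permutations

# TCP ports that carry SMB: NetBIOS session service (139) and direct SMB (445).
SMB_PORTS = (139, 445)


@dataclass(frozen=True)
class Rule:
    """One line of a rule stack (hypothetical, vendor-neutral shape)."""
    name: str
    src_zone: str  # zone name, or "any"
    dst_zone: str  # zone name, or "any"
    proto: str     # "tcp", "udp" or "any"
    ports: str     # "any", "445", "135-139,445", ...
    action: str    # "allow" or "deny"


def port_in_spec(port, spec):
    """True if `port` falls inside a spec such as '135-139,445' or 'any'."""
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches(rule, src, dst, port):
    """True if `rule` applies to TCP traffic from zone `src` to zone `dst`."""
    return (rule.src_zone in ("any", src)
            and rule.dst_zone in ("any", dst)
            and rule.proto in ("any", "tcp")
            and port_in_spec(port, rule.ports))


def deciding_rule(rules, src, dst, port):
    """First-match evaluation: the topmost matching rule decides."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule
    return None  # nothing matched: implicit default deny (assumption)


def smb_exposures(rules, zones):
    """List (src, dst, port, rule_name) for every inter-zone SMB path allowed."""
    findings = []
    for src, dst in permutations(zones, 2):
        for port in SMB_PORTS:
            rule = deciding_rule(rules, src, dst, port)
            if rule is not None and rule.action == "allow":
                findings.append((src, dst, port, rule.name))
    return findings


# Constructed sample rule stack, evaluated top-down. None of these rules
# mentions SMB by name, which is how they stay buried.
ZONES = ["corp", "ot", "dmz"]
RULES = [
    Rule("block-smb-to-ot", "any", "ot", "tcp", "445", "deny"),
    Rule("legacy-file-share", "corp", "dmz", "tcp", "135-139,445", "allow"),
    Rule("historian-sync", "ot", "corp", "any", "any", "allow"),
    Rule("vendor-support", "dmz", "ot", "tcp", "1-1024", "allow"),
    Rule("web-out", "corp", "dmz", "tcp", "80,443", "allow"),
]

if __name__ == "__main__":
    for src, dst, port, name in smb_exposures(RULES, ZONES):
        print(f"{src} -> {dst} tcp/{port} allowed by rule '{name}'")
```

In the sample, the explicit deny covers only 445 into the OT zone, so the broad `vendor-support` range still lets 139 through, and the any/any `historian-sync` rule opens SMB out of OT entirely.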
It’s my belief that we have not moved quickly enough to counter the entropy of this pandemic.
While there is much politicking going on in the US, I don’t think there’s anyone out there that thinks we’ve been ahead of this threat, or that we have taken decisive actions soon enough to matter; it’s too late for containment.
Containment is Paramount
Speaking of containment; it is critical that an organization going through a crisis like WannaCry is 100% committed to containing the threat as soon and forcefully as possible.
Far too many organizations focused on other priorities during WannaCry, and far too many SecOps teams spent time placating other areas of the business or mission during outset. Everyone was afraid to sound the alarm. Everyone had been placated by years of industry brainwashing that we all needed to assume the breach in the first place. That a compromise was inevitable and expected to occur. Far too much emphasis had been placed on reputation management, cyber-insurance risk offsets, public relations, legal, brand and investor perceptions. At the end of the day, however, none of those things ended up helping organizations to actively counter the threat. To the contrary, they may have even hurt organizations more than helped during WannaCry; because they created a culture, and an organizational dialogue that was comfortable being on its heels. Meanwhile, 19,000 patients in the UK were turned away. Meanwhile, worker safety and raw production uptime impacts had brought the lifeblood of manufacturing and critical infrastructure alike to its knees.
We will never know if the CoronaVirus could have been successfully contained worldwide. China took comparatively extraordinary steps to contain the virus. There have been thousands of lessons-learned already from the initial outbreak in Wuhan alone. We can only hope that the next time there is a novel virus discovered, that we will act on those lessons learned, and do so as soon as humanly possible. When we delay an action that we can take, we do so because we value the status-quo more than anything else. We operate out of fear instead of courage, when we delay. It feels ‘safer’ to not act than it does to take a risk and act.
But much like the speed at which WannaCry spread across the planet, this virus spread at unexpected velocity and has overwhelmed our defenses. The next one may too. So let’s be ready to act.
First Responders need Extra Care
Prior to WannaCry, I had never experienced first hand just how embattled front-line cyber defenders could be. I remember watching my crude HTML honeypot the night that Code Red hit a few months before 9/11 happened. I was unemployed, on severance pay, and playing video games. When I saw all those “aaaaaaaaaaaaaaaaaa’s” I remember thinking...this is weird, this is bad. The next few days were zero sleep for any of us. But Code Red was nothing compared to WannaCry. People fell asleep at their desks. The War Rooms smelled worse than a college hockey-team’s locker room. Above all, and this is no joke, dehydration became the biggest impediment for many teams; people simply forget to drink as they work off of adrenaline and with management looking over their shoulders.
It’s not at all unlike what happens to a hospital when it becomes overrun by patients. Every second matters, and the front line nurses and doctors take the brunt of that initial load.
The risks of dehydration and exhaustion are much greater than we’d like to admit. Critical errors get made. Critical facts get ignored. Decision making is impaired. Even attitude and the ‘resolve’ of analysts disintegrates in time. The adversary is aware of this. The adversary relies on this. And in the cyber world, some adversaries even take direct advantage of it by causing additional disruptions via DNS amplification attacks, dropping CP (child pornography) on affected hosts, etc. all because they know it burdens IR teams even more.
Social Media is Fast, but is a Double-Edged Sword
During any crisis, cyber or biological, we often turn to social media for the ‘fastest’ news and research. We do this because it effectively cuts out the ‘middleman’ of news media, vendors, etc. But this added speed and diversity of information can be a double-edged sword, and puts an additional burden of verification on an analyst for every piece of data that the team intends/desires to actually act upon.
Another ‘hidden danger’ of leveraging social media during a crisis is that it can easily distract precious and constrained resources from getting stuff done, including the most basic and essential tasks for containment.
I remember when news of the Coronavirus first hit, I spent way too much time trying to find advanced research on the virus, and way too much time being curious about its origins, including conspiracy theories. I even watched videos of people convulsing in the street in China…I effectively got stuck in a ‘data consumption’ mode...all the while, forgetting to take actions that were easily available to me and later proved out to be “the most important things” to combat this virus: Things like washing hands for 20 seconds, stocking up on medications and essentials, and educating my family on other hygienic habits to get into. By the time I had ordered MRE’s, there was a 2 month backlog. By the time I went to the store to buy toilet paper, there was none. All because I sat consuming social media / news for days instead of taking actions.
If I had a dime for every time someone on an IR team wasted time worrying about threat attribution, or got distracted going down rabbit holes of semi-related tweets about a strain of malware, or tried to determine a possible motive for an attacker affecting multiple hosts… I’d be rich. Rapid segmentation, rapid host containment, rapid identification of compromised accounts, rapid indicators for destruction or exfiltration… the basics...the ones that always matter, are what time should be spent on first, before going down the rabbit holes of social media and having to validate those otherwise in-actionable pieces of intel.
Case in point? Over two million tweets may have been troll-botted to spread mis-information about the Coronavirus… and that was in the first two weeks of the virus spread!
The criminal ‘bar’ for ethics and avant-garde TTPs is lowered all the way to the floor
One thing true during any crisis, is that there is no amount of ‘low’ a criminal won’t go to in order to leverage the crisis as much as possible: Looting during hurricanes and tornadoes, malware-campaigns and scams during a global worm like WannaCry or even a pandemic like the Coronavirus, preying on the fear of those in its path.
As I opined in a recent Linked-In post: “My personal opinion is that we need a dedicated, government-funded tiger team that is tasked specifically with actively targeting and prosecuting this ilk of criminals to the highest levels of punishment allowable by local laws.”
Now that the virus is forcing much of the workforce to work from home without the same level of enterprise-grade security controls found at the office, the threat of COVID-19 themed spear-phishing campaigns becomes an even greater risk to individuals and businesses alike.
After the Storm, comes the Flood
While we haven’t yet gotten through this pandemic, we have gotten through the majority of the blunt impact that WannaCry initially had, and we’ve learned lessons from that cyber event that we can anticipate will carry over into this biological one. Here are three lessons we should be prepared for during and after this crisis:
Beware, the onslaught of point-solution vendors cometh!
During and after a crisis, vendors will clamour to push their silver bullet solutions. Most of them will be half-baked (if they were fully baked and effective, you would have already procured them, right?). Worse, some of them are orthogonal to the root challenges at hand, like buying a salamander to help your golf game. It gets even worse: even solutions that do partially help address the challenge might further burden your teams and distract from your primary focus, in turn worsening the condition rather than helping it.
Amazon ended up having to yank over a million items that were making false claims or whose prices had been artificially jacked up. Ebay even banned all face masks and hand sanitizers for the same reason. Even the Surgeon General had to chime in about how ineffective face-masks are, and how they can even make things worse when worn improperly, or when people touch them when they remove them. Just this week the FTC put its foot down on a myriad of other ‘snake oil’ treatments, even targeting specific vendors in its warning.
The same was true in cyber pew pew land after WannaCry, and it hasn’t let up since. Nearly three years on, and vendors are still trying to sell you Zero Trust solutions, or convince you that Visibility is the holy grail of The Cyber. Some endpoint solutions bank heavily on file-based predictive machine learning models, which can be effective in stopping obvious payloads (like WannaCry’s easily-detected payload). But today’s and tomorrow’s malware doesn’t always have a payload. The list goes on here. Enterprises are “stuffed” with one-off solutions at this point; some of them were bought over a year ago and are still sitting “on the shelf”, or have been “turned on”, but not configured and operationalized enough to make a dent.
Cyber Risk is no Longer What We Thought it Was
I’ve given many talks on this topic, but it bears repeating that an organization that has been through WannaCry, simply does not look at cyber risk the same way ever again. Prior to such an event, measuring risk was often an abstracted, best-guess exercise, with a notional set of risk-offset controls assigned notional offset dollar amounts, and a degree of notional risk-transference woven in vis-a-vis cyber insurance policies. But gone are those days for organizations that have felt the full impact of a destructive threat. Gone, too, are the strategies of merely trying to “stop a breach”; as if cyber impact could ever be defined and constrained by mere breach-related fines, or the impact of a competitor or nation state learning secrets.
There are now more stolen records than there are people on earth. Yes, it’s still important to prevent a breach, but it is consummately more important to prevent and withstand a destructive cyber event that folds into its risk equation a much more diverse set of impacts: human safety, patient life, manufacturing downtime, disruption of critical services, inventory systems, warehousing, and yes, even the 2100 some odd human lives lost every year due to cyber events in the field of cardiology alone. This is a new era of risk. This is why cyber security no longer folds conveniently under the CIO, and has become a CEO, board, and investor level challenge. These are things I’ve been privy to for decades, on account of contracting for the DoD cyber mission. That’s because the necessity of understanding real world risk has always been top of mind for that mission. Now, finally, it is also top of mind for commercial organizations.
The one aspect of this shift that is still challenging for us all: Getting organizations that simply have not gone through a major cyber crisis, to still act, prioritize, staff, resource and practice like those that have.
This sounds a bit like what we are seeing with the Coronavirus, doesn’t it? Has the US paid heed to those countries that are just ahead of the virus’s impact curve? Have we preemptively adopted those controls that we know worked in China, South Korea, and those that are underway in Italy? Much like many destructive cyber threats, this virus does not discriminate in terms of who it targets, or what nation it finds itself within. Watching events unfold in Italy right now should be just as insightful as reading an after-the-fact report on the impact NotPetya had on Maersk. There are lessons everywhere. There are imperatives for action to be learned.
Yet we continue on, refusing to act like the countries that have already been impacted. Thinking we are different. Thinking we still understand real-world risk and, in particular, the impact of this threat. It doesn’t have to be this way. If there is one take-away from this blog, it would be this: “Act and prepare for an event as if you’ve already been through it”.
Never Let a Crisis Go To Waste
I think most readers of this blog will have heard this when it comes to having gone through a cyber event. On the heels of WannaCry, enterprise security spend went up as much as 10x, and operational/production spend even higher. Some CISO’s had the challenge of being able to spend the budget (and more specifically staff for it) fast enough. We know this story by now in the world of cyber… never let an event go to waste… use it to secure funding, teams and position in the organization.
But, when it comes to this coronavirus, the question is: what are we going to do differently next time? Lessons-learned, hind-sight, etc… none of it matters if we don’t do something with that hard-earned information. I am eager to see how this plays out, but now is the time as a nation, and as communities and businesses, to think about what we will do differently in the future to better prevent, and prepare for, such a pandemic. People ask me all the time what is the number one change that I saw in organizations impacted by WannaCry and NotPetya. In a word, the answer is: prevention. While industry will try to tell you the lesson is one of restoration, end user training and awareness, and generally, “resilience”... the real answer of what changes after you go through something like this is: you never want to go through it again, and it becomes an intolerable component of risk management overall. CISOs will go through 100 day plans, 200 day plans and beyond after an event like this. At the top of the list are those fundamental practices, technologies, and broader supply-chain and vendor management business practices that prevent, not just react to, the next big event.
Top Three Take-Aways from Both Cyber and Biological Crisis Events
Here are three take-aways that I want every reader to take with them. These will serve us well from here on out:
Speed to Action is still the Most Important Thing
Time is the invisible instrument of advantage in an adversarial context. Those individuals, organizations, communities, and indeed nations that respond with decisive action and do so as early as humanly possible, stand the greatest chance of mitigating the impact of both cyber and biological events. Hard decisions that carry certain risk, must be made in the absence of perfect visibility, data or analysis. This is a new world we live in...an era of machine-speed computing on the cyber end, and massive human travel at fast speeds by both air and land. There isn’t time to wait to “understand this virus” before we act. As with risk management in general: prepare for the worst, but also strive to act as though the worst might unfold. There is a cost and risk to doing this. There is a level of discomfort. But regardless of how we feel about these things as humans, the truth is, we are living in a hyper-velocity era, and our decision making must keep up such that actions that matter, can happen in time to matter too. The adversary normally has time to its advantage, but it doesn’t have to be this way.
A small example of an organization doing it right? M.I.T., whose President L. Rafael Reif wrote in this notice to students:
“State and federal public health officials advise that to slow a spreading virus like COVID-19, the right time for decisive action is before it is established on our campus.”
A large part of acting quickly is the courage and wisdom to act well before there is even an event. This brings us to our next biggest take-away:
Act Like the Organization Who’s Already Been Through It
An individual and/or an organization/community both act completely differently after having been impacted by either biological or cyber threats. The lesson? For those of us who have not yet been through it, act like the ones that have, and do it now, so that your actions are preemptive and proactive, vice reactive and responsive (again, time is the advantage here: claim it!). I’ll put it a different way, too: We are no longer in the 2012-2015 breach era where a CISO’s legacy, philosophy, and strategy is one of being able to describe what just happened in great detail, and to show a good effort in remediating flaws and restoring services following the event. That on-your-heels, reactive form of due diligence no longer meets the mark.
Diligence must be demonstrated well ahead of any definitive event or crisis, such that a CISO can present exactly how and why an organization did not endure what other organizations just did. There are myriad reasons for this shift in attitude and philosophy.
It is much like airlines sending emails out now to their customer base, reminding them of how they are already using HEPA-grade air filtration, and better-than-CDC-recommended sanitization before and after every flight. Tell us what you did before the bad thing happened to others; don’t tell us what you are doing now that it just happened to you.
Cyber and Biological Threats are More than just Analogues
Like colors of the rainbow together, and beyond just being convenient analogs to explore lessons learned, both cyber and biological threats are inextricably linked in material ways, such that the threat dynamics of one dimension directly impact the threat dynamics of the other.
Since 2015 we have seen criminal actors both willing and eager to extort hospitals for ransom. Why? Because they can apply the maximum amount and form of leverage there is: Human life and safety. This results in maximum ROI for their targeted campaigns.
Now, enter Coronavirus... spreading quickly and soon to add millions of additional severe-symptom patients to an already at-capacity global health care condition. When ventilators have become “solid gold” in this context, so too will access to patient record data, patient-operational environment IoT, and mission-critical maintenance systems for blood banks and laboratories. All of this portends an uncannily dire cyber challenge for hospitals going forward.
Similarly troubling, and as has already been reported on extensively, is the sheer amount and diversity of various malware campaigns that are leveraging the pretext of the coronavirus in order to get victims to click and download/run malware.
Finally, with workers around the globe being asked to work from home and self-quarantine, there is a distinct increase in risk associated with home networks, IoT, and a reduced security stack when compared to working onsite at an office. The chances of a successful attack at home increase quickly, especially for organizations and individuals that were not already set up and accustomed to working from home. SentinelOne’s Yotum Gutman wrote a blog with recommended best practices for this new group of workers finding themselves navigating remote operational security challenges for the first time. Case in point? Microsoft accidentally disclosed a new SMBv3 buffer overflow vulnerability that is pre-authentication and therefore wormable, akin to past worming events like... you guessed it... WannaCry, etc. This cached version from a vendor mentions some mitigation activities like disabling SMBv3 compression and the obvious: blocking TCP port 445 at firewalls and clients, all while hoping this doesn’t break mission-critical applications. Guess which type of organization in particular simply cannot afford to take on that kind of rigor right now? That’s right: hospitals.
Just prior to publishing this, in the same hours of finalizing the piece, comes news of a Czech hospital responsible for Coronavirus testing, getting hit by a cyber attack that has affected operations. I can’t think of a more solemn, quintessential example of why it is so vastly important for every reader of this piece to take action now, when we all should be able to look at the writing on the wall, and know it is about to happen… or now, as you read this...just has.
Once again, threats from biology and cyber realms converge together to create ‘perfect storm’ risk scenarios that don’t fit society’s playbooks… until they do.
Finally, as you find yourself possibly quarantined, take a lesson from the little one...
"When life gives you anti-viral soap, make bubbles" -Sloane Armanda Scheferman
Owner, Armanda Intelligence LLC