Tuesday, May 16, 2017

WannaCry Reflections

WannaCry Technical

Sorry, you're not going to find loads of technical information here in this post.

Ok, So Non-Technical

Alrighty then.  As the above indicated, this article is not going to be going into the technical guts of the (now) infamous worm that wreaked havoc and cancelled so many weekend plans.  There have been lots of articles (and a lot of FUD) written about it already.  Much of it by people who do not get paid directly to work with malware.  A quick Google search will show you more than you can ever handle.

People Involved

I wanted to focus some attention on the people involved in dealing with this nasty little worm.  And no, I am not offering biographies on individuals.  Rather, I wanted to say how impressed I was with the infosec community as a whole.  People from all walks of life, different countries, time zones, etc. came together to work on the problem.

Even before the worm started spreading, there were individuals who raised the alarm over fears about the vulnerability exploited by the worm.  People on Twitter stated that this one would be bad, "our next MS08-067".  I doubt that many of them could have even guessed how much damage would be wrought.

It shouldn't be too surprising.  A vulnerability within a pervasive protocol, which would allow for remote code execution and give an attacker full SYSTEM level control, would be too tempting a target for anyone with malicious intent.  

Adding to the mystique was the fact that this flaw was found (and likely utilized) by none other than the NSA.  Only to be stolen and later released by the ShadowBrokers.

What a perfect storm.  Who'd a thunk it?!?!  Well as we all know, it didn't take long before someone weaponized it, and added a self-replicating ability.  

Throughout the community, people came together to raise the alarm.  Then to analyze the malware and give technical information as to its capabilities.  Then to even work to help neuter the malware with its famous 'kill switch'.  Attribution has been attempted; however, I think that effort will go on for a long time to come.

In the meantime, defenders are still working hard to stop the infection, apply patches and help reduce the impact of this worm.

Impact

The impact of the worm will definitely be hard to measure.  We have heard lots of people state that they believe it is the most destructive event in infosec.  I tend to agree.  While I do not have numbers, the ability of the worm to target sensitive files and spread has to give it an edge.  Other worms were definitely more 'disruptive'; however, many of them still failed to give the lasting impact of having all of your valuable data rendered unrecoverable.

The Future

As I have stated before, let no disaster go unused.  There will be good to come out of this.  

First, the importance of patching and keeping OSes updated will likely not be forgotten easily.  Even in hard-to-patch devices like embedded systems (MRI machines anyone?).  At the very least it gives us a data point to show people what a quantifiable cost is for the risk.

Secondly, our "blue teams'" importance will be cemented within the mindset of C-level executives.  Yes, we may be a 'cost center'; however, we will firmly be labeled as an important factor in risk reduction.  Again, being able to show, in quantifiable numbers, your value to an organization is KEY to C-levels' understanding.

Thirdly, the importance of working together, worldwide, has been shown.  We are much stronger standing together and working collaboratively than we are apart.  We can come together and truly have a positive impact on worldwide information security.  My hope is that this realization will empower organizations to open up more, to share information more freely.  To give their employees time (and more importantly money) to go and do those things that do not always benefit the company directly, by helping out the world community.  We are so connected and interdependent that the more we collaborate, the stronger we all become.

A Final

I wanted to express my thanks to several people, but wanted to call one out in particular.  , the individual who (at least at first) accidentally registered the first worm's kill site.  He showed what we should strive for.  He helped out tremendously, and not just for the kill site.  But for his technical analysis of the worm, and even more so for his work coordinating between several global organizations to help protect and help people who were infected.  Added to that was the fact that after being given $10K for his excellent work by @Hacker0x01, he stated it would be split between charities and for education stuff for others.  A true class act!  A beer on me anytime we meet, dude!

1 comment:

  1. I think the security community is becoming more collaborative, heck we love cons and conferences. It takes effort for introverts to be extroverts though. I think what you speak of with WannaCry gave us the chance for a global coming together right from the comfort of our own keyboards. I'd say that would make us quite the force to reckon with.
