Eighteen months have passed since that day on June 27, 2017, when an IT administrator, working for the world’s largest shipping conglomerate, watched helplessly as one computer monitor screen after another in Maersk’s Copenhagen headquarters went black.
What began as an automated worm attack — primarily targeting Ukrainian banks, government ministries and electricity firms — began propagating rapidly through international networks, disabling Microsoft Windows operating systems that hadn’t been updated and corrupting data centers across the globe.
Many organizations, like Maersk — which operates nearly 800 seafaring vessels carrying as much as a fifth of the world’s shipping freight — lost access to their domain controllers and found themselves “dead in the water,” as one account of the NotPetya attack would later put it. Ultimately, organizations in Germany, France, Italy, the United Kingdom, Poland, even Russia, as well as Australia and the United States, including FedEx and Merck, all found themselves facing a crisis of one proportion or another and hundreds of millions of dollars in damages.
The question as we head into 2020 is, what lessons can we take away from that incident — and in particular, what should leaders operating federal agencies be doing differently today as a result?
In many regards, U.S. federal agencies came through those days in June in better shape than their commercial counterparts.
One advantage the U.S. government has over the commercial world is its insistence that agencies comply with various operating regulations, including IT requirements to put mitigating controls in place to detect cybersecurity threats. Federal employees may complain about having to adopt the Department of Homeland Security’s Continuous Diagnostics and Mitigation program. But a decent case can be made that CDM helped many agencies quickly identify and quarantine the NotPetya infection and avoid wider scale disruptions.
In the commercial world, it is much more hit or miss: There are organizations that are very good about their security controls — and many that aren’t. Better-run organizations, which recognize security is key to their business, invest a lot in cybersecurity; other organizations don’t see that same investment urgency and end up putting themselves at greater risk.
Moving to stronger resiliency
That said, federal agencies still need to give greater priority to cybersecurity resiliency and the disciplines of cybersecurity hygiene — ensuring their network and application configurations are set correctly and are kept systematically up to date.
Over the past 18 months, many agencies have channeled their attention toward moving to the cloud. The cloud certainly offers some important security advantages — if managed correctly. However, agencies are already demonstrating a tendency to behave like a kid in a technology candy store — and getting lax about maintaining the proper configurations on their systems. Configuration discipline can never stop, and it only grows more important as agencies expand their systems into the cloud.
So what can agencies do differently and more effectively to reduce their risk from another NotPetya-scale assault?
1. Focus on measures of resiliency, not metrics of busy-ness.
A lot of tools can tell you how many incidents your security operations center identified, responded to and cleared in the past week. But what does that really tell you? Is a high number good? Or bad? Or just a measure of how busy your teams are? And how do you know if you’re really getting better?
The more important thing to look at is your agency’s measure of resiliency, which, much like a credit score, sums up three things:
- Are you hard to hit?
- Are you able to detect threats in context immediately?
- Are you able to respond rapidly?
That requires having a reliable model of your networks and the means to know whether your systems are configured securely and hardened according to internal and federal standards. Ultimately, your agency’s resiliency score should reflect how complete your model is and how well your agency is positioned to answer those three questions.
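The following is an added example, not code from the article or from RedSeal, showing what a resiliency score built on the three questions above and on model completeness can look like when computed from a network model. The host inventory, the hardening baseline settings, the scoring weights and the field names are all constructed assumptions; a real agency would draw them from its own inventory and its internal and federal hardening standards.

```python
"""Added example: score a small, constructed network model against the three
resiliency questions (hard to hit / detect in context / respond rapidly) and
scale the result by how complete the model itself is.  Every host, baseline
setting and weight below is an assumption made up for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hardening settings an (assumed) internal standard requires on every host.
BASELINE = ("legacy_protocols_disabled", "local_admin_restricted", "host_firewall_enforced")

# Relative weight of each resiliency question in the final score (assumed).
WEIGHTS = {"hard_to_hit": 0.4, "detect": 0.3, "respond": 0.3}


@dataclass
class Host:
    name: str
    patched: Optional[bool]         # None means the model does not know
    segmented: Optional[bool]       # reachable only from its own zone
    monitored: Optional[bool]       # reports to the SOC (EDR or log agent)
    owner_assigned: Optional[bool]  # someone is on the hook to respond
    backup_tested: Optional[bool]   # a restore has actually been exercised
    baseline_gaps: List[str]        # BASELINE settings that deviate


def _ok(value: Optional[bool]) -> bool:
    # An unknown attribute counts as failing: what you cannot see, you cannot trust.
    return value is True


def host_scores(h: Host) -> Dict[str, float]:
    """Fraction of checks passed for each of the three questions, per host."""
    hard = [_ok(h.patched), _ok(h.segmented)] + [s not in h.baseline_gaps for s in BASELINE]
    detect = [_ok(h.monitored)]
    respond = [_ok(h.owner_assigned), _ok(h.backup_tested)]
    return {
        "hard_to_hit": sum(hard) / len(hard),
        "detect": sum(detect) / len(detect),
        "respond": sum(respond) / len(respond),
    }


def model_completeness(hosts: List[Host]) -> float:
    """Share of modelled attributes that are actually known, across all hosts."""
    fields = ("patched", "segmented", "monitored", "owner_assigned", "backup_tested")
    known = sum(getattr(h, f) is not None for h in hosts for f in fields)
    return known / (len(hosts) * len(fields))


def resiliency_report(hosts: List[Host]) -> Dict:
    """Weighted 0-100 score, scaled by model completeness, plus concrete findings."""
    per_host = [host_scores(h) for h in hosts]
    dimensions = {k: sum(p[k] for p in per_host) / len(per_host) for k in WEIGHTS}
    raw = sum(WEIGHTS[k] * dimensions[k] for k in WEIGHTS)
    completeness = model_completeness(hosts)
    findings = []
    for h in hosts:
        if not _ok(h.patched):
            state = "unknown" if h.patched is None else "behind baseline"
            findings.append(f"{h.name}: patch state {state}")
        for gap in h.baseline_gaps:
            findings.append(f"{h.name}: baseline gap {gap}")
        if not _ok(h.monitored):
            findings.append(f"{h.name}: not reporting to SOC")
    return {
        "score": round(100 * raw * completeness),
        "completeness": completeness,
        "dimensions": dimensions,
        "findings": findings,
    }


# Constructed sample inventory: one well-run server, one lagging workstation,
# and one device the model knows almost nothing about.
SAMPLE_HOSTS = [
    Host("fileserver-01", True, True, True, True, True, []),
    Host("workstation-17", False, False, True, True, False, ["legacy_protocols_disabled"]),
    Host("kiosk-03", None, None, None, None, None, []),
]


if __name__ == "__main__":
    report = resiliency_report(SAMPLE_HOSTS)
    print(f"resiliency score: {report['score']}  (model {report['completeness']:.0%} complete)")
    for finding in report["findings"]:
        print(" -", finding)
```

Note the design choice: unknown attributes both fail their check and lower completeness, so a host the model has not captured drags the score down twice. That is intentional, and it is what makes the number track the completeness of the model rather than only the condition of the hosts you happen to know about.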
2. Scale your automation
Earlier in my career, I was part of a Blue Team with a mission of assessing vulnerabilities at the agency I worked at. It routinely took 20 people six months to do an assessment. There’s an old adage: If you have to do something more than twice, write a script for it.
We eventually brought in the company (the one I now work for) to automate assessments. We not only were able to automate a lot of the work, we drastically improved our cadence — going from one or two assessments a year, to eight, and got to the point where the Blue Team started working entirely on more advanced projects.
3. Put teeth into your partnership agreements
Agencies might also want to take a closer look at work the Department of Defense is undertaking to strengthen security controls across the Defense Industrial Base supply chain. DoD acquisition and sustainment officials are working with a variety of stakeholders to develop a new Cybersecurity Maturity Model Certification (CMMC) process, expected to be officially released in January 2020.
Companies wanting to work on DoD projects or bid on DoD contracts will need to be rated on a scale of 1 to 5 and certified by third-party auditors on how well they meet critical cybersecurity standards and hygiene practices. The CMMC program promises to give IT and contracting officials real teeth to enforce cybersecurity controls, and a model for government agencies to oversee their IT operating ecosystem.
In the end, it’s not always possible to defend against the likes of a NotPetya attack. But it is possible to know whether your systems are configured properly to deflect and survive those attacks.
Wayne Lloyd is Federal CTO and Technical Director at RedSeal. He has over 25 years of field experience in information technology, with the last 15 years focused directly on cybersecurity, including computer and network security, advanced threat analysis, intrusion detection and operations, vulnerability risk assessment, and policy and compliance.
Learn more about enabling enterprise networks to be resilient to cyber events and interruptions with RedSeal.