
Crowdsourcing, trusted partnerships reined in impact of WannaCry

by Lauren Horwitz

Managing Editor, Cisco.com

Organizations like DHS managed the WannaCry ransomware outbreak by crowdsourcing information quickly and relying on trusted partnerships.

SAN FRANCISCO -- It was springtime 2017, and a soon-to-be notorious ransomware was tearing through organizations across the globe.

Known as WannaCry, the ransomware targeted computers running Microsoft Windows operating systems, encrypting data and enabling its perpetrators to demand monetary ransom from victims. Some 200,000 computers were infected in 150 countries. While pervasive, WannaCry didn’t inflict as much financial damage as other ransomware attacks. The impact of WannaCry was reined in, partly because a researcher discovered a kill switch that stopped the malware from spreading.

The National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security (DHS) was learning about the ransomware on the fly, as it hit early Friday morning, May 12.

“It was my good luck and my good fortune that I had to be at NCCIC on Friday,” said Bradley Nix, chief of program execution at NCCIC.

WannaCry affected numerous organizations, from Telefonica, a telecommunications company in Spain, to Federal Express in the U.S. to the National Health Service, the healthcare system in the U.K.

Patrick, a patient in the U.K. who was due to have open heart surgery on May 12, was visited by his doctor before the scheduled procedure. “He looked . . . concerned,” Patrick said. “He told me, ‘We’ve been hacked.’” X-rays and patient records were inaccessible. “It was the most awful time,” Patrick said. “Because I didn’t know what was going to happen to me.”

WannaCry signaled a new chapter in the impact of ransomware. But, in truth, these kinds of cyberattacks have been gathering steam for some time. DHS itself reported a fourfold increase in ransomware between 2015 and 2016. And in 2017, a Ponemon Institute survey found that of its 600-plus respondents, more than 51% said they had been hit by ransomware.

Combatting the impact of ransomware with trusted partnerships

Organizations like NCCIC believe the key to combatting rapidly proliferating malware like WannaCry is to crowdsource information in real time, as the attack happens. By testing the malware and then sharing the initial findings with other organizations, NCCIC was able to help slow the impact of WannaCry.

“Share early and share often,” said Jermaine Roebuck, principal incident response engagement lead at DHS. “Dump [the malware] in a sandbox and share it quickly so the community can start to protect itself.”

Companies like Cisco have cultivated their own threat intelligence partnerships. Cisco Talos, a threat research and intelligence team, partners with other entities to gather data in real time about cybersecurity events. During WannaCry, Talos moved quickly to communicate the impact of the ransomware to customers and constituents.

Sharing that information can be difficult as a crisis unfolds. It means taking in the information as it’s generated, then quickly analyzing and distributing that information. The NCCIC had prepared for a major cybersecurity crisis like this by building out its cybersecurity network of partnerships.

Preparation and practice enable you to keep pace with a cybersecurity event rather than lagging behind. “If you’re not prepared, you’re going to be behind the ball and you won’t be able to distill that information,” Nix said.

Verifying results through crowdsourcing was a key NCCIC technique. It observed patterns and verified information by identifying consistencies among its constituents. “One of the things I observed . . . was how consistent all the information was across all the reporting,” Nix said. “Even within all the chaos . . . that chaos was not preventing these existing and established information exchange partnerships from sharing information.”

Trust but verify

There’s some risk in crowdsourcing, of course. Organizations have to validate information and the sources it comes from—and that can be risky in an environment rife with malicious actors.

That’s another important element of crowdsourcing, said John Felker, director at NCCIC. Organizations like NCCIC used their networks to validate information, and vet the source of that information for credibility. “You can say [to your network], ‘Hey, I got this information from an unknown source’,” Felker said. “You trust but verify, and leverage your networks to do that.”

At the same time, Felker emphasized, cybersecurity crises like WannaCry are dynamic and require action—despite imperfect information.

“Everything was moving fast,” Felker said. “We’re not going to stick around and try to get 100%. We’re going to go when we get to a level of comfort. We say, ‘There will be more updates to follow, but this is the best we have right now.’”

The top five ways of combatting ransomware threats

Prevention is the best medicine in combatting malware. Roebuck of NCCIC outlined five key tenets in protecting against ransomware.

  1. Application whitelisting. This tedious work involves specifying which software apps are approved and permitted to be on a company’s system. While Roebuck said that whitelisting is onerous, it’s necessary. “You need to go through the motions, do the hard work,” Roebuck said.
  2. Two-factor authentication. With two-factor authentication, users not only have to enter a password but also a second piece of information which only they have. While many companies don’t employ two-factor authentication, the practice could have “shut WannaCry down,” Roebuck said.
  3. Data backup. Numerous incidents have highlighted the need for a disaster recovery strategy if a company is affected. But at the same time, have a risk management strategy to protect your data backup. “You need to back up, but at the same time you need to store [that data] in a manner that is segmented from the network or offline,” Roebuck emphasized.
  4. Educating users about good practices. Malicious actors still attack through simple means, such as asking users to enable macros when they open a Microsoft Word document. “Next thing you know, you’ve got a script executing and you’re off to the races with an incident response,” Roebuck said.
  5. Patching. Roebuck said that companies need to be more vigilant about patching. Many of the servers WannaCry paralyzed used outdated versions of Windows. “We have been talking about patching for the better part of 20 years, and people just aren’t doing it,” he said. But Roebuck also emphasized that it’s often not enterprises’ willful neglect, but rather a lack of visibility into IT assets that results in patching lapses.

     “People may have trouble understanding their environment—where all the systems live. This basic asset inventory management—it’s still such a big issue,” Roebuck said.


Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget; a senior editor at Cutter Consortium, an IT research firm; and an editor at the American Prospect, a political journal. She has received awards from the American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article “The Fluid Jurisprudence of Israel’s Emergency Powers.”