Organizations like DHS managed the WannaCry ransomware outbreak by crowdsourcing information quickly and relying on trusted partnerships.
SAN FRANCISCO -- It was springtime 2017, and a soon-to-be notorious ransomware was tearing through organizations across the globe.
Known as WannaCry, the ransomware targeted computers running Microsoft Windows operating systems, encrypting data and enabling its perpetrators to demand monetary ransom from victims. Some 200,000 computers were infected in 150 countries. While pervasive, WannaCry didn’t inflict as much financial damage as other ransomware attacks. The impact of WannaCry was reined in, partly because a researcher discovered a kill switch that stopped the malware from spreading.
The National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security (DHS) was learning about the ransomware on the fly, as it hit early Friday morning, May 12.
“It was my good luck and my good fortune that I had to be at NCCIC on Friday,” said Bradley Nix, chief of program execution at NCCIC.
WannaCry affected numerous organizations, from Telefonica, a telecommunications company in Spain, to Federal Express in the U.S. to the National Health Service, the healthcare system in the U.K.
Patrick, a patient in the U.K. who was due to have open heart surgery on May 12, was visited by his doctor before the scheduled procedure. “He looked . . . concerned,” Patrick said. “He told me, ‘We’ve been hacked.’” X-rays and patient records were inaccessible. “It was the most awful time,” Patrick said. “Because I didn’t know what was going to happen to me.”
WannaCry signaled a new chapter in the impact of ransomware. But, in truth, these kinds of cyberattacks had been gathering steam for some time. DHS itself reported a fourfold increase in ransomware between 2015 and 2016. And in 2017, a Ponemon Institute survey found that of its 600-plus respondents, more than 51% said they had been hit by ransomware.
Organizations like NCCIC believe the key to combatting rapidly proliferating malware like WannaCry is to crowdsource information as the attack happens, in real time. By testing malware, then sharing the initial findings with other organizations, NCCIC was able to help slow the impact of WannaCry.
“Share early and share often,” said Jermaine Roebuck, principal incident response engagement lead at DHS. “Dump [the malware] in a sandbox and share it quickly so the community can start to protect itself.”
Companies like Cisco have cultivated their own threat intelligence partnerships. Cisco Talos, a threat research and intelligence team, partners with other entities to gather data in real time about cybersecurity events. During WannaCry, Talos moved quickly to communicate the impact of the ransomware to customers and constituents.
Sharing that information can be difficult as a crisis unfolds. It means taking in the information as it’s generated, then quickly analyzing and distributing that information. The NCCIC had prepared for a major cybersecurity crisis like this by building out its cybersecurity network of partnerships.
Preparation and practice enable you to keep pace with a cybersecurity event rather than lagging behind. “If you’re not prepared, you’re going to be behind the ball and you won’t be able to distill that information,” Nix said.
Verifying results through crowdsourcing was a key NCCIC technique. It observed patterns and verified information by identifying consistencies among its constituents. “One of the things I observed . . . was how consistent all the information was across all the reporting,” Nix said. “Even within all the chaos . . . that chaos was not preventing these existing and established information exchange partnerships from sharing information.”
There’s some risk in crowdsourcing, of course. Organizations have to validate information and the sources it comes from—and that can be risky in an environment rife with malicious actors.
That’s another important element of crowdsourcing, said John Felker, director at NCCIC. Organizations like NCCIC used their networks to validate information and vet the source of that information for credibility. “You can say [to your network], ‘Hey, I got this information from an unknown source,’” Felker said. “You trust but verify, and leverage your networks to do that.”
At the same time, Felker emphasized, cybersecurity crises like WannaCry are dynamic and require action—despite imperfect information.
“Everything was moving fast,” Felker said. “We’re not going to stick around and try to get 100%. We’re going to go when we get to a level of comfort. We say, ‘There will be more updates to follow, but this is the best we have right now.’”
Prevention is the best medicine in combatting malware. Roebuck of NCCIC outlined five key tenets in protecting against ransomware.
Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget; a senior editor at Cutter Consortium, an IT research firm; and an editor at the American Prospect, a political journal. She has received awards from the American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article “The Fluid Jurisprudence of Israel's Emergency Powers.”