There are several key industry-wide lessons to be learned from the NotPetya attack in 2017, according to the information chief at one of the companies most heavily impacted.
The cyber threat landscape has changed fundamentally, with a very real risk of being caught up in nation state-sponsored activity, says Adam Banks, chief technology and information officer at Danish transport and shipping giant AP Moller–Maersk, which ships 20% of the world’s GDP.
This is one of the key learnings from the destructive NotPetya cyber attack of June 2017, which cost the company $350m in lost revenue, he told attendees of InfoSecurity Europe 2019 in London.
“Company boards and audit committees need to understand that this stuff is real,” said Banks. “NotPetya was explicitly designed to destroy data-processing capability. This is not ransomware that exists to deprive you of your data. It exists to destroy your ability to process it.”
This type of malware is part of a growing trend of nation state cyber attacks, said Banks. “In 2016, the US Department of Defense recorded 15 nation state attacks, but in 2017 the number went up to 180, and they have already recorded more than 180 this year so far. And the reason this is significant is that the types of malware involved are massively more damaging than something a criminal enterprise would use.”
The other point to note about nation-state attacks, said Banks, is that they are typically extremely effective in doing what they are designed to do. “According to the director of the NSA [US National Security Agency], in the seven years he has been in the job, he has never launched an attack that hasn’t worked.
“But the assumption is that the same is true for the Chinese, the Russians and others: when a state targets an organisation, it’s a 100% penetration rate, so organisations cannot assume perimeter security as a valid means of protection any more.”
While organisations still need perimeter defences to keep out amateur hackers and low-level cyber criminals, at the same time there is a need for some intelligence inside that perimeter to work out what is going on within corporate networks, said Banks. “Chances are, they are already in.”
The second key learning, therefore, is that prevention is unlikely to be an effective strategy, said Banks, adding: “Automated detection and response is key.”
Maersk has implemented both automated detection and response, he said. “In the event that we see something suspicious going on in the network, we don’t just flag it – we stop it. And then engage with the owner of the affected device about why they have been disconnected from the network.”
The effectiveness of this approach was demonstrated in November 2018, when an attack by the NotPetya variant Bad Rabbit was launched through the website of the Russian news agency Interfax and infected a computer belonging to a Maersk employee in Russia, said Banks.
“But his was the only device in our network that was affected. And while the scenario was not identical to NotPetya, it was close enough for me to think that this form of automated protection is extremely worthwhile.”
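The "we don't just flag it, we stop it" approach above comes down to a detector that can tell a spreading worm from a user and an action that takes the host off the network before it finds its next victim. The following is an added example, not Maersk's tooling: it scores each source host by how many distinct SMB/RPC peers it contacts inside a sliding window (a workstation talks to a few servers; NotPetya swept whole subnets), then turns a hit into an isolate-and-notify action. The flow log format, IP addresses and the device-owner table are constructed for the example.

```python
"""Fan-out detector for worm-style lateral movement, with an automatic isolate
decision.  Added example, not Maersk's tooling; all hosts, addresses and owners
below are hypothetical and the flow records are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


# Ports NotPetya used to reach other machines (SMB and RPC)
LATERAL_PORTS = {445, 139, 135}


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form 'ISO-timestamp src dst dport'."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


def detect_fanout(flows: Iterable[Flow], window: timedelta = timedelta(seconds=60),
                  threshold: int = 10) -> Dict[str, Tuple[datetime, int]]:
    """Return {src: (time_of_alert, distinct_targets)} for every source host that
    reached `threshold` distinct lateral-movement targets inside any `window`.
    Each source is alerted once, at the moment the threshold is crossed."""
    alerts: Dict[str, Tuple[datetime, int]] = {}
    recent: Dict[str, Deque[Flow]] = defaultdict(deque)
    live: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport not in LATERAL_PORTS or f.src in alerts:
            continue
        q, counts = recent[f.src], live[f.src]
        q.append(f)
        counts[f.dst] += 1
        # Slide the window: forget flows older than `window`
        while q and f.ts - q[0].ts > window:
            old = q.popleft()
            counts[old.dst] -= 1
            if counts[old.dst] == 0:
                del counts[old.dst]
        if len(counts) >= threshold:
            alerts[f.src] = (f.ts, len(counts))
    return alerts


# Hypothetical device-to-owner mapping, normally pulled from the asset inventory
DEVICE_OWNERS = {"10.1.4.23": "a.smith@example.invalid",
                 "10.1.4.77": "j.doe@example.invalid"}


def respond(alerts: Dict[str, Tuple[datetime, int]],
            owners: Dict[str, str] = DEVICE_OWNERS) -> List[dict]:
    """Turn alerts into actions: isolate the host first, then tell its owner why.
    The 'isolate' action is where a NAC or EDR API call would go."""
    return [{"host": host, "action": "isolate", "notify": owners.get(host, "unknown"),
             "reason": f"{n} distinct SMB/RPC targets in one window, alerted at {ts.isoformat()}"}
            for host, (ts, n) in sorted(alerts.items())]


def constructed_sample() -> List[str]:
    """Constructed flow log: one benign workstation and one host sweeping the /24."""
    base = datetime(2017, 6, 27, 10, 30, 0)
    lines = []
    for i in range(30):  # benign: file server and DC, two destinations, every 2 s
        dst = "10.1.4.10" if i % 2 else "10.1.4.5"
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.1.4.23 {dst} 445")
    for i in range(25):  # worm-like: 25 distinct hosts over SMB in 25 s, starting at +40 s
        lines.append(f"{(base + timedelta(seconds=40 + i)).isoformat()} 10.1.4.77 10.1.4.{100 + i} 445")
    for i in range(5):   # web traffic from the same host is not lateral movement
        lines.append(f"{(base + timedelta(seconds=41 + i)).isoformat()} 10.1.4.77 203.0.113.{i + 1} 443")
    return lines


if __name__ == "__main__":
    found = detect_fanout(parse_flow(line) for line in constructed_sample())
    for action in respond(found):
        print(action)
```

The threshold and window are the tuning knobs: too low and vulnerability scanners or backup servers get isolated, too high and a worm at NotPetya's pace (tens of thousands of hosts in minutes) has already moved on. Allow-listing known scanners by source address, and alerting on the distinct-destination count rather than raw connection volume, keeps the false-positive rate workable.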
The third key learning, said Banks, is that standard online backup is no longer a safe approach. Organisations have spent millions in recent years moving from tape backup to online backup, he said, “but if it is attached to your network, nowadays you have got to assume that it will be hit – therefore, it can’t be a [safe] backup if it is online”.
This is solved in the physical world by disconnecting online backup on a weekly rotational basis, said Banks. “But in the cloud world, this problem has yet to be solved because while it is relatively easy to disconnect, you have problems reconnecting,” he said.
“Cloud service providers need to take action to find a way of making cloud-based online backup a more secure solution.”
Patching is necessary, but the fourth key learning is that patching is insufficient, he said. “The first question people usually ask about NotPetya is whether we were patched. We were patched appropriately against the EternalBlue exploit also used in WannaCry, but that defended against only one way that NotPetya was able to use to spread.
“NotPetya – which was distributed through a backdoor in an automatic update to the MeDoc software used to submit tax returns in Ukraine [which was the real target of NotPetya] – uses a number of different methods to spread, which is why it is so effective.
“If it can’t propagate using EternalBlue, it attempts to do a pass-the-hash credential theft. The reason this turned out to be so significant for us is the server that we ran MeDoc on was a physical server that was due to be moved to the cloud.”
Banks added: “The day before NotPetya arrived, the domain administrator logged on, did a full inventory of the machine and then logged off. But this meant that the first credential stolen using the pass-the-hash method provided the malware with the keys to the kingdom, enabling it to propagate horizontally and vertically.
“That meant that 55,000 clients and 7,000 servers were infected within seven minutes, when it basically ran out of things to infect.”
NotPetya’s damage to Maersk
In terms of IT services, NotPetya badly damaged Maersk’s dynamic host configuration protocol (DHCP) and Active Directory services, the enterprise service bus was destroyed, and vCenter, which manages its VMware virtual server estate, was damaged and unstable.
In terms of end-user devices, 49,000 laptops were destroyed, all print capability was destroyed, and file shares were unavailable.
All of Maersk’s 1,200 applications were inaccessible and about 1,000 were destroyed, while about 3,500 out of 6,200 servers were destroyed.
The fifth key learning, said Banks, is that privileged access management is extremely important. “When I was working in the payments industry, we had no administrators,” he said. “Nobody in the company had standing administrator privileges. This was done on a right-to-work basis. Employees had to raise a change control request and were given admin rights for a limited period.
“If we had had that at Maersk at the time of the NotPetya attack, my guess is that we would have had 400-500 machines impacted, not 55,000. So that has become critical. We have no elevated privileges in many parts of the company any more, and we are working towards zero.”
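The MeDoc server story above (a domain administrator's interactive logon the day before, harvested by pass-the-hash) and the standing-privilege point here are the same problem seen from two sides: every host where a privileged account has logged on interactively is holding that account's credential material until reboot. The following is an added example, not Maersk's tooling, that audits Windows security event 4624 records for exactly that condition. It assumes the events arrive as JSON lines with the standard 4624 field names, and the account names, host names and tier-0 list are hypothetical; the events themselves are constructed.

```python
"""Audit of where privileged credentials sit exposed to theft, from Windows
security event 4624 (successful logon).  Added example, not Maersk's tooling.
For interactive-style logon types the account's credential material remains in
LSASS on the target until reboot, where malware running with local admin rights
can harvest and replay it (pass-the-hash); a plain network logon (type 3) does
not leave it there.  Accounts, hosts and events below are hypothetical."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Logon types that leave reusable credential material on the target:
# 2 interactive, 4 batch, 5 service, 7 unlock, 10 RDP, 11 cached interactive
CACHING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}
# Accounts whose theft is a domain compromise (hypothetical names)
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\svc-backup"}
# Hosts allowed to hold tier-0 credentials (hypothetical domain controllers)
TIER0_HOSTS = {"DC01", "DC02"}

# Constructed events in the JSON-lines shape a log forwarder might emit
SAMPLE_EVENT_LINES = [
    # the MeDoc-server pattern: domain admin RDPs to an ordinary application server
    '{"EventID": 4624, "TimeCreated": "2017-06-26T09:12:00", "Computer": "fin-medoc01.corp.example",'
    ' "TargetDomainName": "CORP", "TargetUserName": "da-admin", "LogonType": 10}',
    # network logon (SMB share access): nothing reusable is left on the file server
    '{"EventID": 4624, "TimeCreated": "2017-06-26T09:40:00", "Computer": "fs01.corp.example",'
    ' "TargetDomainName": "CORP", "TargetUserName": "da-admin", "LogonType": 3}',
    # ordinary user at their own workstation: not privileged
    '{"EventID": 4624, "TimeCreated": "2017-06-26T08:01:00", "Computer": "ws-0412.corp.example",'
    ' "TargetDomainName": "CORP", "TargetUserName": "j.doe", "LogonType": 2}',
    # domain admin at the console of a domain controller: tier 0, expected
    '{"EventID": 4624, "TimeCreated": "2017-06-26T10:05:00", "Computer": "dc01.corp.example",'
    ' "TargetDomainName": "CORP", "TargetUserName": "da-admin", "LogonType": 2}',
    # privileged service account running a service on a member server
    '{"EventID": 4624, "TimeCreated": "2017-06-26T00:00:30", "Computer": "fs01.corp.example",'
    ' "TargetDomainName": "CORP", "TargetUserName": "svc-backup", "LogonType": 5}',
    # failed logon (4625): nothing was placed in LSASS
    '{"EventID": 4625, "TimeCreated": "2017-06-26T11:15:00", "Computer": "ws-0412.corp.example",'
    ' "TargetDomainName": "CORP", "TargetUserName": "da-admin", "LogonType": 10}',
]


def account_of(event: dict) -> str:
    """Normalise DOMAIN\\user so membership checks are case-insensitive."""
    return f"{event['TargetDomainName'].upper()}\\{event['TargetUserName'].lower()}"


def host_of(event: dict) -> str:
    """Short, upper-cased host name from the event's Computer field."""
    return event["Computer"].split(".")[0].upper()


def credential_exposures(lines: Iterable[str]) -> List[dict]:
    """Privileged accounts that logged on with a credential-caching logon type to
    a host outside tier 0: every place a NotPetya-style pass-the-hash step would
    find domain-admin material waiting."""
    out = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4624:
            continue  # only successful logons put material in LSASS
        acct, host = account_of(ev), host_of(ev)
        if (acct in PRIVILEGED_ACCOUNTS and ev["LogonType"] in CACHING_LOGON_TYPES
                and host not in TIER0_HOSTS):
            out.append({"account": acct, "host": host,
                        "logon_type": ev["LogonType"], "time": ev["TimeCreated"]})
    return out


def hosts_holding_privileged_creds(exposures: List[dict]) -> Dict[str, Set[str]]:
    """Host -> set of privileged accounts recoverable from it (until reboot)."""
    held: Dict[str, Set[str]] = defaultdict(set)
    for e in exposures:
        held[e["host"]].add(e["account"])
    return dict(held)


if __name__ == "__main__":
    found = credential_exposures(SAMPLE_EVENT_LINES)
    for host, accounts in sorted(hosts_holding_privileged_creds(found).items()):
        print(f"{host}: {', '.join(sorted(accounts))}")
```

Run against real forwarded logs, the list of hosts this produces is the blast radius a single local-admin compromise buys an attacker, and the empty list is the measurable goal of the "no standing privileges" policy: with just-in-time elevation and tiered administration, privileged accounts should only ever appear in caching logon types on tier-0 hosts.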
The sixth key learning, said Banks, is that organisations need to understand that for heavy industrials, business continuity plans and crisis management plans may need to be wider than asset-focused.
“These plans are likely to be focused on assets, as they were at Maersk,” he said. “But we have changed that now. The first question in the crisis management plan is whether the incident at hand is asset-centric or global, which used to mean ‘big’ but now really means ‘global’.
“The answer to this question determines whether we use a financial services-type model, where it is executive level and you are on call every four hours 24/7 making decisions on what’s going to happen to the whole business, or whether it is asset-centric, in which case you push it to the executive in those assets. If we had adopted this approach before NotPetya, our response would have been a lot slicker.”
Business continuity plans
In terms of business continuity plans, Banks said it is important to keep service continuity plans and service resumption plans separate.
“This forces the people looking at business continuity to assume no IT capability,” he said. “Before NotPetya, these two were merged and no provision was made for what action to take in the event of having no technology at all. We did not have a plan for the global destruction of all our IT capability.
“By forcing the split between business continuity and service resumption, you can start by saying there is no business technology when you get to service resumption, and that results in a much better version of the plan.”
The final key learning is the value of openness and transparency, said Banks. “The decision to be open and honest about what was going on was extremely beneficial,” he said. “Despite the challenges, 95% of our containers reached their destinations on time because we were able to move goods through ports for four weeks without any customs clearance.
“The reason we were able to do that, in addition to being a global brand that people trust, was because port authorities knew why we couldn’t do it, and agreed that we could retro-file everything that we had moved. If we had not been open about this, we would never have got that level of cooperation.”
This article originally appeared on ComputerWeekly.