It’s been two weeks since the WannaCry ransomware burst across networks around the world, infecting hundreds of thousands of systems in more than a hundred countries. Despite the early fears, the discovery of an embedded “kill switch” helped slow the malware’s momentum just as it was getting going. But that hasn’t stopped the flood of threats exploiting the same underlying vulnerability.
There’s already been plenty of talk about what lessons we can learn from WannaCry, but WannaCry isn’t really the threat here. WannaCry is just a not-so-great piece of ransomware that piggybacked on a much bigger threat.
The only reason that WannaCry made any impact at all is because it exploited a vulnerability in Microsoft’s Server Message Block (SMB) protocol that was originally discovered by the NSA and leaked two months ago by the secretive ShadowBrokers. SMB is a protocol used for file sharing, and it’s enabled by default on most Windows installations. This makes an SMB vulnerability incredibly powerful – according to one former NSA employee, using it felt like “fishing with dynamite.”
WannaCry is far from the only malware that’s taken advantage of this vulnerability. Adylkuzz is a much quieter piece of malware that hides in the background, stealing CPU cycles to mine cryptocurrency. Researchers don’t know how widespread it is, but one team that exposed a server with the SMB vulnerability to the Internet found that it took only about 20 minutes to get infected with Adylkuzz. Researchers are now discovering other, even more sophisticated worms (two have been named EternalRocks and BlueDoom, and there are certainly others) that use multiple SMB vulnerabilities from that same two-month-old leak.
It's the constant churn of vulnerabilities that makes these pieces of malware dangerous.
All of this highlights that simple fact. This is far from the first vulnerability dump we’ve seen, and it won’t be the last. In fact, the same mysterious group that released these vulnerabilities promised on Saturday that they had more vulnerabilities coming in June, and a new widespread Samba vulnerability was discovered only yesterday.
Our systems are more complex than they have ever been, and they are getting more complex by the minute. Complexity is the enemy of security. As hard as we look for vulnerabilities, we will miss some – or, rather, someone else will find them first. And then we’ll be left scrambling to catch up.
Perhaps we could solve this by making our systems simpler – by reducing that complexity. It’s a valuable goal, but it’s not going to happen any time soon. We might also address this through better coordinated disclosure of vulnerabilities – but Microsoft put out an SMB patch a month before the SMB vulnerability went public. That’s more than two months ago at this point. Even with lead time, many organizations couldn’t react in time.
Patching is essential, but it’s also slow, cumbersome, and risky when deployed quickly and at scale. Working under time pressure, organizations are far too likely to make a mistake and break something while patching, or move too slowly and be caught while they are still exposed. Even worse, careless patching creates complexity we don’t understand, which leads to new vulnerabilities. The problem here isn’t patching – it’s needing to patch reactively, with a short time window, inside an environment that you don’t really understand.
This highlights an essential lesson that the last week should drive home: once the clock is ticking, defenders are at a fundamental disadvantage. The intruder decides when to launch their threat, which means they are prepared, while defenders are scrambling. Defenders win when they operate proactively, building understanding and control of their environment before the threat materializes.
Cybersecurity today is heavily focused on rapid reaction. This is why the most common refrain over the last two weeks has been that organizations should patch faster to protect themselves against WannaCry. But it completely misses the essential imbalance between proactive and reactive security. If your only option to deal with a sudden threat is to react quickly by patching everywhere, you’re already at a huge disadvantage.
Instead of trying to patch faster, what if we didn’t have to patch everywhere? SMB is enabled by default on most Windows installations. That’s why these SMB vulnerabilities are so powerful – and so complicated to patch. But how many of those systems are actually using SMB to share files? How many are using it for mission-critical functions? Chances are not all of them, and you don’t have to patch those other systems immediately. You could temporarily shut down SMB, and focus on patching those systems for which it has to remain operational. This would focus patching – a comparatively slow response – only where it is absolutely necessary, accelerating overall response time.
The same approach could work for future threats, but it requires that you be able to quickly determine which systems are at risk and which functionality is mission-critical, and that you be able to act on those systems quickly as well. An organization that has done this proactive work can react much more quickly. Rather than scrambling to patch everything, they will be able to simplify their problem and limit their scramble.
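The triage described in the two paragraphs above (find out whether a host is really serving files over SMB, and if not, switch SMB off so patching can be concentrated on the hosts that need it) can be scripted. The following is an added example, not code from the original article; it assumes Windows 8 / Server 2012 or later with the built-in SmbShare and NetSecurity modules, run as Administrator on each host (or wrapped in Invoke-Command for a fleet), and the rule name and messages are made up for the illustration.

```powershell
# Added example (not from the article). Dry run by default; -Enforce actually disables SMB.
param(
    [switch]$Enforce
)

# 1. Inventory: is this host actually using SMB to share files?
$cfg      = Get-SmbServerConfiguration
$shares   = Get-SmbShare | Where-Object { -not $_.Special }   # ignore C$, ADMIN$, IPC$
$sessions = Get-SmbSession  -ErrorAction SilentlyContinue
$opens    = Get-SmbOpenFile -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Smb1Enabled    = $cfg.EnableSMB1Protocol
    CustomShares   = ($shares   | Measure-Object).Count
    ActiveSessions = ($sessions | Measure-Object).Count
    OpenFiles      = ($opens    | Measure-Object).Count
}
$report | Format-List

# 2. Decide: a host with no custom shares and no connected clients is not sharing files,
#    so it can lose SMB now and be patched on a calmer schedule. Hosts that are sharing
#    files stay up and go to the front of the patch queue.
$needsSmb = ($report.CustomShares -gt 0) -or ($report.ActiveSessions -gt 0)
if ($needsSmb) {
    Write-Host "SMB is in use on $($report.ComputerName): keep it running and patch this host first."
    return
}
if (-not $Enforce) {
    Write-Host "SMB appears unused on $($report.ComputerName): re-run with -Enforce to disable it."
    return
}

# 3. Act, reversibly: turn off the SMBv1 dialect, block inbound TCP 445 at the host
#    firewall, and stop the file-server service until the host has been patched.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
New-NetFirewallRule -DisplayName "Temporary block: inbound SMB 445" -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
Stop-Service -Name LanmanServer -Force
Set-Service  -Name LanmanServer -StartupType Disabled
Write-Host "SMB disabled on $($report.ComputerName). After patching: Remove-NetFirewallRule, Set-Service -StartupType Automatic, Start-Service LanmanServer."
```

Running the dry-run pass across all hosts first gives the inventory the article calls for; the -Enforce pass is then applied only to the hosts the report shows are not sharing files.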
Invest in understanding and controlling your environment.
If someone is using dynamite, you have to be able to control the blast radius, and waiting for them to light the dynamite is too late. We don’t need to prepare for the next WannaCry (or Adylkuzz, or EternalRocks, or BlueDoom) – we need to prepare for the next vulnerability dump. The best preparation for that threat isn’t a single-minded focus on patching and other reactive tools. Patching is important, but an investment in proactive control will radically improve the speed and accuracy of your response. It will help you patch faster, but more importantly, it will make you more secure from the start.