NotPetya: How to Prep and Respond if You're Hit
Security pros share practices to prepare and handle advanced malware attacks like NotPetya.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt3e77d1f39e135176/64f0d7afce538f0ac1e3f07d/NotPetya-intro.jpg?width=700&auto=webp&quality=80&disable=upscale)
Last week's massive ransomware attack, driven by malware that security experts have dubbed NotPetya (aka Petya/ExPetr/GoldenEye), primarily targeted companies in Ukraine but affected business operations in about 65 countries around the world.
This was the second major global cyberattack within the past two months, following the WannaCry ransomware attack in May 2017. Experts say the most recent outbreak was intended more for destruction than financial gain, and it was conducted by highly skilled threat actors.
The malware's authors demand $300 in bitcoin for ransom, but research following the attack has shown this malware modifies the Master Boot Record in a way that makes data recovery impossible. Attackers injected a backdoor into Ukrainian accounting software as a means of collecting sensitive data, which can be used to cause further damage to businesses.
Dr. Chris Pierson, CSO of Viewpost, explains how this attack seeks to prove the model of propagation without human intervention, focusing on weaknesses in patching and lack of security controls.
"As with all cybercrime attacks -- if this type of attack vector pays off for these hackers, it will be replicated by others and further honed," he notes.
The spread of last week's malware showed where organizations are failing in their defensive security strategies. Many aren't prepared to defend against an attack of this level or properly respond when -- not if -- one hits them.
"There is no 100-percent foolproof strategy for blocking cyberattacks, short of swearing off computers, email, and the Internet," says CompTIA CIO Randy Gross. "But there are steps that can and should be taken to heighten defenses, starting with making sure that all systems are up-to-date."
Here, experts share recommended practices to prepare for an attack like this, and steps security pros can take following an incident to mitigate its effects on the organization.
The growth of ransomware attacks demands that all businesses have playbooks detailing how security teams will detect and respond to incidents in both production and corporate environments, says Pierson. It's not enough to have a plan -- you also have to practice putting it into action.
"This means the security team and infrastructure team have a plan, have run a table top exercise, and even practiced a response more fully," he explains.
Many security pros focus on prevention. With every new threat vector, they must also assume there's a chance controls will fail and they'll need to respond to events that affect business operations.
The best way to prepare for a ransomware attack is to have a series of data backups, says Carson Sweet, co-founder and CTO at CloudPassage.
"There's absolutely no better way to protect yourself from one of these ransomware attacks," he explains. "You should think of a ransomware attack as a disaster recovery scenario."
A business continuity plan should have a system to back up data within a specific window, say two or twelve hours, so the organization will be able to rebuild its systems from that data in the event of an attack. This backup window varies from business to business. Some companies, like banks and major retailers, suffer more from losing even an hour's worth of data and should back up their information as often as possible. Security leaders can work with the manager of the business continuity program to determine the timeframe that's best for them.
"You can depend on your own backup more than a vendor patch because you have control over the backup," says James Stanger, CompTIA's senior director for product development. "Vendors can't always get you the latest patch in time, which means that your systems could still be susceptible to zero-day attacks. Your system may have all of the updates the vendor has given, but an exploitable problem still exists."
"When you know your data is backed up, you're less likely to feel pressure to pay a ransom because you already have what the cybercriminal is holding hostage," he explains.
While backups are key, experts continue to emphasize the critical importance of patching systems.
"Installing vendor patches in a timely manner and having an update plan in place for all machines is a good place to start," says Robert Rohrman, CompTIA's senior director of information services infrastructure.
Too many computers still run outdated systems like Windows XP and Windows Server 2003, and don't have the proper security controls in place to prevent ransomware attacks, he continues. Devices with newer operating systems can be vulnerable if security patches or software updates are delayed or ignored. Rohrman advises companies to adopt a centrally managed update system for clients and servers as the best way to gain visibility into the enterprise. IT managers should have a program in place to gain a global view of in-house systems and security so patches can be installed on multiple machines from one console.
Patching should be a priority, Sweet emphasizes. Threat actors are using outdated flaws to create weaponized exploits; in some cases, these vulnerabilities are three to five years old.
"Out the gate, there is no excuse to not have patched these vulnerabilities," he says, noting how most of the time, major attacks like NotPetya could have been avoided in a straightforward way. "It always confounds me. Enterprises don't keep up with simple basic patching. The underlying vulnerabilities [attackers] leverage are not new."
The sooner you know about a problem, the sooner you can implement a disaster recovery plan and mitigate the damage. Pierson notes antivirus is a good first line of defense for endpoint protection, especially when configured according to specialized guides to protect certain file locations.
In addition, he says, there are several controls businesses can use to scan for files being encrypted en masse. Teams should be reviewing all of their controls, and using network or behavioral tools to accurately identify and block suspicious activity.
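One form the "files being encrypted en masse" control can take is a sliding-window count of distinct files a single process writes. The example below is added here and is not code from the article or from any vendor quoted in it; the event format, the host names, the process name enc.exe, and the window and threshold values are all constructed assumptions.

```python
"""Heuristic detector: alert when one process writes to many distinct files in a short window."""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: look-back window per process
THRESHOLD = 5                    # assumption: distinct files written in the window that trip an alert

# Constructed sample of endpoint file-write events: "<iso time> <host> <pid> <process> <path>".
# A word processor saving two documents is normal; enc.exe touching five files in six seconds is not.
SAMPLE_EVENTS = r"""
2017-06-27T10:00:01 ws12 4120 winword.exe C:\Users\ana\Documents\q2.docx
2017-06-27T10:00:30 ws12 4120 winword.exe C:\Users\ana\Documents\q2.docx
2017-06-27T10:00:45 ws12 4120 winword.exe C:\Users\ana\Documents\notes.docx
2017-06-27T10:01:01 ws12 5588 enc.exe C:\Users\ana\Documents\q2.docx
2017-06-27T10:01:02 ws12 5588 enc.exe C:\Users\ana\Documents\q1.docx
2017-06-27T10:01:03 ws12 5588 enc.exe C:\Users\ana\Pictures\a.jpg
2017-06-27T10:01:04 ws12 5588 enc.exe C:\Users\ana\Pictures\b.jpg
2017-06-27T10:01:06 ws12 5588 enc.exe C:\Users\ana\Desktop\budget.xlsx
"""


def parse_event(line):
    """Split one event line into (timestamp, host, pid, process, path); paths contain no spaces here."""
    ts, host, pid, proc, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, int(pid), proc, path


def detect_mass_writes(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(host, pid, process): iso_time_of_first_alert} for every process that wrote to
    at least `threshold` distinct files inside any interval of length `window`.
    Events must be in time order; blank lines are ignored. Legitimate bulk writers
    (build tools, software updaters) need an allow-list in front of this check."""
    recent = {}    # (host, pid, proc) -> deque of (timestamp, path) still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, pid, proc, path = parse_event(line)
        key = (host, pid, proc)
        q = recent.setdefault(key, deque())
        q.append((ts, path))
        while q and ts - q[0][0] > window:       # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    for key, when in detect_mass_writes(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT {when}: {key[2]} (pid {key[1]}) on {key[0]} wrote {THRESHOLD}+ files in {WINDOW}")
```

The same logic can be fed from any EDR or audit source that records per-process file writes; in production the window and threshold are tuned per host role.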
Security teams should be able to isolate incidents as soon as possible before starting recovery, Sweet explains. Once malware hits one machine, it will start seeking other systems that have the same vulnerability and are open to infection.
"You need to put the fire out before you start recovering," he says.
Most of these attacks have pretty well-defined signatures, Sweet continues. An internal firewall can be used to block the ports that systems use to infect one another. Once a worm is detected, security and business teams should work together to block the east-west spread of malware within the environment behind the firewall.
"Security teams need to drill for, and practice shutting down, lateral movement to prevent fast-moving worms or ransomware that uses self-propagating means of replication," says Pierson, noting how this was seen in both WannaCry and Petya. Microsegmentation can be extremely effective in preventing this expansion, he adds.
After stopping the spread of attack, the next step is to isolate affected systems and disinfect them, says Sweet. The only guaranteed way to clean a system of malware is to completely wipe it.
"Once you've done that and are confident you eradicated the outbreak, then you can get the data and start to recover systems," he explains.
For many security teams, elimination of malware is the most challenging part of the disaster recovery process. Sweet likens the process to removing mildew in a house; you have to kill it all, or it'll spread.
"These kinds of eradication processes have to be concrete," he says. "If you miss one system or two, or trust an anti-malware solution and it misses something, that outbreak will break out again."
For teams struggling with the eradication and recovery process, Sweet advises completely wiping the system clean and reinstalling it from known, fresh images of systems using file integrity monitoring. This is a good way to ensure systems won't be recompromised.
Only after the infection has been detected, stopped, and eliminated can teams begin to recover data and rebuild affected systems -- the final step in the disaster recovery process.
In the aftermath of a cyberattack, it's also important to get support from business teams and ensure a cybersecurity expert is on the board to help everyone understand the threats they face.
"Making sure someone is focused on the forest as opposed to the trees, and focused on enabling the business through better cybersecurity, is paramount to the success of all companies," says Pierson. The latest ransomware attacks have highlighted the gap between the security risks that board members see on the news, and the reality of the security threat matrix today.