A few weeks ago we saw information leaked from known sources that no one really knows what their agenda is (disinformation, whistleblowing or a nation-state sponsored disruption campaign). Information was released about toolkits that certain Intelligence Agencies (supposedly in the USA) used to spy on all other countries.

Among software there were also exploits in portions of Windows operating systems that many believe Microsoft knew about but only released a patch when the information leak came out. This patch was released shortly after samples of the toolkits were given away via github in order to get people interested in bidding for the software and information.

An interesting thing to note is that “Shadow-brokers” had very broken english so we don’t know from which country they are really from, China, Russia, Iran??? Who knows. A detailed language analysis would offer some insight as to the language mistakes in the posts and translating into the three mentioned actors (if against the US) to see if it would make sense. Another option is that someone from the US or a Skiddie group are trying to start WW3.

This type of propaganda (if that is what it really is) aims at creating a “suspense and end-of-world” type of news and messages to do a few specific things. From an emotional standpoint they create fear, get people to question the specific nation-state supposedly behind the tools that calls up negative views on how they are the bad guys. The reality of Intelligence however is not so simple or easy to blame just one country for this predicament. Lets start with some facts:

1. Information leaked from both Wikileaks and Shadow-brokers about CIA, NSA tools
2. A Sample is released to “verify” legitimacy of claims and auction (on underground .onion sites and github)
3. Security Analysts and Security Researchers look at the tools, the exploits and verify some actually work
4. Microsoft “finally” releases a patch and labels this as critical
5. After the patch release on May 12th messages start to come in about Windows XP clients in Hospitals and Critical Infrastructure (!) that are not patched and have un-supported Windows versions running critical and informational services for Hospitals, Rail and other Critical Infrastructure
6. Press labels this as a “cyber attack” and many “cyber” experts jump on the bandwagon selling additional services and consulting

I want to talk about what we “hopefully” learned from all this and clarify a few things about what this really was.

If we separate fantastic claims and emotions from all the security companies now using this to make money we can actually see a few things and after looking at those facts determine what and how we need to buy or use services to change the situation. If I may I will state some personal views and opinions, I hope you don’t mind as the reader and appreciate you reading so far. 

1. These infections were absolutely avoidable and no, any Antivirus was NOT the answer, nor was some magical threat feed in and of itself (I will get to expanding that later).
2. These “attacks” are not really “cyber attacks” they are exploits that were used to infect and disrupt outdated and not correctly patched systems.
3. Don’t get me wrong, there are quite a few questions that need to be answered like why for instance only certain countries were attacked and if there is a “cyber” component. It is not however in my opinion an easy statement to say it was a “cyber attack”. We will only know if that was the actual “intent” after further “evidence” and “neutral analysis” of facts of these “infections”.
4. The fact that old, out-dated systems and operating systems like XP that are “known” to be exploitable for years is just criminal at worst and irresponsible at best.
5. Critical Infrastructure does not seem to be checked or audited (although there are definitions, fines and audit teams from various governments who are responsible for guaranteeing this very thing).

I don’t want to blame anyone for this, one thought that keeps on coming back however is why where so many XP machines being used by critical infrastructure that were exploitable in the first place? The answer is simple if you blame folks but in reality its much more complex.

Many companies and entities have various types of software to do many different things. From an attackers perspective they make operations and management much harder and more complex than in clean-cut and simple shops. When a small shop has outdated clients, operating systems and applications usually its a resource, skill or money issue. In larger companies more resources are in place and budgets may or may not be used to plug the biggest holes. When we look at the most recent attack there “could” be a few reasons for this:

1. Company bought software that is no longer supported or company went bankrupt
2. Company didn’t have money to invest in new OS and applications
3. Legacy applications are too hard, expensive or almost impossible to update due to multiple and complex interdependencies. (This is usually the primary reason)
4. Companies do not see the value in updating infrastructure and see it as a cost area when in fact it is part of the revenue stream of each and every company, globally….. (this is a fact 99% of companies don’t see) and most security (cyber) companies don’t really address correctly.

When infrastructure becomes “bloated” , complex and costly, people usually tend to put mechanisms in place to try to protect it and apply haphazard Band-Aids. Usually we find that in attacks, Band-Aids don’t really solve the real issues that a company has when they can’t change older legacy systems.

We also discover that simple tasks like patch management and managing a secure and proactive operations in NOC and SOCs is usually not done when facing complex and legacy systems. Again there “can” be multiple reasons for this that are not necessarily financial or budget in nature.

The fact remains though (and this attack proves it … again) that these weak links or challenges to solid and more secure operational states are certainly exploitable and are being targeted more and more by various groups in order to create much more damage that actually dealing with the underlying issues and challenges of legacy systems.

So what do we do to resolve and stop these types of attacks?

1. Basic Operations and awareness – Know what you have, what the versions are and patches that SHOULD be installed
2. Map out all the old legacy systems and apply simple risk management to those (should already be in place) if you “claim” ISO27001/2 compliance.
3. Build a proactive security based security and operations team – Use something like our Risk Intelligence service to map out possible risks and attackers, use that information to “avoid” attacks or risks before they become threats
4. Implement actionable intelligence – using a service like our Risk Intelligence can feed all the risks we and your team find into a tangible, actionable and understandable (as well as cost effective) risk documentation, mitigation strategy and system
5. Use the risks and holes you have as honeypots – people will always look for holes in your system, thats always going to be that way. No matter what you do, what you buy, there is always a residual risk. If you have that then think like your attacker does and use the information to find out who is or wants to attack you

Thats it for this post, I hope it was useful, added value and starts additional discussions with us, other really good partners we have and respect and yourself. We are here to help, use us. Don’t fall for the fear based mentality of some “cyber” companies that sell off fud and silver bullets, the world of operations and security is never about silver bullets. Its about great teams that work together with partners, gathering intelligence and using that tom app risks and then manage them.

M