How collective defense can work.
We've seen strong indications recently that the ISACs are working, roughly speaking, as advertised, and that's been good news amid the bad.
Notes from one part of the energy sector.
When the CrashOverride industrial control system malware was identified as implicated in the 2016 Ukrainian grid hack, representatives of the Downstream Natural Gas ISAC (DNG-ISAC) and the American Gas Association told us that, while the threat to their sector is as great as the threat to the electrical power distribution system, the natural gas industry made a good showing: the groups' members responded promptly and effectively to the warning they received quietly from Dragos on June 9th. Their guard went up and mitigations were put in place.
The American Gas Association told us they saw a similar response from their members when Petya broke out. John Bryk, of the DNG-ISAC and the American Gas Association, said that the "Downstream Natural Gas and Electric ISACs alerted and provided initial indicators of PETYA to their sectors by 0940 and rapidly confirmed no successful infections across their membership." So the warning went out early and they were able to confirm their members were safe.
Trends in protection.
We also heard from ISACA, the international professional association for information technology governance. They think ransomware attacks of this kind should be expected, and should be expected to come more frequently. They've surveyed the community on the matter, and their results show that:
- "More than half (53%) of survey respondents reported a year-over-year increase in cyberattacks for 2016."
- "62% reported experiencing ransomware in 2016 but only 53% have a formal process in place to address it."
- "Malicious attacks that can impair an organization’s operations or user data remain high in general (78% of organizations reporting attacks)."
ISACA CEO Matt Loeb thinks this means that "cyber security resourcing within organizations has to change." The survey indicated that some of that necessary change is in progress:
- "More organizations than ever now employ a chief information security officer—65%, up from 50% in 2016."
- "Overall cyber security budgets remain strong, with about half of survey respondents seeing budgetary increases in 2016."
- "Smarter, newer cyber training models and advancements continue to serve professionals and organizations well if they are utilized."
Update, 6.29.17: ISACA has been conducting a 24-hour poll on ransomware and malware in relation to this incident; we hope to be able to share their results.
Update, 7.5.17: ISACA has shared its survey results with us. ISACA CEO Matt Loeb says, "In general, cyber security teams need to brace themselves for more action: 83% of ISACA member survey respondents expect that the latter half of 2017 will see ransomware attacks become even more prevalent. Yet 50% of respondents said their company has not conducted any ransomware training for staff." He thinks preparedness trumps response. "Our poll shows that more than one in four organizations typically wait longer than a month to apply the latest software patches. Given the escalating volume and complexity of threats enterprises are facing, placing greater urgency on rapid, comprehensive patching is a critical component of protecting an organization from the business- and infrastructure-crippling consequences of an attack." The results of ISACA's poll (450 respondents):
- 3:4 respondents polled believe that their organizations felt prepared or somewhat prepared for a ransomware attack.
- More than 1:4 organizations say that their organization has experienced a ransomware attack.
- While much of the narrative in the media reflects that organizations often pay ransoms in response to being attacked, our poll reflected that only 6% of participants have said that yes, their organizations would pay.
- After the WannaCry attack in May 2017, 50% of participants reported that their organization took new precautions in regards to their security. In light of the Petya attack, an additional 28% responded that their organization will take new precautions.
- Of those polled, 72% shared that their organizations apply the latest software patches within one month, leaving a substantial number of organizations who take longer to apply their patches.
Update, 6.30.17: The US Department of Homeland Security acting undersecretary for cybersecurity shares a perspective on her Department's work to contain the earlier WannaCry outbreak (Federal News Radio). That response, which highlights the role played by CERTs and by US interagency cooperation, holds some lessons for responding to Petya/Nyetya/NotPetya.