As children, we were convinced monsters lived in the dark space between the light switch and the bed. We turned off the lights at bedtime and bolted to our beds before the imagined monsters could reach us.
But what happened when we couldn't find our bed after turning off the lights? What happened if we got lost in the dark?
Trying to find a kill switch during a cyberattack is like a child trying to find the bed in the dark. The kill switch is the bed, the tool that stops the monsters, or malware in its tracks. However, unlike May's WannaCry attack, most cyberattacks do not come with a kill switch. To avoid that panic, companies must take preemptive actions and not just reactionary ones.
Kill switches and their purpose
Not knowing the hacker's reason for creating the kill switch complicates the process to locate it and as in the case of WannaCry, the off button seems to have been negligence.
WannaCry was effectively "killed" by registering a seemingly chaotic domain, Ryan Kalember, Sr. VP of cybersecurity at Proofpoint, one of the research firms that activated the kill switch, told CIO Dive.
Hackers most likely designed a kill switch because they were trying to avoid a security detector called a sandbox, according to Kalember.
A sandbox puts a spotlight on every network connection. If a URL, unintended for access, gets caught in a sandbox, it may mean the malware is aware of security looking at it, and therefore resists propagation. By registering the domain, Proofpoint tricked the malware into a sandbox-like response.
Unlike WannaCry, Marta Janus, Sr. principal threat researcher for Cylance, suggests that some kill switches are designed for a hacker's quick escape. "This is especially true for eavesdropping campaigns — if the attackers want to cease their activities and cover their traces once they obtained all the information they needed."
Many companies struggle to find a switch as most of the time it's nonexistent. In the case of NotPetya, a "vaccine" was found in place of a kill switch. NotPetya could activate when it found an existing local file to encrypt. If the file could be found before NotPetya hit, one could effectively "vaccinate" computers against the virus.
Cyberattacks, if nothing else, are experiments for hacker education.
Ryan Kazanciyan, chief security architect for Tanium and a tech advisor for "Mr. Robot," gives credit to 2008's Conficker worm in finding holes in Windows to simply spread itself. WannaCry and NotPetya just exploited that wormability to expand destruction.
This summer's attack can also be credited to 2013's CryptoLocker which locked files until victims paid a ransom. However, as we learned, in the case of NotPetya, a wiper disguised as ransomware, financial gains were not the hackers’ primary focus.
Attacked victims learned NotPetya "[contained] a boot sector component, that in addition to files, encrypts also internal structures of the operating system, making it more difficult, and in some cases impossible, to restore," according to Janus.
That is the game changer for Kalember. "The rest of the way [malware] spreads, we've seen that before, but the willingness of attackers to just destroy things rather than just simply steal information, that's new, that's troubling and there's no reason that that wouldn't spread through all the other traditional means so it's something that we have to start thinking about even if it's unpleasant."
Don't get lost in the dark
Security begins with reliability in corporate security infrastructure.
WannaCry and NotPetya capitalized on continued negligent use of Microsoft's SMB1 in Windows 7. Microsoft had warned companies for months that the system was fundamentally outdated and therefore unreliable.
Kazanciyan believes a company's sustainable prevention relies on the basics of security and asking "how [can] they modernize their architectures so they're not thinking about 'will I detect the next piece of malware?' " If the IT department is constantly fearing an attack, its foundation isn't secure.
During an unprepared attack, isolation is the only option for reducing the malware's propagation within your corporation.
NotPetya started with a software update so Kalember recommends companies segment digital infrastructure. They have to ask where or what parts of their data are most susceptible to intrusion. Consider Maersk's international infrastructure vulnerabilities; because of various ports being in targeted areas, Maersk has reexamined their segmentation.
Is there a kill switch for human ignorance?
While the most common cyberattacks come in linked emails, ignorance alone is not at fault. But there are protocols IT needs to mitigate future vulnerabilities, like regular software updates and maintain backups.
A kill switch, if anything is a false sense of security.
"It's unlikely that we would be saved by a kill switch if something like this were to happen again," said Kalember.