Chris Kennedy had a front row seat to EternalBlue's weaponization in 2017.
At the time he was working for an organization with close connection to military entities with professional threat intelligence sources readily available.
"We got notified that this EternalBlue thing was happening, there were already some rumblings about it," Kennedy, CISO and VP of customer success at AttackIQ, told CIO Dive. The security team was anticipating an exploit.
While Microsoft's "battle rhythm" Patch Tuesday is an industry standard, the company had "punted" the patches as the stolen exploit loomed, said Kennedy. There was no patch from Microsoft at that point.
"[We were] like holy crap, Windows hasn't offered any resolution," he said.
As a zero-day exploit brewed, urgency swept over the security organization.
Malware can spread as easily as the flu in a kindergarten class. It's typically designed around known vulnerabilities and weaponizing a flaw is the pièce de résistance of cyberattacks. The most dangerous ones are wormable, with self-propagating capabilities, such as 2017's WannaCry and NotPetya.
"The enemy knows the enemy of the enemy. But in cyberspace, really, the enemy is not a physical entity — traffic can go from all over the world," Itzik Kotler, co-founder & CTO of SafeBreach, told CIO Dive.
If malicious code is written with "purpose," any computer can run it, Kotler said.
Trouble with the curve
Security organizations keep chaos at bay and by doing so minimize the threat of stalled operations, unplanned recovery expenses and a PR catastrophe.
The trouble with many security strategies is they hinge on the "education" provided by vendors, said Kotler. Companies buy different solutions that "promise something to them." In reality, hackers are learning to go between what one solution can provide, finding the "blind spot" for an attack.
At the watering hole, hackers potentially have millions of people to "infect," they just have to choose their approach to malware. Develop a new piece of malware or modify an existing strand?
Bad actors prioritize blind spots ahead of other vulnerabilities because they take into account the potential cost of a mistake, said Kotler, which is why email phishing is effective. Even if a phishing attempt is unsuccessful, "there is no downside" because either hackers don't get paid at all or just get paid a little. The lift, overall, is minimal.
Phishing schemes account for about 36% of cyberattacks and risk in 2019, according to a Bitefender report. It's used to "break corporate networks" and unleash greater cyberattacks.
But phishing schemes are only one of many cyberattacks to choose from. In order to blindside a controller, hackers can weaponize exploits, like EternalBlue.
If the first delivery mechanism is email, attackers could automatically weaponize an exploit. WannaCry was piggybacking on EternalBlue, said Kotler, which was able to connect to a Windows machine with a specific configuration and end up gaining access to a machine without human intervention.
EternalBlue's patching crisis
Cyberattacks that run on autopilot leave little room for security organizations to prepare. With enough time, when a vulnerability is leaked, such as EternalBlue, bad actors will learn about them and create a database or set of automated attacks.
For Kennedy, the impending EternalBlue exploit became an operational mission in a small window of time.
Exploits "in the wild" take advantage of legacy Windows operating systems, such as Windows XP and Windows 2000. Kennedy's former employer had to evaluate its asset inventory before deploying any necessary patches, even though patches have a tendency to "break" core business processes.
The leadership team convened around the zero-day exploit and leveraged the relationship the organization had with Microsoft to get "beta patches" before their full release. In a 24-hour period the organization shut down the business to apply the patches.
Over the course of the weekend, Kennedy's team went through a "rapid testing process" to deploy the patches on test systems, to ensure their safety. While there were still cases for alarm, "I think we got through, over the course of 48 hours, about 80% to 90% of the enterprise."
When deployments are handled with negligence, patches can threaten the enterprise. Last year nearly 11,000 companies installed faulty software, including almost 9,000 running the same flawed open source software package that brought down Equifax.
Continuous security validation places focus on the "kill chain," according to Kennedy. "You want to minimize that initial access, you want to prevent that hacker or that attacker from getting an initial foothold in the environment."