The recent cyber-attack caused disruption around the globe and has infected companies in an estimated 64 countries, including major banks, oil and gas organizations, law firms and advertising agencies. According to anti-virus vendor ESET, 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%.
Generally, ransomware similar to the previous Wannacry attack spread via “worms”. The worms multiply exponentially until they discover a particularly vulnerable exploit within an organization. One of these is via the so-called EternalBlue hack - thought to have been developed by US NSA developers, which uses an exploit in protocol to let computers and other equipment talk to each other, known as the Server Message Block (SMB).
As of the publishing of this article, it is still unclear who was behind the cyberattack and just how far the damage could reach, but Petya is markedly the latest and perhaps most sophisticated in a series of attacks chipping away at the confidence that security teams have in their toolsets, procedures and processes.
Never Ending Arms Race
With the Ransomware spreading like wildfire across the globe, thousands of companies have been scrambling to safeguard their data. Microsoft Security Bulletin is recommending various security patches that were previously released to make sure that Petya Ransomware and its variants cannot progress. Additionally, Microsoft has provided a guide to help secure windows systems against the EternalBlue exploit opening up this particular brand of attack. For those that are already facing Petya, there doesn't appear to be a way to restore corrupted filesystems, and no option to pay the ransom, because the Posteo webmail address given to pay the $300 ransom has been shut down.
What security leaders should be considering is how dangerous it has become to have disconnected systems spitting out reports and failing to garner actionable intelligence. The ability to correlate these alerts in real time, manage cases efficiently and respond effectively has pushed Security Orchestration to the top of the security food chain in recent months.
So you installed a patch….now what? Time to consider Security Orchestration
Once we get beyond the immediate patchwork of solutions and accept that these attacks will continue, we need to think about how to best bolster response. Security orchestration allows for automation and improved capabilities to navigate the full scope of security operations and incident response activities from the initial alert through to remediation. Simply put, context, automation and analyst enablement ensures that the disease is cured, not just the symptoms.
Petya is a warning to companies struggling to keep up with alerts - and a clear use case for those struggling to create context from their data and efficiently run their SOC. Tightly coupled automation with threat management and investigation provides the ultimate balance of machine driven and analyst led response.
Having just passed the halfway mark for 2017, the threat landscape has now grown to have brought some of the largest and most critical global organizations to their knees, creating a ripple effect throughout world economies with no sign of slowing. WannaCry was a small warning in comparison to Petya, and if this trend continues, the next massive attack could be a tipping point.
To learn more about how Siemplify is helping companies manage alerts and build the next generation SOC Request a Demo Here...