How Can We Prepare?
When you put all of these scenarios together you get some pretty scary possibilities. What if an attacker who was not motivated by money were to unleash a slowly replicating worm that would lie dormant for months, infecting tens of thousands of machines across multiple cities and targeting one or more kinds of infrastructure via a network of compromised IoT devices? What would happen if not one, but all of the hospitals, utilities, or banks in a metropolitan area were hit at once? For the most part, ransomware attacks have been more of an annoyance, but with the WannaCry infections that hit medical and transportation systems, we see the very real impact these cyberattacks can have on critical infrastructure.
With that said, the likelihood of someone combining all of these elements and evolving the attack this far in a single step is essentially unprecedented, though WannaCry certainly hinted at the potential. Only certain groups would have the level of sophistication and coordination necessary to carry out an attack at the level we're describing here. Nonetheless, it is certainly possible, if not probable, and it would fit the common criteria of a black swan cyberattack (i.e., the probability of occurrence is low; the impact, if it happened, would be high; and, in retrospect, we could explain how it could have happened). The reality is that history is littered with these kinds of events, and the past teaches us that once-improbable scenarios eventually do happen.
So how can we prepare for something like this? One positive about the type of attack described above is that time is on our side. If an attacker wanted to keep a ransomware infection concealed within the noise of everyday life, it would need to move slowly. And although many organizations are ultimately connected to one another, for a dispersed but coordinated attack to have the highest chance of success, the ransomware would likely have to be distributed through both social engineering channels (phishing emails, infected USB drives, smishing messages, etc.) and a worm. That means it would have to evade a lot of eyes over a long period of time.
This is why employee security awareness training can play a key part in prevention: end users would almost certainly be the targets on the social engineering side, and they would be the ones to raise a red flag if something seemed wrong. Better patch management procedures also play a role, because closing off known vulnerabilities would force the ransomware to mutate and leverage other vulnerabilities. Finally, it's critical that you apply risk management practices and have a playbook ready in case a disaster like this strikes; that playbook would help you recover faster and reduce the chance of compounding the problem with further mistakes.
Stay tuned for a future post, in which I will discuss some lessons we can learn from agile development that could help increase the speed of patching.