Unshakeable Salt

Happy New Outbreak Day. Its 8am on the first ‘normal’ working day back in the New Year. I’m currently sat watching a Splunk dashboard light up as new virus infections are detected.  It happens every year, but amazingly many companies just don’t prepare for this.  It’s very predictable. The key indicators are all there, we’ve just accepted the risks and got ourselves into the festive season.

How it all started

It all started in the first half of December.  The monthly script kiddie frameworks ‘drop’ and within days there is plethora of malware messages landing within our honeypot mailboxes. The majority of the links / attachments were picked up by the usual filters, but the December drop does seem to include more undetectable malware than normal.

If an organisation operates good cyber hygiene, this doesn’t affect them much. There isn’t a major shift in risk.  Contracted vendors and 3rdparties rapidly identify the new malware and update their filters lists. The organisation continues to check every few hours for malware definitions, as well as checking for updates to all operating systems, applications and network devices.

As the organisation has good cyber hygiene, they have a complete asset management list and the necessary platforms and processes to ensure that they patches are deployed in a timely manner.

The December Delta

This is where December is different. Firstly, there is a common trend for a lot of people to take training courses before Christmas. There is spare budget to use up before the end of calendar year coinciding with a seasonal lull in operation.  Secondly, communications are ‘different’. Management send out their appreciation for the year and aspirations for the year ahead. People are more ‘chatty’, emails are more social and frequently deviate from what is normally policy within a business.  Thirdly, there is the holiday period were companies operate on skeleton staff, with limited functionality and reduced hours.

Finally (and by no means least), people switch off.  They are already half on holiday.  They are full of Spiced Ginger Bread Latte, are wondering about the cooking time for a  22lb Turkey and have they managed to remember the token gift for everyone.  Adhering and following good cyber hygiene really is at the bottom of the list.

New Outbreak Day

This brings us up to today.  At 8am there is a mass turn on of workstations that just haven’t received any patching or AV updates for the last few weeks.  To complicate matters, the Staff aren’t quite awake yet either.  Still a bit worse for wear from the New Years celebrations, all they want to do is get caught up on their email as fast as possible.  They are willing to dismiss any warning messages that they encounter on the way.

Windows update, out of date and with the ability to update manually disabled.
Out of date, but with the ability to update manually disabled

Staff are also willing to postpone a reboot that makes a patch effective. They’re even willing to ignore that AV warning at the bottom of their screen. Surely the company wants them to be productive sooner and not to sat around waiting for their computer to be ready?

Let’s just look at the inbox of phishing emails. They’re all well crafted to target this particular morning. Titled with “2019 update” or “Christmas Project Cancellation”, of course it must be important to them. They accept that there will be an email of good/bad news to open this morning. They either don’t twig that the URL in the email is wrong, or that the attachment insists that on macro is run in the background. Inevitably the Malware is downloaded and starts to spread across a network of similarly unpatched machines. 

Response

Hopefully the security team are already aware of the threat and the malware is quickly contained.  Specialists forensically investigate the infection, profile the characteristics and understand the delivery mechanisms.  As an orchestrated response, they push out the emergency change management requests to update firewall rules, blocking the inbound and outbound network connections.  The web filters are adjusted to block necessary URLS, preventing the payloads from being downloaded.  Staff are reminded via an instant message not to click links and to let their machines to update.  The Threat and Vulnerability Management suite aggressively scans the network, verifying the effectiveness of the response.

The loss will be minimalised to a drop-in productivity for a few days and business is back up to full strength ready for the following week. Just in time for the January malware frameworks to drop. Then we can do a new outbreak day all over again.

Director of Unshakeable Salt, an Information security specialist who first started contracting in 1997.

Next Post