A few months ago, I was working on a risk assessment with a business, and one of the most extreme threats, beyond targeted malware, was an attack by a nation state. Given that the business being assessed wasn't involved in, or related to, critical infrastructure, and the IP wasn't such that it was of national or military importance to gain leverage, we gave the risk a low rating. In recent months, due to the leaking of custom malware developed by the NSA, the tools considered available only to nation states are now available to everyone. Where the internet democratised the attack vectors employable against entities with an online presence, the leak of custom, targeted malware has lowered the barrier to entry such that even non-sophisticated malicious actors can leverage the experience, expertise and destructive force of a nation state.
We know that WannaCry exploited a vulnerability in Windows software and NotPetya exploited the same vulnerability, albeit through different means, with a greater ability to subvert protections. We also know many recommendations are related to patching and some configuration changes. These are good recommendations given the attack vectors being used in this attack. However, we must bear in mind that this is a single attack built around the EternalBlue exploit only. Will the recommendations suffice not if, but when, other exploits are utilised? Remember that the leaked tools include Windows exploits as well as exploits against the Linux OS, Mac OSX, iOS, Android and Cisco. I'm pretty certain that your organisation is likely using more than one of these platforms!
So back to the risk assessment. Now we all need to consider ourselves to be vulnerable to compromise, not necessarily by a nation state, but by actors with the tools of a nation state. It's also worth considering the leaks we've seen are from the NSA toolkit; there are certainly other intelligence agencies with a comparable cache.
It's fair to say we cannot trust the platform, but:
- Can we harden the platform to such an extent we can trust it? i.e. hardening to maximise security
- Can we make our platform immutable? e.g. use of read-only containers
- Can we use serverless architecture?
If we cannot trust the platform, can we trust our applications? Maybe! Can we trust the libraries our applications are using?
If we must operate upon a platform we cannot trust with application libraries that may be vulnerable, can we:
- Identify and react to attacks leveraged against these?
- Automatically or easily alter configurations to mitigate the attack or risk of attack?