One Article Review

Source: Errata Security
Identifier: 725976
Publication date: 2018-06-27 15:49:15 (seen: 2018-06-27 22:05:45)
Title: Lessons from nPetya one year later
Text:

This is the one year anniversary of NotPetya. It was probably the most expensive single hacker attack in history (so far), with FedEx estimating it cost them $300 million. Shipping giant Maersk and drug giant Merck suffered losses on a similar scale. Many are discussing lessons we should learn from this, but they are the wrong lessons.

An example is this quote in a recent article:

"One year on from NotPetya, it seems lessons still haven't been learned. A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains."

This is an attractive claim. It describes the problem in terms of people being "weak" and the solution as being "strong". If only organizations were strong enough, willing to deal with downtime and disruption, then problems like this wouldn't happen.

But this is wrong, at least in the case of NotPetya.

NotPetya's spread was initiated through the Ukrainian company MeDoc, which provided tax accounting software. It had an auto-update process for keeping its software up to date. This was subverted in order to deliver the initial NotPetya infection. Patching had nothing to do with this. Other common security controls like firewalls were also bypassed.

Auto-updates and cloud management of software and IoT devices are becoming the norm. This creates a danger of such "supply chain" attacks, where the supplier of the product gets compromised, spreading an infection to all of its customers. The lesson organizations need to learn about this is how such infections can be contained. One way is to firewall such products away from the core network. Another is port-isolation/microsegmentation, which limits the spread after an initial infection.

Once NotPetya got into an organization, it spread laterally. The chief way it did this was through Mimikatz/PsExec, reusing Windows credentials. It stole whatever login information it could get from the infected machine and used it to try to log on to other Windows machines. If it got lucky and obtained domain administrator credentials, it then spread to the entire Windows domain. This was the primary method of spreading, not the unpatched ETERNALBLUE vulnerability. This is why it was so devastating to companies like Maersk: it wasn't a matter of a few unpatched systems getting infected, it was a matter of losing entire domains, including the backup systems.

Such spreading through Windows credentials continues to plague organizations. A good example is the recent ransomware infection of the City of Atlanta, which spread much the same way. The limits of the worm were the limits of domain trust relationships. For example, it didn't infect the city airport, because that Windows domain is separate from the city's domains.

This is the most pressing lesson organizations need to learn, the one they are ignoring. They need to do more to prevent desktops from infecting each other, such as through port-isolation/microsegmentation. They need to control the spread of administrative credentials within the organization. A lot of organizations put the same local admin account on every workstation, which makes the spread of NotPetya-style worms trivial. They need to reevaluate trust relationships between domains, so that the admin of one can't infect the others.

These solutions are difficult, which is why news articles don't mention them. You don't have to know anything about security to proclaim "the problem is lack of patches". It's moral authority, chastising the weak, rather than a prescription of what to do. Solving supply chain hacks and Windows credential sharing, though, is hard. I don't know any universal solution to this -- I'd have to thoroughly analyze your network and business in order to
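The credential-reuse spread described above (one set of stolen credentials logging on to host after host, with PsExec dropping its service on each target) leaves a recognisable pattern in Windows Security logs. The following is an added example, not code from the original post: it reads Windows Security events exported as JSON lines, flags any non-machine account whose network logons (Event ID 4624, logon type 3) reach five or more distinct hosts within a five-minute window, and lists the hosts where a PsExec-style service (Event ID 7045 naming PSEXESVC) was installed. The field names follow the standard 4624/7045 event schema, but the JSON-lines export layout and every sample event are constructed for this example, and the five-host/five-minute threshold is an assumption to be tuned per environment.

```python
"""Detect credential-reuse fan-out of the kind NotPetya used to spread.

Added example, not code from the original post. Assumes Windows Security
events exported as JSON lines with the usual 4624 (network logon) and
7045 (service installed) fields; all events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _logon(ts, host, user, src):
    """Build one constructed 4624 network-logon record (assumed export shape)."""
    return json.dumps({"EventID": 4624, "TimeCreated": ts, "Computer": host,
                       "TargetDomainName": "CORP", "TargetUserName": user,
                       "LogonType": 3, "IpAddress": src})


# Constructed sample: svc-backup (a shared admin account) logs on to six
# workstations from one source in eighty seconds and PsExec's service lands
# on one of them; alice does one ordinary file-server logon; WS02$ is a
# machine account talking to a domain controller.
SAMPLE_LINES = [
    _logon("2018-06-27T10:00:00", "WS01.corp.local", "svc-backup", "10.0.1.25"),
    _logon("2018-06-27T10:00:15", "WS02.corp.local", "svc-backup", "10.0.1.25"),
    _logon("2018-06-27T10:00:31", "WS03.corp.local", "svc-backup", "10.0.1.25"),
    json.dumps({"EventID": 7045, "TimeCreated": "2018-06-27T10:00:33",
                "Computer": "WS03.corp.local", "ServiceName": "PSEXESVC",
                "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    _logon("2018-06-27T10:00:48", "WS04.corp.local", "svc-backup", "10.0.1.25"),
    _logon("2018-06-27T10:01:02", "WS05.corp.local", "svc-backup", "10.0.1.25"),
    _logon("2018-06-27T10:01:20", "WS06.corp.local", "svc-backup", "10.0.1.25"),
    _logon("2018-06-27T10:00:40", "FS01.corp.local", "alice", "10.0.2.14"),
    _logon("2018-06-27T10:00:41", "DC01.corp.local", "WS02$", "10.0.1.12"),
]


def parse_events(lines):
    """Parse JSON-lines events and attach a datetime under the 'ts' key."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["TimeCreated"])
        events.append(e)
    return events


def find_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: sorted hosts} for accounts whose network logons reach
    at least `threshold` distinct hosts inside any `window`-long span."""
    by_account = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4624 or int(e.get("LogonType", 0)) != 3:
            continue
        user = e["TargetUserName"]
        # Computer accounts (WS02$) and anonymous logons fan out legitimately;
        # skipping them keeps the signal on human/service credentials being reused.
        if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
            continue
        by_account[user.lower()].append(e)

    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        # Sliding window anchored at each logon: collect the distinct target
        # hosts reached before the window closes, keep the widest fan-out.
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                hosts.add(e["Computer"].lower())
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            hits[account] = sorted(best)
    return hits


def find_psexec_services(events):
    """(host, time) pairs where a PSEXESVC service was installed (Event 7045)."""
    return sorted(
        (e["Computer"].lower(), e["TimeCreated"])
        for e in events
        if e.get("EventID") == 7045
        and "psexesvc" in (e.get("ServiceName", "") + e.get("ImagePath", "")).lower()
    )


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for account, hosts in find_fanout(evs).items():
        print(f"{account}: reached {len(hosts)} hosts in one window: {', '.join(hosts)}")
    for host, when in find_psexec_services(evs):
        print(f"PsExec service installed on {host} at {when}")
```

Excluding computer accounts matters in practice: machine accounts authenticate to domain controllers constantly and would otherwise dominate the results. A shared local admin account of the kind the article describes shows up as the same username landing on many workstations from the same source address, so the `IpAddress` field is the natural next pivot; it identifies the host doing the spreading, which is the one to isolate first.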
Tags: Ransomware, Malware, Patching
Stories: FedEx, NotPetya, WannaCry


The article does not appear to have been picked up by others after its publication.


The article does not appear to be a repost of an earlier one.