Learning from NotPetya

If you have a free moment, read Andy Greenberg’s excellent Wired article on NotPetya. Andy focuses on the shipping company Maersk, a major victim of the attack, and describes how this event affected international shipping. In this article, I comment on some interesting quotes from the article.

“In 2016, one group of IT executives had pushed for a preemptive security redesign of Maersk’s entire global network. They called attention to Maersk’s less-than-perfect software patching…”

Like many companies, Maersk was slow to improve their security posture. The tasks associated with doing so likely get de-prioritised. It reminds me of a CSO who I had lunch with and lamented that his group was under-funded as they were “not revenue producing.” However, the upside of cybersecurity is in risk mitigation. The used case of NotPetya illustrates significant costs incurred when this risk is not adequately assessed (or not assessed at all).

“Before NotPetya’s launch, Microsoft had released a patch for its EternalBlue vulnerability.”

The EternalBlue vulnerability was one of three leveraged by the attack (Microsoft Office vulnerability CVE-2017–0199 and an FTP vulnerability on Me.Doc’s server). All these vulnerabilities were known ahead of time. It’s illustrative to consider this with Maersk’s lagging patch program. Granted, many organizations are simply overwhelmed by patching — which is why patch prioritization is key.

Vulnerability prioritization tools allow defenders to proactively patch (CYR3CON screenshot).
Vulnerability prioritisation tools allow defenders to proactively patch (CYR3CON screenshot).”NotPetya was saturating victims’ systems with terrifying speed: It took 45 seconds to bring down the network of a large Ukrainian bank.”

When a cyber-attack proceeds this quickly, many security mechanisms are unable to cope which is why avoidance has got to be a vital component of the strategy. Patch prioritisation and segmentation (lacking in Maersk at the time of the attack) are common strategies that can help an enterprise avoid such attack — or at least mitigate a fast-mover like NotPetya. It is also crucial to allocate resources in a way to maximise the avoidance of such attacks. Intelligence on the latest hacker tactics can significantly inform such strategies.

“No new bookings could be made, essentially cutting off Maersk’s core source of shipping revenue… NotPetya cost Maersk between $250 million and $300 million.”

This number is staggering! Note that losses of this size dwarf cybersecurity spending in just about every company.

“The result was more than $10 billion in total damages.”

Another staggering number — Greenberg says its the most damaging cyber attack in history. Firms like FedEx, Merck, and DLA Piper also suffered financial losses on a similar scale to Maersk. However, the $10 billion number suggests there were plenty more.


What can CSO’s learn form NotPetya? Well, here are some takeaways:

  • A fast-moving cyber attack may not afford any reaction time — making prevention (as opposed to remediation) the most cost-effective option
  • Attackers know defenders are overwhelmed with software vulnerabilities — which is why they continue to successfully employ known (but un-patched) vulnerabilities in attacks
  • Existing malware and exploits available to attackers is known — and this information can be leveraged to make better preventative decisions
  • If an enterprise improperly assesses cyber risk, they become more vulnerable to a rare but extremely expensive attack like #NotPetya

These learnings lead to tough decisions, and CSO’s of enterprises world-over often lose battles concerning resources. That said, the lessons from #NotPetya provide another vignette that can be used to educate senior decision makers.

The goal is not for senior leaders to make the “right” decisions, but instead make the most informed ones — decisions that duly consider a genuine cyber threat.