DHS wargames included a scenario similar to WannaCry

The table top exercise demonstrated a need for clear communications between federal, state, and private businesses


In March of 2016, the Department of Homeland Security conducted a national exercise to see how the government and the private sector would react to a multi-sector cyberattack on critical infrastructure.

The scenario included malware mimicking some of the traits of WannaCry, including a kill switch function and the targeting of commonly used protocols. In the end, the private sector saved the day, but not without facing some serious challenges.

The DHS exercise is known as CyberStorm, and it was during CyberStorm V (CS V) that the participants were introduced to a type of malware that had some interesting characteristics.

In the after-action report, DHS outlined the scenario:

"Players responded to a cyber-specific scenario that leveraged weaknesses in common protocols and services used on the Internet. The scenario included impacts to routing methodology, the Domain Name System (DNS) used to map hostnames to Internet Protocol (IP) addresses, and Public Key Infrastructure (PKI) used to provide authentication and confidentiality. Scenario conditions affected a wide variety of corporate and government systems, medical devices, and payment systems. During scenario play, the malware included a feature that bricked infected systems when players blocked against the malicious IPs. Resolution required a coordinated government and private sector response.

"The CS V adversaries incorporated real world threat elements and had the resources, capabilities, and intent to carry out sophisticated and pervasive attacks. Multiple adversaries used the impacts to routing, host name mapping, and authentication to design and deliver attacks against exercise participants. In particular, one primary adversary group developed a sophisticated command and control network and allowed supplementary groups to purchase the access necessary to deliver targeted malware specific to certain sectors. This allowed a diverse set of adversary groups to target CS V players."

In contrast, WannaCry targeted a common protocol that was known to be vulnerable, and included commands to spread if a kill switch domain didn't respond to a lookup. Ransomware itself, malware in general really, has become a service-based industry for criminals, as the barrier to entry is low and the payouts virtually unlimited.

CS V was just a drill, but the recent WannaCry attacks were nothing of the sort.

Luckily for the public, a researcher discovered and registered the kill switch domain, thus preventing WannaCry from spreading. A day later, a second WannaCry variant was stopped by another researcher who was able to register the new kill switch domain.
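The defender's side of the kill-switch mechanism described above, as an added example that is not part of the article: once the domain is registered and resolves, any host that still looks it up is behaving like an infected machine, and DNS query logs become a detection source. The log format, the IP addresses and the kill-switch domain name are constructed placeholders.

```python
"""Added example (not from the article): flag hosts that queried the
WannaCry-style kill-switch domain, using DNS query logs.  A successful
lookup (NOERROR) means the domain was already registered when the host
checked it; NXDOMAIN means the host checked before registration, when the
malware would have proceeded to spread.  Log format and domain are constructed."""
import re

# Placeholder for the kill-switch domain; the article does not name it.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed log format: "<timestamp> <client-ip> query <qname> <rcode>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) query "
    r"(?P<qname>\S+) (?P<rcode>\w+)$"
)


def hosts_querying_kill_switch(log_lines, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: (query_count, saw_nxdomain)} for every client
    that resolved the kill-switch domain.  Case and a trailing dot in the
    query name are normalised; malformed lines are skipped."""
    hits = {}
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        if m.group("qname").rstrip(".").lower() != domain.lower():
            continue
        count, nx = hits.get(m.group("client"), (0, False))
        hits[m.group("client")] = (count + 1, nx or m.group("rcode") == "NXDOMAIN")
    return hits


# Constructed sample log: two hosts touch the domain, one before registration.
SAMPLE_LOG = [
    "2017-05-12T10:01:02Z 10.0.0.5 query killswitch-placeholder.example NXDOMAIN",
    "2017-05-12T10:01:03Z 10.0.0.5 query www.example.org NOERROR",
    "2017-05-12T10:05:09Z 10.0.0.9 query killswitch-placeholder.example. NOERROR",
    "2017-05-12T10:05:10Z 10.0.0.5 query KILLSWITCH-PLACEHOLDER.example NOERROR",
    "this line is not a query record",
]

if __name__ == "__main__":
    for ip, (count, nx) in sorted(hosts_querying_kill_switch(SAMPLE_LOG).items()):
        flag = "queried before registration" if nx else "queried after registration"
        print(f"{ip}: {count} lookup(s), {flag}")
```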

Yet the tabletop program run by DHS uncovered a number of issues, which will certainly play out in real life should a more damaging version of WannaCry emerge.

Consider the game from the viewpoint of a participant who recently spoke to Salted Hash.

First, they were given some indicators (IP addresses), and early reports indicated that one retailer had 200 systems bricked. While that is intelligence, and it does count as information sharing, it isn't especially useful during a national incident without the context needed to explain what is actually being presented.

The immediate challenge for CS V participants was getting in touch with other organizations in order to learn the impact this attack had on them.

As the DHS report on CS V notes:

“…in general, the community lacked a cohesive framework to guide cyber response activities at a national level, particularly regarding escalation processes, decision-making, and development and distribution of large-scale remediation strategies.”

“When players provided reporting, they did not use quantifiable impact assessments to provide a clear understanding of the relative effects across their organizations. This affected understanding of the risks at an industry and ultimately national level, challenging players’ ability to assess the severity of the attacks, to manage the risks, and to determine the potential cascading impacts.”

Sound familiar?

One of the aspects of the malware tracked during CS V was that traffic from the C2 had to be signed with a particular private key, which could be dug out of the binaries on an infected system. But when it came to forensics, any anti-virus usage (as well as other forensic tools) would brick the system immediately.

Yet when the C2 IP addresses were sent out, another CS V participant explained, things went downhill fast. Teams in the federal and private sector started blocking C2 addresses or conducting forensics on the infected machines. This resulted in a number of bricked systems, and a lesson that block and tackle doesn't work in every situation.

Other challenges from CS V that translate to the real world included getting timely responses from the FBI and the ISACs. It seemed that every organization wanted to be the ringleader, holding its cards close instead of sharing context-added data with the others.

Compare this setting to WannaCry's initial outbreak. Within a few hours the issue was contained thanks to a quick-thinking researcher in the UK, and other experts who determined not only how the malware was spreading, but why. No one wanted to be the ringleader; they just shared the information they had with everyone.

The public got lucky with WannaCry, but if something similar to the tabletop exercise happens, will luck save us a second time?

"By their very design, tabletop exercises have neat endings. In the messy real world of security, a crisis can continue for weeks or months, and it takes hard work to clean up, because every enterprise has its own combination of obstacles, resources and capabilities. You can’t just replace a multi-million-dollar MRI whose software can’t be patched, when you have patients lining up to be scanned," explained Wendy Nather, principal security strategist at Duo Security.

Eventually, a participant in the private sector was able to get the private key for the CS V malware from a snapshot of an infected system. At that point, DHS ended the exercise.

However, the game ended before the real problem and resolution could be tested.

The private sector would have had to coordinate with the state and federal level to explain to victims how to stand up their own C2 with the private key to disable the malware, without tipping off the original threat actor.

How do you do that at scale?

(As a side note, some of the participants in CS V were considering developing a C2 as a service option to help less savvy victims uninstall the malware.)

A person familiar with CS V, who could not speak on the record, suggested that when it comes to sharing threat intelligence, organizations need to start building relationships now. These relationships should include peers and law enforcement.

In addition, organizations need to practice sharing information, but this will require that they understand what details can be shared and that the proper permissions have been secured from leadership beforehand.

The best threat intelligence is generally in the form of a story: "First this happened, and then we tried this, and then the adversary did this..." and so on, the person explained.

But what can you do today, right now, to prepare for future WannaCry attacks?

“At the very least, organizations should take stock of their biggest risks: which systems cannot be updated, where they need to borrow expertise in an emergency, and what they could begin to improve on right now, even if it means launching a multi-year project. The most complex systems are generally the slowest and hardest to change, and they also tend to be the most critical to the business. If you know you can’t prevent something, try to invest in detection and response,” Nather said.
