Two Years Later: NotPetya’s Lessons for Cybersecurity Continue

In late June 2017, the highly destructive NotPetya malware appeared and spread with devastating efficiency across information systems and architectures worldwide. The attack not only broke records for speed and destruction, but also served as a wake-up call for security professionals to up their game on cyber defense. Let’s take a closer look at the important lessons of NotPetya, and at how those lessons continue to shape today’s leading practices in cybersecurity.

More Destruction, More Speed

Unlike ransomware and other attacks staged for profit, NotPetya marked a milestone in the era of destructive malware. Although it was dressed up as ransomware and exploited the same SMBv1 weakness as WannaCry (MS17-010, the EternalBlue exploit), NotPetya was built with apparently destructive intent: the "ransom" note offered no workable recovery path, and the damage to boot records and file tables was effectively permanent. It caused on the order of $10 billion in damage worldwide, a record for such an attack.

Just as 9/11 forever shifted our understanding of airline hijacking away from something negotiable, NotPetya has taught today’s security teams to assume destruction is a potential goal, to appreciate the elevated risk, and to act accordingly. That means doubling down on defenses and elevating cybersecurity beyond IT to the top of the C-suite and board-level agenda for enterprise-wide risk assessment.

In addition, NotPetya was built for speed. Unlike phishing and similar attacks that depend on a user taking the bait, NotPetya spread without human intervention; its code was designed to propagate automatically, rapidly and indiscriminately. In less than a day it circled the globe, hitting numerous industries across 64 countries and infecting more than 12,000 machines in Ukraine’s banking sector alone.

The speed of NotPetya’s spread was a wake-up call for security teams to generate and share threat insights faster. Cyber defenses today should employ near-real-time network traffic analysis rather than rely solely on signature-based alerting, which by design cannot flag a new worm until a signature for it exists. Advanced AI and machine learning are needed to help analysts keep pace with the speed of attacks, allowing quick threat identification and reaction.

Harder Questions about Attribution and Security

Further complicating the modern cybersecurity challenge, NotPetya’s spread was not only fast but also wide: within company architectures, throughout entire industries and across sectors, affecting major organizations including Maersk, FedEx and others. All the while, NotPetya’s design magnified the spread by harvesting credentials from the memory of infected hosts and reusing them with legitimate Windows administration tools (PsExec and WMI), so that fully patched machines were still infected by their unpatched neighbors. Patching alone was no protection.

This vast lateral movement underscores the weakness of perimeter-only defense strategies. Today’s cyber defenses must adopt a "when, not if" mindset toward penetration and lateral movement, which in practice means limiting the reach of any one credential between hosts and watching east-west traffic, not just the edge. They must also embrace a model for collective defense and threat information sharing across many companies, even between different interrelated industries.
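As an added illustration (not part of the original post and not IronNet code), here is a small detector for the credential-reuse pattern described above: one account authenticating over the network to many distinct hosts within a short window, which is what a worm armed with harvested credentials looks like in logon telemetry. The log format, host names, account names and thresholds are constructed for the example; in a real deployment the records would come from Windows Security event 4624 network logons (logon type 3) or from SMB/RPC session data on the wire.

```python
"""Added example: flag one account fanning out to many hosts in a short window.

The log lines below are constructed for illustration. Each line is
"timestamp,account,source_host,target_host" for a successful network logon.
Real input would be Windows Security event 4624 (logon type 3) or
SMB/RPC session telemetry collected from the network.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a service account sweeps six hosts in 30 seconds
# (the shape of a credential-reuse worm), while a user logs on normally.
SAMPLE_LOG = """\
2017-06-27T10:30:01,alice,WS-001,FS-01
2017-06-27T10:30:05,svc_backup,WS-014,WS-021
2017-06-27T10:30:09,svc_backup,WS-014,WS-022
2017-06-27T10:30:14,svc_backup,WS-014,WS-023
2017-06-27T10:30:20,svc_backup,WS-014,DC-01
2017-06-27T10:30:27,svc_backup,WS-014,FS-01
2017-06-27T10:30:35,svc_backup,WS-014,WS-030
2017-06-27T11:15:40,alice,WS-001,MAIL-01
""".splitlines()


def parse_event(line):
    """Split one CSV log line into (timestamp, account, source, target)."""
    ts, account, src, dst = line.strip().split(",")
    return datetime.fromisoformat(ts), account, src, dst


def detect_fanout(lines, max_targets=5, window_seconds=120):
    """Return {account: sorted distinct targets} for every account that
    reached at least max_targets distinct hosts within any span of
    window_seconds. Thresholds are hypothetical; tune to the baseline."""
    events = sorted(parse_event(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # account -> deque of (timestamp, target)
    alerts = {}
    for ts, account, _src, dst in events:
        q = recent[account]
        q.append((ts, dst))
        # Drop entries that have aged out of the sliding window; the entry
        # just appended always stays, so the deque is never empty here.
        while ts - q[0][0] > timedelta(seconds=window_seconds):
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= max_targets:
            # Keep the union of every target seen once the account is flagged.
            alerts[account] = sorted(set(alerts.get(account, [])) | targets)
    return alerts


if __name__ == "__main__":
    for account, hosts in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT {account}: {len(hosts)} hosts in window -> {hosts}")
```

On the constructed sample only svc_backup is flagged; alice's two logons an hour apart stay below the threshold. The window and target count are the knobs a real deployment would tune against normal administrative behaviour, and a fan-out from a workstation rather than a jump host is the kind of context worth adding as a second signal.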

As for attribution, NotPetya shows how definitively identifying the attacker in a modern cyberattack is getting at once harder and, sometimes, less consequential. While Russia is generally blamed for NotPetya (several governments formally attributed it to the Russian military in 2018), immediate attribution is less critical to the defender, given the rapid and indiscriminate nature of the attack. IronNet research has shown increased “collective offense” between criminal groups and state actors sharing tactics, targets, and capabilities. The delay or lack of attribution is also testing traditional notions of cybersecurity liability in cases where culpability can’t be determined.

Cyber defenders today are finding that the battles are more often waged by large-scale forces operating across blurry lines of attribution and obfuscated collaboration among threat actors, a “collective offense” that is changing the methods and strategies modern cyber defenses must employ. As this trend continues, we’ll increasingly find that success lies with a collective defense among industry players, those companies willing to share more fully across organizations and industries. The more we can learn from NotPetya, the better we can guard against its successors.
