During a talk at Black Hat Europe 2019, the CISO of Maersk, which nearly lost its entire IT infrastructure as a result of the 2017 NotPetya attack, highlighted several key lessons learned, including the equal importance of recovery alongside detection and prevention, and the growing value of threat hunting.
It's hard to imagine a worse day as a CISO: 49,000 laptops and more than 1,000 applications destroyed; all printing and file-sharing systems knocked offline; cloud-management system software ruined; and DHCP and Active Directory servers rendered useless.
It took just seven minutes for NotPetya to lay waste to virtually the entire IT infrastructure of the global shipping giant AP Moller Maersk. The 2017 attack, which entered through a compromised third-party application, paralyzed Maersk's global logistics operations.
It's no wonder Cisco Systems referred to NotPetya as the fastest-moving malware attack it has ever seen. At one point, it was unclear if Maersk could ever fully recover from an attack that cost the company an estimated $300m.
Nearly three years later, Maersk is thriving again. Maersk CISO Andrew Powell, a former CIO for the UK's Royal Air Force who took over cybersecurity at Maersk following the attack, spoke about the incident and highlighted several important lessons for enterprises.
First, a crippling cyberattack can happen to any organization at any time. Every enterprise should assume an adversary has a foothold inside its perimeter at any given moment. Powell said Maersk has discovered three nation-state-related adversaries inside its network in the past six months alone. Planning for the worst means creating and updating detailed incident-response plans that involve all key stakeholders, regularly running tabletop exercises to identify shortcomings and improve processes, and accounting for the new tools, tactics, and procedures of adversaries as they emerge.
Maersk has also invested in the creation of its own "red team" threat-hunting group. The group operates largely independently from the rest of the cybersecurity organization. It studies emerging threats, probes the organization for vulnerabilities the same way adversaries would, and helps identify how to mitigate future avenues of attack. Because Maersk values skills over schooling, some on the team lack college degrees, but all help the company understand how their adversaries think. Whether hired internally or outsourced, every large enterprise now needs this capability.
The attack against Maersk was particularly crippling because NotPetya took out both its primary Active Directory deployment and its online backup. It was a scenario the company had never planned for, and it was only through good luck that a chance power outage at the time of the attack spared one AD node, which was used for the recovery. This is a contingency for which every organization must now plan. All mission-critical systems should be backed up daily, with an offline backup updated no less than weekly. The time and cost involved in such meticulous backups might seem excessive, but each organization should consider whether some budget currently allocated to threat detection and prevention should be reallocated to recovery. Maersk has since undertaken this effort and wishes it had done so sooner.
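The daily-online, weekly-offline policy above is only useful if someone checks that it is actually being met for every mission-critical system, and in particular that an offline copy exists at all, since that is the copy a wiper that reaches the online backup cannot touch. The script below is an added example, not code from the article or from Maersk: it walks a constructed backup inventory (the field names `system`, `last_online` and `last_offline` are assumptions chosen for the example) and reports every system that falls outside the policy.

```python
"""Backup-policy freshness check.

Added example, not from the article: flags systems whose backups fall
outside the daily-online / weekly-offline policy.  The inventory below is
constructed sample data, not Maersk's; field names are assumed for the example.
"""
from datetime import datetime, timedelta, timezone

# Policy thresholds as stated in the article: online backup daily,
# offline (disconnected) copy refreshed at least weekly.
ONLINE_MAX_AGE = timedelta(days=1)
OFFLINE_MAX_AGE = timedelta(days=7)

# Constructed inventory: ISO-8601 UTC timestamps of the last successful backup
# of each kind, or None when no backup of that kind has ever been recorded.
SAMPLE_INVENTORY = [
    {"system": "ad-dc-01",   "last_online": "2019-12-04T01:00:00+00:00", "last_offline": "2019-11-30T00:00:00+00:00"},
    {"system": "ad-dc-02",   "last_online": "2019-12-04T01:00:00+00:00", "last_offline": None},
    {"system": "file-share", "last_online": "2019-11-30T01:00:00+00:00", "last_offline": "2019-11-20T00:00:00+00:00"},
]

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2019, 12, 4, 12, 0, tzinfo=timezone.utc)


def _parse(value):
    """Parse an ISO-8601 timestamp into an aware UTC datetime; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_backups(inventory, now):
    """Return a list of (system, finding) tuples, one per policy violation.

    A system with no offline copy is reported even if its online backup is
    fresh: that is exactly the state in which a wiper hitting both the
    primary and the online backup leaves nothing to restore from.
    """
    findings = []
    for entry in inventory:
        name = entry["system"]
        online = _parse(entry.get("last_online"))
        offline = _parse(entry.get("last_offline"))

        if online is None:
            findings.append((name, "no online backup recorded"))
        elif now - online > ONLINE_MAX_AGE:
            findings.append((name, f"online backup stale: {(now - online).days}d old, policy is daily"))

        if offline is None:
            findings.append((name, "no offline backup recorded"))
        elif now - offline > OFFLINE_MAX_AGE:
            findings.append((name, f"offline backup stale: {(now - offline).days}d old, policy is weekly"))
    return findings


def systems_in_violation(inventory, now):
    """Sorted list of distinct system names with at least one finding."""
    return sorted({name for name, _ in check_backups(inventory, now)})


if __name__ == "__main__":
    for system, finding in check_backups(SAMPLE_INVENTORY, NOW):
        print(f"{system}: {finding}")
```

Run against the sample inventory, `ad-dc-01` is compliant, `ad-dc-02` is flagged for having no offline copy at all, and `file-share` is flagged twice (online 4 days old, offline 14 days old). Feeding the real inventory from a backup system's job history into `check_backups` and paging on a non-empty result is the kind of continuous check that turns the article's recommendation into something auditable.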
Finally, every organization must understand that increasing reliance on third-party technology and on operational technology (OT) devices means it is impossible to directly control or secure many of the elements that pose risk. Whether the source is a third-party application, as in Maersk's case, or the IP-enabled engine inside a massive container ship, cybersecurity leaders must adopt a framework-based approach for identifying and assessing all of the organization's sources of IT risk (often in tandem with governance, risk, and compliance (GRC) groups) and then decide which risks to eliminate, which to mitigate, and which to accept. Not all incidents can be prevented, but making deliberate, informed IT risk decisions and driving policy based on them can help avoid the worst-case scenario.