Cybersecurity Investigations: Do You Have the Missing Piece of the Puzzle?

Have you ever thought any of these things to yourself when you see something that’s just not right?

“I don’t want to bother them with it.”
“What I saw can’t be that important.”
“I’m sure I’m wrong.”

When it comes to cybersecurity, many people inadvertently walk around with a key piece of information that could help solve a problem or unlock a puzzle, and don’t even know it. Much of what we do in a cybersecurity investigation relies on details we’ve gotten from staff, and the more detail we get, the better. I’ve experienced more than one situation during my career where I knew I was close to solving something, but I just didn’t have enough pieces of the puzzle to see the whole picture.

If you would, join me for a quick story. I’ll set the Wayback Machine to May of 2017, and by the time we return, you’ll see why sharing the little details makes all the difference in a cybersecurity investigation.

For those of us in the information technology or information security fields, May 12, 2017, was a real watershed moment. This was the day the WannaCry Ransomware attack happened. Before this, most of us looked at ransomware attacks as something that happens to the unprepared or unaware…or at least to someone else. But on May 12, 2017, it happened to everyone. Or it almost happened to everyone, were it not for our unsuspecting hero.

At about 2:45 a.m. ET, computers in Europe and Asia started to be infected with the WannaCry ransomware. The ransomware would encrypt the data on a system’s hard drive, then move to a new system and repeat. This went from company to company, country to country, like a plague spreading across the globe. The attack covered more than 300,000 computers within various hospitals, businesses, universities and governments in more than 150 different countries. It took advantage of a vulnerability in the Windows operating system to gain access to a device, infect it with ransomware, encrypt the data on the drives and then move to a new machine.

Here is where our unsuspecting hero steps into the story. Marcus Hutchins was a young computer security researcher living in Devon, in the southwest of England. As a computer security researcher, he had always been fascinated with viruses, malware and finding vulnerabilities in computer code. On the morning of May 12, he was contacted by a friend who asked if he had seen anything on this new ransomware attack called WannaCry and if he wanted a copy of the code to review. Marcus, being an inquisitive fellow, gave a quick “yes” and, within minutes, was looking through the code to try and figure out how it worked.

As the afternoon passed, Marcus found something odd in the code. He’d discovered that after the virus was done encrypting the data on a computer’s hard drive, it was instructed to reach out to a web domain for further instructions. Marcus searched for this domain on the internet but found that no one owned or had registered it. It seemed strange to Marcus that the ransomware was instructed to look for a domain that did not exist. Like the proverbial cat, curiosity got the better of Marcus, and he wanted to find out what would happen if the domain existed. So, Marcus spent $12 to register the domain and take ownership of it. Then, he waited.

Once the web domain was registered, the ransomware had a place to reach out to and could move on to the next step in its programming. This was the ransomware’s “kill switch,” a way to stop it from spreading if it got out of the control of its operators. The way it worked was simple – if the lookup for this domain succeeded, the virus would stop and not jump to a new computer. If the domain was not found, it would continue to the next machine.
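The same lookup that acts as the kill switch is also a useful detection artifact for defenders: every host that asked a resolver for that domain ran the code, and the answer it got tells you whether the check failed (before the domain existed) or succeeded (after the sinkhole was in place). The following is an added example, not code from the original article; it assumes a constructed placeholder domain (the article does not name the real one) and a simple, made-up resolver log format.

```python
import re

# Placeholder: the page does not name the real kill-switch domain, so a
# constructed stand-in is used throughout.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log lines (not real data), in an assumed format:
# <timestamp> client <ip> query <name> <qtype> <rcode>
SAMPLE_LOG = """\
2017-05-12T14:31:07Z client 10.0.3.17 query killswitch-placeholder.example A NXDOMAIN
2017-05-12T14:31:09Z client 10.0.3.17 query updates.example.net A NOERROR
2017-05-12T14:35:44Z client 10.0.7.2 query killswitch-placeholder.example A NXDOMAIN
2017-05-12T21:02:10Z client 10.0.9.41 query killswitch-placeholder.example A NOERROR
2017-05-12T21:02:12Z client 10.0.3.17 query killswitch-placeholder.example A NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<name>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Group lookups of the kill-switch domain by client host.

    Any query for it means the ransomware ran on that host. NXDOMAIN answers are
    lookups from before the domain was registered (check failed, spreading went
    on); NOERROR answers came after the sinkhole existed (kill switch fired).
    """
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["name"].lower() != domain.lower():
            continue
        entry = hosts.setdefault(rec["client"],
                                 {"first_seen": rec["ts"], "nxdomain": 0, "resolved": 0})
        entry["nxdomain" if rec["rcode"] == "NXDOMAIN" else "resolved"] += 1
    return hosts

def triage(hosts):
    """Label each infected host by what its lookups imply about further spread."""
    return {h: ("spread_before_sinkhole" if e["nxdomain"] else "halted_by_kill_switch")
            for h, e in hosts.items()}

if __name__ == "__main__":
    for host, label in triage(find_kill_switch_lookups(SAMPLE_LOG)).items():
        print(host, label)
```

Every host in the output needs attention regardless of label; the label only says whether the check failed on that host while the domain was still unregistered.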

After seven painful hours of this malicious code rampaging across countries and industries around the globe, Marcus Hutchins stopped it with just $12. What would have happened if he had not taken his small discovery about the domain, his piece of the puzzle, and added it to his investigation? I’m sure someone would have found the same line of code and solved this the same way at some point. But the bigger question for me is, how much more damage would have been done if Marcus had not spoken up?

The moral of this story is simple: take a page out of Marcus’ book and speak up next time you see something odd. Your information, no matter how small, could be the piece of the puzzle we all need to solve the next cybersecurity problem.

Mike Bechtel is the information security director for Vizo Financial Corporate Credit Union. As such, he oversees incident response planning services, information security risk assessments, security awareness training, social engineering and vulnerability testing and reporting, and information security-related consulting services for credit unions.