Blog WannaCry Attribution - The Missing Link or Missing The Point?

WannaCry Attribution - The Missing Link or Missing The Point?


The dramatic rise of the WannaCry ransomware attack that targeted a well-documented vulnerability in outdated Windows operating systems sprung into mainstream media late last week.


By the start of the week, the finger-pointing had begun. Microsoft pointed at the NSA calling for more responsible disclosure of vulnerabilities. Before you could say ‘nation-state actor’, a google researcher’s mysterious tweet inspired additional research linking the WannaCry attack to the alleged North Korean sponsored Lazarus Group.



And with that, we all could relax in front of a well-fanned fire of security vendor fueled reporting - breathing a long, familiar sigh of relief that North Korea, cybersecurity’s redheaded stepchild, had acted up yet again.


Why do we go so quick to attribution? As humans, we have a healthy discomfort with the unknown, but for a security operator on the front-lines of protecting corporate networks, attribution can be, at best, a luxury and, at worst, an unhealthy distraction from an already daunting job.


As an audience we desperately seek the comfort of a known villain, while security operators furiously triage a never-ending shitstorm of alerts, tickets, and fires in the name of protecting the networks that hold our most valuable data.


When the media takes hold of a story like WannaCry, security operators finally get their day in the sun. All the sudden, one of your friends who, until now, was pretty sure you were a cable repairman, raises an impressed eyebrow when you his  ‘did you guys see all the ransomwares today?’ question without correcting him. The hot-shot sales guys actually invite you to happy hour after you tell them how they can ‘get in on some of that bitcoin, bro’.  Cybersecurity stocks go up. You get called into the corner office to meet the CFO after he forwarded an article he read on to the entire IT department about WannaCry with a subject like “ARE WE PROTECTED!? LMK THX”.



Come Monday morning though and the attribution fingers start flying, security operators take the elevator downstairs and log into the cubicle below the blaring ‘power wall’ with the ridiculously irrelevant pew-pew lasers shooting across the map of the world and do the real dirty and thankless work of keeping our most precious data safe.




Attribution is important and the role our spy agencies play in responsibly disclosing vulnerabilities is a worthwhile debate in today’s age. But, when events like WannaCry happen, we too quickly gloss over the harder issues in favor of the sensational stories.

The vulnerability that WannaCry exploited was well-known and a patch was released over a month ago. Security operators were loudly raising the alarms about this specific attack then.


Even a search of #nhscyberattack provides some stomach churning foreshadowing...


No doubt, somewhere a security operator at one of the unfortunate victim companies is thinking about those times he was pleading for resources to upgrade the operating systems that were over 15+ years old, while his executive is already recounting the story of that time they were pwned by the North Koreans.


Legacy systems and the challenges of patch prioritization will always be exploited by the bad guys and the media will continue to spur on the righteous, quixotic quest to find a familiar villain, but there is a silver lining.


In the age of social media, the security community showed the strength of collaboration. In the early hours of the attack, the security twitterverse and blogosophere was alive with operators from around the globe helping each other understand and ultimately prevent the attack.



We have a history of working together to exchange intelligence in pursuit of protection from attack. This culture of collaboration is our best hope for keeping up with the ever-evolving nature of cyber attacks. Since the WannaCry outbreak that started last week, we’ve seen multiple new strains, like Jaff and Uiwix, surge onto the scene. Jaff, in particular, has been pillaging enterprise customers since early last week, but was drowned out by WannaCry.


As we brace for the next waves of ransomware inspired by the WannaCry frenzy, we have to seek more ways to break down silos, harness the proven power of collaboration and bring it beyond these massive mainstream events and more squarely and seamlessly into the important work security operators do everyday.

COVID-19 Impact & Community Response The following blog post details the security impact COVID-19 has on enterprise security teams. To learn more about TruSTAR and IBM’s Community effort ... Read More
Why Automated Data Workflows are a Foundational Capability for Enterprise SOCs SOAR technologies and the adoption of orchestration have fundamentally changed the way we think about cybersecurity, and we’re all better for it. ... Read More
Black Hat 2019 Recap: Strategies for Understanding Your Attacker   Read More
CSA Security Update Podcast: TruSTAR CEO Paul Kurtz on the Value of Information Sharing on Threat Intelligence   TruSTAR’s CEO and co-founder Paul Kurtz recently appeared on Cloud Security Alliance’s podcast, CSA Security Update, and sat down with podcast host ... Read More