Responsible Threat Intelligence: Lessons from WannaCry


By Craig Williams, Sr. Technical Leader / Security Outreach Manager, Cisco Talos

During the recent WannaCry campaign, I couldn't help but notice how much false information about the attack was being communicated irresponsibly. Early reports were flooded with this misinformation, incorrectly stating that the ransomware was spreading via email instead of as an SMB-based worm. Swarms of headline-chasing vendors regurgitated this false information without any firsthand verification.

Can you imagine the frustration of a first responder spending hours looking for phantom emails that never existed instead of finding a way to remediate the actual problem? This is completely unacceptable.

Threat intelligence must be built upon trust. Without that, the data is low fidelity and should not be considered. At a high level the very first rule when responding to a security incident is, "don't panic" – even if the internet is imploding. Getting the details wrong or spreading misinformation is not helpful to anyone. Details must be gathered and verified by trusted sources – ideally first hand – so that you can ensure the fidelity of the data. With this in mind, you must design and develop mitigation techniques that can be used in your environment. Finally, these techniques should be tested across as many samples as possible.

Talos always tries to give back to the community, while also maximizing the damage we create for our adversary's infrastructure. This may be a tool like LockyDump or the Function Identification and Recover Signature Tool (FIRST) framework. At a minimum, what you can count on Talos to provide is a completely free analysis of the threat, how it works, and how to defend against it.

We also include all of the Indicators of Compromise (IOCs) we can verify so that people can determine if their systems have been impacted. Talos also releases all of the rules for the Snort community set so that everyone, even those without Cisco network security, can load our rules and defend themselves.

It concerns me so many of our competitors don't publish IOCs when it only harms the good guys. This fallacy of publishing and not providing IOCs is completely irresponsible and must stop. There's a lot we can learn from WannaCry – and no shortage of articles have been and continue to be written about it. I hope the intelligence community can rally around some key principles in disseminating information responsibly.

Talos is Cisco's industry-leading threat intelligence team that protects your organization's people, data and infrastructure from active adversaries. The Talos team collects information about existing and developing threats, and provides comprehensive protection against more attacks and malware than anyone else. All Cisco Security products utilize Talos threat intelligence, providing fast and effective security solutions. Our job is protecting your network.

Sustaining Partners