When it all kicks off: What happens at a security firm when a global malware outbreak occurs?
McAfee chief scientist Raj Samani explains how security firms respond to a global security crisis
When malware goes global, like the WannaCry ransomware in May or NotPetya, which is believed to have been designed to destroy rather than turn a profit, security researchers and software suppliers swing into action.
And, often, the firms don't just go into overdrive, but overtime.
"When you're dealing with WannaCry, it was Saturday and I had 400 messages an hour across multiple platforms. I was working and communicating with law enforcement, journalists, comms teams and others, and it was important to detail what we knew so far as the research continued," Raj Samani, chief scientist at McAfee, tells Computing.
"The key is to develop communications to answer the questions customers have," Samani adds. "They want to know what's happening, are they protected, what do they need to do? And that's not as simple as it sounds."
Internal testing is also critical, to ensure that the advice his firm publishes is accurate.
"I was working all weekend," says Samani. "My phone was going off every other second. My daughter said she can't wait to get 400 messages an hour, as she gets one. I said I'd happily swap!"
Samani says that it's important to stay on top of the communication as customers expect to be kept up to date.
"If you look at [the] Petya and NotPetya [outbreaks], we had knowledge-based articles up within the hour. That's the beginning of the snowball. You get the initial message that there's this issue occurring and then suddenly it's wider than expected, then it's a global outbreak.
"I was in California, and I was working with my lead researcher in the Netherlands. We were getting internal teams together, conducting research, performing analyses, looking at third-party sources, and making sure we weren't missing anything. We had a very detailed blog up within around three hours.
McAfee has also been involved in the No More Ransom initiative, which it co-founded. Samani says that there are now more than 100 partners in the programme, which aims to help people be aware of the issues and understand how to protect themselves.
After the initial burst of analysis and communication comes the more detailed analysis.
"At that point we ask if there's an opportunity to be able to get the decryption key? Can we recover the data of impacted organisations? With WannaCry we spent two weeks analysing it, we tore the code down, did full analyses and shared the technology and our results for free.
"We managed 29,000 successful decryptions for free, and we don't capture anyone's details either. We do it because it's the right thing to do."
He adds that his teams also work with other, competing security firms, on top of academia, researchers and law enforcement.
"We have these operational working groups which can communicate and work together when a major issue occurs. That's important. When those things occur we have to know if anyone has a sample, and being able to bounce ideas off one another is also key.
"Our customers expect us to protect them, that's our number one objective. If that means we're collaborating with other firms, then that's the expectation."
He sums up, describing the situation during an outbreak as "nuts".
"I was tempted to put a tweet out before I went on holiday: 'Please no major malware outbreaks for two weeks'. But that would've been tempting fate. And I'm cautious about putting out that sort of private data, I don't even put an out of office on. You can get spear phished, because they know when you're back or where you've gone, they can call your secretary and make it sound like they know you."
He does however use Twitter to put information out during a big malware outbreak.
"I used Twitter when NotPetya hit. As we were finding things out, I was putting it out on my stream, and that was feeding a more detailed deliverable we then posted out later. But Twitter's crazy when things happen, there's so much noise."
Finally, he explains that outbreaks can happen at any time of the day or night, and when they hit, it's time to go to work.
"In our role, when these things happen customers expect you to be there. Even if it's 4am, you just do it, don't even think twice. And it can be fun, although fun is a relative term," he adds.