All that twitterz is not gold: Why you need to rely on multiple sources of intelligence
Twitter has become an extremely valuable tool for security researchers. Experts including Kevin Beaumont and PwnAllTheThings frequently post research findings on the site, and following these feeds can be an excellent way to keep up with the latest developments in the information security space. However, during major incidents affecting organizations worldwide, such as the wCry and NotPetya outbreaks, relying too heavily on Twitter can cause serious problems for organizations scrambling to respond.
On May 12th, as the scale of the wCry outbreak became apparent, researchers and businesses scrambled to ascertain how the malware was spreading while security operations analysts attempted to harden their networks against the threat. During this period, many users and some media outlets speculated that the malware was spreading via an email vector.
Figure 1 - Screenshot of tweet on a supposed email vector for wCry.
Even though little specific information was available, many users assumed that email had been the vector.
Figure 2 - Screenshot of tweet on a supposed email vector for wCry.
This might often be a safe assumption, since spam email is by far the most common delivery vector for ransomware. In this case, however, it was unproven. It later emerged that a major contributor to the confusion was a spam campaign delivering the Jaff ransomware, which was highly active on the same day. Although it was not confirmed until later, throughout the afternoon of May 12th multiple researchers accurately identified the true propagation vector used by wCry: SMB. Unfortunately, in some instances security advice was given on the basis of this understandable confusion, potentially leading security operations personnel to spend time hunting for spam emails while the worm continued to spread over SMB, where no amount of mail filtering would stop it.
Figure 3 - Notification from security software-as-a-service provider MailGuard.
Information versus intelligence
While potentially very useful, information derived from sources such as Twitter should always be treated with caution and assessed against information from other sources, particularly when it is being used to inform a security team's actions in a time-sensitive situation.
This is the difference between information and intelligence. Intelligence is aggregated data that has been assessed for credibility and presented in context, with appropriate caveats for uncertainty and an assessment of its significance. Intelligence must be timely to be useful, but acting on unassessed information that may be inaccurate can be even more damaging than the delay required to complete a full assessment.
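The assessment step described above can be made mechanical enough to run on the fly during an incident. The following is an added example, not code from the original article or from Digital Shadows: it takes raw reports about a propagation vector, grades each by source reliability and whether it carried checkable evidence, and only promotes a hypothesis to "assessed" when it is corroborated across independent channels. The A to F reliability letters loosely follow the NATO/Admiralty source-grading convention, the numeric weights and thresholds are assumptions chosen for illustration, and the sample reports (accounts, channels, grades) are constructed, not real observations from May 12th.

```python
from collections import defaultdict
from dataclasses import dataclass

# Reliability weights, loosely modelled on the NATO/Admiralty source-grading letters
# (A = completely reliable ... F = reliability cannot be judged). The numeric values
# are an assumption for this example, not something the article defines.
RELIABILITY_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}


@dataclass(frozen=True)
class Report:
    source: str        # who reported it
    channel: str       # e.g. "twitter", "vendor_advisory", "own_telemetry"
    claim: str         # hypothesis the report supports, e.g. "smb" or "email"
    reliability: str   # A-F grade for the source
    evidence: bool     # did the report include something checkable (sample, pcap, hash)?


def _report_weight(r: Report) -> float:
    # A claim with no verifiable evidence counts at half weight, whoever makes it.
    return RELIABILITY_WEIGHT[r.reliability] * (1.0 if r.evidence else 0.5)


def assess(reports, min_channels: int = 2, min_score: float = 1.0) -> dict:
    """Turn raw reports into an assessed judgement per hypothesis.

    Returns {claim: {"score", "channels", "status", "caveats"}}. A claim is only
    "assessed" when it is corroborated across at least `min_channels` independent
    channels and its weighted support reaches `min_score`; anything else stays
    "unassessed" and carries explicit caveats for the reader.
    """
    by_claim = defaultdict(list)
    for r in reports:
        by_claim[r.claim].append(r)

    result = {}
    for claim, rs in by_claim.items():
        by_channel = defaultdict(list)
        for r in rs:
            by_channel[r.channel].append(r)
        # Ten retweets of the same rumour are one data point, not ten: only the
        # strongest report per channel counts, so corroboration must be independent.
        score = sum(max(_report_weight(r) for r in ch_rs) for ch_rs in by_channel.values())

        caveats = []
        if len(by_channel) < min_channels:
            caveats.append(f"single channel ({next(iter(by_channel))})")
        if not any(r.evidence for r in rs):
            caveats.append("no report carries verifiable evidence")
        unknown = sorted({r.source for r in rs if r.reliability in ("E", "F")})
        if unknown:
            caveats.append("sources of unknown/low reliability: " + ", ".join(unknown))

        corroborated = len(by_channel) >= min_channels and score >= min_score
        result[claim] = {
            "score": round(score, 2),
            "channels": sorted(by_channel),
            "status": "assessed" if corroborated else "unassessed",
            "caveats": caveats,
        }
    return result


def ranked(reports):
    """Competing hypotheses ordered by assessed support, strongest first."""
    return sorted(assess(reports).items(), key=lambda kv: kv[1]["score"], reverse=True)


# Constructed sample reports for an outbreak day. Account names, grades and the
# internal sensor are invented for the example, not real sources.
SAMPLE_REPORTS = [
    Report("@user_a", "twitter", "email", "F", evidence=False),
    Report("@user_b", "twitter", "email", "F", evidence=False),
    Report("mail_vendor_blog", "vendor_advisory", "email", "C", evidence=False),
    Report("@researcher_1", "twitter", "smb", "B", evidence=True),
    Report("@researcher_2", "twitter", "smb", "B", evidence=True),
    Report("internal_netflow", "own_telemetry", "smb", "A", evidence=True),
]

if __name__ == "__main__":
    for claim, verdict in ranked(SAMPLE_REPORTS):
        print(claim, verdict)
```

With the constructed reports, the "email" hypothesis has two channels behind it but nobody offering evidence and two sources of unknown reliability, so it stays unassessed with those caveats attached; "smb" is corroborated by evidence-bearing researcher posts and the team's own telemetry and is the hypothesis an analyst should act on. The point of counting channels rather than reports is that volume on a single channel, which is exactly what Twitter produces during an outbreak, never by itself turns a rumour into intelligence.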
When the Digital Shadows analyst team investigated wCry on May 12th, we were able to identify indications that suggested spam emails were not the vector being used, leading us to pursue alternative hypotheses that the malware was spreading over SMB. While we are hugely appreciative of the work researchers do to raise awareness of security issues on Twitter and make extensive use of this source, we have found on many occasions that relying on this alone has the potential to lead to operational mistakes and misallocation of resources.