Speaking in the opening keynote session of day two at the Gartner Security & Risk Management Summit 2019 in London, Adam Banks, chief technology and information officer at Maersk, reflected on the company’s response and recovery following the NotPetya attack in 2017.
Banks said that when Maersk was hit by NotPetya, the company was “not unusually weak,” and this point matters: too often organizations feel immune to cyber-attacks because they do not consider themselves to have obvious security flaws.
However, Maersk was (and is) a company that is extremely data-centric. “Whilst we have a global flow of cargo, we equally have a global flow of information,” Banks said. Because of the import/export work Maersk does, it cannot “lock up” data or create a centralized data pool and “put every form of defense around it.” The value of the data is in its distribution.
When NotPetya first hit, Maersk was unable to determine exactly what was occurring, Banks explained. It took several hours to establish the cause of the attack and its widespread impact. IT services, end-user devices and applications/servers were dramatically affected: as many as 49,000 laptops were destroyed and 1200 applications were inaccessible.
“I didn’t go home for 70 days,” Banks said, as he worked tirelessly with the rest of the business to respond and recover.
“The first thing we did was to make some fairly big decisions about how to manage this. Maersk is an asset-centric business with an asset-centric crisis management approach,” but that was not going to be effective in dealing with the global fallout of NotPetya, Banks explained. “I abandoned corporate crisis management and implemented a financial services crisis management model, because financial services normally only ever have global crises.”
In the first one to three days of the outbreak of NotPetya, Maersk:
- Worked with Deloitte on cyber-forensics
- Decided to be as open as possible about the incident, both internally and externally
- Designed a new Windows build
- Hardened the new build as far as possible
- Retrieved an undamaged copy of the Active Directory
In the first four to nine days of the outbreak of NotPetya, Maersk:
- Built 2000 laptops
- Rebuilt the Active Directory
- Spoke to the individual responsible for creating the NotPetya malware
From nine days onwards following the outbreak of NotPetya, Maersk:
- Continued to work through the ever-growing list of affected applications: within two weeks all global applications were restored, and within four weeks all laptops were rebuilt