Research Article

Healthcare Security Incident Response Strategy - A Proactive Incident Response (IR) Procedure

Table 2

Cyber Threat Intelligence (CTI) advisories for Ransomware (WannaCry) Incident Response (IR)

Columns: WannaCry IR stage; CTI advisories

Planning and preparation: NHS took inadequate action on the alerts published in July 2016 warning that cyberattacks could jeopardise access to critical patient record systems. NHS would benefit from ransomware CTI advisories [35–37] on how to prevent such incidents; example solutions include rehearsing the IR plan rather than implementing it straight away.

Detection: The WannaCry incident report does not indicate whether NHS used a monitoring system to identify the indicators. NHS can use the ransomware CTI advisories [35] to identify indicators and feed them into the monitoring system through signature updates. Indicators include, but are not limited to, mssecsvc.exe, diskpart.exe, lhdfrgui.exe, ransomware07_no_detection.exe, and WCry_WannaCry_ransomware.exe.
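The detection row above describes feeding advisory indicators into a monitoring system. The following is an added example, not code from the article or from NHS, showing the simplest form of that step: matching process-creation events against the file-name indicators listed in the row. The log-line layout (timestamp, host, image path, pid) and the sample events are constructed for this example. One caveat a practitioner would add: diskpart.exe is also a legitimate Windows utility shipped in System32, so a bare file-name match on it is reported at low confidence unless the binary runs from an unexpected location.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# File-name indicators listed in the CTI advisories cited by Table 2.
WANNACRY_FILE_INDICATORS = {
    "mssecsvc.exe",
    "diskpart.exe",
    "lhdfrgui.exe",
    "ransomware07_no_detection.exe",
    "wcry_wannacry_ransomware.exe",
}

# diskpart.exe is a legitimate Windows tool; a match at its expected system
# location is downgraded to low confidence to limit false positives.
EXPECTED_SYSTEM_PATHS = {
    "diskpart.exe": {
        r"c:\windows\system32\diskpart.exe",
        r"c:\windows\syswow64\diskpart.exe",
    },
}

# Assumed process-creation log layout (constructed for this example, not a
# real product format): "<timestamp> host=<name> image=<path> pid=<n>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>.+?)\s+pid=(?P<pid>\d+)$"
)

# Constructed sample events; not real telemetry.
SAMPLE_LOG = """\
2017-05-12T08:01:10Z host=ward3-pc07 image=C:\\Windows\\System32\\svchost.exe pid=812
2017-05-12T08:02:44Z host=ward3-pc07 image=C:\\Windows\\mssecsvc.exe pid=2260
2017-05-12T08:02:45Z host=ward3-pc07 image=C:\\Windows\\System32\\diskpart.exe pid=2304
2017-05-12T08:03:01Z host=radiology-ws2 image=C:\\Users\\staff\\Downloads\\WCry_WannaCry_ransomware.exe pid=4120
2017-05-12T08:03:09Z host=radiology-ws2 image=C:\\Temp\\diskpart.exe pid=4188
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    image: str
    indicator: str
    confidence: str  # "high" or "low"


def _basename(image: str) -> str:
    # Accept either path separator and compare case-insensitively.
    return re.split(r"[\\/]", image)[-1].lower()


def match_image(image: str) -> Optional[Tuple[str, str]]:
    """Return (indicator, confidence) if the image name is an indicator, else None."""
    name = _basename(image)
    if name not in WANNACRY_FILE_INDICATORS:
        return None
    trusted = EXPECTED_SYSTEM_PATHS.get(name, set())
    confidence = "low" if image.lower() in trusted else "high"
    return name, confidence


def scan_log(text: str) -> List[Alert]:
    """Parse each event line and emit an Alert for every indicator match."""
    alerts: List[Alert] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed lines are skipped rather than silently matched
        hit = match_image(m["image"])
        if hit is None:
            continue
        indicator, confidence = hit
        alerts.append(Alert(m["ts"], m["host"], m["image"], indicator, confidence))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, Dict[str, int]]:
    """Count alerts per host at each confidence level, for triage ordering."""
    counts: Dict[str, Dict[str, int]] = {}
    for a in alerts:
        counts.setdefault(a.host, {"high": 0, "low": 0})[a.confidence] += 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.confidence.upper():4} {a.indicator} <- {a.image}")
    print(summarize(found))
```

Hosts with high-confidence hits are the ones to isolate first; the low-confidence diskpart.exe match on ward3-pc07 only becomes interesting because the same host also ran mssecsvc.exe moments earlier, which is why the summary groups alerts by host.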

Analysis and assessment: NHS confirmed the WannaCry incident and identified the scope and impact. NHS can still benefit from CTI advisories [35–37] for the verification. The CTI advisories show that the impact can be “temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organisation’s reputation” [35].

Containment and eradication: NHS lacked central direction and a formalised process for responding to the WannaCry incident, and failed to shut down or isolate the affected systems in time. Example solutions from the CTI advisories are to apply the MS17-010 patch for the SMB vulnerability (dated March 14, 2017), enable spam filters to block phishing emails, and manage the use of privileged accounts.

Recovery: NHS worked with its IT suppliers to recover the systems. CTI advisories [35–37] also provide a list of solutions to consider, e.g., backing up sensitive and important data regularly and testing the backups to ensure they work correctly when needed.

Lessons learned: NHS learned lessons from this incident; it conducted causal analysis and took action to improve its security controls and policies. CTI advisories [35–37] also provide solutions such as implementing a business continuity plan.