How Trafigura Put Its Cybersecurity to the Test

The global commodities trading firm replicated the NotPetya worm, strengthened it and then unleashed it on its production environment to assess its ability to fight back

Mark Swift was sitting in his third-floor office at global commodities trading firm Trafigura in the Mayfair district of London’s West End when he first started hearing reports about NotPetya, a computer worm attack. The worm rapidly spread around the world in June 2017, crippling multinational companies including global shipping company Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz and manufacturer Reckitt Benckiser, among others, causing an estimated $10 billion or more in damages.

“It was clear there was a major problem; we got a very early understanding that something was going on that was much more significant than the usual ransomware but no one had a clear picture of what was happening,” says Swift, Trafigura’s Chief Information Security Officer. “There was a huge amount of confusion and quite a bit of angst. It was incredible that so many companies were being hit at the same time and extremely worrying because you can’t defend against what you don’t understand.”

Swift’s job is to ensure the company can effectively play defense against cyberattacks. Trafigura manages more than $54 billion in assets and moves over $170 billion per annum of commodities around the world by ship, barge, truck, rail and pipeline.

While Swift believed the company was reasonably safe, he could not quantify the risk. “The questions I kept asking myself were how does the worm get in, how does it move and would our defenses hold out?” he says. “The difficult thing is you don’t have a way to test. Working on assumptions is not a good way to be measuring your defenses.”

There was only one way to be sure: do the unthinkable.

With the help of NCC Group, a global firm specializing in cybersecurity and risk mitigation, Swift hatched a plan to replicate the NotPetya worm, strengthen it, and then unleash it on the company’s production environment, with the full support of the CEO and the board. The audacious move was deemed to be an acceptable risk because Trafigura had standardized the way it exercises cyber hygiene, something the World Economic Forum’s Centre for Cybersecurity has been encouraging companies to do.

Swift, a member of a World Economic Forum committee to improve resilience for the oil and gas industry, agreed to an interview with The Innovator in the hopes that Trafigura’s experience will help other large enterprises better prepare their cyber defense.

Deconstructing NotPetya

It was one of Trafigura’s lead engineers who first suggested testing how well the company’s defenses would stand up to the NotPetya worm under controlled circumstances. Swift liked the idea and approached NCC Group. They struck an agreement: if the cybersecurity firm could help develop a replica of the worm, Trafigura would test it and, if all went well, NCC could use the case as a reference to sell the service to other big corporate clients.

Oliver Whitehouse, NCC Group’s Global Chief Technology Officer, remembers the first discussion about replicating NotPetya with Swift, whom he has known for 20 years. “We were coming off a busy summer in the U.K. We had two major worms, the last of which was NotPetya. Mark [Swift] was getting questions from his chief executive about whether it would have an impact on Trafigura. Mark could just say ‘we think our controls would limit the impact’ but it was very much a theory and he could offer no definitive assurance. When he outlined that he would like to run this test to quantify the risk I told him ‘we can do that.’ I had the confidence that we could replicate NotPetya by deconstructing it and then reconstructing it,” says Whitehouse.

Swift’s team and NCC Group started the work in November of 2017. “We decided to rewrite the worm so we knew exactly what every line of code did,” says Swift. “We discovered a coding mistake in the way it moved and stole tokens and the way it scanned. It wasn’t as efficient in moving as it might have been so we corrected those mistakes to make it even stronger.” The team also installed kill switches to ensure the worm didn’t proliferate outside of Trafigura’s network and accidentally infect suppliers and partners.

The process was supposed to take three months but took a year.

“The complex bit was having the confidence that the controls would work and that it would not go awry and be disruptive,” says Whitehouse. “We worked on the principle that if there was any doubt the first instruction was to shut itself down, ensuring that it would only spread to computer networks directly under Trafigura’s control. There were key systems in the industrial operations technology in areas such as mining and fuel terminals that had to be excluded but all the corporate assets could be included. Then we built in various other safeguards, such as the rate at which it could propagate so it would not overload the system. We did three full environment tests before we even got near the production and were confident that the controls could do what they said they are going to do.”

Getting Sign-Off

Getting the company’s leadership to sign off was an important part of the process. Trafigura stores and delivers the commodities it trades, which include approximately six million barrels of oil a day. In order to buy the assets that it later trades it has established access to credit from 155 banks. It has to manage credit risks, legal risks, IT risks and liquidity risks, and all of these risks are integrally linked. “We are a high volume, low margin business,” explains Christophe Salmon, Trafigura’s Chief Financial Officer. “Our business is based on arbitrage, we fight for the last cent per barrel. Any basis point matters in terms of protection of our margins. If the integrity of our system was compromised it would have consequences in being able to conduct our business and in the daily reporting to our financial partners,” a factor that could impact Trafigura’s access to both credit and its liquidity. “This was why, in discussing with Mark, testing the strength and integrity of our system — and identifying any potential vulnerabilities — was so important,” says Salmon.

Unleashing The Worm

On November 8, 2018 the worm was unleashed. Swift, together with Trafigura’s lead engineer, Whitehouse and an NCC Group developer huddled around a group of computer screens. “We looked at each other and said ‘should we run it?’” remembers Swift. “I paused for a moment and wondered ‘What on earth am I doing?’ before giving the green light. And then we waited for the havoc to begin.”

Thirty minutes went by. Nothing happened. Then the worm found its way in through an unpatched computer in Switzerland and exploited that entry to gain privileges. At that point the team thought it would spread like wildfire. But to their surprise it didn’t, due to a security configuration Trafigura had made that they had not fully appreciated. So the team launched different scenarios, purposely infecting different “patient zeros” and increasingly notching up the level of exposure. Eventually a misconfiguration in a software development network lit the fuse and the worm started to spread aggressively throughout the development environment, moving from machine to machine and location to location. “We tracked the various ways the worm jumped between systems and were able to create a good map and a good understanding of its speed and its ferociousness,” Whitehouse says.

The value of the test data can’t be overstated, he says. Trafigura used it to make adjustments to its network. “This one configuration change by Trafigura significantly disrupts the speed at which worms can propagate even if they can access highly privileged systems,” says Whitehouse.

To Swift’s great relief, unleashing the worm in this controlled manner had no operational impact on the business. None of the company’s computer users noticed a thing.

Key Takeaways

NCC Group is eager to run similar tests for other big corporates but so far there have been no other takers. Although a number of big companies have expressed interest in doing so they have had trouble getting internal sign-off. Whitehouse says that often organizations think they have a picture of what their computer networks look like. However, 99% of the time this does not reflect reality. Knowing who is connected is one of the first things a company has to do to ensure its cyber security. The map needs to be accurate “at any point in any week,” he says. “When I ask what is on their network, who is responsible for it, what each device does and what business operation it underpins they look at me quizzically and say they don’t know. If you don’t know then you don’t know what your risk is. You have to understand the material risks before you can unleash tests like Trafigura’s.”

Swift agrees. “One of the reasons why we were more capable of running this was we know where the edge of our network boundary is,” he says. “You have to fundamentally understand how many machines you have and where they are to be able to sign off on something like this. We spend a lot of time standardizing our environment because we believe you need to do things to standard and enforce things to standard.”

One of the takeaways from the test was that having hard data and being able to really measure risk is key, says Swift. Trafigura thought that being 99.9% compliant in some areas was good enough. It was not. “So now we understand that and if anybody says we are being overly cautious we can demonstrate why we need to do what we do. We believe it is worthwhile to get better at testing and measuring the effectiveness of security in our internal network, but it is only worth doing if you also have an appetite to introduce major controls.”
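The safeguards Whitehouse describes (a fixed scope that excludes the OT networks), the spread map the team built from the test, the point about knowing every host on the network, and the lesson that 99.9% compliance was not enough all come down to one question: over a known map of which hosts can reach which, how far does a worm-like actor get from a patient zero, and what does a single control do to that? The Python below is an added example, not code from The Innovator article, Trafigura or NCC Group. It models that question on paper with a round-based reachability simulation. Every host name, link, patch state and the "credential reuse" control are constructed assumptions; the article does not say which configuration Trafigura changed.

```python
"""Round-based spread model over a constructed host map (added example).

Not code from the article, Trafigura or NCC Group. Hosts, links, patch
states and the controls below are constructed assumptions.
"""

# Constructed inventory: host -> patch state and network segment.
INVENTORY = {
    "ws-ch-01":       {"patched": False, "segment": "corp"},  # constructed unpatched entry point
    "ws-ch-02":       {"patched": True,  "segment": "corp"},
    "srv-file-01":    {"patched": True,  "segment": "corp"},
    "dev-build-01":   {"patched": False, "segment": "dev"},
    "dev-build-02":   {"patched": True,  "segment": "dev"},
    "srv-db-01":      {"patched": True,  "segment": "corp"},
    "ot-terminal-01": {"patched": True,  "segment": "ot"},    # excluded from the test scope
}

# Constructed lateral-movement map: (source, destination, path kind).
# "exploit"    = works only if the destination is unpatched
# "credential" = a reused admin credential/token works regardless of patch level
EDGES = [
    ("ws-ch-01",     "ws-ch-02",       "exploit"),
    ("ws-ch-01",     "ws-ch-02",       "credential"),
    ("ws-ch-01",     "srv-file-01",    "credential"),
    ("ws-ch-02",     "dev-build-01",   "exploit"),
    ("srv-file-01",  "dev-build-01",   "credential"),
    ("srv-file-01",  "ot-terminal-01", "credential"),
    ("dev-build-01", "dev-build-02",   "credential"),
    ("dev-build-01", "srv-db-01",      "exploit"),
    ("dev-build-02", "srv-db-01",      "credential"),
]


def in_scope(host, inventory, excluded_segments):
    """A host is modelled only if it is inventoried and not in an excluded segment.
    A host missing from the inventory cannot be reasoned about at all."""
    meta = inventory.get(host)
    return meta is not None and meta["segment"] not in excluded_segments


def simulate(inventory, edges, patient_zero, excluded_segments=("ot",), max_rounds=50):
    """Breadth-first spread in discrete rounds. Returns {host: round_reached}."""
    reached = {patient_zero: 0}
    frontier = [patient_zero]
    for rnd in range(1, max_rounds + 1):
        newly = []
        for src in frontier:
            for s, dst, kind in edges:
                if s != src or dst in reached:
                    continue
                if not in_scope(dst, inventory, excluded_segments):
                    continue  # out of scope (e.g. OT networks): never touched
                if kind == "exploit" and inventory[dst]["patched"]:
                    continue  # patching closes the exploit path only
                reached[dst] = rnd
                newly.append(dst)
        if not newly:
            break
        frontier = newly
    return reached


def patch_everything(inventory):
    """Control A (assumed): 100% patch compliance, nothing else changes."""
    return {h: {**m, "patched": True} for h, m in inventory.items()}


def remove_credential_reuse(edges):
    """Control B (assumed): no admin credential is valid on more than one host."""
    return [e for e in edges if e[2] != "credential"]


def compare_controls(inventory, edges, patient_zero):
    """(hosts reached, rounds needed) for the baseline and each control."""
    runs = {
        "baseline": simulate(inventory, edges, patient_zero),
        "patch_everything": simulate(patch_everything(inventory), edges, patient_zero),
        "no_credential_reuse": simulate(inventory, remove_credential_reuse(edges), patient_zero),
    }
    return {name: (len(r), max(r.values())) for name, r in runs.items()}


def inventory_gaps(inventory, observed_hosts):
    """Hosts seen on the wire but absent from the map, plus patched/total counts."""
    unknown = sorted(set(observed_hosts) - set(inventory))
    patched = sum(1 for m in inventory.values() if m["patched"])
    return unknown, patched, len(inventory)


if __name__ == "__main__":
    for name, (hosts, rounds) in compare_controls(INVENTORY, EDGES, "ws-ch-01").items():
        print(f"{name:20s} hosts reached={hosts} rounds={rounds}")
    # Constructed observation: two devices answer on the network but are not inventoried.
    seen = list(INVENTORY) + ["printer-ch-07", "nas-unknown-01"]
    print("not in inventory:", inventory_gaps(INVENTORY, seen)[0])
```

On the constructed map, patching every host changes nothing (the credential paths still carry the actor to the database server in four rounds), while removing credential reuse stops it at the patient zero; the model keeps the two path kinds separate precisely so that controls can be compared that way. The `inventory_gaps` check is the precondition Whitehouse describes: any device that answers on the network but is not on the map is a host the model, and the test, cannot account for.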

Swift says he has no illusions. Controls or no controls, the attacks will keep coming. The next worm, the next virus, is likely to be more virulent. And no matter how good its cyber defense is, Trafigura — like any other company on the planet — will have to continue to be vigilant in the never-ending battle to keep its systems safe.

Translated from: https://innovator.news/how-trafigura-put-its-cybersecurity-to-the-test-731a8bcb3796
