There has been a lot of good discussion and debate on Twitter around a hypothetical “whitehat worm” that simply applies the MS17-010 patch on vulnerable systems. This is one of the more popular threads I’ve seen:
This is why blue team is hard, folks. I'd be interested to hear your opinions on the ethics of this move, as well as feasibility. https://t.co/KD5Jf6s9dC
— Tarah M. Wheeler (@tarah) May 14, 2017
The consensus is that it’s a terrible idea and is unethical. That seems like the right position to take, but allow me to take the other side for the sake of discussion. Actually, not just the other side.
Much has been written about Netflix’s Chaos Monkey, which grew into an entire Simian Army. Chaos Monkey is designed to randomly shut down systems in Netflix’s environment, forcing discipline in developers and administrators to ensure the software and environment is robust enough to handle faults. Hope is not a strategy, the chaos monkey cometh.
The main criticism people seem to be levying is that organizations should be permitted to run out-of-date software if they choose, without worrying about some do-gooder coming along and applying a patch. Also, in the case of the WannaCry ransomworm, a number of UK hospitals were apparently all but brought to a standstill, with some doctors allegedly expecting this to cost some number of patient lives, due to the systems and data being unavailable.
We hear about the woes of the health care field – forced to buy devices that are “stuck” on particular versions of operating systems, with little hope of updating. Similarly, there are anecdotes of organizations unable or unwilling to apply patches on more traditional IT systems due to concerns of stability, compatibility, or possibly just labor costs. In an interconnected world, the “bad behavior” of one organization doesn’t just impact that organization and its constituents. It potentially impacts many others, even the Internet itself, through attacks like the Mirai botnet on Dyn back in 2016.
When systems are infected or compromised, the prudent recommendation is to reimage/rebuild/restore, and for good reason. We typically can’t pragmatically ensure that an infected or compromised system is “clean” without reverting to a known good state. Sadly, many organizations don’t do that, and sometimes get bit a second or third time by the same actor/malware.
Consider this hypothetical situation:
Rather than a “white hat” worm that silently attempts to apply a patch on vulnerable systems, some chaotic neutral person/group releases a worm that wrecks the operating system and then shuts the system down. The system can’t be restarted without some kind of a rebuild at this point. This situation basically turns the potential downside of the “white hat” worm into a sure thing. There is now no question that business systems will be damaged, that hospital systems will be shut down, and that people will possibly die.
But here’s my question: think of the group releasing this worm as an Internet-wide “chaos monkey”. How quickly would IT behaviors change? Would they change? Would vendors act differently?