DHS’ 72-hour marathon to keep agencies, industry safe from WannaCry


The Homeland Security Department had been expecting and planning for a cyber threat like the WannaCry ransomware attack for years.

Once DHS started to see signs of the malware in Asia and Europe early one morning on May 12, federal executives executed a plan that showed just how far the government has come over the last decade in dealing with cyber attacks.

Jeanette Manfra, the acting deputy undersecretary for cybersecurity at the Homeland Security Department, offered an in-depth look into the steps DHS and the government took to keep federal agencies safe from WannaCry.


Manfra said between 7 a.m. and 8 a.m. the US-CERT started getting reports of WannaCry from Asia and by mid-morning the malware had spread to European partners.

“We first started to engage with the overseas, international cybersecurity incident response teams for organization such as the U.S.-CERT, which sits at DHS and is the team that does the watch and warning function, incident response and analysis functions. Over the years, we have been working with partner countries to develop similar domestic, national CERTs across the globe. That was the first activation, if you will, of the international watch and warning networks and individual bilateral engagements with a few of the CERTs that were experiencing incidents domestically,” Manfra said on Ask the CIO. “They started passing us information, sometimes it was technical information if they actually had it that we could use and sometimes it was just context so we could distinguish what is true and what is not. That engagement was very quick and it mobilized very quickly.”

The real trigger for DHS and the U.S. federal government came midday when WannaCry infected the national healthcare system in the United Kingdom.

“From that point on, we started to escalate in the government and initiated enhanced coordination procedures, which means we have more resources devoted to this, and focused on broadening our engagement,” Manfra said. “Within a couple of hours, we had all of the major Internet service providers on the phone and were sharing information. By the evening, we had more than 40 IT and cybersecurity companies engaged in addition to the service providers.”

She said the goal was to get samples of the malware and have forensic analysts take the code apart and turn it into defensive measures.

“The quicker that we can turn that around and the quicker we can get that out, the higher chance we have of preventing further potential victims. That was much of Friday afternoon and Friday evening,” Manfra said. “By Friday night, early Saturday morning, we actually as a result of all of that collaboration, we were able to issue a joint FBI and DHS alert that had some of our initial information. This is largely technical information that other security operations centers could use. We pushed that to all the federal government. Agencies were able to use our own intrusion detection systems and plug in signatures to have broader protections across the government.”

Also Friday afternoon, DHS convened a call with federal chief information officers and chief information security officers to discuss updating the EINSTEIN 2 and 3A software with the malware signatures. By the evening, DHS had identified five signatures of WannaCry for E2, which is an intrusion detection tool that resides on Trusted Internet Connections (TIC) throughout the government. Manfra said DHS deployed 18 signatures on the E3A tool, which takes classified information and uses it to protect unclassified networks.

DHS continued to add signatures as the weekend continued and by early June had 7-to-10 for E2 and 18-to-20 for E3A.

Later Saturday morning, she said DHS put out a detailed malware analysis for public and private sector organizations.

DHS also worked with the Small Business Administration to develop an alert and information for the small and medium-sized business community and got that out by Sunday.

This was one of the first times DHS exercised the enhanced coordination procedures, which the Obama administration established under Presidential Policy Directive-41. PPD-41, signed in July 2016, details roles and responsibilities during a cyber attack for both the public and private sectors.

She said by Monday, DHS remained in contact with international partners to see if the attack was dying down or if a second round of attacks was possible.

Manfra said the White House also got involved, led by Tom Bossert, the President’s Homeland Security advisor, as did other relevant cabinet members and Congress, discussing what steps agencies can take to protect their networks.

Manfra said DHS is finalizing an “after action report” on the government’s response to WannaCry.

She said the after action report brings in a broad team including public and legislative affairs and others to discuss how internal processes could be improved. DHS also talked to federal CIOs and their private sector partners to gather feedback and suggestions for improvements.

“Generally the feedback was good. Everybody appreciated the urgency and the ability to move quickly. How quickly we activated the different communications protocols and how quickly we were able to push information out, and our willingness to share draft products, draft analysis with external partners so they could improve it before we finalized it,” she said. “The things we want to improve upon. In some cases, some of these things were ad hoc. We want to build those into more specific protocols and we have something that can live through the personality relationships. We will spend more time developing more specific playbooks that we can drill down to at a more granular level with the private sector and other agencies.”

Manfra said she is proud of her team’s effort as well as the partnership with industry and other federal agencies.

“We did weather this particular instance of ransomware rather well as did most organizations within the U.S. Well it’s a little too early to assess why that is and there are multiple factors for that, parts of it has to do with the work the federal government has done over the years patching critical vulnerabilities, prioritizing the time it takes to patch critical vulnerabilities, reducing the amount of time, and we also have been over the last couple of years very focused on ransomware in particular,” Manfra said. “I’ve been a part of the cybersecurity and communications unit at DHS for about 10 years now and I have never seen us move this quickly for this expansive of an issue across so many different partners across the globe and provide value this quickly. A lot of us had our weekends and Mother’s Day ruined. People worked incredibly hard.”