Raj Samani, chief scientist at McAfee, reveals the hive of activity that's kicked off at security firms during a big attack
2017 has seen several significant global outbreaks, including WannaCry and NotPetya
This year has seen several high-profile global malware outbreaks, including the WannaCry ransomware which took down large swathes of the NHS in May.
Following hot on the heels of that attack was NotPetya, another piece of ransomware which this time was thought to be designed to disrupt rather than turn a profit.
When large outbreaks like these start to hit networks around the world, security teams in affected organisations go into overdrive - but perhaps none more so than those at the security companies themselves.
Raj Samani, chief scientist at McAfee, lifts the lid on the furious activity that goes on at his firm during an outbreak. He begins by emphasising the importance of external communications.
"The key is to develop communications to answer the questions customers have," Samani says. "They want to know what's happening, are they protected, what do they need to do? And that's not as simple as it sounds. When you're dealing with WannaCry, it was Saturday and I had 400 messages an hour across multiple platforms. I was working and communicating with law enforcement, journalists, comms teams and others, and it was important to detail what we knew so far as the research continued."
He adds that internal testing is also critical, to ensure that the advice his firm publishes is accurate.
"I was working all weekend," Samani explains. "My phone was going off every other second, and my daughter said she can't wait to get 400 messages an hour, as she gets one. I said I'd happily swap!"
Samani says that it's important to stay on top of the communication as customers expect to be kept up to date.
"If you look at [the] Petya and NotPetya [outbreaks], we had knowledge-based articles up within the hour. That's the beginning of the snowball. You get the initial message that there's this issue occurring and then suddenly it's wider than expected, then it's a global outbreak.
"I was in California, and I was working with my lead researcher in the Netherlands. We were getting internal teams together, conducting research, performing analyses, looking at third party sources, and making sure we weren't missing anything. We had a very detailed blog up within around three hours."
McAfee has also been involved in the No More Ransom initiative, which it co-founded. Samani explains that there are now over 100 partners in the programme, which aims to help people be aware of the issues, and understand how to protect themselves.
After the initial burst of analysis and communication comes the more detailed analysis.
"At that point we ask if there's an opportunity to be able to get the decryption key? Can we recover the data of impacted organisations? With WannaCry we spent two weeks analysing it, we tore the code down, did full analyses and shared the technology and our results for free.
"We managed 29,000 successful decryptions for free, and we don't capture anyone's details either. We do it because it's the right thing to do."
He adds that his teams also work with other, competing security firms, on top of academia, researchers and law enforcement.
"We have these operational working groups which can communicate and work together when a major issue occurs. That's important. When those things occur we have to know if anyone has a sample, and being able to bounce ideas off one another is also key.
"Our customers expect us to protect them, that's our number one objective. If that means we're collaborating with other firms, then that's the expectation."
He sums up, describing the situation during an outbreak as "nuts".
"I was tempted to put a tweet out before I went on holiday: 'Please no major malware outbreaks for two weeks'. But that would've been tempting fate. And I'm cautious about putting out that sort of private data, I don't even put an out of office on. You can get spear phished, because they know when you're back or where you've gone, they can call your secretary and make it sound like they know you."
He does however use Twitter to put information out during a big malware outbreak.
"I used Twitter when Petya hit. As we were finding things out, I was putting it out on my stream, and that was feeding a more detailed deliverable we then posted out later. But Twitter's crazy when things happen, there's so much noise."
Finally, he explains that outbreaks can happen at any time of the day or night, and when they hit, it's time to go to work.
"In our role, when these things happen customers expect you to be there. Even if it's 4am, you just do it, don't even think twice. And it can be fun, although fun is a relative term," he adds.