The Microsoft business model relied on very few Microsoft employees and an army of partners (re-sellers, service providers, etc.). This meant that while we had direct contact with thousands of Microsoft customers (most of them threatening to sue Microsoft for damages in those first few days), we had to rely on thousands more individuals to scale the response to the millions of customers impacted by the event. The training efforts that we coordinated to help those partners get ready to effectively solve the Blaster problem were enormous efforts in and of themselves.
Fortunately for Microsoft and its customers, many thousands of people made incredible personal sacrifices to help organizations of all sizes recover from the effects of Blaster. For all of you, both internal Microsoft staff as well as external partner employees and even those super-smart Microsoft customers, who worked with me during that horrible year of 2003, thanks for sharing your expertise. Thanks for making sacrifices yourselves to help Microsoft and its customers try and make sense of the madness that was August 2003. I know many of you paid high personal prices for your efforts. There are many of us who quite literally lost a year of our lives because of the underlying flaws in technologies and miscreants' exploitation of those flaws for their own purposes.
There are many reasons in my humble opinion why we haven't seen another Blaster-level cyber event. Most definitely the Microsoft team learned their lesson and spent incredible amounts of time to improve the way that technology is developed and deployed. But, not all companies have the luxury of funding multi-million-dollar security mobilization efforts. Based upon some of the research that I have done over the last decade, I have also seen that the adversaries (the miscreants as we called them then) have fundamentally changed the way that they operate.
On one occasion, while working at INL with a team of international researchers, we saw the attackers self-policing when it came to deploying worm-like attacks. One individual on an IRC channel bragged that he could deploy a worm that day on an unpatched vulnerability. The other people on that channel immediately threatened the braggart with bodily harm should he proceed with his plan.
It makes sense when you think about it. Massive worms cause huge denial-of-service problems, thereby blinding the attackers and preventing them from exploiting the systems that they already control. Also, worms drive a news cycle, which results in organizations improving their infrastructures and applications, thereby reducing the attack surface. Worms like Blaster are bad for their business, and I think that's why we haven't seen similarly sized incidents since.