One thing that all CIOs have had on their minds the last couple of years is if their infrastructure and services are safe from ransomware attacks. So far in 2021 we have seen a surge of ransomware attacks that have targeted even large enterprises like Colonial Pipeline which supply 45% of the East Coast’s supply of diesel, petrol and jet fuel and ended up paying 5 million for getting back access to their data. The latest statistics show that there is a ransomware attack every 11 seconds, where the attackers utilize different attack vectors to try to get access. So how can we protect ourselves or at least reduce the risk from these types of attacks?
Attack patterns
First of all, it’s important to understand how most ransomware attacks are done. Initially, most ransomware up until now have been focused on getting access and encrypting the data and demanding a ransom. However, in the end of 2020, certain ransomware groups started to change their strategy to use triple extortion. What this means is that not only does your data get encrypted and exfiltrated, but if you do not respond to the original ransom, attackers may then also launch a DDoS attack against your services.
So, what kind of attack patterns do we see as most common? In most cases, there are only a few of these attack vectors which are used for initial attacks, but they are also used in combination to try to gain access as quickly as possible.
- Phishing emails (Where they set up newly created domains to run phishing email campaigns over a short period)
- Drive-by download (usually starting with a phishing email)
- Credential stuffing (reuse of compromised user identity) either by credential phishing or by getting hold of account information from hacked third-party sources.
- Brute-force attacks (for non-MFA based services such as RDP, ADFS, Legacy authentication Azure Active Directory)
- Exploiting vulnerabilities (Exchange, Citrix NetScaler, Fortinet as some examples)
- DDoS attacks (high-volume attacks, using vulnerabilities in, for instance, UDP/DTLS protocols.)
Most ransomware is aimed at infecting Windows-based environments running Active Directory. Attackers usually start with getting access to a compromised endpoint or directly to the infrastructure through brute-force or vulnerable external services. There has, however, also been an increase in attacks aimed at other operating systems and environments.
Usually when a computer or server gets compromised, the attackers apply logic to disable security and backup services, clear event logs and utilize scripts and other tools to both do reconnaissance of the local network. They also attempt to capture the username and password associated with the local computer with tools such as Mimikatz to dump the local user database but also find other local secrets to try to get further access to the infrastructure. As one example for one organization, the attackers gained access to a compromised endpoint using a phishing attack, then they utilized the Zerologon vulnerability to get full access to the Active Directory environment before they then started to deploy their executable to encrypt the data. This was all done under 5 hours from the initial compromise.
Countermeasures
To implement countermeasures, we need to understand and protect the different attack surfaces and ensure that we have guard-rails in place between systems to prevent attackers from being able to do lateral movement. There should also be mechanisms in place to ensure visibility and an automatic response when an attack occurs. The main principles to reduce the risk for ransomware are:
- Patch and keep your systems updated – This is to avoid attackers being able to exploit known vulnerabilities. Many organizations have automated patching in place for Windows based environments, but we also need to make sure we have processes in place for other systems where we might not have the same automated patching systems, such as virtualization layer, external services (VPN, Firewall) and other third-party products. There are also products that can be used to monitor or do vulnerability scanning if you have custom-made web applications that you want to check for vulnerabilities.
- Apply strict MFA for all remote access – This is to avoid brute force attacks, and in most organizations, not always easily implemented since many have external services that have support for different protocols such as SAML, Radius, OAuth, Windows authentication, LDAP and such. However, there are many MFA providers in the market which support most of these protocols such as Azure Active Directory and remember to use the mobile application and not rely on SMS-based MFA.
- Protect user accounts – This is not always a simple task, but there are more and more services now that can provide identity protection and notify if user credentials have been leaked. This is important to ensure that attackers cannot reuse active credentials. Here we have services like Azure Active Directory Identity Protection, or even using the free service from haveibeenpwnd.com, where you can get notified from user accounts from a certain domain.
- Protecting the endpoint – Most ransomware attacks starts with a compromised endpoint, so it’s important to have proper security in place for the endpoints. Traditional antivirus is no longer enough, where we see that more and more organizations are adopting EDR (Endpoint Detection and Response) to be better equipped at stopping unknown processes/activities on a computer. Which is important since ransomware is always adapting. For Windows as well, there are a lot of built-in security mechanisms that you can use to reduce both the initial compromise and lateral movement, such as Application Guard and Identity Guard. It is also important with basic security mechanisms and to prevent some of the logic on ransomware to run. Disable macros in Office, remove older versions of PowerShell (most ransomware try to use older versions), change default file behavior for HTA/JS/JSE files using Group Policy and lastly making sure that your endpoints are up to date. Also, make sure that web browsers that are in use are updated, since we are seeing more and more vulnerabilities associated with browsers.
- Email security – Since many ransomware attacks start with phishing email, it’s important to have proper protection mechanisms to reduce the risk. Some common mechanisms are ensuring that you have proper SPF, DMARC and DKIM records in place for your email domains. This avoids attackers forging emails from the same domain. Another measure is to apply email headers for all external received email to give information to employees that the email they received is from an external sender. Now we have also seen phishing emails coming from inside the organization where an attacker managed to compromise a user account, so there can also be insider threats. Therefore, it’s important to understand and educate the end-users about how to spot phishing emails or if someone is trying to lure information out of the users.
- Data protection – If your infrastructure and data get encrypted by ransomware, it’s important to have proper data protection mechanisms. There have been cases where the backup data has gotten encrypted as part of the ransomware attack as well, so there are a couple of aspects we should consider. Firstly, backup services and systems should be disconnected and not directly accessible from the same domain or infrastructure, that way there is no way the attackers can directly access the backup systems. Secondly, the backup data should be immutable so that the ransomware variant cannot overwrite or change the backup data. You should also follow the 3-2-1 Rule, where you have 3 backups, 2 different media (disk/tape) and 1 off site. This will ensure that you can successfully restore if needed. Lastly, you should have processes in place that verify the backup and restore procedures and ensure that you can restore data.
- Visibility – Having visibility on what is going on in your infrastructure is also an important aspect to be able to detect if there is an on-going attack or if someone is trying to do some reconnaissance. We have seen that many attackers are just selling remote access to customer environments and letting others handle the ransomware deployment, so having insight about if someone managed to get access is important. This means that we need to have proper logging in place from different systems such as Active Directory, Windows Security Event Logs, Network logs and other appliances from Syslog, NetFlow and others to be able to see the whole picture. This log source should be collected into a centralized log source which can be then used to monitor for abnormal behavior. For example, something as simple as monitoring for EventID 4625, which detects if someone has failed logon attempts to an Active Directory domain.
- Other related actions to reduce risk – There are also other mechanisms which can prevent certain lateral movement after an initial compromise. Such as
- Disable older versions of SMB protocol
- Ensure SMB Signing is enabled
- Upgrade to newer versions of PowerShell and remove older versions
- Download Local Administrator Password Solution (LAPS) from Official Microsoft Download Center to ensure password rotation for local administrator accounts
- Monitoring DNS traffic for queries to malicious domains can be done using Log Analytics and DNS monitoring (or Sentinel)
- Block Traffic to and from Tor Addresses using some form of IP reputation or DNS filtering (preferably both) and NDR (Newly Created Domain Records)
Assume breach and how to secure yourself for future threats
Much of the techniques attackers use to distribute their ransomware is possible because of the way Active Directory is configured and has historically operated, where end-users and devices have been part of a large trust-based architecture. Which means that if you are on the inside you can, based upon the architecture, get access and SSO to resources if you have access.
The way ahead and also to remove this risk is to start looking into moving your endpoints to use Azure Active Directory.
However, nothing is guaranteed to protect you 100% from attacks, and one thing that many CIOs and CISOs need to start to understand is that one day you will get attacked, so start planning your security and governance based upon if you have already been hacked. Also going back to the point that attackers now also use data exfiltration as part of their extortion techniques, it’s important to start looking into DLP options to ensure that information and data is encrypted and thereby not accessible for attackers, even if they managed to get access to the data.
Related:
