"...you can't defend. You can't prevent. The only thing you can do is detect and respond..." Bruce Schneier
What we will discuss in this section:
- Review of Part One
- Let's discuss what Ransomware is...
- What does a Ransomware attack look like?
- Let's talk about Cyber Security Architecture
- What is your business's appetite for change?
Setting the stage for success: Recapping Part One's Homework...
So we begin Part Two on solid footing. You are or should be well on your way to ensuring that your Cyber Security Tools (People, Process and Technologies) are aligned with your business critical requirements and that Risk, Compliance and Audit are meeting early and often with your Cyber Security Teams to leverage and enhance these alignments...
Let's discuss what Ransomware is...
You need to understand that ransomware is a business: very profitable, low risk, low cost, all upside to the attacker. You need a solid plan to remove these incentives and drive up the "cost" to the attackers so that they are incentivized to go elsewhere.
It's not easy to find a scholarly definition of ransomware. Every vendor seems to have a definition that makes their product appear to be the silver bullet that will protect your business from ransomware. The following is the best research paper and analysis of ransomware that I could find: via Science Direct, Technology University of Malaysia, July 9th, 2017 Ransomware Threat Success Factors Reference
It's dense and chewy but it gets us to a vendor agnostic point of reference.
Ransomware is an attack against your business - with the intent to deny you access to resources and extort money from you - bottom line, it is a crime.
There is a lot you can do to protect yourself without spending a lot of money; that approach [People, Process & Technology] will be the focus of this article.
THE BOTTOM LINE: There is a high likelihood that your business currently owns and is not using or incorrectly implementing capabilities that can dramatically lower your risks of ransomware. That is the premise that the following recommendations are based on.
I was discussing Ransomware Prevention with a customer not long ago, a very profitable business with billions in recurring revenue to protect, solid brand recognition and a consumer loyalty metric that was the envy of their competitors. They weren't really taking Cyber Security in general and ransomware in particular seriously (of course that statement is my opinion). Not being a FUD [Fear, Uncertainty and Doubt] person, I explained to them that a determined attacker could invest millions, hire the best hackers, etc., and target them because the potential payoff was so lucrative (the conversation was longer and more involved than this). They finally agreed to some of the recommendations you will find in this article, but, as always, the greatest problem was and will always be people's ability to absorb change. Some things never change; it all boils down to two things: (1.) people; and (2.) change management. You can have the greatest plans on the planet, but if people will not utilize them, they are useless.
What does a Ransomware attack look like?
Hopefully, if you are hit with a ransomware attack, it will not be the well-coordinated, targeted attack that Maersk shipping experienced in 2017; that attack is the stuff of legends.
Most ransomware attacks progress something like this:
- An attacker gets in your network and gains elevated privileges
- The attacker uses these elevated privileges to identify your disaster recovery tools or site and/or backup tools
- The attacker downloads encryption keys to encrypt your backup media, regardless of type
- The attacker may take over other key systems or software applications in your business
- The attacker notifies you and demands payment
Let's talk about Cyber Security Architecture
Most businesses have adopted what we call a "defense in depth" approach to Cyber Security. It is neither good nor bad, but it does carry with it a burden of risk that given our evolving technology landscape may no longer be wise.
Minimizing risk in the following ways means you must also manage the change - People, Process and Technology.
From a practical perspective, we are making the recommendations below. These are not all-inclusive, nor are they intended to be; they are focused on small to medium sized businesses and the common tools found in most businesses' IT / Cyber Security shops.
DISCLAIMER: I want to apologize in advance: given the nature of the current topic, what follows will be somewhat technical yet dramatically oversimplified. Feel free to reach out for details if you would like them.
Things that remove a lot of risk, with little capital expenditure:
Implement Structured Hardening - One source for system and application hardening recommendations
There are numerous sources of recommendations for system and software application hardening (chances are good that if you ask, the vendor will give you their hardening guides for free); it is in your best interest to invest the time to adopt an evolutionary approach to structured hardening.
Start out slowly, set a goal and stick with the plan. Make your systems and software applications hard to break into by increasing hardening settings on a quarterly basis. Over time you will dramatically reduce your attack surface.
Here is a great example of an evolving approach
Consider implementing the NIST Privileged Access Workstation [PAW] methodologies for your IT and Cyber Security Staff.
Implementing PAW as a standardized, hardened virtual machine can mitigate an ocean of risks. You can significantly enhance the security of this approach by putting the PAW VMs on their own VLAN and requiring multi-factor authentication [MFA] to authenticate into the PAW VM. In this manner, the inherent risk of an IT or Cyber Security privileged account can be almost completely mitigated.
Consider implementing a "privileged access workstation VM" model
Decouple Cyber Security Tools from Active Directory
It is a well documented fact that all of your IT and Cyber Security tools have a dark side that can be used against your business as a weapon if compromised.
By removing Active Directory integration from these tools and making them an "island of authentication", a compromised Active Directory user ID cannot be used to turn your trusted tools against your business. Yes, it is inconvenient, but the risk reduction and peace of mind more than make up for that. If you go the extra mile and require Multi Factor Authentication [MFA] to use the tool, you will dramatically increase the trust of the tool as well.
Protection Profiles for your High Risk Workforce
Make sure that your Cyber Security dollars are focused on those employees who hold high risk positions. Using a one-size-fits-all approach to Cyber Security spending for all employees, regardless of the inherent risk of their position, needlessly drives up the cost of Cyber Security. You would be better served by developing standardized "Protection Profiles" and allocating resources based on that model.
Elevated Privilege Account - Lifecycle Management
If you are like most businesses, your employees with "elevated privilege" accounts have a 7x24x365 risk profile. If their account is compromised by an attacker, that attacker also has a 7x24x365 window to prosecute an attack against YOU.
If you are using Windows Server 2016 or 2019, you already own a capability known as "just in time administration", which allows you to "loan" elevated privileges to authorized personnel for a short time and then automatically remove them, dramatically shrinking the attack surface against your business. You own this capability now, and it lets you shrink the risk window down to hours instead of always on. See the two examples below for how to implement and test this capability in your business.
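One way to put the time-boxed loan above into practice, as an added example that is not from the original article: it uses the Privileged Access Management optional feature of Active Directory on Windows Server 2016/2019, and assumes the ActiveDirectory PowerShell module, Domain Admin rights and a forest at the 2016 functional level; the forest, group and account names are placeholders.

```powershell
# Added example, not from the original article: time-boxed ("just in time")
# membership in a privileged group via the Privileged Access Management
# optional feature built into Active Directory on Windows Server 2016/2019.
# Assumes the ActiveDirectory module, Domain Admin rights and a forest at the
# 2016 functional level. Forest, group and account names are placeholders.
Import-Module ActiveDirectory

$Forest   = 'corp.example.com'       # placeholder forest name
$Group    = 'Domain Admins'          # privileged group being loaned out
$Operator = 'alice.admin'            # placeholder admin account
$Window   = New-TimeSpan -Hours 2    # how long the loan lasts

# 1. One-time setup: enabling the feature cannot be undone, so check first.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false
}

# 2. Loan the privilege. AD removes the membership itself when the TTL
#    expires and caps the operator's Kerberos ticket lifetime to the same
#    TTL, so a stolen ticket dies with the loan.
Add-ADGroupMember -Identity $Group -Members $Operator -MemberTimeToLive $Window

# 3. Verify: members with a TTL are listed as <TTL=seconds,DN> entries.
(Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
    Where-Object { $_ -like '<TTL=*' }
```

Step 3 is also your audit check: any entry in the group without a TTL prefix is a standing privilege that still needs a business justification.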
Windows Service Accounts - Lifecycle Management
Your service accounts represent a large attack surface within your enterprise that can be used against you by an attacker. Service account passwords are rarely if ever changed, and a great many service accounts have elevated privileges. This represents an unacceptable risk to your business, and chances are you already own the tools to remove this risk.
Microsoft Active Directory has a capability currently referred to as "Group Managed Service Accounts" [GMSA]; if you are like most businesses, you are not leveraging it to minimize risk. By implementing GMSAs you can turn password management and complexity over to automation and specify the time to live for each GMSA password. You can migrate from passwords that never change (high risk) to passwords that change, say, every twenty-four hours. This greatly reduces the attack surface of non-human accounts.
Here is a great reference to free cyber security capabilities in Windows Server 2019
Here is a great reference on GMSAs
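The twenty-four-hour rotation described above, as an added example that is not from the original article: it assumes the ActiveDirectory PowerShell module, Domain Admin rights and Windows Server 2012 or later domain controllers; the group, host and account names are placeholders.

```powershell
# Added example, not from the original article: a Group Managed Service
# Account whose password AD generates and rotates every 24 hours.
# Assumes the ActiveDirectory module, Domain Admin rights and Windows
# Server 2012+ domain controllers. All names below are placeholders.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key that all gMSA passwords derive from.
# Even with -EffectiveImmediately the key becomes usable only after about
# 10 hours, once every domain controller has replicated it; plan around that.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only hosts in this group may retrieve the password (computer accounts end in $).
New-ADGroup -Name 'gMSA-AppHosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSA-AppHosts' -Members 'APPSRV01$'

# The account itself. The rotation interval is fixed at creation and cannot
# be changed afterwards, so decide on it now (the default is 30 days).
New-ADServiceAccount -Name 'svc_app' `
    -DNSHostName 'svc_app.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-AppHosts' `
    -ManagedPasswordIntervalInDays 1

# On APPSRV01 (after a reboot, so its new group membership is in its token):
Install-ADServiceAccount -Identity 'svc_app'
Test-ADServiceAccount -Identity 'svc_app'   # fails if this host cannot fetch the password
```

The service is then configured to log on as `CORP\svc_app$` with an empty password field; Windows fetches the current password from AD, so no human ever knows or types it.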
E-mail Risk Reduction
There are many low cost ways to minimize risk in your current email systems.
They go by the acronyms SPF, DKIM and DMARC. These may seem like small steps, but they add up to a big risk reduction, help stop bad actors from impersonating your company and alert you to such attempts.
These mainstream email security tools are free to use and most likely built into your current email system's capabilities.
Here is a great reference on email risk mitigation
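A quick posture check for the three records named above, as an added example that is not from the original article: `Resolve-DnsName` is the standard DnsClient cmdlet; the domain and DKIM selector are placeholders, and the rating rules are my own reading of the settings that commonly leave a domain exposed.

```powershell
# Added example, not from the original article: flag weak SPF/DKIM/DMARC
# settings for a domain. Domain and selector are placeholders; the findings
# text reflects common weak configurations, not a vendor standard.
function Get-MailAuthFindings {
    param([string]$Spf, [string]$Dmarc, [bool]$DkimPresent)
    $f = @()
    if (-not $Spf)                     { $f += 'SPF: no v=spf1 record, so anyone can send as this domain' }
    elseif ($Spf -match '\s[\+\?]all') { $f += 'SPF: "+all"/"?all" authorises every sender; change to -all' }
    elseif ($Spf -match '\s~all')      { $f += 'SPF: softfail (~all); move to -all once DMARC reports are clean' }
    if (-not $Dmarc)                          { $f += 'DMARC: no _dmarc record, so receivers cannot enforce or report' }
    elseif ($Dmarc -match '(^|;)\s*p=none')   { $f += 'DMARC: p=none only monitors; raise to quarantine, then reject' }
    if ($Dmarc -and $Dmarc -notmatch 'rua=')  { $f += 'DMARC: no rua= address, so you receive no aggregate reports' }
    if (-not $DkimPresent)                    { $f += 'DKIM: selector not published; outbound mail is unsigned' }
    return $f
}

function Test-MailAuthPosture {
    param([string]$Domain, [string]$DkimSelector = 'selector1')
    $txt = {
        param($name)
        Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Strings -join '' }
    }
    $spf   = @(& $txt $Domain) | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $dmarc = @(& $txt "_dmarc.$Domain") | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dkim  = @(& $txt "$DkimSelector._domainkey.$Domain") | Where-Object { $_ -match 'p=' }
    Get-MailAuthFindings -Spf $spf -Dmarc $dmarc -DkimPresent ([bool]$dkim)
}

# Offline run with constructed records (weak on purpose):
Get-MailAuthFindings -Spf 'v=spf1 include:_spf.example.net ~all' -Dmarc 'v=DMARC1; p=none' -DkimPresent $false
# Live run against your own domain (placeholder name):
Test-MailAuthPosture -Domain 'corp.example.com' -DkimSelector 'selector1'
```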
Defang URLs
Allowing URLs (hypertext links) in email is convenient but brings with it an unacceptable burden of risk. Depending on your email routing architecture, you can configure technologies to convert these URLs to plain text, thus denying an attacker this convenience-based attack surface.
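The conversion itself, as an added example that is not from the original article: the function rewrites every hyperlink in a message body so it stays readable but no longer opens when clicked; where you run it (gateway, transport rule, client add-in) depends on your routing, and the sample message is constructed.

```powershell
# Added example, not from the original article: neutralise ("defang") every
# hyperlink in a message body. The scheme and the dots are rewritten so the
# text still reads as a URL for a human but is not clickable or resolvable.
function ConvertTo-DefangedText {
    param([string]$Body)
    $urlPattern = '(?i)\b(?:https?|ftp)://[^\s<>"'']+'
    $evaluator = {
        param($m)
        # -replace is case-insensitive, so https becomes hxxps as well.
        $m.Value -replace '^http', 'hxxp' -replace '^ftp', 'fxp' `
                 -replace '://', '[://]' -replace '\.', '[.]'
    }
    [regex]::Replace($Body, $urlPattern, [System.Text.RegularExpressions.MatchEvaluator]$evaluator)
}

# Constructed sample message: one hostname link and one raw-IP link.
$sample = 'Your invoice is ready at https://pay.example.com/inv/42 (mirror: http://203.0.113.7/inv)'
ConvertTo-DefangedText -Body $sample
```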
Things that remove a lot of risk, but require capital expenditure:
Enterprise Password Manager
An enterprise password manager is something that can reduce your attack surface significantly. A password manager should be able to: manage work and personal passwords for your personnel (to minimize friction with adoption); and control password length, complexity and time to live.
An enterprise password manager should allow your human and non-human passwords to be long, complex and change often to minimize the attack surface and reduce risk.
Security Orchestration, Automation and Response [SOAR]
"...SOAR is a solution stack of integrated software programs that allow an organization to collect data about security threats, and respond without human intervention..."
The current threat landscape is automation attacking your business, but your business's response is based on human reaction time. This gives the non-human attacker a significant advantage. The goal of SOAR is to move your business to a non-human response posture, greatly enhancing your chances of mitigating an attack.
The following are some possible technologies that could be combined to create a SOAR capability for your business.
802.1x
802.1x is a capability that is built into your network now. It allows your wired and wireless network to become the first line of defense for your business. 802.1x can be implemented to require an authorization token from either the computer or the human or both BEFORE either is allowed to join your corporate network. This is a very powerful risk mitigation.
802.1x can be configured to notify your SOAR stack if a computer or human does not properly authenticate and your SOAR can, without human intervention, disable that network port the attacker is trying to utilize and call a human for assistance. Powerful stuff.
DNS / IP reputation
Should an attacker get into your network, they will need to "phone home" for encryption keys to prosecute a ransomware attack against your business. By implementing a DNS and/or IP firewall technology, an outbound connection request to a known attack site can be stopped instantly, and the firewall can notify your SOAR, which then disables the network port of the threat actor almost instantaneously.
SANS case study on the DNS Firewall ROI
Security Information and Event Management (SIEM)
Your SIEM tool should be integrated into your SOAR "solution stack" such that your SOAR can automate defensive measures based on patterns that the SIEM can be configured to alert on.
For example: your firewall logs are sent to your SIEM. Your SIEM is configured to compare outbound connection requests against your IP and DNS firewall threat intelligence database. If there is a match, your SOAR tool tells your network management system to disable the connection to the computer from which the request was sent and notifies a human to go take a look. This could happen in nanoseconds, compared to waiting for a human SOC analyst to "catch" the attack, which might take minutes to hours, or never happen at all.
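The correlation step of that example, as an added example that is not from the original article: it runs over constructed firewall log lines and a constructed indicator list (none of the addresses or names are real indicators), and in production the lines would come from the SIEM and the "Action" would become a call to your network management and paging systems.

```powershell
# Added example, not from the original article: match outbound firewall
# log lines against a threat-intel list and emit the playbook action.
# Log lines and indicators are constructed; nothing here is a real IoC.

$ThreatIntel = @{                                   # constructed indicators
    '203.0.113.45'          = 'known C2 address'
    'keys.bad-example.test' = 'ransomware key server'
}

$FirewallLog = @(                                   # constructed log lines
    '2021-06-01T10:00:01Z src=10.1.5.23 dst=93.184.216.34 host=example.com action=allow',
    '2021-06-01T10:00:07Z src=10.1.5.23 dst=203.0.113.45 host=- action=allow',
    '2021-06-01T10:00:09Z src=10.1.7.8 dst=198.51.100.9 host=keys.bad-example.test action=allow'
)

function Find-ThreatMatches {
    param([string[]]$Lines, [hashtable]$Intel)
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+) src=(?<src>\S+) dst=(?<dst>\S+) host=(?<host>\S+)') {
            $m = $Matches
            # Destination IP first, then the name it resolved from; first hit wins.
            $indicator = @($m.dst, $m.host) | Where-Object { $Intel.ContainsKey($_) } | Select-Object -First 1
            if ($indicator) {
                [pscustomobject]@{
                    Time      = $m.ts
                    SourceIP  = $m.src
                    Indicator = $indicator
                    Reason    = $Intel[$indicator]
                    # Playbook: isolate the source host, then wake a human.
                    Action    = "Disable switch port of $($m.src); page on-call analyst"
                }
            }
        }
    }
}

Find-ThreatMatches -Lines $FirewallLog -Intel $ThreatIntel | Format-Table -AutoSize
```

The second and third lines match (one by destination IP, one by resolved name); the first, to a host that is not on the list, produces no action, which is the false-positive discipline the SIEM rule needs before it is allowed to disable ports on its own.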
What is your business's appetite for change?
Implementing any of the recommendations above will mean change: change for your IT and Cyber Security Teams, for your Network Team, etc., as well as for your non-technical employees.
Protecting your business against a sophisticated attacker will require your Executive Team to manage these changes and support your technology teams to implement the changes to protect your business.
There are no silver bullets nor easy answers. Just awareness and willingness. This does not have to be costly in dollars, but change also comes with a cost.
Next Steps
If you have questions or comments, please let me know: the_Secret_CISO@Protonmail.com
Copyright © 2021 by "the Secret CISO"
All Rights Reserved.