Wednesday, January 13, 2021

Cyber Security ROI for the CEO - Part Two - Ransomware Prevention

 


"...you can't defend. You can't prevent. The only thing you can do is detect and respond..." Bruce Schneier

What we will discuss in this section:

  1. Review of Part One 
  2. Let's discuss what Ransomware is...
  3.  What does a Ransomware attack look like?
  4.  Let's talk about Cyber Security Architecture
  5.  What is your business's appetite for change?

Setting the stage for success: Recapping Part One's Homework...

So we begin Part Two on solid footing. You are or should be well on your way to ensuring that your Cyber Security Tools (People, Process and Technologies) are aligned with your business critical requirements and that Risk, Compliance and Audit are meeting early and often with your Cyber Security Teams to leverage and enhance these alignments...

Let's discuss what Ransomware is...

You need to understand that ransomware is a business, very profitable, low risk , low cost, its all upside to the attacker. You need to have a solid plan to remove these incentives and drive up the "cost" to the attackers to incentivize them to go elsewhere.

It's not easy to find a scholarly definition of ransomware. Every vendor seems to have a definition that makes their product appear to be the silver bullet that will protect your business from ransomware. The following, is the best research paper and analysis of ransomware that I could find: via Science Direct, Technology University of Malaysia, July 9th, 2017 Ransomware Threat Success Factors Reference

It's dense and chewy but it gets us to a vendor agnostic point of reference.

Ransomware is an attack against your business - with the intent to deny you access to resources and extort money from you - bottom line, it is a crime. 

There is a lot you can do to protect yourself without spending a lot of money, that approach [People, Process & Technology] will be the focus of this article.

THE BOTTOM LINE: There is a high likelihood that your business currently owns and is not using or incorrectly implementing capabilities that can dramatically lower your risks of ransomware. That is the premise that the following recommendations are based on.

I was discussing Ransomware Prevention with a customer not long ago, a very profitable business with Billions in recurring revenue to protect, solid brand recognition and a consumer loyalty metric that was the envy of their competitors. They weren't really taking Cyber Security in general and ransomware in particular seriously (of course that statement is my opinion). Not being a FUD [Fear, Uncertainty and Doubt] person, I explained to them that a determined attacker could invest millions, hire the best hackers, etc...and target them because the potential payoff was so lucrative (the conversation was longer and more involved than this), they finally agreed to some of the recommendations you will find in this article, but, as always the greatest problem was and will always be, people's ability to absorb change. Some things never change, it all boils down to two things: (1.) people; and (2.) change management. You can have the greatest plans on the planet but if people will not utilize them, they are useless.

What does a Ransomware attack look like? 

Hopefully, if you are hit with a ransomware attack it will not be the well coordinated, targeted attack like Maersk shipping experienced in 2017, that attack is the stuff of legends.

Maersk Shipping and Not Petya

Most ransomware attacks progress something like this:

  1. An attacker gets in your network and gains elevated privileges
  2. The attacker uses these elevated privileges to identify your disaster recovery tools or site and/or backup tools
  3. The attacker downloads encryption keys to encrypt your backup media, regardless of type
  4. The attacker may take over other key systems or software applications in your business
  5. The attacker notifies you and demands payment

Let's talk about Cyber Security Architecture

Most businesses have adopted what we call a "defense in depth" approach to Cyber Security. It is neither good nor bad, but it does carry with it a burden of risk that given our evolving technology landscape may no longer be wise.

Minimizing risk in the following ways means you must also manage the change - People, Process and Technology.

From a practical perspective, we are making the recommendations below. These are not all inclusive nor are they intended to be, these recommendations are focused at small to medium sized businesses and common tools in most businesses IT / Cyber Security shops.

DISCLAIMER: I want to apologize in advance, given the nature of the current topic, what follows will be somewhat technical yet dramatically over simplified. Feel free to reach out for details if you would like them.

Things that remove a lot of risk, with little capitol expenditure:

Implement Structured Hardening - One source for system and application hardening recommendations

There are numerous sources for recommendations for system and software application hardening (chances are good that if you ask, the vendor will give you their hardening guides for free), it is in your best interest to invest the time to adopt an evolutionary approach to structures hardening.

Start out slowly, set a goal and stick with the plan. Make your systems and software applications hard to break into, by increasing hardening settings on a quarterly basis. Over time you will be dramatically reducing your attack surface.

Here is a great example of an evolving approach

Consider implementing the NIST Privileged Access Workstation [PAW] methodologies for your IT and Cyber Security Staff.

Implementing PAW as a standardized, hardened virtual machine can mitigate an ocean of risks. You can significantly enhance the security of this approach by putting the PAW VM's on their own VLAN and requiring multi-factor authentication or MFA to authenticate into the PAW VM. In this manner, the inherent risk of an IT or Cyber Security privileged account can be almost completely mitigated.

Consider implementing a "privileged access workstation VM" model

Decouple Cyber Security Tools from Active Directory

It is a well documented fact that all of your IT and Cyber Security tools have a dark side that can be used against your business as a weapon if compromised.

By removing Active Directory integration form these tools and making them an "island of authentication" a compromised Active Directory USERID cannot be used to turn your trusted tools against your business. Yes, it is inconvenient, but the risk reduction and piece of mind more than make up for that. If you go the extra mile to enhance this by requiring Multi Factor Authentication [MFA] to use the tool, you will be dramatically increasing the trust of the tool as well.

Protection Profiles for your High Risk Workforce   

Make sure that your Cyber Security dollars are focused on those employees that are associated with high risk positions. Using a one size fits all approach to Cyber Security spending for all employees, regardless of the inherent risk of their position needlessly drives up the costs of Cyber Security. You would be better served by developing standardized "Protection Profiles" and allocating resources based on that model.

Elevated Privilege Account - Lifecycle Management

If you are like most businesses, your employees with "elevated privilege" accounts have a 7x24x365 risk profile. If their account is compromised by an attacker, that attacker also has a 7x24x365 window to prosecute an attack against YOU. 

If you are using Windows Server 2016 or 2019, you own a capability knows as "just in time administration" which allows you to "loan" elevated privileges to authorized personnel for a short time, then automatically remove them, dramatically shrinking the attack surface against your business. This capability you own now, and allows you to shrink this risk windows down to hours instead of always on. See the two examples below for how to implement and test this capability in your business.

EXAMPLE ONE

EXAMPLE TWO

Windows Service Accounts - Lifecycle Management

Your service accounts represent a large attack surface within your enterprise that can be used against you by an attacker. Service Account passwords are rarely if ever changed and a great many service accounts have elevated privileges. This represents an unacceptable risk to your business and chances you own the tools to remove this risk now.

Microsoft Active Directory has a capability currently referred to as "Group Managed Service Accounts" [GMSA], if you are like most businesses you are not leveraging this to minimize risk. By implementing GMSA's you can turn over password management and complexity to an automation, and specify the time to live for the GMSA's. You can migrate them from never changing (high risk) to say, changing every twenty-four hours. This greatly reduces the attack surface of non human accounts.

Here is a great reference to free cyber security capabilities in Windows Server 2019

Here is a great reference on GMSA's

E-mail Risk Reduction

There are many low cost ways to minimize risk in your current email systems. 

Going by the following acronyms: SPF; DKIM and DMARC. These may seem like small steps, but they can add up to a big risk reduction plus helping stop bad actors from impersonating your company and alerting you to such efforts. 

These mainstream email security tools are free to use and most likely built into your current email systems capabilities.

Here is a great reference on email risk mitigation

Defang URL's

Allowing URL's (hypertext links) in email is convenient but brings with it an unacceptable burden of risk. Depending on your email routing architecture, you can configure technologies to convert these URL's to plain text thus denying an attacker this convenience based attack surface.

Things that remove a lot of risk, but require capitol expenditure:

Enterprise Password Manager

An enterprise password manager is something that can reduce your attack surface significantly. A password manager should be able to: Manage work and personal passwords for your personnel (to minimize friction with adoption); and control password length, complexity and time to live.

An enterprise password manager should allow your human and non-human passwords to be long, complex and change often to minimize the attack surface and reduce risk.

Security Orchestration, Automation and Response [SOAR]

"...SOAR is a solution stack of integrated software programs that allow an organization to collect data about security threats, and respond without human intervention..."

The current threat landscape is an automation attacking your business, but, your business response is based on human reaction time. This gives the nonhuman attacker a significant advantage. The goal of SOAR is to move your business to a nonhuman response posture to greatly enhance your chances of mitigating an attack.

The following are some possible technologies that could be combined to create a SOAR capability for your business.

A great SOAR analysis

802.1x

802.1x is a capability that is built into your network now. It allows your wired and wireless network to become the first line of defense for your business. 802.1x can be implemented to require an authorization token from either the computer or the human or both BEFORE either is allowed to join your corporate network. This is a very powerful risk mitigation.

802.1x can be configured to notify your SOAR stack if a computer or human does not properly authenticate and your SOAR can, without human intervention, disable that network port the attacker is trying to utilize and call a human for assistance. Powerful stuff.

Here is a great 802.1x primer

DNS / IP reputation

Should an attacker get into your network, they will need to "phone home" for encryption keys to prosecute a ransomware attack against your business. By implementing a DNS and/or IP firewall technology, your SOAR can be notified of an outbound connection request to a known attack site and stop the attack instantly, then communicate with your SOAR to disable the network port of the threat actor, almost instantaneously.

SANS case study on the DNS Firewall ROI

Security Information and Event Management (SIEM)

Your SIEM tool should be integrated into your SOAR "solution stack" such that your SOAR can automate defensive measures based on patterns that the SIEM can be configured to alert on.

For example: Your firewall logs are sent to your SIEM. Your SIEM is configured to compare outbound connection requests against your IP and DNS firewall threat intelligence database. If there is a match, your SOAR tool will tell your network management system to disable the connection to the computer from which the request was sent and notify a human to go take a look. This could happen in nano-seconds, compared to waiting for a human SOC analyst to "catch" the attack which might take minutes to hours or not at all.

What is your business's appetite for change?

Implementing any of the recommendations above will mean change. Change for your IT and Cyber Security Teams, for your Network Team, etc... As well as for your non technical employees.

Protecting your business against a sophisticated attacker will require your Executive Team to manage these changes and support your technology teams to implement the changes to protect your business.

There are no silver bullets nor easy answers. Just awareness and willingness. This does not have to be costly in dollars, but change also comes with a cost.

Next Steps

If you have questions or comments, please let me know: the_Secret_CISO@Protonmail.com

 

Copyright © 2021 by"the Secret CISO"

All Rights Reserved.

 

 

20 comments:

  1. nice https://secretciso.blogspot.com/2021/01/cyber-security-roi-for-ceo-part-two.html#comment-form

    ReplyDelete
  2. There is a quite well-known vCISO consultant known as Goetzman who works remotely in cybersecurity, and he has a chance to reduce cyber risks plus frauds. He supplies a fantastic level of data security and makes the company’s assets totally risk-free. If you check out this https://swaylbur.blogspot.com/2021/04/milwaukee-ciso-are-here-to-help-you-out.html site, you can get an increasing number of details about Goetzman.

    ReplyDelete
  3. Nice post. I was checking constantly this blog and I’m impressed! Extremely useful info specially the last part I care for such information a lot. I was seeking this certain info for a long time. Thank you and good luck. security company in cambodia

    ReplyDelete
  4. This article was written by a real thinking writer without a doubt. I agree many of the with the solid points made by the writer. I’ll be back day in and day for further new updates. http://securitycompany1122.pages10.com/Security-Company-in-Cambodia-42354223

    ReplyDelete
  5. Thanks for sharing this information. I really like your blog post very much. You have really shared a informative and interesting blog post with people.. prince security service

    ReplyDelete
  6. Thanks for a very interesting blog. What else may I get that kind of info written in such a perfect approach? I’ve a undertaking that I am simply now operating on, and I have been at the look out for such info. cambodia security company

    ReplyDelete
  7. Great Information sharing .. I am very happy to read this article .. thanks for giving us go through info.Fantastic nice. I appreciate this post. https://site-7032097-5889-106.mystrikingly.com

    ReplyDelete
  8. Positive site, where did u come up with the information on this posting? I'm pleased I discovered it though, ill be checking back soon to find out what additional posts you include. security guard

    ReplyDelete
  9. This comment has been removed by the author.

    ReplyDelete
  10. I definitely enjoying every little bit of it. It is a great website and nice share. I want to thank you. Good job! You guys do a great blog, and have some great contents. Keep up the good work. best security company in cambodia

    ReplyDelete
  11. I have read all the comments and suggestions posted by the visitors for this article are very fine,We will wait for your next article so only.Thanks! school security guard

    ReplyDelete
  12. This particular papers fabulous, and My spouse and i enjoy each of the perform that you have placed into this. I’m sure that you will be making a really useful place. I has been additionally pleased. Good perform! https://security6790s-site.yolasite.com

    ReplyDelete
  13. Thanks for picking out the time to discuss this, I feel great about it and love studying more on this topic. It is extremely helpful for me. Thanks for such a valuable help again. https://security-s-school-1cc6.thinkific.com/courses/your-first-course

    ReplyDelete
  14. Thanks for a wonderful share. Your article has proved your hard work and experience you have got in this field. Brilliant .i love it reading. security company in sihanoukville

    ReplyDelete
  15. I was reading some of your content on this website and I conceive this internet site is really informative ! Keep on putting up. security guard sihanoukville

    ReplyDelete
  16. Very informative post! There is a lot of information here that can help any business get started with a successful social networking campaign. best security guard sihanoukville

    ReplyDelete
  17. Great article Lot's of information to Read...Great Man Keep Posting and update to People..Thanks best khmer security company

    ReplyDelete
  18. Positive site, where did u come up with the information on this posting?I have read a few of the articles on your website now, and I really like your style. Thanks a million and please keep up the effective work. best security guard company

    ReplyDelete
  19. Hey what a brilliant post I have come across and believe me I have been searching out for this similar kind of post for past a week and hardly came across this. Thank you very much and will look for more postings from you. https://uniformsecurityguard.blogspot.com/2022/05/five-reasons-why-you-should-invest-in.html

    ReplyDelete