All organizations grow and evolve differently, and that growth often happens at the expense of periodic reviews of the IT infrastructure and security controls that were initially designed to host or protect intellectual property, critical applications, and sensitive client or personal data. We have seen organizations get hit hard with ransomware, and as we have worked through helping them recover, we have found that a little bit of planning could have significantly reduced the severity of the incidents. Cybercrime groups are also becoming more prolific and have the resources to target multiple victims at once. Given the attack surface that most organizations present, there is a high likelihood that other groups will take an interest in an organization in the future, so the threat of a further incident remains high even after recovering from one.
With the high possibility of an incident at any given time, it can be a daunting task trying to defend against the unknown. One way to plan for this is to understand the goals of a ransom group. Once they gain access, they move laterally through the organization to reach a domain controller, mapping the IT infrastructure as they go. From there, they work to identify critical systems and sensitive data to ransom, along with backup and virtualization infrastructure that they will encrypt or delete to maximize the chance that the victim will negotiate. The end goal is to cause serious damage to an organization and its reputation. The team at Mandiant has done an excellent job of breaking down the attack lifecycle (shown below), which can be referenced for more detail [1].
With an understanding of a ransom group’s goals, let’s look at 8 examples of best practices that can be implemented to provide for a more resilient architecture.
Vulnerability Management
Outside of phishing, vulnerable software is the most prevalent avenue of ingress for a Threat Actor. Attackers can exploit a known vulnerability on an Internet-facing asset, which often provides the access needed to quickly obtain domain-level credentials. Agent-based vulnerability management software, backed by periodic vulnerability scans of Internet-facing and internal assets to quickly highlight the parts of the infrastructure that have fallen through the cracks, can greatly reduce the attack surface. This, coupled with the network segmentation discussed below, is extremely effective at limiting the access a Threat Actor can gain.
Multifactor Authentication
Use of static, default, or shared passwords along with legacy authentication for remote access poses a huge risk to organizations. Multifactor Authentication (MFA) so effectively mitigates this risk that some insurance carriers consider it a requirement for cyber policy renewals. MFA should be implemented as widely as possible, but specific focus areas to consider are access to email, external-facing or cloud-based systems, and sensitive systems such as domain controllers and backup solutions.
Network Segmentation
While the idea of defense in depth has been around for a while, most organizations still have a single, flat network. Flat networks allow Threat Actors to spread throughout the organization's entire infrastructure with ease. Network segmentation is an effective way to stop lateral movement and substantially reduces the attack surface a Threat Actor has access to. With this model, the network is divided into multiple smaller networks, and access between them is managed by policy, for example through tags assigned to hosts rather than individual addresses.
Through network segmentation, the most vital infrastructure can be made virtually inaccessible to all but the functions that require access. Network segmentation can also enable a larger zero-trust model by segmenting third-party vendors, effectively mitigating supply chain attacks. The recent Colonial Pipeline attack is a great example of this.
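The tag-based model described above, as an added example that is not part of the original article: hosts carry role tags, a flow is permitted only when an explicit allow rule matches the source tag, destination tag and port, and everything else is denied. The host names, tags and rules are constructed for illustration; `who_can_reach` is the review a defender would run to confirm that domain controllers, backups and hypervisors are reachable from administrative paths only.

```python
"""Tag-based network segmentation, modelled as an allow-list policy engine.

Added example (not from the original article). Hosts carry tags describing
their role; a flow between two hosts on a TCP port is permitted only when an
explicit rule matches a (source tag, destination tag, port) triple. Anything
not matched is denied, which is what stops a compromised workstation from
reaching backup or hypervisor infrastructure directly.
Host names, tags and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Host:
    name: str
    tags: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    ports: FrozenSet[int]  # TCP ports the rule permits


def host(name: str, *tags: str) -> Host:
    return Host(name, frozenset(tags))


# Constructed sample inventory. "tier0" marks the assets a ransomware operator
# goes after first: domain controllers, backups and virtualization hosts.
HOSTS: Dict[str, Host] = {h.name: h for h in [
    host("ws-101", "workstation", "corp"),
    host("app-web", "app", "corp"),
    host("dc-01", "domain-controller", "tier0"),
    host("bkp-01", "backup", "tier0"),
    host("esxi-01", "hypervisor", "tier0"),
    host("paw-01", "admin-workstation", "tier0"),
    host("vendor-jump", "vendor"),
]}

# Constructed allow-list. No rule means no access; there are no deny rules
# because deny is the default.
RULES: List[Rule] = [
    Rule("workstation", "domain-controller", frozenset({88, 389, 445, 636})),  # logon traffic
    Rule("app", "domain-controller", frozenset({88, 389, 636})),               # app auth only
    Rule("admin-workstation", "tier0", frozenset({22, 443, 3389, 5985})),      # admin paths
    Rule("backup", "hypervisor", frozenset({443, 902})),                        # backup pulls VMs
    Rule("vendor", "app", frozenset({443})),                                    # vendor sees one app
]


def is_allowed(src: str, dst: str, port: int,
               hosts: Dict[str, Host] = HOSTS, rules: List[Rule] = RULES) -> bool:
    """True if any rule permits src -> dst on port; unknown hosts are denied."""
    if src not in hosts or dst not in hosts or src == dst:
        return False
    s, d = hosts[src], hosts[dst]
    return any(r.src_tag in s.tags and r.dst_tag in d.tags and port in r.ports
               for r in rules)


def who_can_reach(dst: str, hosts: Dict[str, Host] = HOSTS,
                  rules: List[Rule] = RULES) -> Dict[str, List[int]]:
    """Exposure review for one asset: every host with at least one permitted
    port to dst, with the sorted ports. Used to confirm that tier0 assets are
    reachable from administrative paths only."""
    exposure: Dict[str, List[int]] = {}
    for name, h in hosts.items():
        if name == dst:
            continue
        ports = {p for r in rules
                 if r.src_tag in h.tags and r.dst_tag in hosts[dst].tags
                 for p in r.ports}
        if ports:
            exposure[name] = sorted(ports)
    return exposure


if __name__ == "__main__":
    for src, dst, port in [("ws-101", "dc-01", 445), ("ws-101", "bkp-01", 445),
                           ("vendor-jump", "dc-01", 389), ("paw-01", "bkp-01", 22)]:
        verdict = "ALLOW" if is_allowed(src, dst, port) else "DENY"
        print(f"{src} -> {dst}:{port}  {verdict}")
    print("hosts that can reach bkp-01:", who_can_reach("bkp-01"))
```

The same allow-list shape maps onto firewall zones, cloud security groups or host-based policies; the point the check makes is that a workstation keeps the ports it needs for logon to a domain controller while having no path at all to the backup server or hypervisor.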
Backups
Backups are one of the best ways to safeguard an organization against destructive attacks as well as operational mishaps. The best approach is to have backups that are both immutable and indelible, which ensures that data cannot be changed, encrypted, or deleted. Immutability can mean several things, but it is important to look for immutability that is not just logical but also physical. This could mean keeping two or three copies in different locations, using two different storage solutions, and storing one copy off-site in the cloud. This reduces the chances of a threat actor gaining access to everything. It also ensures that a vulnerability in one of those solutions does not compromise all of your backups, and it provides options if an attack takes out an entire datacenter or remote site. Frequency of system backups also plays a role: the more frequently a backup is taken, the less data can potentially be lost on critical systems.
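The points above as a checklist in code, added here as an example that is not part of the original article. Each backup copy is described by its location, storage product, off-site and immutability status, and refresh interval; `check_policy` reports which of the article's requirements a policy misses, and `worst_case_loss` answers the recovery question the article raises: if a site or a storage product is destroyed or compromised, how much data is lost from whatever survives. The two sample policies and their labels are constructed.

```python
"""Backup resilience check. Added example, not from the original article.

Each backup copy is described by where it lives, what storage technology it
uses, whether it is off-site, whether it is immutable (cannot be modified or
deleted before its retention expires) and how often it is refreshed. The
checker applies the article's points as rules and then answers the recovery
question: if an attacker destroys a site or a storage product, what is the
worst-case data loss from what survives? All sample copies are constructed.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    label: str
    site: str            # physical location
    storage: str         # storage product / technology
    offsite: bool
    immutable: bool
    interval: timedelta  # refresh frequency; the worst-case data loss for this copy


def check_policy(copies: List[BackupCopy],
                 max_data_loss: timedelta = timedelta(hours=24)) -> List[str]:
    """Return the list of policy gaps; an empty list means the policy passes."""
    gaps: List[str] = []
    if len(copies) < 2:
        gaps.append("fewer than two copies")
    if len({c.site for c in copies}) < 2:
        gaps.append("all copies in one location")
    if len({c.storage for c in copies}) < 2:
        gaps.append("single storage solution: one vulnerability exposes every copy")
    if not any(c.offsite for c in copies):
        gaps.append("no off-site copy")
    if not any(c.immutable for c in copies):
        gaps.append("no immutable copy: data can be encrypted or deleted")
    if not copies or min(c.interval for c in copies) > max_data_loss:
        gaps.append(f"most frequent copy exceeds the {max_data_loss} data-loss target")
    return gaps


def worst_case_loss(copies: Iterable[BackupCopy],
                    lost_sites: Iterable[str] = (),
                    lost_storage: Iterable[str] = ()) -> Optional[timedelta]:
    """Data-loss window after the named sites/storage products are destroyed.
    None means nothing survives, i.e. there is no recovery option."""
    lost_sites, lost_storage = set(lost_sites), set(lost_storage)
    survivors = [c for c in copies
                 if c.site not in lost_sites and c.storage not in lost_storage]
    if not survivors:
        return None
    return min(c.interval for c in survivors)


# Constructed: everything on one NAS in the primary datacenter.
WEAK = [
    BackupCopy("nightly-full", "hq", "nas-vendor-a", False, False, timedelta(hours=24)),
    BackupCopy("nightly-copy", "hq", "nas-vendor-a", False, False, timedelta(hours=24)),
]

# Constructed: local snapshots, a replica at a second site on a different
# product, and an off-site object-storage copy with object lock enabled.
RESILIENT = [
    BackupCopy("san-snapshot", "hq", "san-vendor-a", False, False, timedelta(hours=4)),
    BackupCopy("dr-replica", "dr-site", "appliance-vendor-b", False, True, timedelta(hours=24)),
    BackupCopy("cloud-locked", "cloud-region-1", "object-storage-lock", True, True, timedelta(hours=24)),
]


if __name__ == "__main__":
    for name, policy in [("WEAK", WEAK), ("RESILIENT", RESILIENT)]:
        print(name, "gaps:", check_policy(policy) or "none")
        print("  loss if hq is destroyed:", worst_case_loss(policy, lost_sites=["hq"]))
        print("  loss if vendor-a storage is compromised:",
              worst_case_loss(policy, lost_storage=["nas-vendor-a", "san-vendor-a"]))
```

Note how the resilient policy degrades rather than fails: losing the primary site costs the four-hour snapshots and falls back to the daily replica and cloud copy, whereas the weak policy leaves nothing to restore from.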
Endpoint Detection and Response (EDR) tools
Modern EDR tools help decrease the risk of a ransomware attack and are an integral part of investigating an incident. Lack of visibility is the primary reason organizations struggle to understand the scope and impact of attacks, and a properly configured EDR gives a much greater chance of detecting, alerting on, and blocking Threat Actor behavior. When selecting an EDR, evaluate whether it provides continuous and comprehensive visibility into real-time endpoint activity; supports advanced threat detection, investigation, and response; allows suspicious activity to be investigated and validated; and can detect and contain malicious activity.
Privileged Access Management
With just a few users, account and access management is relatively simple. However, most organizations have hundreds to thousands of accounts and credentials to manage. Many of those can be difficult to track or identify, including service accounts and secret keys that must be managed by administrators and application owners. Account management has caused numerous organizations to delay the recovery effort, as the restoration team can be overwhelmed with tracking which credentials are being used on which systems and how to change them without causing more business interruption. Privileged Access Management (PAM) solutions allow administrators to properly manage credentials by applying automation and policies to all enterprise accounts. Most PAM solutions also contain reporting and alerting mechanisms that allow better insight for security teams to review how credentials and policies are being utilized. Most critical is that implementing a PAM system, along with implementation of clearly defined identity and access management policies, can remove the manual effort that causes credentials to be forgotten.
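The credential-tracking problem described above, as an added example that is not part of the original article or of any PAM product: a credential inventory records each secret's type, privilege level, last rotation date, the systems it is configured on, and its owner. `policy_violations` applies a rotation and ownership policy of the kind a PAM solution automates, and `rotation_plan` answers the recovery-time question of which credentials must be rotated because they sit on a compromised system and which other systems will need the new secret so the change does not cause further interruption. The accounts, system names, dates and policy ages are all constructed.

```python
"""Credential inventory checks of the kind a PAM policy automates.
Added example, not from the original article or any PAM product.

Each credential records its type, whether it is privileged, when it was last
rotated, which systems it is configured on, and who owns it. Two questions
are answered: which credentials violate the rotation/ownership policy today,
and, during recovery, which credentials must be rotated because they live on
a compromised system and where else the new secret has to be pushed.
The accounts, systems, dates and policy ages are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Credential:
    account: str
    kind: str                 # "user", "service" or "api-key"
    privileged: bool
    last_rotated: date
    used_on: FrozenSet[str]   # systems where this secret is configured
    owner: Optional[str]      # responsible person/team, None if unknown


# Constructed rotation policy in days, by credential type; privileged
# credentials get a tighter limit regardless of type.
MAX_AGE_DAYS: Dict[str, int] = {"user": 365, "service": 90, "api-key": 90}
PRIVILEGED_MAX_AGE_DAYS = 30
MAX_SYSTEMS_PER_SERVICE_SECRET = 3  # beyond this, rotating the secret is an outage risk


def policy_violations(creds: Iterable[Credential], today: date) -> Dict[str, List[str]]:
    """Map account -> reasons it violates policy (compliant accounts are omitted)."""
    out: Dict[str, List[str]] = {}
    for c in creds:
        reasons: List[str] = []
        limit = PRIVILEGED_MAX_AGE_DAYS if c.privileged else MAX_AGE_DAYS[c.kind]
        age = (today - c.last_rotated).days
        if age > limit:
            reasons.append(f"rotation overdue: {age} days old, limit {limit}")
        if c.owner is None:
            reasons.append("no owner recorded")
        if c.kind != "user" and len(c.used_on) > MAX_SYSTEMS_PER_SERVICE_SECRET:
            reasons.append(f"same secret on {len(c.used_on)} systems")
        if reasons:
            out[c.account] = reasons
    return out


def rotation_plan(creds: Iterable[Credential], compromised: Iterable[str]) -> Dict[str, List[str]]:
    """Credentials present on any compromised system must be rotated. Return
    account -> the other (not compromised) systems that need the new secret,
    so the restoration team can schedule the change without breaking them."""
    compromised = set(compromised)
    plan: Dict[str, List[str]] = {}
    for c in creds:
        if c.used_on & compromised:
            plan[c.account] = sorted(c.used_on - compromised)
    return plan


# Constructed inventory.
CREDS = [
    Credential("jdoe", "user", False, date(2021, 3, 1), frozenset({"ws-101"}), "jdoe"),
    Credential("svc-backup", "service", True, date(2019, 11, 5),
               frozenset({"bkp-01", "esxi-01", "dc-01"}), "infra-team"),
    Credential("svc-sql", "service", False, date(2021, 4, 10),
               frozenset({"app-web", "app-db"}), "app-team"),
    Credential("svc-monitor", "service", False, date(2021, 5, 1),
               frozenset({"app-web", "app-db", "dc-01", "bkp-01", "esxi-01"}), None),
    Credential("cloud-api-key", "api-key", True, date(2021, 5, 20),
               frozenset({"ci-runner"}), None),
]
TODAY = date(2021, 6, 1)  # fixed so the example is reproducible


if __name__ == "__main__":
    for account, reasons in policy_violations(CREDS, TODAY).items():
        print(account, "->", "; ".join(reasons))
    print("rotation plan if app-web is compromised:", rotation_plan(CREDS, ["app-web"]))
```

The monitoring account is the case the article warns about: one secret spread across five systems with no recorded owner, so rotating it after an incident touches backup, hypervisor and domain controller hosts at once unless the inventory already says where it lives.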
Incident Response Playbooks
In a perfect world, everyone in an organization knows exactly what to do and when, should an incident occur. The good news is that this is entirely possible if an organization periodically updates and tests an incident response playbook that clarifies roles and defines cross-functional teams with clear communication paths and response protocols for an incident. Topics a playbook could cover include infrastructure restoration plans, backup viability, and coordination mechanisms with entities such as external counsel and third-party vendors. Creating the incident response playbooks is an important step, but organizations also need to test those playbooks through tabletop exercises and mock security events or contests, such as purple/red team exercises. This helps ensure that the processes documented in the playbooks work together with the implemented technologies when they are needed.
Cyber Insurance
Because a ransomware attack can threaten an organization's reputation as well as have a monetary impact, it is also important to consider cyber insurance. In doing so, organizations can review how coverage addresses compensation for monetary loss, business interruption, fees and expenses associated with the ransom, and incident response. The insurance provider can also make recommendations for service providers, such as the ability to work with incident response and recovery providers.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.