A significant cybersecurity incident is not only a business crisis: it can also become a powerful catalyst for enhancing fundamental IT capabilities. As a growing universe of products and service providers compete for attention to be included in the plan, a clear starting point may not be evident. Our team’s years of experience responding to threats across a variety of industries and client profiles have taught us much about which technologies and processes most impactfully reduce risk. One of the challenges we help our clients with daily is to implement measures that will tangibly improve their IT infrastructure’s resilience against ransomware and other attacks. That such enhancements also help clients present a more favorable risk profile to their cyber insurance carrier is a welcome additional benefit.
There are some measures that we feel so strongly about that we recommend implementing them immediately, even if that down-prioritizes other projects within your organization.
Where Should I Start?
The list of security standards and models with which organizations could align can appear daunting. Implementing robust resilience against cyber-attacks is a journey, and there are many approaches and tools that can reduce risk effectively. For organizations looking for a place to take the first steps, we recommend applying the risk-based approach outlined below. For more information on the lifecycle of attacks, refer to the MITRE ATT&CK framework as an industry standard. For references to capabilities for mitigating intrusions’ impacts, the Australian Cyber Security Centre’s Strategies to Mitigate Cyber Security Incidents and related Essential Eight Maturity Model stand out among security standards as practical and prescriptive.
Tier 1 items provide critical coverage to reduce the risk of the most common types of attacks, ease the response, and mitigate the damage should an attacker gain entry. If your organization does not yet have these capabilities, we highly recommend starting towards that goal today.
Only when the Tier 1 foundational elements are substantially underway do we recommend implementing Tier 2 items to further enhance basic capabilities. Tier 2 will be the subject of a future article.
Endpoint Detection & Response (EDR) with Next Generation Antivirus (NGAV) Functionality: All servers and end-user systems have agents installed and blocking capabilities activated.
Install tooling on all servers and end-user systems to capture telemetry and block known or suspected malicious activity. If the scope of the environment is unknown (i.e., where you are not sure what constitutes “all servers and end-user systems”) then gaining an understanding of those parameters will be one of the first key steps in the implementation.
The telemetry will help security analysts and incident responders, either in-house or outside teams, quickly identify and resolve incidents. This capability can represent the difference between a minor intrusion that can be understood and contained within minutes and a full-blown ransomware attack that materially impacts your business. The blocking (NGAV) capabilities are also important. While not a silver bullet, leading vendors have robust capabilities to block known and unknown threats. It’s low-hanging fruit.
Multi-factor Authentication (MFA): Protect Internet-facing systems including email and VPN.
Implement MFA for Internet-facing systems so that authentication requires more than just a password. This could be a token generated by a smartphone application or a numeric code sent to the user’s mobile phone via text message. Focus on covering email, virtual private networks (VPNs) and other systems that could provide entry to the network. Covering Internet-facing applications and access to internal resources is also important, but less critical if starting from no existing MFA capability.
This type of MFA implementation is critical because without it, Internet-facing systems are one step away from being compromised. Users re-use passwords, which can be exposed in other attacks and then used against your systems, and groups with malicious intentions constantly guess common passwords. Make this initial-access stage of the attack lifecycle harder for an attacker to complete.
This Microsoft tool randomizes built-in “local administrator” accounts’ passwords. We recommend it in Tier 1 because it is straightforward to implement, has no additional license cost, and is effective in mitigating this critical risk. Implementing full-featured Privileged Access Management (PAM) is also important, but not as important as quickly ensuring that each and every “local administrator” account has a unique password that is different from all other such accounts’ passwords.
When an attacker gains access to a system, whether through exploiting a known or new vulnerability, guessing a password, or convincing a user to click a malicious link, one of the first things they attempt to do is use that system as a pivot point to leapfrog to other systems within the network. Each computer running the Windows operating system has a master account that is able to execute any action on that system, including, crucially, the ability to run specialized programs that can obtain “skeleton keys” that enable access to other systems within the environment. If these passwords are the same on every system, it is very easy for an attacker to quickly move about the environment. The point at which the attacker begins lateral movement is often the inflection point where a simple incident turns into a complex, costly, impactful one.
Resilient Backups: Isolate archived data from intentional corruption by an attacker who gains access to the network.
Protect at least one backup mechanism from being corrupted deliberately by an attacker who has administrative-level privileges in the environment. There are multiple approaches to addressing this goal, typically involving a cloud-based secondary backup mechanism that is configured to be “immutable.”
Many organizations have designed their backup systems to be resilient against physical disasters such as earthquakes that take a data center offline but did not design resilience against an attacker intentionally corrupting them. In the age of ransomware, the extortionists continue to refine their tactics to drive forward their business – which is convincing their victims to pay ransom demands. One of the ways they do this is to find and corrupt victims’ backup files – prior to encrypting files – to increase victims’ pain and incentivize them to pay quickly.
System, Patch & Vulnerability Management Tooling: Ensure every system can be managed.
Install tooling so that IT administrators can take control of any organization-managed system, whether in a physical data center, in a cloud environment, in an office, or in a hotel room with a road-warrior employee. Admins must be able to perform basic activities such as installing software, checking for operating system and application vulnerabilities, and installing patches.
Imagine that you’re experiencing an incident today. Users are reporting ransom notes and reporting problems logging into systems. You engage a team of outside specialists to help. They provide you a critical piece of software (EDR) that they need you to install on every system so that they can identify and help remove the attacker. The critical path to resolving this critical business interruption now requires this software to be installed… But you have no way to install software on a population of systems. Maybe they are remote users that do not connect into the network directly. Having this basic capability is crucial to investigating and resolving incidents and has a multitude of other benefits that reduce risk every day.
Understand Internet Footprint: Ensure available services are protected.
Frequently scan Internet-facing address space to ensure that the systems and services available to the Internet are expected and appropriately protected. High-risk services such as Remote Desktop Protocol (RDP), web-based management interfaces, Server Message Block (SMB), Telnet, File Transfer Protocol (FTP), and legacy Simple Network Management Protocol (SNMP) should not be generally accessible to the Internet. Necessary Internet-accessible systems should require multifactor authentication (MFA).
Assume that services available to the Internet at large will be tested frequently by potential attackers. Frequent scanning helps to ensure that network configurations have not inadvertently exposed systems that were not intended to be Internet-accessible. Should higher-risk services be compromised, an attacker may be one step away from dominating the internal network. Make this job more difficult by not presenting such low-hanging fruit.
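The review step described above can be automated against the output of a scan of your own address space. The following is an added example, not part of the original article: it assumes the scan was saved in nmap's grepable (`-oG`) format, and the addresses, allowlist, and scan output are constructed for illustration, with the high-risk services mapped to their default ports.

```python
import re

# High-risk services named in the text, keyed by default port (assumption:
# services run on default ports; web management interfaces have no fixed port).
HIGH_RISK = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 445): "SMB",
             ("tcp", 3389): "RDP", ("udp", 161): "SNMP"}

# Constructed allowlist of (host, proto, port) the organization expects to expose.
EXPECTED = {("203.0.113.10", "tcp", 443), ("203.0.113.20", "tcp", 443),
            ("203.0.113.20", "tcp", 25)}

# Constructed sample in nmap grepable format; addresses are documentation ranges.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 8443/open/tcp//https-alt///, 22/closed/tcp//ssh///
Host: 203.0.113.30 ()\tPorts: 161/open/udp//snmp///, 445/filtered/tcp//microsoft-ds///
"""

HOST_RE = re.compile(r"^Host: (\S+) .*?Ports: (.*?)(?:\t|$)")

def parse_open_ports(grepable):
    """Yield (host, proto, port) for every port reported as open."""
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no port list
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                yield host, fields[2], int(fields[0])

def review_footprint(grepable, expected=EXPECTED):
    """Return findings; 'HIGH' entries sort ahead of 'UNEXPECTED' ones."""
    findings = []
    for host, proto, port in parse_open_ports(grepable):
        if (proto, port) in HIGH_RISK:
            # High-risk services are flagged even if someone allowlisted them.
            findings.append(("HIGH", host, proto, port, HIGH_RISK[(proto, port)]))
        elif (host, proto, port) not in expected:
            findings.append(("UNEXPECTED", host, proto, port, "not in allowlist"))
    return sorted(findings)
```

Running `review_footprint` on each scheduled scan and alerting on any non-empty result turns the allowlist into the record of what is intentionally exposed.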
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.