By: Todd Inskeep and Chris Taylor
Ransomware has been in the headlines with Petya, like WannaCry before it, spreading rapidly around the globe. If you are not familiar with this week’s news, organizations around the globe suffered another ransomware attack on Tuesday including pharmaceutical companies, Chernobyl radiation detection systems, the Kiev metro, as well as airports and banks.
Addressing these advanced attacks as simple malware outbreaks is not enough. Nor can you just replay the ransomware prevention handbook with good backups. Organizations need to fundamentally approach advanced threats by developing their risk mitigation options from the viewpoint of a dynamic and adaptive adversary, and then evaluate those options within a business context. Current risk management approaches describe technical risks within a business context; organizations should go further and focus on Risk Containment strategies that preempt common adversary approaches and deliberately slow or limit the spread of the next advanced attack.
Three steps can help prepare your organization to contain and manage these types of advanced attacks:
1) Review how adversaries maneuver within an environment. Think about your networks and critical systems. Adversaries use the same high-risk ports, protocols, and services (PPS) as privileged users and support systems. High-risk PPSs include RPC, RDP, WinRM, and PowerShell remoting, all used to communicate with other systems. Adversaries also use credential-stealing attacks, then leverage the stolen credentials to authenticate to, gain access to, or escalate privileges on additional systems.
2) Evaluate systems involved in high-risk PPS communications. Many organizations have some part of their network assigned to IT engineers, admins, and technical support personnel who frequently initiate communications broadly across the enterprise using these high-risk PPSs. There are also some infrastructure support servers that initiate and/or receive these types of requests. While these high-risk PPSs are required for portions of the infrastructure, there are large portions where they are not required. Fortunately, organizations can reduce risk contagion with ACLs, network and/or host firewalls, two-factor authentication, fewer privileges, and purposeful design of their authentication systems.
3) Establish Risk Containment to protect the critical systems. The first element of a containment strategy is limiting the systems that can initiate or receive high-risk PPS communications to or from critical systems (e.g., Enterprise Resource Planning, Industrial Control Systems, Personal Health Information, other critical business services). Effective monitoring, and eventual blocking, of unnecessary high-risk PPS can be achieved with a combination of network or host firewalls and ACLs. The second element of a containment strategy is to ensure effective account security. Separating privileged from non-privileged accounts, implementing strong passwords, and deploying multi-factor authentication can all inhibit an adversary from getting into critical systems. The last element is to protect the integrity of the authentication systems. A secure architecture for Active Directory forests and domains strongly inhibits an adversary from pivoting into critical systems.
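The three steps above can be turned into a small, repeatable audit: list which hosts initiate high-risk PPS traffic (step 2), flag any such connection into a critical system that does not come from a sanctioned source, and derive the allow/deny rule set that the first element of step 3 calls for. The script below is an added example written for this article, not code from the authors; the port-to-service mapping, the hostnames, the inventory sets (CRITICAL_SYSTEMS, AUTHORIZED_SOURCES) and the sample flow records are all constructed assumptions.

```python
"""Added example: audit constructed flow records for high-risk PPS use and derive
containment rules. Hostnames, the port map and the inventory sets are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# High-risk ports/protocols/services named in the article, mapped to their
# well-known TCP ports (assumption: default port assignments, no non-standard listeners).
HIGH_RISK_PPS = {
    135: "RPC endpoint mapper",
    445: "SMB / RPC over named pipes",
    3389: "RDP",
    5985: "WinRM (HTTP) / PowerShell remoting",
    5986: "WinRM (HTTPS) / PowerShell remoting",
}

# Hypothetical inventory for step 3: the critical systems and the only sources
# sanctioned to reach them over high-risk PPS (a jump host and a management server).
CRITICAL_SYSTEMS = frozenset({"erp-db01", "ics-hmi02", "phi-app01"})
AUTHORIZED_SOURCES = frozenset({"jump-admin01", "sccm01"})


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a firewall or NetFlow log might record it."""
    src: str
    dst: str
    dport: int
    user: str


def classify(flow, critical=CRITICAL_SYSTEMS, authorized=AUTHORIZED_SOURCES):
    """Verdict for one flow: 'allow', 'monitor' (high-risk PPS to a non-critical
    host, kept for the step-2 review) or 'block' (high-risk PPS into a critical
    system from an unsanctioned source)."""
    if flow.dport not in HIGH_RISK_PPS:
        return "allow"
    if flow.dst not in critical:
        return "monitor"
    if flow.src in authorized:
        return "allow"
    return "block"


def audit(flows, **kw):
    """Group flows by verdict; the 'block' bucket is the containment gap list."""
    report = defaultdict(list)
    for f in flows:
        report[classify(f, **kw)].append(f)
    return dict(report)


def high_risk_initiators(flows):
    """Step 2: count how many high-risk PPS connections each source starts, to find
    the hosts that initiate such traffic broadly across the enterprise."""
    return Counter(f.src for f in flows if f.dport in HIGH_RISK_PPS)


def containment_rules(critical, authorized):
    """Step 3, first element: for each critical system and high-risk port, one allow
    rule for the sanctioned sources followed by a default deny. Returned as neutral
    tuples; translating them into a specific firewall/ACL syntax is left to the reader."""
    rules = []
    for host in sorted(critical):
        for port in sorted(HIGH_RISK_PPS):
            rules.append(("allow", host, port, frozenset(authorized)))
            rules.append(("deny", host, port, "any"))
    return rules


# Constructed sample flows (not real logs): a sanctioned jump host, a user
# workstation remoting into ERP, and a sales workstation reaching the ICS HMI.
SAMPLE_FLOWS = [
    Flow("jump-admin01", "erp-db01", 3389, "svc-dba"),
    Flow("hr-ws17", "erp-db01", 5985, "jdoe"),
    Flow("hr-ws17", "fileserver03", 445, "jdoe"),
    Flow("sales-ws04", "ics-hmi02", 135, "asmith"),
    Flow("hr-ws17", "web01", 443, "jdoe"),
    Flow("sccm01", "phi-app01", 5986, "svc-sccm"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    for verdict in ("block", "monitor", "allow"):
        for f in report.get(verdict, []):
            svc = HIGH_RISK_PPS.get(f.dport, "other")
            print(f"{verdict:7} {f.src} -> {f.dst}:{f.dport} ({svc}) as {f.user}")
    print("high-risk initiators:", dict(high_risk_initiators(SAMPLE_FLOWS)))
    print(len(containment_rules(CRITICAL_SYSTEMS, AUTHORIZED_SOURCES)), "containment rules")
```

Run against real firewall or flow logs, the "monitor" bucket is the list to review in step 2 (which admin workstations and infrastructure servers genuinely need these PPSs), and the "block" bucket is the list of paths that the step-3 ACLs should close first. The generated rules deliberately default to deny per port so that a newly built critical system is covered without having to remember to add it.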
Advanced threats and malware attacks are growing in frequency, ingenuity, and impact. Risk containment strategies that are based on business operations and built into the technical architecture help manage the overall risk, and will help companies respond to and recover from cyberattacks more quickly.