As the technical lead for the incident response (IR) team at CDW, I see quite a few attacks against organizations, with the most prevalent including phishing (most often leading to credential theft), advanced malware and ransomware. Ransomware is typically the most destructive for organizations that have not prepared or planned for this type of attack. Ransomware attacks are typically either network-based or exploit vulnerabilities in a target’s code.
Both methods allow attackers to accomplish their objectives quickly, but network-based attacks such as those conducted by the SamSam group are much more destructive. The SamSam group performs reconnaissance after its initial compromise of a host to ensure the attackers understand the IT environment, which leads to a rapid and thorough encryption of the environment. In one instance, the time between accidentally exposing Remote Desktop Protocol (RDP) access to a server on the internet and the complete encryption of the organization was 16 hours, which included seven hours of password spray attacks against the RDP service on the exposed server to gain an initial foothold into the environment.
When a ransomware attacker obtains some type of interactive or automated access to a PC, typically the attacker’s initial steps are to disable or shut down any anti-virus software (and possibly uninstall it), and to stop volume shadow copies. Next, the attackers attempt to elevate their privileges if possible; the SamSam group has been very effective at privilege elevation.
CDW has worked multiple IR engagements in which SamSam obtained elevated access by using the password-stealing Mimikatz tool to gain domain administrator privileges. In these instances, a domain administrator had performed an interactive login to the server in the preceding days.
In some cases, commodity ransomware will simply launch right into encryption, hoping for the best. If an end user has access to more files than he or she requires, even such a relatively simple attack can be very effective. Some attackers will resort to using anything at their disposal. CDW even had a ransomware engagement in which the attacker used Microsoft BitLocker to encrypt the hard drive on a few systems.
To help prepare for, respond to and recover from this type of attack, IT leaders should review several key items to ensure that their organization is ready. CDW offers security advisory consulting services for organizations that need assistance in implementing any of these recommendations.
- The most common method of credential theft is phishing. Be sure to implement a best-of-breed email security solution that includes strong phishing protection, including time-of-click URL protection and attachment analysis for malware and malicious actions.
- Implement multifactor authentication to protect all access methods to email (MFA is a must have).
Workstation and server security:
- Provide web security both on and off the network.
- Remove implied trust across workstations and servers in the environment through the implementation of the Microsoft Local Administrator Password Solution (or a privileged access management solution). Disallow privileged accounts from performing interactive login sessions to workstations (and other authentication methods that are vulnerable to credential theft).
- Replace legacy anti-virus products with an advanced endpoint security product that includes endpoint detection and response capabilities to increase the odds of blocking an attack.
- Use the model of least privilege to reduce the access an end user has to files and directories on file shares (ransomware thrives when a nonprivileged account has access to all the files on a file share).
- Implement Microsoft’s File Server Resource Manager as a low-cost prevention method of mass file encryption.
Security awareness training:
- An organization’s employees are the first barrier to most attacks. Make sure they are prepared by performing recurring security awareness training. Include anti-phishing campaigns for employee education and evaluation of phishing success rates.
Breach detection and response:
Implement effective security monitoring and detection using a security information and event management (SIEM) solution (or managed SIEM through a service provider) to provide detection and response capabilities, and include at least the following data sources to monitor your environment:
- Microsoft Active Directory domain controller security events
- Microsoft Active Directory Federation Services security events
- Microsoft member server events
- Office 365 unified log events
- Network firewall logs
- Advanced endpoint security product events
- Passive Domain Name System query and response monitoring
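As an added example (not CDW's code or tooling), the following Python script applies the kind of detection logic the data sources above support to the RDP password-spray scenario described earlier: it reads constructed Windows Security logon records (event ID 4625 for failed logons and 4624 for successful ones, logon type 10 for RDP), flags a source address that fails logons against many distinct accounts inside a time window, and raises a second alert when that same source later logs on successfully. The 10-minute window, the five-account threshold, the record layout and every IP address and username are assumptions made for the example.

```python
"""Password-spray detection over Windows Security logon events.

Added example; not CDW's code. The records are constructed to mimic the
fields a SIEM parses from domain controller and member server security
events: event ID 4625 (failed logon) and 4624 (successful logon), with
logon type 10 meaning RemoteInteractive (RDP). Window and threshold
values are assumptions chosen for the example.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts event_id src_ip user logon_type")

# Constructed sample events (not real data):
# (timestamp, event_id, source IP, target user, logon type)
SAMPLE_EVENTS = [
    ("2019-01-10T02:00:00", 4625, "203.0.113.7", "alice", 10),
    ("2019-01-10T02:00:10", 4625, "198.51.100.20", "carol", 10),  # one user mistyping
    ("2019-01-10T02:00:20", 4625, "198.51.100.20", "carol", 10),
    ("2019-01-10T02:00:30", 4625, "203.0.113.7", "bob", 10),
    ("2019-01-10T02:00:40", 4624, "198.51.100.20", "carol", 10),  # legitimate success
    ("2019-01-10T02:01:00", 4625, "203.0.113.7", "carol", 10),
    ("2019-01-10T02:01:15", 4625, "192.0.2.5", "alice", 3),  # network logon, not RDP
    ("2019-01-10T02:01:20", 4625, "192.0.2.5", "bob", 3),
    ("2019-01-10T02:01:30", 4625, "203.0.113.7", "dave", 10),
    ("2019-01-10T02:02:00", 4625, "203.0.113.7", "erin", 10),
    ("2019-01-10T02:02:30", 4625, "203.0.113.7", "frank", 10),
    ("2019-01-10T02:03:00", 4624, "203.0.113.7", "svc_backup", 10),  # foothold
]


def parse_event(raw):
    """Turn a raw record into an Event with a datetime and a normalized user."""
    ts, event_id, src_ip, user, logon_type = raw
    return Event(datetime.fromisoformat(ts), event_id, src_ip, user.lower(), logon_type)


def detect_password_spray(raw_events, window=timedelta(minutes=10),
                          min_users=5, logon_types=(10,)):
    """Return alerts for sources that fail logons against at least `min_users`
    distinct accounts inside `window`, plus a second alert for any successful
    logon from such a source once it has been flagged."""
    events = sorted((parse_event(e) for e in raw_events), key=lambda e: e.ts)
    recent_failures = defaultdict(list)  # src_ip -> failed logons still inside the window
    spray_by_ip = {}                     # src_ip -> the open spray alert for that source
    alerts = []
    for ev in events:
        if ev.logon_type not in logon_types:
            continue  # only the logon types we care about (RDP by default)
        if ev.event_id == 4625:
            bucket = recent_failures[ev.src_ip]
            bucket.append(ev)
            # Slide the window: drop failures older than `window` relative to this event.
            while bucket and ev.ts - bucket[0].ts > window:
                bucket.pop(0)
            distinct_users = {e.user for e in bucket}
            if ev.src_ip in spray_by_ip:
                # Source already flagged: keep extending the alert instead of re-alerting.
                spray_by_ip[ev.src_ip]["users"].update(distinct_users)
                spray_by_ip[ev.src_ip]["last_seen"] = ev.ts
            elif len(distinct_users) >= min_users:
                alert = {"type": "password_spray", "src_ip": ev.src_ip,
                         "first_seen": bucket[0].ts, "last_seen": ev.ts,
                         "users": set(distinct_users)}
                spray_by_ip[ev.src_ip] = alert
                alerts.append(alert)
        elif ev.event_id == 4624 and ev.src_ip in spray_by_ip:
            # A success from a spraying source is the likely initial foothold.
            alerts.append({"type": "success_after_spray", "src_ip": ev.src_ip,
                           "user": ev.user, "ts": ev.ts,
                           "spray_started": spray_by_ip[ev.src_ip]["first_seen"]})
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_EVENTS):
        if a["type"] == "password_spray":
            print(f"{a['type']}: {a['src_ip']} tried {len(a['users'])} accounts "
                  f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
        else:
            print(f"{a['type']}: {a['src_ip']} logged on as {a['user']} "
                  f"at {a['ts']:%H:%M:%S} (spray began {a['spray_started']:%H:%M:%S})")
```

In a real deployment the records would come from the domain controller and member server security event feeds listed above. The success-after-spray alert is the one worth paging on: it marks the initial foothold that, in the SamSam timeline described earlier, preceded full encryption by only a few hours. Lowering the account threshold or widening the window catches slower sprays at the cost of more noise from users who simply mistype their password.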
Create a ransomware incident response playbook and perform tabletop exercises to practice response to a ransomware attack.
Disaster recovery and backups:
- Ensure backup services and systems have strengthened security, as many ransomware attacks specifically target backup systems.
- Create and test a disaster recovery plan that specifically addresses ransomware attack scenarios.
Cyber liability insurance:
- Obtain cyber insurance to provide for monetary recovery from cyber incidents.
- Most plans have reimbursement for incident response and forensic services.
- Some policies and insurers will also reimburse ransom payments.