The epidemic of ransomware attacks isn’t new. Ransomware attacks have been hobbling firms large and small for years. What is new is the dawning awareness, in C-suites and board rooms, that ransomware is more than a nuisance. It poses an existential threat to organizations across industries.
That message is driven home by incidents like the Colonial Pipeline attack, which shut down the Northeast United States’ main conduit for fuel, and the attack on meat processor JBS. Both incidents saw the affected company suffer with extended downtime and make multi-million dollar payments to the criminal gangs behind the attacks. Many, many more firms are attacked and held for ransom, but never make it into the headlines.
With the consequences of failure so high, what can organizations do to keep from being victimized? The list of proposed remedies is long - and growing. We are highlighting a few actions that organizations can take that will have an outsized effect in thwarting would-be ransomware attacks. Here are select recommendations to help thwart ransomware groups:
Secure Your Identities
The Colonial Pipeline attack is a great reminder why any effort to secure your organization from ransomware attacks needs to start with securing your users and sensitive accounts. Testifying before the U.S. Colonial Pipeline’s CEO Joseph Blount told senators that the company fell to the Darkside ransomware gang after a remote access VPN account had its password compromised. The password in question was “complex,” Blount said - not “Colonial123,” but it wasn’t backed up by 2-factor authentication, leaving it vulnerable to cracking.
Colonial isn’t alone in struggling to manage user identities within its environment. Especially at large organizations, managing large populations of both user and service accounts is challenging. That’s especially true with the embrace of remote work that has smashed whatever was left of the old corporate “perimeter.” Today, employees connect from remote offices, home offices and the local Starbucks. Their work is through a mixture of legacy, on-premises applications, third party cloud-based platforms and everything in between.
Sophisticated cyber criminal groups like Darkside, the group that attacked Colonial, know this. They phishing and watering hole attacks to capture credentials, or mine troves of stolen data for sale in so-called “dark markets” in the cyber underground. With a single compromised account to give them a toehold within an organization, ransomware groups then use purpose-built open-source tools like Mimikatz to perform increasingly automated post-exploitation activities including credential extraction or forgery. (E.g. check out "ManyKatz" report on the links between tools like Mimikatz and credential theft attacks.) Then the attackers leverage those to move laterally, elevating privileges and expanding access to sensitive assets such as domain controllers, finance and other critical systems.
Look for Warning Signs
To spot such attacks before the trap is sprung, organizations need to keep a firm hold on their user identities: securing service and user accounts with both strong passwords and second factors such as biometrics or one-time passwords. Organizations also need to monitor for signs that attackers are already lurking within their environment. Telltale signs like patterns of incorrect login attempts, enumerating user accounts or the creation of new user accounts in sensitive groups can indicate that an attack is in progress. As we’ve noted elsewhere, guidance from the OT-ISAC encourages firms to monitor for attacks on privilege accounts including lockout after a specified number of failed attempts and to note login attempts and monitor for suspicious account behavior.
Practice Least Privilege
Organizations need to do a much better job auditing user permissions and applying "least privilege" policies that limit the number of users with elevated or administrative privileges. Simply withdrawing unused privileges and shutting down abandoned or stale accounts can make an enormous difference by reducing the attack surface of your organization.
The same advice extends to user groups, as well as individual accounts. Messy privilege groupings in Active Directory are a major source of exposure for companies, as low privileged Active Directory users and objects may inadvertently gain high levels of access by way of group memberships. The record will show that malicious actors like Darkside have been far more adept at finding and exploiting these oversights than companies have been at policing them. That state of affairs needs to change. Ransomware groups regularly look at potential attack paths in Active Directory to plan their actions - defenders need to look at the same things, early and often.
Secure Critical Control Infrastructure
Beyond securing their users from attack, organizations need to focus their defensive energies and weaponry on the systems that are most likely to be the target of ransomware attackers once they have penetrated a network’s defenses. Here at QOMPLX we sometimes refer to this as “critical control infrastructure” like Active Directory and Kerberos, which are the pillars of most organizations’ identity infrastructure.
Given how central platforms like AD are to network operations, many firms adopt the attitude of “if it isn’t broken, don’t fix it.” But that kind of complacency can cost your organization dearly. Attacks on these platforms are critical to most, sophisticated ransomware operations, including those launched by Darkside and other groups. Often, these attacks take advantage of known vulnerabilities, like continued use of insecure protocols like NTLM in support of older operating systems and applications.
Organizations that want to keep ransomware off their network need to do a better job looking for targeted or automated attacks playing out within their environment. These include attacks on Active Directory and Kerberos, including Golden and Silver Ticket forgeries as well as Pass the Ticket and Kerberoasting. They also include more subtle types of detections, including attackers’ efforts to “live off the land” using common administrative utilities like Powershell and Regsvr32 to elevate their permissions to gain persistence within compromised environments.
QOMPLX Can Help
QOMPLX helps its customers to identify and counter sophisticated attacks and threats like cybercriminal ransomware groups. Tools like QOMPLX’s Identity Assurance and Privilege Assurance can spot suspicious behavior related to user permissions and monitor activities related to Active Directory and Kerberos to detect attempts to elevate privileges and forge phony identities.
If you want to learn more about how QOMPLX can help your company spot signs that may signal a compromise, request a meeting with QOMPLX or use the form below to contact us.