Matt Bromiley, senior consultant with Mandiant Managed Defense, discusses the top tricks and tips for protecting enterprise environments from ransomware.
If there is any cyber-threat at the top of everyone’s mind right now, it must be ransomware. Once a “nuisance” threat, ransomware has grown into a layered, multi-billion-dollar industry for attackers. These threat actors are no longer amateurs trying their hand at breaking and entering. Rather, we see threat actors source background information on their targets, collect reconnaissance data and execute an attack that swiftly brings an organization to its knees. Even worse – targets are scattered, with little rhyme and reason, other than money.
At Mandiant, we continue to see a surge of ransomware incidents targeting organizations of all industries, shapes and sizes. Threat actors seem to have little discernment for their victims (despite their public blog posts) and have targeted organizations ranging from pipelines to insurance agencies to higher-education networks. It is typical to see ransomware (or extortion) payment amounts in the millions or tens of millions of dollars. Given the media attention, exorbitant sums that few can afford, and overall widespread threat, why do we continue to see successful attacks?
The U.S. Department of Justice has issued internal guidance that ransomware attacks should be treated with the same priority as terrorist attacks – did this dissuade any attackers? It does not seem so. Instead, organizations must still maintain vigilance to protect their environment and limit attacker success rates. In this blog post, we look at the top five things you should go do right now.
Tip #1: Have a Plan
Let us start easy: Have a plan. If you have not suffered a ransomware attack, congrats! You now have time on your side – hopefully. Use that to get a plan in place, even if you do not have a security team. Start with this simple question: If you got hit by an attack right now, how would you respond?
Start to fill in each gap you identify, whether it’s how you would detect the incident, how you would reach out to counsel or how you would return data to normal operations. When you plan, assume data loss, and see if that impacts how you respond.
Tip #2: Work Together: Ransomware is More than Security.
Ransomware is no longer just a “security problem.” A ransomware attack impacts users, legal, HR, finance and many others, including of course the security team. You cannot successfully defend against an attack if the organization is siloed within itself. If you have silos in your organization, reach out to teams and establish collaborative relationships:
- System and server administrators are critical in auditing your Active Directory environment.
- Network engineers are responsible for uptime and traffic flow – they have insight into where packets can and cannot go in an environment.
- Work with the legal team to understand your organization’s position on ransomware and what contingencies are in place. The legal team should also be part of your incident-response plan (see Tip No. 1).
Establish these critical relationships now, as they will be crucial in auditing your environment, improving defenses, and if it ever happens, response and recovery from an attack.
Tip #3: Audit, and Limit, Highly-Privileged Accounts in Active Directory
One of the first objectives for attackers in a victim environment is to find and gain elevated credentials. These credentials are often necessary to achieve their objectives – they need privileges to find additional systems, move laterally around the environment, execute certain commands, establish persistence, etc. Far too often in our investigations we uncover environments with simply too many highly privileged accounts – and attackers are betting on this.
There are numerous tools available to attackers that profile Active Directory, some even finding the “shortest” path to achieve the ultimate domain-administrator account. Luckily for defenders, these tools work both ways: They can be used internally to perform your own “reconnaissance” and utilize that output to limit accounts with too many privileges.
Tip #4: Utilize Built-in Protections for Highly Privileged Accounts
On the heels of Tip No. 3, once you have audited and limited your highly privileged accounts to only those necessary, the next step is to utilize built-in protections that can mitigate various avenues of credential theft.
Newer Windows operating systems, for example, include protections such as Credential Guard and Remote Credential Guard for Windows 10 and Windows Sever 2016+. Utilize them. For older endpoints, utilize Restricted Admin Mode.
Put non-service, privileged accounts in the Protected Users security group – they will be protected around the domain. Disable methods that store clear-text credentials in memory. If you have endpoint detection and response (EDR) agents in place, see if they offer user account protections. Most attacker techniques to steal credentials are known, and many organizations, unfortunately, do not utilize the available protections for the solutions they have in place.
Tip #5: Implement and Simulate. Wash, Rinse and Repeat.
Once you have account protections in place, utilize open-source tooling or a security vendor to test your environment. No need to ransom yourself – instead, focus on earlier stages of an attack such as credential theft or lateral movement. What did you detect, what were you able to achieve? Frequent testing will not only give you more insight into your environment, but it will also show you where you have detection gaps and coverage.
We cannot simply plug in tools and expect to be defended with the “push of a button.” Proper information security requires knowledge of the environment and frequent testing and tuning. If you have not suffered an attack, good. Do not wait for the “if” – instead, minimize the “when.”
Your decision to act early could literally be worth millions of dollars.
Matt Bromiley is a senior consultant with Mandiant Managed Defense.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.