Wednesday 20 April 2016

mitigating ransomware

From http://blog.talosintel.com/2016/04/ransomware.html#more

Preventing Initial Access


There are things that can be done to prevent the attack before it even starts. Our attackers are opportunistic and are looking to turn a profit with as little effort as possible; if initial access to the target network cannot be easily established, this increases the likelihood that they will seek out easier prey elsewhere. Initial access usually comes in one of two forms: exploitation of public-facing services, or phishing/social engineering.

DMZ Hardening tips


DMZ hardening amounts to a couple of key housekeeping and maintenance tasks:
  • Periodic port scans: Port scans can be utilized to map one's DMZ and gain a better view on actual services and operating systems an organization is exposing to the internet. Once you have a collection of exposed services, you can map the public addresses to private addresses, determine who owns the asset(s) and/or whether or not exposure of the service(s) is even necessary. The lower the number of services exposed to the public internet, the lower the attack surface available.
  • Vulnerability scans/remediation: Once publicly exposed services have been verified, utilize vulnerability scanners against the exposed services. Remediate findings as soon as possible.
  • Regular system maintenance:
    • Find and follow system hardening guidelines, such as DISA's STIG[41]
    • Ensure that regular patch maintenance is being performed.
    • Ensure that DMZ system logs are being exported to a log collector/SIEM
    • Any publicly exposed systems/services that require authentication should require strong passwords; consider implementing two-factor authentication (where possible) instead.
    • Any publicly exposed systems/services that require authentication should have rate limiting, or blocking based on the number of failed guesses, to limit the success of brute force attacks.
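The "periodic port scans" bullet above is the one that tends to go stale between reviews: the scan gets run, but nobody diffs it against what the asset owners actually approved. The following Python script is an added example (not code from the Talos post or from Cisco) of that comparison step. It parses nmap's grepable (-oG) output and reports open ports that have no sign-off, plus approved services that have silently disappeared. The scan output, the 203.0.113.0/24 addresses and the baseline are all constructed for illustration.

```python
"""Diff a periodic DMZ port scan against the approved-exposure baseline.

Added example: parses nmap grepable (-oG) output and reports services that
are exposed without sign-off, plus approved services that have vanished.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `nmap -oG` output for a hypothetical DMZ (203.0.113.0/24 is a
# documentation range, not a real network). Grepable port entries have the form
# port/state/protocol/owner/service/rpcinfo/version/ and are comma-separated.
SCAN_OUTPUT = """\
# Nmap 7.01 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2/, 443/open/tcp//https//nginx/\tIgnored State: filtered (998)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http//Apache httpd/, 443/open/tcp//https//Apache httpd/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (997)
Host: 203.0.113.12 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 445/closed/tcp//microsoft-ds///
# Nmap done (constructed sample)
"""

# Approved-exposure baseline (constructed): public address -> services the asset owner signed off on.
BASELINE = {
    "203.0.113.10": {"22/tcp", "443/tcp"},
    "203.0.113.11": {"443/tcp"},
    "203.0.113.12": {"25/tcp", "587/tcp"},
}

# Only 'open' entries are captured: closed and filtered ports are not exposure.
# Groups: port, protocol, service, version (owner and rpcinfo fields are skipped).
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_open_ports(grepable: str) -> dict:
    """Return {ip: {'port/proto': (service, version)}} for every open port in -oG output."""
    exposed = defaultdict(dict)
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        # The Ports: field runs up to the next tab-separated field (e.g. "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, proto, service, version in PORT_RE.findall(ports_field):
            exposed[ip][f"{port}/{proto}"] = (service or "unknown", version.strip())
    return dict(exposed)


def _port_key(spec: str) -> int:
    return int(spec.split("/")[0])


def diff_against_baseline(exposed: dict, baseline: dict) -> dict:
    """Flag unapproved exposure and approved services that no longer answer.

    A host that is absent from the baseline has every open port reported as unapproved,
    which is exactly the "who owns this?" question the bullet above asks.
    """
    report = {"unapproved": [], "missing": []}
    for ip in sorted(set(exposed) | set(baseline), key=ipaddress.ip_address):
        seen = set(exposed.get(ip, {}))
        approved = baseline.get(ip, set())
        for spec in sorted(seen - approved, key=_port_key):
            service, version = exposed[ip][spec]
            report["unapproved"].append((ip, spec, service, version))
        for spec in sorted(approved - seen, key=_port_key):
            report["missing"].append((ip, spec))
    return report


if __name__ == "__main__":
    result = diff_against_baseline(parse_open_ports(SCAN_OUTPUT), BASELINE)
    for ip, spec, service, version in result["unapproved"]:
        print(f"UNAPPROVED {ip} {spec} {service} {version}")
    for ip, spec in result["missing"]:
        print(f"MISSING    {ip} {spec} (approved but not seen)")
```

Run against a real `nmap -oG` file, the "unapproved" list is the work queue for the owner lookup and the "do we even need this exposed?" conversation; the "missing" list catches approved services that went away unnoticed, which is worth knowing for availability as much as for security.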

Mitigating Phishing/Social Engineering


While preventing initial access through phishing or social engineering is much more difficult, there are actions that can be taken to mitigate the risks:
  • Consider investing in a company-sanctioned file-sharing program for exchanging files between users in the organization and/or company partners. Utilizing a file-sharing solution, and instructing users to never share or accept files over email can almost completely mitigate phishing attacks utilizing attachments. Instruct your users that the mail server isn't for file exchange, nor is it meant for archiving files.
  • Inform users who do not have to regularly work with macro-enabled Office documents to never enable macros. In fact, since the majority of your userbase has no requirement to work with macros, disable Office macros through group policy and enable them only for business units with a specific need[42]. For those business units that cannot operate without Office macros, consider digitally signed macros to further mitigate that risk.
  • Some phishing attacks are delivered through PDFs and will specifically target vulnerabilities in certain PDF reader applications (e.g. Adobe Reader) to achieve code execution. Consider using an alternative PDF reader and disabling extra functionality (e.g. javascript in PDF).
  • Ensure the email scanning gateways disallow sending and receiving executable files (exe, dll, cpl, scr), javascript (.js files) and office documents with macros, and that they scan .zip files for their contents.
  • Enforce checking/verifying SPF records to mitigate spoofed e-mails.
  • Ensure that you have a mail gateway solution that is updated with information on the latest phishing domains (e.g. senderbase, etc.)
  • More often than not, the new gTLDs, as well as dynamic DNS domains, are heavily abused in malware campaigns due to how inexpensive they are to acquire. In most cases, they can be blacklisted with little to nothing to worry about; they tend to have a very low business relevance. Blacklist dynamic DNS and new gTLDs by default, and whitelist individual domains as required, and only if there is a specific business need.
  • Instruct users to trust but verify, especially for any messages from outside the company with attachments. Simply asking the sender "Did you send this?" over the phone prior to opening the attachment is all it takes.
  • If users are in any way concerned that they have been phished, instruct them to report the incident. The users shouldn't fear your SOC or security department and should NOT be punished for reporting security incidents.
  • Notify users that IT and/or Security will never ask them for their passwords to reduce the effectiveness of phishing attacks that are attempting to gather user credentials.
  • Disallow the mounting of USB drives. This mitigates the "print my resume for me" scenario as well as mitigating self-propagating malware that attempts to jump air gaps through compromised USB drives. If removable media cannot be disabled across the enterprise, at a minimum disable autorun for removable media via GPO, and instruct employees to never accept or use thumb drives from untrusted sources. Instruct users that all thumb drives should be scanned for viruses upon insertion and before users access the files; consider configuring antivirus to perform automatic on-access scans for any USB drives plugged into systems. If utilizing thumb drives in a sensitive airgapped environment is required, consider keeping a collection of thumb drives, tagging them as company assets and signing them out on each use.
  • Ensure that guests are signed in at reception, signed out, and always shadowed. Guests should have an escort with them at all times.
  • Tailgating, the practice of unauthorized individuals following authorized individuals into a restricted area, can be a big problem. Most people have a tendency to avoid confrontation, so this makes enforcing tailgating policies a little more difficult, especially when challenging individuals who appear to "have their hands full". This can be mitigated by writing into security policy a requirement that employee badges must be present and visible at all times. Additionally, all authorized guests, vendors, etc. should be required to adhere to this policy, and badge in to all gates and be escorted/shadowed by an employee at all times.
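The gateway bullet above (block exe/dll/cpl/scr/js and macro documents, look inside zips) is easy to state and easy to get subtly wrong, because a macro document is just a zip with a `vbaProject.bin` inside and a blocked file type can hide one archive level down. The Python below is an added example of that check, not code from the Talos post or from any mail-gateway product. The blocked-extension list is the page's own; the Office extension list, the nesting limit and the sample message (built inline from constructed parts) are assumptions of the example.

```python
"""Attachment policy check of the kind a mail gateway applies (added example).

Rejects the file types listed above by extension, looks inside .zip archives for
the same types, and flags Office documents that carry a VBA macro project.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

BLOCKED_EXT = {".exe", ".dll", ".cpl", ".scr", ".js"}           # from the bullet above
OOXML_EXT = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}  # assumed list
MAX_ARCHIVE_DEPTH = 2   # assumed policy: zips nested deeper than this are a finding in themselves


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def attachment_findings(filename: str, payload: bytes, depth: int = 0) -> list:
    """Return human-readable policy findings for one attachment, recursing into zips."""
    filename = filename or "(unnamed)"
    ext = _ext(filename)
    findings = []
    if ext in BLOCKED_EXT:
        findings.append(f"{filename}: blocked file type {ext}")
    if ext in OOXML_EXT or ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
                # OOXML stores macros in vbaProject.bin regardless of the outer extension,
                # so a macro document renamed to .docx is still caught here.
                if ext in OOXML_EXT and any(m.lower().endswith("vbaproject.bin") for m in members):
                    findings.append(f"{filename}: Office document contains a VBA macro project")
                if ext == ".zip":
                    if depth >= MAX_ARCHIVE_DEPTH:
                        findings.append(f"{filename}: archive nested deeper than policy allows")
                    else:
                        for m in members:
                            findings.extend(attachment_findings(f"{filename}/{m}", zf.read(m), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{filename}: extension {ext} but not a valid zip container")
    return findings


def scan_message(raw: bytes) -> list:
    """Apply attachment_findings to every attachment of an RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part.get_filename(), part.get_payload(decode=True)))
    return findings


# ---- constructed sample message (placeholder content, not a real lure) ----
def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"] = "accounts@sender.invalid"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Please see the attached invoice.")
    # Macro-enabled Word document: a zip containing word/vbaProject.bin
    msg.add_attachment(_zip_bytes({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"\x00" * 16}),
                       maintype="application", subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    # Zip wrapper around a .js file (the blocked type is one level down)
    msg.add_attachment(_zip_bytes({"invoice.js": "// placeholder"}),
                       maintype="application", subtype="zip", filename="invoice.zip")
    # Benign-looking PDF, should produce no finding
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("REJECT:", finding)
```

Two design points worth noting: the macro check keys on the container's contents rather than on the `.docm` extension, and a non-zip payload wearing a zip or Office extension is itself reported, since a gateway that silently passes what it cannot parse is a gateway that can be bypassed by corrupting a header.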

Impeding Lateral Movement and Propagation


If attackers make it through your initial defenses, your goal is to make it as hard as you can for them to move laterally inside your network. Through careful architecture and password management you can make lateral movement much more difficult.
  • Network segmentation is a massive part of impeding lateral movement and containing threats easily. The majority of corporate networks are "flat" with little to no segmentation between business units, between users and data, between data specific to business units, etc. The reason you don't typically see network segmentation in large organizations is that it requires coordination and planning on a massive scale. Most networks grow as the need for capacity arises, with little to no thought on segmentation. Business acquisitions are usually focused on how to integrate additional assets quickly as opposed to securely. All of that aside however, the benefits of properly segmented networks cannot be denied. Segmentation can be used to stop and/or slow lateral movement, as well as contain threats. There are multiple components for segmented networks, and this should NOT be considered an exhaustive list, but consider implementing the following:
    • VLAN and subnet segmentation: Each business unit should have its own VLANs and subnets for logically separating access to data. Segmentation should NOT stop at the business unit, however. User workstations need to be segmented from the servers/services required for that business unit, as well as services that are used across business units (e.g. messaging, file sharing, e-mail, etc.) This list of VLANs and subnets should be meticulously maintained and available for both IT and Security staff. If you do not have this information by default, or are looking to try and figure out how to logically separate users, servers and business units, consider looking for DHCP scope configurations and using them as a rule of thumb for subnet and VLAN segmentation.
    • Dedicated firewall/gateway segmentation: firewalls are another important part of network segmentation and an often overlooked portion of internal network design. Understand which business units have a requirement to communicate directly with one another, and which ones do not. Understand which services and ports are required for that inter-business unit communication. Do ingress as well as egress filtering (doing this requires understanding the direction in which data flows for services). Firewall policy should be reviewed regularly. IT and Security staff should have access to the firewall policies and should be included in policy review decisions.
    • Host-based firewalls with ingress/egress filtering configured. Again, ingress and egress. Hosts should not be able to communicate via SMB (139/tcp, 445/tcp) between one another. If file server(s) are set up, then there should effectively be no need for this. If you can effectively disable host-to-host SMB communication, you prevent the attackers from being able to utilize "pass the hash" for lateral movement. SMB communication should be limited to application distribution platforms, file shares, and/or Domain Controllers.
  • Application Blocking/Whitelisting: Application whitelisting is a built-in feature for windows that can be implemented via software restriction policies[43]. However, not unlike network segmentation it takes a significant amount of time to implement and test, especially if different business units have different application needs. As a stopgap measure, it may be easier to try and block executables that attempt to run from specific locations, such as %TEMP% or %APPDATA% directories on windows systems, making exceptions for certain applications only as necessary[44]. Not unlike network segmentation, whitelisting is a significant time investment, but it is a tremendous boon for containing and preventing initial access AND lateral movement.
  • Role-Based network share permissions (Least Privilege): File shares tend to get incredibly complex between multiple business units, folder permissions and share permissions for the network. Application of least privilege for file shares prevents the compromise of a single user resulting in the loss of most of the data on the network file share in the event of ransomware, as well as preventing compromised accounts being used to access data from different business units; If password security is poor, a compromised user account may be used by attackers to gather credentials stored on file shares with access the user should not have.
  • Proper credential management: Users should be trained to utilize a password manager along with strong passwords for storing network credentials. Train users to NOT re-use
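The host-firewall item above says SMB should only ever flow from workstations to file servers, software distribution and Domain Controllers. Whether that holds is something you can measure from flow records rather than assume, and the same query doubles as a detection for the worm-like propagation the conclusion warns about. The Python below is an added example (not from the Talos post) that runs that policy over a handful of constructed flow records; the zone map, the allowed destination roles and the record format are assumptions, and in practice the zones would come from the DHCP scope / VLAN inventory the segmentation bullet asks you to maintain.

```python
"""Find SMB flows that violate a workstation-to-server-only policy (added example).

Zones, allowed roles and the flow records below are constructed for illustration.
"""
import ipaddress

# Constructed zone map: subnet -> role. Derive this from DHCP scopes / VLAN inventory in practice.
ZONES = {
    "10.10.0.0/22": "workstations-finance",
    "10.20.0.0/22": "workstations-engineering",
    "10.100.0.0/24": "file-servers",
    "10.100.1.0/24": "domain-controllers",
    "10.100.2.0/24": "software-distribution",
}
SMB_PORTS = {139, 445}
# The only destinations the bullet above allows SMB to reach.
SMB_ALLOWED_DEST_ROLES = {"file-servers", "domain-controllers", "software-distribution"}

# Constructed flow records (assumed format): "timestamp src_ip dst_ip proto dst_port bytes"
FLOWS = """\
2016-04-20T09:01:02Z 10.10.1.15 10.100.0.5 tcp 445 52310
2016-04-20T09:01:09Z 10.10.1.15 10.10.1.22 tcp 445 8120
2016-04-20T09:01:11Z 10.10.1.15 10.10.1.23 tcp 139 1204
2016-04-20T09:02:30Z 10.20.3.7 10.100.1.10 tcp 445 3311
2016-04-20T09:02:45Z 10.10.1.15 10.20.3.7 tcp 445 9090
2016-04-20T09:03:00Z 10.20.3.7 10.20.3.8 tcp 3389 700
"""

_NETS = [(ipaddress.ip_network(net), role) for net, role in ZONES.items()]


def zone_of(ip: str) -> str:
    """Map an address to its role; anything outside the inventory is 'unknown' (and therefore not allowed)."""
    addr = ipaddress.ip_address(ip)
    for net, role in _NETS:
        if addr in net:
            return role
    return "unknown"


def parse_flows(text: str) -> list:
    records = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def smb_policy_violations(records: list) -> list:
    """Return SMB flows whose destination is not an approved server role."""
    violations = []
    for r in records:
        if r["proto"] != "tcp" or r["dport"] not in SMB_PORTS:
            continue
        dst_role = zone_of(r["dst"])
        if dst_role not in SMB_ALLOWED_DEST_ROLES:
            violations.append({**r, "src_role": zone_of(r["src"]), "dst_role": dst_role})
    return violations


def sources_by_fanout(violations: list) -> dict:
    """Distinct disallowed SMB peers per source: one host touching many peers is the pattern to alert on."""
    peers = {}
    for v in violations:
        peers.setdefault(v["src"], set()).add(v["dst"])
    return {src: len(dsts) for src, dsts in peers.items()}


if __name__ == "__main__":
    found = smb_policy_violations(parse_flows(FLOWS))
    for v in found:
        print(f"{v['ts']} {v['src']} ({v['src_role']}) -> {v['dst']} ({v['dst_role']}) :{v['dport']}")
    for src, count in sources_by_fanout(found).items():
        print(f"{src} reached {count} disallowed SMB peers")
```

Of the six constructed records, the three from 10.10.1.15 to other workstations are violations and the workstation-to-file-server and workstation-to-DC flows are not; the fan-out count is what separates a misconfigured share on one desk from something spreading. The same output is also a to-do list for the host-firewall rollout, since every violation is a rule that should have blocked the flow.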

Recovery


Backup recovery is your last line of defense against having to pay out a ransom to the attackers; it's your last bastion in the event that the worst has happened. Your ability to recover from this attack with minimal data loss and/or service interruption amounts to whether or not the system backups and/or disaster recovery sites were compromised as a part of the attacker methodology. Whether or not your backups were compromised depends on how well your backup systems and/or network and/or recovery sites were segmented from your main network. Even in the event your organization does not utilize on-site backups at all, instead opting for cloud backup solutions (e.g. Amazon Glacier), if those cloud backup credentials are left in easily accessible locations, or if passwords are reused, our hypothetical adversary could easily delete all backup instances, resulting in 100% data loss if there is no other backup solution in place. The secure, off-site, enterprise backup solution could easily be defeated through password reuse and/or poor password management.

For enterprises utilizing backup solutions, there are a wide variety of backup methodologies; the SANS reading room has a comprehensive document on tape rotation schemes that is incredibly helpful for reviewing different tape backup schemes[45]. Typically as a part of a tape rotation policy, a portion of those tapes are delivered to an off-site storage facility. This is for disaster recovery purposes; if there is a catastrophic failure at the site hosting an organization's data, the tapes at the storage facility are still there to recover from at a backup facility. In a scenario in which local backups are deleted, removed, or otherwise made inaccessible by the attackers, off-site backups are often your only hope of restoring service without paying the ransom. How often your backups are sent off-site determines how much data (if any) would be inaccessible or lost.

Conclusion


The past few years have seen a dramatic uptick in ransomware variants and their deployment on a global scale, as cyber criminals see an easy opportunity for profit. It is inevitable that these adversaries would look to the past for effective malware behaviors to advance the efficacy of ransomware. Combined with new methodologies in targeting, we anticipate a trend towards ransomware that can self propagate and move semi-autonomously throughout a network to devastating effect.

To emphasize this, one need look no further than SamSam.exe, the malware sample recovered from a number of scattered enterprise network breaches mainly targeting the healthcare vertical. SamSam isn't complex, and it is not fully self-sufficient, but it does exhibit some of the behaviors of a successful worm - rapid propagation, payload delivery (ransomware), and crippling recovery efforts. The age of self-propagating ransomware, or "cryptoworms", is right around the corner.

For too long, critical security controls and best practice for enterprise network security have been publicly praised and privately ignored. Drop-in appliances and security solutions can only do so much to protect the network, and will do little to stop this threat if networks continue to be architected and expanded without defense in depth in mind. If enterprises don't start making strides towards defensible architecture today, massive ransoms may end up getting paid tomorrow.
