How to #StopRansomware – Prevention & Mitigation best practice – part 1
Merely five days ago, the BBC reported yet another ransomware case involving the notorious Russian hacker group known as Clop. This group disclosed on the dark web that they had successfully compromised the personal data of over 100,000 employees from prominent organizations such as BBC, British Airways, and Boots.
Given the prevailing circumstances, it comes as no surprise that on May 23rd, the CISA, NSA, and the FBI jointly issued an updated document called the “#StopRansomware Guide.” This comprehensive guide focuses on the prevention and mitigation of ransomware attacks.
The guide provides invaluable guidance to organizations, offering effective strategies to minimize the impact and likelihood of ransomware incidents and data extortion. It includes a collection of best practices that organizations can adopt to prepare for, prevent, and mitigate such incidents. These prevention best practices are categorized according to common initial access vectors. Additionally, the guide features a helpful checklist of best practices for responding to ransomware incidents.
Preparing for Ransomware and Data Extortion Incidents
Maintain offline, encrypted backups of critical data
To ensure the safety of critical data, it is essential to maintain offline and encrypted backups. Regularly testing the availability and integrity of these backups in a disaster recovery situation is crucial. It is advisable to conduct periodic tests of backup procedures to validate their effectiveness.
Emphasizing the offline aspect is of utmost importance since numerous ransomware strains actively seek out and attempt to delete or encrypt accessible backups. By keeping backups offline, the possibility of restoration becoming impossible unless the ransom is paid is significantly reduced.
It is essential to maintain and consistently update “golden images” of critical systems. This involves keeping image “templates” that contain preconfigured operating systems (OS) and associated software applications, enabling swift deployment for system rebuilding purposes, such as virtual machines or servers.
- Utilize infrastructure as code (IaC) to facilitate the deployment and updating of cloud resources. By keeping backups of template files offline, you can swiftly redeploy resources when necessary. It is essential to maintain version control for the IaC code and conduct thorough audits of any changes made to the templates.
- Alongside offline backups, it is recommended to store relevant source code or executables. Additionally, make sure to retain escrowed copies and license agreements. While rebuilding from system images is generally more efficient, certain images may not install correctly on different hardware or platforms. Having separate access to the software aids in such cases.
To provide an alternative option for system recovery, it is advisable to retain backup hardware that can be used to rebuild systems if rebuilding the primary system is not the preferred course of action.
- To facilitate restoration processes, it is important to consider replacing outdated hardware with up-to-date hardware. Older hardware can pose challenges in terms of installation and compatibility when rebuilding from system images. By upgrading to modern hardware, you can minimize potential hurdles and ensure a smoother restoration experience.
To prevent vendor lock-in and ensure robust cloud-to-cloud backups, it is advisable to consider implementing a multi-cloud solution. By utilizing multiple cloud service providers, you can mitigate the risk of all accounts being affected in the event of an issue with a single vendor. This approach provides added resilience and flexibility in managing and safeguarding your backups across different cloud platforms.
- It is worth noting that certain cloud vendors provide immutable storage solutions, which offer data protection without requiring a separate environment. However, caution should be exercised when utilizing immutable storage, as it may not meet compliance requirements for specific regulations. Additionally, misconfigurations in the implementation of immutable storage can result in substantial costs. Therefore, it is important to carefully assess the suitability of immutable storage for your specific needs and ensure proper configuration to avoid potential pitfalls.
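The backup section above asks for regular integrity testing of offline backups. The following is an added example, not code from the original post or the #StopRansomware guide: it records a SHA-256 manifest of a backup tree and later re-verifies the tree against it, reporting files that went missing, changed, or appeared. The file names and contents are constructed placeholders; the manifest itself is assumed to be kept apart from the backup.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """SHA-256 every file under root, keyed by a /-separated path relative to root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest

def verify_backup(root, manifest):
    """Compare the backup tree against a manifest taken when the backup was made.
    The manifest must be stored apart from the backup so it cannot be rewritten with it."""
    current = build_manifest(root)
    return {
        "missing": sorted(p for p in manifest if p not in current),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Constructed scenario: record a manifest, then alter the backup and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "dump.sql"), "w") as fh:
            fh.write("CREATE TABLE accounts (id INTEGER);\n")
        with open(os.path.join(root, "config.yaml"), "w") as fh:
            fh.write("retention_days: 30\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Overwrite one file and drop an extra file, as a tampered backup would show
        with open(os.path.join(root, "db", "dump.sql"), "wb") as fh:
            fh.write(b"\x00\x7f garbage")
        with open(os.path.join(root, "RESTORE_NOTE.txt"), "w") as fh:
            fh.write("placeholder\n")
        tampered = verify_backup(root, manifest)
    return clean, tampered

if __name__ == "__main__":
    print(demo())
```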
Cyber Incident Response Plan
Establish and consistently update a comprehensive cyber incident response plan (IRP) along with a communications plan. This should include well-defined procedures for responding to and notifying relevant parties in the event of ransomware, data extortion, or data breach incidents. Regularly conduct exercises to test the effectiveness of the IRP. It is crucial to have a hard copy of the plan as well as an offline version readily accessible to ensure its availability even in offline scenarios.
Implement Zero Trust Architecture
To enhance security and mitigate unauthorized access to data and services, it is recommended to implement a Zero Trust Architecture (ZTA). This approach emphasizes the need for granular access control enforcement. ZTA operates on the assumption that a network is already compromised, and it employs a set of principles and strategies aimed at minimizing uncertainty when enforcing accurate, least privilege access decisions for each request within information systems and services. By adopting ZTA, organizations can significantly enhance their security posture and reduce the risk of unauthorized access.
Preventing and Mitigating Ransomware and Data Extortion Incidents
Best practices for prevention are categorized based on the typical entry points used by ransomware and data extortion perpetrators.
Initial Access Vector: Internet-Facing Vulnerabilities and Misconfigurations
- Regularly perform vulnerability scans to detect and promptly address vulnerabilities, particularly on devices exposed to the internet. This helps minimize the attack surface and enhances the overall security posture.
- Ensure regular patching and updating of software and operating systems to their latest available versions. This practice helps address known vulnerabilities and strengthens the overall security of the systems.
- Give priority to promptly patching internet-facing servers, as well as software that processes internet data, such as web browsers, browser plugins, and document readers, particularly for vulnerabilities that are known to be actively exploited.
- Recognizing the challenges faced by small and medium-sized businesses in maintaining updated internet-facing servers, the organizations behind the guide strongly recommend considering a transition to reputable “managed” cloud providers. This migration can help reduce, though not eliminate, the maintenance responsibilities for identity and email systems.
- Take measures to ensure proper configuration and enable security features on all on-premises, cloud services, mobile, and personal devices (such as bring your own device [BYOD]). For instance, disable unused ports and protocols that are not essential for business operations, such as Remote Desktop Protocol [RDP] on Transmission Control Protocol [TCP] Port 3389.
- Restrict the usage of Remote Desktop Protocol (RDP) and other remote desktop services.
If the use of Remote Desktop Protocol (RDP) is essential, it is crucial to implement best practices to mitigate risks. Threat actors frequently exploit exposed and inadequately secured remote services to gain initial access to a network. They may further navigate the network by leveraging the native Windows RDP client. Additionally, threat actors often target virtual private networks (VPNs) or exploit compromised credentials to gain unauthorized access. It is important to remain vigilant and take appropriate measures to secure RDP and other remote services to prevent such unauthorized access.
- Perform regular network audits to identify systems utilizing RDP. Close any unused RDP ports and enforce account lockouts after a designated number of unsuccessful attempts. Implement multifactor authentication (MFA) for enhanced security and ensure that RDP login attempts are thoroughly logged.
- Keep VPNs, network infrastructure devices, and remote work devices up to date with the latest software patches and security configurations. Implement MFA for all VPN connections to bolster security. If MFA is not in place, mandate the use of passwords with a length of 15 characters or more for teleworkers to strengthen authentication measures.
- Disable Server Message Block (SMB) protocol versions 1 and 2 and transition to version 3 (SMBv3) after addressing any dependencies that may be present in existing systems or applications and could potentially be disrupted by the disablement.
Initial Access Vector: Compromised Credentials
- Deploy multi-factor authentication (MFA) solutions that are resilient against phishing attacks for all services.
Specifically for email, VPNs, and accounts with access to critical systems, ensure the implementation of MFA. In cases where systems do not support MFA, fail to enforce MFA, or users are not enrolled with MFA, promptly report these findings to senior management for appropriate escalation.
- Evaluate the possibility of adopting password-less multi-factor authentication (MFA) methods that replace traditional passwords with two or more verification factors, such as fingerprint recognition, facial recognition, device PIN, or cryptographic keys. This approach enhances security and eliminates the reliance on passwords as a single point of vulnerability.
- Explore the option of subscribing to credential monitoring services that actively monitor the dark web for compromised credentials. These services help detect if any employee or organizational credentials have been compromised, allowing for timely response and mitigating potential risks associated with unauthorized access or account takeover.
- Deploy identity and access management (IAM) systems to empower administrators with the necessary tools and technologies to effectively monitor and manage the roles and access privileges of individual network entities across both on-premises and cloud applications. IAM systems help ensure proper governance and control over user access, reducing the risk of unauthorized access and enhancing overall security.
- Implement a zero trust access control approach by establishing robust access policies that tightly restrict user-to-resource access and resource-to-resource access. This practice is particularly critical when it comes to managing key resources in the cloud.
- Change default admin usernames and passwords.
- Do not use root access accounts for day-to-day operations.
- Implement password policies that require unique passwords of at least 15 characters.
- Enforce policies that automatically lock user accounts after a specified number of unsuccessful login attempts. Additionally, implement comprehensive logging and monitoring mechanisms to track login attempts, specifically for detecting and mitigating brute force password cracking and password spraying attacks.
- Store passwords in a secured database and use strong hashing algorithms.
- Disable saving passwords to the browser in the Group Policy Management console.
- Implement Local Administrator Password Solution (LAPS) where possible if your OS is older than Windows Server 2019 or Windows 10, as those older versions do not have LAPS built in.
- Include comprehensive password security education in your annual security training program for all employees. Emphasize the importance of not reusing passwords across multiple accounts and the risk associated with saving passwords in local files.
- Use Windows PowerShell Remoting, Remote Credential Guard, or RDP with restricted.
- Implement a clear segregation between administrator accounts and user accounts. Designate specific admin accounts solely for administrative tasks, ensuring they are exclusively used for such purposes. When granting administrative rights to individual users for their workstations, create separate accounts that do not have administrative access to other hosts, such as servers. In certain cloud environments, consider separating duties by restricting the account responsible for provisioning/managing keys from having permission to use the keys, and vice versa. It’s important to note that this approach may introduce additional management overhead and may not be suitable for all environments.
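The account lockout and login monitoring bullet above calls for logging that can tell brute force password cracking apart from password spraying. As an added example that is not part of the original post, this script runs that distinction over a constructed set of authentication log lines (the syslog-style layout and the threshold values are assumptions): a single account hammered from one source crosses the lockout threshold, while a spraying source touches many accounts and stays under it.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the original post); the
# timestamp/result/user/src layout is an assumed syslog-style format.
SAMPLE_LOG = """\
2023-06-10T08:00:01 FAILED user=alice src=203.0.113.5
2023-06-10T08:00:02 FAILED user=alice src=203.0.113.5
2023-06-10T08:00:03 FAILED user=alice src=203.0.113.5
2023-06-10T08:00:04 FAILED user=alice src=203.0.113.5
2023-06-10T08:00:05 FAILED user=alice src=203.0.113.5
2023-06-10T08:00:06 FAILED user=alice src=203.0.113.5
2023-06-10T08:01:00 FAILED user=bob src=198.51.100.9
2023-06-10T08:01:01 FAILED user=carol src=198.51.100.9
2023-06-10T08:01:02 FAILED user=dave src=198.51.100.9
2023-06-10T08:01:03 FAILED user=erin src=198.51.100.9
2023-06-10T08:01:04 FAILED user=frank src=198.51.100.9
2023-06-10T08:05:00 SUCCESS user=alice src=192.0.2.10
2023-06-10T08:06:00 FAILED user=alice src=192.0.2.10
"""
LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")
LOCKOUT_THRESHOLD = 5   # failures on one account from one source -> lock the account
SPRAY_MIN_ACCOUNTS = 4  # distinct accounts probed from one source, each below the threshold

def parse(log_text):
    """Return (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events

def analyze(log_text):
    """Brute force: one (user, src) pair crossing the lockout threshold.
    Password spraying: one source trying many accounts while staying under it."""
    failures = defaultdict(int)      # (user, src) -> failed attempts
    accounts_by_src = defaultdict(set)
    for _, result, user, src in parse(log_text):
        if result == "FAILED":
            failures[(user, src)] += 1
            accounts_by_src[src].add(user)
    lockouts = sorted(pair for pair, n in failures.items() if n >= LOCKOUT_THRESHOLD)
    sprays = sorted(
        src for src, users in accounts_by_src.items()
        if len(users) >= SPRAY_MIN_ACCOUNTS
        and all(failures[(u, src)] < LOCKOUT_THRESHOLD for u in users)
    )
    return {"lockouts": lockouts, "spraying_sources": sprays}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A lockout rule alone never fires on the spraying source, which is why the guide pairs lockouts with logging and monitoring.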
Initial Access Vector: Phishing
- Establish a comprehensive cybersecurity user awareness and training program that encompasses guidance on identifying and reporting suspicious activities, such as phishing attempts, as well as other incidents.
- Configure email clients to flag emails that originate from external senders.
- Deploy filtering mechanisms at the email gateway to effectively identify and block emails containing known malicious indicators, including malicious subject lines. Additionally, implement firewall rules to proactively block suspicious Internet Protocol (IP) addresses.
- Enable common attachment filters to restrict file types that commonly contain malware and should not be sent by email.
- Implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy and verification mechanisms to reduce the risk of receiving spoofed or tampered emails from legitimate domains. DMARC enhances domain protection by addressing email spoofing, but it’s important to note that it does not provide protection against incoming emails that have been spoofed unless the sending domain also employs DMARC. DMARC builds upon widely adopted protocols such as Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM), incorporating a reporting function that enables senders and recipients to enhance and monitor domain protection against fraudulent email activities.
- Ensure macro scripts are disabled for Microsoft Office files transmitted via email. These macros can be used to deliver ransomware.
- Disable Windows Script Host (WSH). WSH provides an environment in which users can execute scripts or perform tasks.
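The DMARC bullet above notes that the policy only protects a domain when it is actually enforcing and that it builds on SPF and DKIM. As an added example that is not part of the original post, this checker parses DMARC and SPF TXT records and lists the settings that leave a domain spoofable (monitoring-only policy, partial pct, unenforced subdomains, a permissive SPF terminator). The sample records and example.com domain are constructed placeholders.

```python
# Constructed sample TXT records (not from the original post); the domain is a placeholder.
WEAK_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC TXT record into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """List weaknesses in a DMARC record; an empty list means the policy is enforcing."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        # p=none only generates reports; mail that fails DMARC is still delivered
        findings.append(f"p={policy or 'missing'}: monitoring only, no enforcement")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p when absent
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy or 'missing'}: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are never received")
    return findings

def assess_spf(record):
    """List weaknesses in the SPF record that DMARC alignment depends on."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    final = terms[-1].lower()
    if final in ("all", "+all"):
        return ["+all: every host on the internet passes SPF for this domain"]
    if not final.endswith("all"):
        return ["no terminating all mechanism: unlisted hosts get a neutral result"]
    return []

if __name__ == "__main__":
    print(assess_dmarc(WEAK_DMARC), assess_spf(WEAK_SPF))
```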
Initial Access Vector: Precursor Malware Infection
- Employ automatic updates for your antivirus and anti-malware software and ensure that the associated signatures are regularly updated. Configure the security tools to promptly escalate warnings and indicators, alerting the security personnel to potential threats. It is advisable to utilize a centrally managed antivirus solution as recommended by the authoring organizations. Such a solution enables the detection of both precursor malware and ransomware.
- Implement application allowlisting and/or endpoint detection and response (EDR) solutions across all assets to establish strict control over software execution. This approach ensures that only authorized software is allowed to run, while unauthorized software is effectively blocked.
- Evaluate the implementation of an intrusion detection system (IDS) to effectively identify command and control activity as well as other potentially malicious network behavior that precedes ransomware deployment.
- Monitor and analyze indicators of suspicious activity, utilizing the Windows Sysmon utility to proactively identify and block the creation of malware files.
Initial Access Vector: Advanced Forms of Social Engineering
- Develop comprehensive policies that incorporate cybersecurity awareness training, specifically addressing advanced forms of social engineering, for personnel who have network access. This training should focus on equipping employees with the knowledge and skills to identify illegitimate websites and search results. Regular repetition of security awareness training is crucial to ensure that staff members remain informed and maintain a vigilant approach towards cybersecurity practices.
- Deploy Protective Domain Name System (DNS) solutions to enhance network security for remote workers. These services block malicious internet activity at its source, offering robust protection against threats such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware. Leveraging the existing DNS protocol and architecture, Protective DNS services analyze DNS queries and take immediate action to mitigate potential risks. State, local, tribal, and territorial organizations can consider implementing the no-cost MDBR (Managed DNS-Based Resolution) service to strengthen their security infrastructure.
- Evaluate the implementation of sandboxed browsers as a protective measure to safeguard systems against malware originating from web browsing activities. Sandboxed browsers create a secure environment that isolates the host machine from potentially malicious code, significantly reducing the risk of malware infections.
Initial Access Vector: Third Parties and Managed Service Providers
- Evaluate the risk management and cyber hygiene practices of third-party vendors or managed service providers (MSPs) that your organization relies on to fulfill its mission. It is important to consider that MSPs have been identified as potential infection vectors for ransomware, affecting numerous client organizations.
- Implement the principle of least privilege and maintain a clear separation of duties when granting access to third parties. Ensure that third parties and MSPs are only provided access to devices and servers that are relevant to their specific roles and responsibilities.
- Evaluate the implementation of Service Control Policies (SCP) for cloud-based resources to restrict users or roles from accessing specific services or performing specific actions within those services. By utilizing SCPs, organizations can enforce granular control over permissions and prevent users from carrying out actions such as deleting logs, modifying Virtual Private Cloud (VPC) configurations, or altering log configurations.
Next week in part 2 we will continue with the General Best Practices and Hardening Guidance in case of Ransomware or Data Extortion.