How to #StopRansomware – Prevention & Mitigation best practice – part 2
In this How to #StopRansowmare mini-series, last week we covered the areas of Preparing for Ransomware & Data Extortion Incidents as well as best practices for prevention categorized based on the typical entry points used.
Today we continue with
General Best Practices and Hardening Guidance
Adopt a thorough and all-encompassing strategy for managing its assets
- Gain a comprehensive understanding of your organization’s IT assets by conducting a thorough inventory, encompassing both logical components such as data and software, as well as physical elements like hardware.
- Ensure that you are aware of the data or systems that hold the utmost importance for health and safety, revenue generation, or any other critical services within your organization. Understand the interdependencies involved, such as knowing that “system list ‘A’ used to perform ‘X’ is stored in critical asset ‘B’.” This knowledge will assist your organization in establishing restoration priorities in the event of an incident. Implement more extensive security controls or safeguards specifically tailored to protect these critical assets. Achieving this requires coordination across the entire organization.
- Make certain that you securely store your documentation for IT assets and maintain offline backups as well as physical hard copies on-site.
Apply the principle of least privilege to all systems and services
- Ensure that user permissions are restricted when it comes to installing and running software applications.
- Limit user and role permissions for accessing or modifying cloud-based resources.
- Take steps to restrict certain users or roles from performing actions on customer-managed keys.
- Use group policy to block remote access by local accounts and refer to Microsoft’s guidelines on blocking remote use of local accounts and security identifiers.
- Implement Windows Defender Remote Credential Guard and restricted admin mode for Remote Desktop Protocol (RDP) sessions.
- Remove unnecessary accounts and groups, and restrict root access.
- Control and limit local administration.
- Regularly audit Active Directory (AD) to identify excessive privileges on accounts and group memberships.
- Utilize the Protected Users AD group in Windows domains to enhance security for privileged user accounts against pass-the-hash attacks.
- Conduct quarterly audits of user and admin accounts to identify any inactive or unauthorized accounts, with special attention given to remote monitoring and management accounts that may be publicly accessible. This includes auditing third-party access granted to Managed Service Providers (MSPs).
Make certain that all hypervisors and the corresponding IT infrastructure, including network and storage components, are regularly updated and hardened
There is a growing trend among ransomware attacks to target VMware ESXi servers, hypervisors, and other centralized tools and systems. This allows for rapid encryption of the infrastructure on a large scale.
Utilize industry best practices and activate security settings in conjunction with cloud environments to enhance overall security measures
- Examine the shared responsibility model for cloud services and ensure a clear understanding of the customer’s responsibilities in asset protection.
- Regularly backup data, either offline or through cloud-to-cloud backups.
- Activate logging on all resources and establish alerts for unusual usage patterns.
- Enable delete protection or object lock on storage resources that are often targeted in ransomware attacks (such as object storage, database storage, file storage, and block storage) to prevent data deletion or overwriting.
- Consider enabling version control to maintain multiple versions of objects in storage, facilitating easier recovery from unintended or malicious actions.
- Whenever possible, when utilizing custom programmatic access to the cloud, employ signed application programming interface (API) requests to authenticate the identity of the requester. This measure ensures data protection during transit and safeguards against various attacks, including replay attacks.
Take measures to mitigate the potential for malicious exploitation of remote access and remote monitoring and management (RMM) software
- Conduct audits of the remote access tools present on your network to identify any authorized remote monitoring and management (RMM) software.
- Scrutinize logs for any unusual usage patterns or instances of RMM software operating as portable executables.
- Utilize security software that can identify instances where RMM software is exclusively loaded in memory.
- Enforce the requirement that authorized RMM solutions are only used from within your network, utilizing approved remote access methods such as VPNs or virtual desktop interfaces (VDIs).
- Implement network perimeter measures to block both inbound and outbound connections on well-known RMM ports and protocols.
Deploy Zero Trust Architecture
Implement Zero Trust Architecture (ZTA) and utilize both logical and physical methods to achieve network segmentation within your organization. This includes separating different business units or departmental IT resources and maintaining a clear distinction between IT and operational technology. By employing network segmentation, you can effectively contain the impact of any intrusion and prevent or restrict lateral movement by malicious actors. However, it’s important to note that network segmentation can be compromised through user error or non-compliance with organizational policies, such as connecting removable storage media or other devices to multiple segments. It is crucial to enforce adherence to these policies to maintain the effectiveness of network segmentation.
Restrict usage of PowerShell to specific users on a case-by-case basis by using Group Policy
Ensure that you update Windows PowerShell or PowerShell Core to the latest version and remove any previous versions from your system. Additionally, make certain that PowerShell instances, running the latest version, have enhanced logging enabled for modules, script blocks, and transcription.
- PowerShell logs provide valuable information, including historical interactions with the operating system and registry, as well as potential tactics, techniques, and procedures employed by threat actors utilizing PowerShell.
- Regular checks should be performed to verify that log data has not been deleted or logging has not been disabled. Set the storage size limit for both logs to the maximum possible capacity.
Secure domain controllers (DCs)
To enhance the security of your domain controllers (DCs) and protect against malicious actors, it is recommended to utilize the latest supported version of Windows Server for your organization. The newer versions of Windows Server operating systems offer advanced security features, including integrated measures specifically designed to safeguard Active Directory.
- Regularly apply patches to domain controllers (DCs) to keep them up-to-date, prioritizing critical vulnerability patches for immediate implementation.
- Verify the security of domain controllers using open-source penetration testing tools.
- Minimize the installation of software or agents on DCs to reduce the risk of arbitrary code execution on the system.
- Restrict access to DCs exclusively to the Administrators group. Users within this group should be limited, and separate accounts should be used for day-to-day operations with non-administrative permissions.
- Set up the host firewalls on domain controllers (DCs) to block internet access. Generally, DCs do not require direct connectivity to the internet. Instead, servers with internet access can be designated to fetch the necessary updates on behalf of the DCs.
- Implement a privileged access management (PAM) solution on the DCs to facilitate the management and monitoring of privileged access. PAM solutions also provide logging and alerting capabilities to identify any abnormal activities.
- Activate additional safeguards for LSA Authentication to prevent code injection that can potentially compromise system credentials. Before enabling these protections, conduct audits on lsass.exe to gain insight into the programs that may be impacted by the activation of this security measure.
Retain and adequately secure logs from network devices, local hosts, and cloud services
- Establish a centralized log management system utilizing a security information and event management (SIEM) tool. This enables the organization to consolidate logs from various network and host security devices. By analyzing logs from multiple sources, the organization can assess individual events and evaluate their impact on the overall security posture.
- Ensure that logs for critical systems are consistently maintained and backed up, ideally for a minimum period of one year, to facilitate long-term analysis and investigations if necessary.
Establish a security baseline of normal network traffic and tune network appliances to detect anomalous behaviour
Configure host-based security products to optimize their ability to identify abnormal binaries, detect lateral movement within the network, and identify persistence techniques used by malicious actors. Fine-tuning these security measures will enhance the overall capability to detect and respond to potential threats effectively.
Next week in part 3 we will start looking at the Response Checklist in cases of Ransomware or data Extortion starting with Detection Analysis.