By Azeem Aleem, Gareth Pritchard and David Gray, RSA Advanced Cyber Defense
It’s mid-2017 and the news is alight with yet another alarming cybersecurity attack: a new malware strain which, on first analysis, looks very similar to a previously reported strain called “Petya” (ransomware armed with the EternalBlue exploit, amongst other methods including MS17-010, PSEXEC and authentication reuse, to achieve lateral movement). EternalBlue is an exploit leaked by a group of hackers known as the ‘Shadow Brokers’.
This latest attack is not unlike the previously reported WannaCry (also known as WanaCrypt0r 2.0), which also used the EternalBlue exploit to infect machines over the network. At a technical level, however, this attack is much more impactful, as the malware uses low-level encryption: the hard drive itself is encrypted rather than individual files. In this scenario, recovery is more difficult and time-consuming, as the disks themselves need to be formatted or replaced before the operating system is reinstalled and the files restored.
WannaCry, by contrast, used high-level encryption, in which the individual files were replaced with encrypted versions; the hard drive itself was unaffected, and the files could be restored from backup with relative simplicity, assuming backups were available.
In the WannaCry attack, emergency services and public safety were severely impacted: hospitals closed and ambulances were re-routed because of the outbreak.
The full extent of this latest ransomware attack is yet to be realized; however, published reports indicate mass infection across multiple organizations, including but not limited to the Russian Central Bank and the Ukrainian International Airport.
As the investigation into “Petya/NotPetya” continues, it is clear from a security perspective that this attack could have been much smaller in scope, if not avoided entirely, through a combination of security strategies and defenses. Let’s take a closer look.
Patching without due care and attention can be just as damaging as not patching at all: rolling out untested patches has crippled organizations before. Always ensure the product being patched is fully supported by the vendor. Where an out-of-band patch for an end-of-life operating system is released for a critical vulnerability, the vendor may not fully support the system after that emergency release; in these cases, contact the vendor to confirm that support will be provided during and after the initial patching. A back-out plan to reverse the patch, in case it affects system performance or security, is also required for all patching and maintenance activities.
Organizations must employ a stable upgrade and maintenance cycle to help combat this age of cyber threats. Failure to patch, update and upgrade (away from unsupported operating systems) can – at the very least – irreparably damage an organization’s reputation, or – in the worst case, as seen in the recent WannaCry ransomware attack – put public safety at risk.
Patch management should include, but not be limited to, operating system upgrades. Continuing to use operating systems no longer supported by the vendor carries the utmost risk, as they provide a foothold from which attackers can reach the wider network.
Unsupported systems accumulate known, unpatched vulnerabilities, meaning older, well-known exploits and malware become ever more available to novice hackers (commonly known as script kiddies), greatly extending the threat landscape.
The last line of defense in a breach mitigation strategy is the end user. Many organizations operate under the mistaken belief that end users are something to be protected from threats; however, to effectively protect the network, end users need to be trained and empowered to identify potential threats and help protect company assets from attack.
Phishing and social engineering attacks are extremely simple to conduct, difficult to detect at a technology level and the most likely to succeed. An attacker can fail multiple times before gaining access with one single success, and that single success may be a company’s user failing to recognize an attack, resulting in a breach of the network. End user education is often overlooked in network protection, but it is a critical and often final line of defense. This type of awareness spills over into the lives of the employees, their children and friends – ultimately raising public awareness. This leads to an inherent responsibility to protect ourselves against cyber threats much more effectively now, and even more so in the future.
The risk mitigation strategy must be built on the following actions:
Ransomware can only affect files it has access to; typical ransomware has the same access to data as the currently logged-in end user. Maintaining end user access permissions can help limit the damage a ransomware infection may cause, as not all end users need access to all critical systems.
As stated above, the most effective way to reduce an organization’s threat landscape is by conducting a patch management program.
Applications, software and hardware deemed not compliant with the IT usage policy increase the attack surface of the company’s assets. Many organizations have a whitelist of applications that have been tested and verified as safe for use within the organization. These compliant software packages should also be regularly upgraded and patched, as well as monitored by the company’s security team for vulnerabilities and exploits reported by each vendor.
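The point above is that a ransomware process inherits the victim user's permissions, so the set of shares that user can write to is the infection's blast radius. The following added example (written for this article, not RSA's code) shows how a defender can measure that blast radius from share ACLs before an infection happens. The group membership, share names and ACL entries are constructed sample data, and nested group membership is resolved so that indirect write access is counted too.

```python
"""Estimate the write-reachable share footprint ("blast radius") of each user.

Added example for this article, not RSA's code. All group names, share names
and ACL entries below are constructed sample data.
"""
from collections import deque

# Constructed group membership: group -> members (users or nested groups).
GROUPS = {
    "Domain Users": ["alice", "bob", "carol"],
    "Finance": ["bob", "Finance-Leads"],   # Finance-Leads is nested in Finance
    "Finance-Leads": ["carol"],
    "IT-Admins": ["dave"],
}

# Constructed share ACLs: share -> list of (principal, rights).
SHARE_ACLS = {
    r"\\fs01\public": [("Domain Users", "modify")],
    r"\\fs01\finance": [("Finance", "modify"), ("IT-Admins", "full")],
    r"\\fs01\payroll": [("Finance-Leads", "modify"), ("IT-Admins", "full")],
    r"\\fs01\backups": [("IT-Admins", "full"), ("Domain Users", "read")],
    r"\\fs01\source": [("Domain Users", "modify")],
}

# Rights that let a process create, overwrite or rename files on the share.
WRITE_RIGHTS = {"modify", "full", "write"}


def effective_principals(user):
    """Return the user plus every group that contains them, following nesting."""
    # Invert membership once: member -> set of groups it belongs to directly.
    parents = {}
    for group, members in GROUPS.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    # Breadth-first walk up the membership graph.
    seen = {user}
    queue = deque([user])
    while queue:
        node = queue.popleft()
        for group in parents.get(node, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def writable_shares(user):
    """Shares that a ransomware process running as `user` could encrypt."""
    principals = effective_principals(user)
    return sorted(
        share
        for share, acl in SHARE_ACLS.items()
        if any(p in principals and rights in WRITE_RIGHTS for p, rights in acl)
    )


def blast_radius_report():
    """Map every known user to the shares they can write, largest footprint first."""
    users = {m for members in GROUPS.values() for m in members if m not in GROUPS}
    report = {u: writable_shares(u) for u in users}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for user, shares in blast_radius_report().items():
        print(f"{user}: {len(shares)} writable share(s): {', '.join(shares)}")
```

In the sample data, carol can write to four shares through nested membership even though she is only listed directly in one group, which is exactly the kind of indirect exposure a permissions review is meant to surface. The same approach works against exported ACLs from a real file server once they are parsed into the two dictionaries above.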
Regular scans should be conducted using a vulnerability scanning appliance on the company’s network in order to identify applications that may be vulnerable to exploitation.
A newly found vulnerability may not always be patched immediately, depending on patch availability from the vendor; in these cases, however, the vendor of the vulnerable application will typically be able to provide a mitigation strategy until a patch is made available.
Alternative mitigation strategies include isolating the vulnerable applications/assets from the wider network, or temporarily limiting the communication protocols available to the vulnerable assets until patching can be completed.
Smaller organizations and home users can purchase internet security packages, which include solutions designed to protect against ransomware. These packages use a similar approach, preventing third-party applications from accessing files selected by the user for protection.
Where possible, arrange for the email team to remove known malicious emails from the email servers. Attackers commonly take advantage of newsworthy events to leverage trust from end users and make phishing campaigns more successful. Pre-warning end users of a suspected phishing attack will help raise awareness and assist them in detecting these attacks.
Breach mitigation will not be completely effective in all cases, as advanced attackers are well-funded, organized and capable. True zero-day vulnerabilities are previously undisclosed, with the initial discovery often being made by a security researcher during (or after) incident response activities. By then it is too late: the zero-day has already done its job of breaching the targeted network for the attackers. The attackers’ goals vary in impact and severity; from political to espionage, the attacks themselves may not differ, but the goal of selling or destroying data can have a very different impact on the victim. Monitoring for evidence of what happened to the data after it was stolen may allow an organization to react swiftly and minimize the damage resulting from a data leak, or from data destruction for financial gain. Regardless, a company can still prepare for most breach eventualities.
When developing threat detection, protection and prevention use cases, it’s useful to create a threat scenario. For example, a scenario on the impact and capability of a ransomware infection would highlight areas where attention is required for response and recovery actions.
This threat scenario highlights several potential issues which may be prevented, or prepared for, prior to the realization of the threat. Typical ransomware infections scan the network shared folders attached to the target asset and spread themselves to connected shares using worm capabilities before encrypting any data or showing signs of infection on the original compromised asset.
Mitigation advice for ransomware often includes regular data backups to an offsite facility. As is the case for hardware failures and natural disasters, these backups do not include the latest available data. Ransomware attacks are more prevalent, and more likely to occur, than total redundant hardware failures or natural disasters, and thus require more in-depth analysis. Of course, backups are still necessary and provide some assurance of returning to business.
Payment, generally considered an invitation to further ransomware and other potential attacks from threat actors, does not guarantee full resolution of the situation. The potential for future re-encryption, or decryption failure, makes paying the ransom a business decision. This decision should be made after conducting a risk assessment comparing the cost of temporary data loss, the impact of downtime and the consequences of permanent data loss. To prepare for this scenario, stakeholders must be briefed and ready to make a business decision. Third-party incident response groups are typically brought in during these situations.
Preparation allows these third-party incident response teams to act swiftly, quickly disrupting the attack, effectively minimizing impact and restoring service with minimal disruption.
The mitigation strategy must be built on the following actions:
Running breach exercises allows a company to develop new, complex attack scenarios and challenges its team to conduct more advanced exercises, better preparing the organization.
However, with careful and guided preparation and prevention, a company is more than half way to mitigating a breach before it occurs. The final step, response, must be swift, decisive and exacting.
Having the ability to monitor the attack, and to pull up the drawbridge (when deemed necessary) in seconds rather than hours, may aid in better understanding the attacker’s end goal. This can be useful for intelligence purposes, possibly identifying the attacker’s exfiltration point, or uncovering additional compromised assets in use (or potentially held in reserve to regain entry once you’ve remediated and recovered from the attack).
Responses must be tailored to the threat. The response to a breach attempting to exfiltrate sensitive data cannot be the same as the response to a ransomware attack. When developing attack scenarios, use cases should be coupled with Incident Response Procedures (IRPs) tailored to the threat type. These procedures must be reviewed, analyzed and updated at the end of every related incident to ensure they are kept up to date, amended to resolve any issues encountered with the procedure, and maintained in step with advancing analyst and technology capabilities. All other areas of the IRP should be targeted against the specific threat.
Attack vectors and TTPs are used to build attack scenarios, which are used to identify threat indicators. Threat indicators are mapped against data sources to identify exploitable detection logic. Detection logic is mapped against IRPs.
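The chain just described (scenario to indicator to data source to detection logic to IRP) is easiest to see end to end with running detection logic, so here is an added example, written for this article and not RSA's code, that takes the ransomware threat scenario from earlier in the piece and walks it through that chain. Two pieces of detection logic run over constructed sample telemetry: a burst of file renames to one new extension on a share (the encryption indicator) and the installation of a remote-execution service (the PSEXEC lateral-movement indicator named in the opening paragraph). Windows event ID 7045 (a new service was installed) and the PSEXESVC service name are real; the detection identifiers, IRP names, hosts, users and event records are constructed for the example.

```python
"""Threat indicator -> data source -> detection logic -> IRP, with running checks.

Added example for this article, not RSA's code. Event records, detection IDs
and IRP names are constructed; event ID 7045 and the PSEXESVC name are real.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical catalogue: each piece of detection logic records the indicator it
# implements, the data source it needs and the IRP it hands off to.
DETECTIONS = {
    "DL-01": {"indicator": "mass rename of files to one new extension",
              "source": "file-server object access audit log",
              "irp": "IRP-Ransomware"},
    "DL-02": {"indicator": "remote-execution service installed on a workstation",
              "source": "Windows System log, event ID 7045",
              "irp": "IRP-Lateral-Movement"},
}

# Service names that indicate a remote-execution tool was installed (PSEXESVC is
# the default service name PsExec creates on the remote host).
REMOTE_EXEC_SERVICES = {"psexesvc"}


def _ev(ts, **fields):
    return {"ts": ts, **fields}


# Constructed sample telemetry, already parsed into dicts: six renames by "bob"
# in 30 s, one benign rename by "alice", one PsExec service install, one benign
# service install.
EVENTS = [
    _ev(f"2017-06-27T10:00:{s:02d}", type="file_rename", host="fs01", user="bob",
        path=fr"\\fs01\finance\doc{i}.docx",
        new_path=fr"\\fs01\finance\doc{i}.docx.locked")
    for i, s in enumerate(range(1, 31, 5))
] + [
    _ev("2017-06-27T10:02:00", type="file_rename", host="fs01", user="alice",
        path=r"\\fs01\public\report.docx", new_path=r"\\fs01\public\report.docx.bak"),
    _ev("2017-06-27T10:00:40", type="service_install", host="ws17",
        event_id=7045, service_name="PSEXESVC"),
    _ev("2017-06-27T09:55:00", type="service_install", host="ws02",
        event_id=7045, service_name="ContosoUpdater"),
]


def detect_rename_burst(events, threshold=5, window=timedelta(seconds=60)):
    """DL-01: one user renames >= threshold files to the same new extension
    on one host within `window` (sliding window over sorted timestamps)."""
    per_key = defaultdict(list)
    for e in events:
        if e["type"] != "file_rename":
            continue
        ext = e["new_path"].rsplit(".", 1)[-1].lower()
        per_key[(e["user"], e["host"], ext)].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (user, host, ext), times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"detection": "DL-01", "user": user, "host": host,
                               "extension": ext, "count": end - start + 1})
                break  # one alert per key is enough to open the IRP
    return alerts


def detect_remote_service(events):
    """DL-02: event 7045 whose service name matches a known remote-exec tool."""
    return [{"detection": "DL-02", "host": e["host"], "service": e["service_name"]}
            for e in events
            if e["type"] == "service_install" and e.get("event_id") == 7045
            and e["service_name"].lower() in REMOTE_EXEC_SERVICES]


def run_detections(events):
    """Run all detection logic and attach the catalogue entry (source, IRP)."""
    alerts = detect_rename_burst(events) + detect_remote_service(events)
    for a in alerts:
        a.update(DETECTIONS[a["detection"]])
    return sorted(alerts, key=lambda a: a["detection"])


def irps_to_invoke(events):
    """The distinct IRPs the current telemetry calls for, in a stable order."""
    return sorted({a["irp"] for a in run_detections(events)})


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert["detection"], "->", alert["irp"], alert)
    print("Invoke:", irps_to_invoke(EVENTS))
```

The value of keeping the catalogue next to the logic is that every alert arrives already tagged with the procedure that owns it, which is what the text means by mapping detection logic against IRPs. The rename threshold and window are tuning knobs: raise them on busy shares, and add a second key on the share path if one user legitimately renames many files at once.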
[Figure: Example of threat scenarios]
[Figure: Example of commonality across IRPs identified]
[Figure: Example of IRPs for internet access without a proxy]
Response procedures should include steps for incident triage, investigation, containment, eradication and recovery. Incident closure only occurs following a full debrief, which may be weeks or months after a breach. There are no prizes for closing a breach incident quickly; it should be treated like a project. Forensic and malware analysis must be conducted and post-breach monitoring use cases implemented. These use cases must carry an increased response priority, to reduce response times in the event the attackers resurface or were not successfully removed from the network during the initial remediation (it is not uncommon for advanced attackers to leave behind multiple backdoors). Do not underestimate advanced attackers when they use seemingly basic attack methodology. Just as you would not use a precision laser to cut a loaf of bread, an advanced attacker would not use a zero-day vulnerability against a target vulnerable to well-known exploit code.
The response strategy must be built on the following actions:
These strategies are only a small part of the overall security program an organization needs to maintain safe operations with minimal impact to the assets which keep the business running. Each strategy can be diversely expanded, reduced or combined according to business and security requirements. Leaving out any of these strategies negatively impacts the business and increases overall risk.
It’s incumbent on all of us to develop a threat mitigation strategy.