December 15, 2020
Strategies for Protecting Against Ransomware & Insider Threats
Ransomware. It has quickly become one of the most dreaded subjects of emails, texts, and instant messages across the IT world. On a nearly daily basis, administrators, engineers, and executives alike are waking up to learn that there has been an attack in the early morning hours. Unfortunately, the first call to the support team is usually about a degradation of service (such as a user losing access to a file, server, or application) and is not met with the urgency a cyberattack demands. By the time your team has eyes on the situation the damage is done; the threat actor has been lurking in the environment for months using the compromised credentials of one of your domain administrators. Operating under the guise of a legitimate employee with “god rights” in your domain, they meet no opposition as they document weaknesses and plant scripts and executables across the environment to perform tasks such as disabling antivirus, deleting VSS snapshots, and calling applications and features to aid in the cryptolocking process. Even though your antivirus software was enabled and running, it did not flag any of the processes planted by the assailant as malware, because they used legitimate, built-in Windows Server tools. Encrypted servers are now laden with ransom notes demanding that a large payout be sent to an untraceable email address in exchange for a decryptor, or else your data may be permanently lost. Recently the notes have become even more sinister, with credible threats to release data stolen from compromised systems for sale to the highest bidder on the dark web. The next days (or weeks) will be pivotal to the success or failure of the organization as it attempts to recover from the attack.
We must apply a new dimension of thinking to our plans for security and business continuity if we are to stand a chance against an endlessly evolving threat. Thanks to technology, our greatest fear is no longer losing too many drives in a single RAID group on our SAN. Conversely, never have we been so exposed to user error or administrative oversight that grants access to data or systems where it should not exist, opening the door for a threat actor to enter our environment. A common denominator between ransomware attacks, and part of what makes them so difficult to combat and recover from, is that they had “permission” to move forward. If a user’s actions appear sanctioned and legitimate, traditional security software will be none the wiser.
So how can we help prevent an attack which will likely come from “the inside”?
1. Reduce exposure by limiting permissions and enabling strict controls in Active Directory
   a. Your entire IT staff likely doesn’t need to be domain administrators to perform their job functions
   b. A reduction in “all-powerful” users is a direct reduction in attack surface and points of entry
   c. If ransomware is launched via a compromised account with very limited permissions, it is far less likely to do catastrophic damage
   d. Enforce password complexity and frequent changes for all users
2. Use two-factor authentication wherever possible
   a. Logins requiring 2FA are significantly less likely to be compromised
3. Use security tools that look for suspicious behavior and not just known-bad hashes associated with malware
   a. Some of the latest attacks use built-in Windows tools that will not be flagged by traditional AV
   b. Behavior-based software monitors the steps taken by specific processes and flags suspicious actions
4. Train staff to recognize common phishing practices and drill frequently
   a. Phishing emails remain one of the most common methods of procuring credentials that are later used in an attack
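To make point 3 concrete, the following is an added example (not code from the original post, and not CloudWave’s or OpSus Backup’s software) of behavior-based detection: instead of matching file hashes, it scans process-creation log lines for the preparatory steps the post describes (shadow-copy deletion, disabling recovery, disabling antivirus) carried out with tools that ship with Windows Server, and raises an alert when one account chains several of them. The log lines and the simple "timestamp user process command_line" format are constructed for the example; a real deployment would feed it Windows Security Event 4688 or Sysmon Event 1 records from your SIEM.

```python
"""
Behavior-based detection of ransomware preparation steps that abuse
built-in Windows tools, rather than matching known-bad file hashes.

Added example for illustration only; not part of the original post and not
CloudWave/OpSus Backup code. The log format and sample lines are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    timestamp: str
    user: str
    rule: str
    command_line: str


# Each rule pairs a human-readable name with a regex over the command line.
# The patterns describe *behaviour* (what the process is asked to do), so a
# renamed or freshly compiled binary still trips them if it issues the
# same command to the built-in tool.
RULES = [
    ("shadow-copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow-copy deletion (wmic)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("boot recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup catalog deletion (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
]

# Constructed flattened format: "<timestamp> <user> <process-path> <command line>"
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<proc>\S+)\s+(?P<cmd>.*)$")


def parse_line(line: str):
    """Split one log line into fields; return None for lines that do not fit."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return one Finding per (line, rule) match, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["ts"], rec["user"], name, rec["cmd"]))
    return findings


def suspicious_users(findings, threshold=2):
    """Accounts that triggered at least `threshold` distinct rules.

    A single shadow-copy deletion may be a legitimate administrator; several
    precursor steps in sequence from one account is the pattern to page on.
    """
    per_user = {}
    for f in findings:
        per_user.setdefault(f.user, set()).add(f.rule)
    return sorted(u for u, rules in per_user.items() if len(rules) >= threshold)


# Constructed sample log: one ordinary user, one backup service account doing
# routine work, and one compromised domain-admin account staging an attack.
SAMPLE_LOG = [
    r"2020-12-14T02:11:03Z CORP\jsmith C:\Windows\System32\cmd.exe cmd.exe /c dir \\fileserver\share",
    r"2020-12-14T02:14:27Z CORP\da-admin C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet",
    r"2020-12-14T02:14:31Z CORP\da-admin C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete",
    r"2020-12-14T02:15:02Z CORP\da-admin C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no",
    r"2020-12-14T02:15:40Z CORP\da-admin C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    r"2020-12-14T08:30:00Z CORP\backupsvc C:\Windows\System32\vssadmin.exe vssadmin.exe list shadows",
]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.user}: {h.rule} <- {h.command_line}")
    print("ALERT, accounts chaining multiple precursor steps:", suspicious_users(hits))
```

Note that the `backupsvc` account, which merely lists shadow copies, produces no finding, while `da-admin` trips four distinct rules within two minutes and is the only account returned by `suspicious_users`. Thresholding on distinct behaviors per account is what keeps a routine administrative snapshot cleanup from paging the on-call engineer.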
Unfortunately, even the best-laid plans can’t counter user error or mishandled credentials. So once we’ve done everything possible to enforce the above controls, we must proceed under the assumption that when the day comes, the attacker will be on the inside with unhindered access and will enact complete destruction. How can we recover from a destructive process that is attacking and cryptolocking all domain-attached servers and network shares? The obvious answer would be to restore from backups; however, traditional backup systems and their savesets are often vulnerable to ransomware and will be just as damaged as the production applications (if not completely eliminated to prevent any recovery). When it comes to recovery from this kind of attack, we must use a new approach. From these threats and new requirements for resilience grew OpSus Backup, CloudWave’s backup as a service.
In order to understand how OpSus Backup can change (and simplify) the flow of recovery from an attack, review the scenarios below. The first outlines the process for a site with on-site, self-administered backups:
1. A domain administrator’s user account is compromised at a facility, and a threat actor gains entry to the environment
2. The threat actor remains in the environment collecting data for 2 months, having identified that the password policy enforces changes at 90-day intervals
3. While surveying the environment, the threat actor determines the backup environment is domain-joined and uses traditional CIFS/NAS storage devices
4. 75 days after entering the environment, the attacker launches scripts that destroy all of the backup data using the domain administrator’s native permissions
   a. The facility replicates backups to a secondary site for disaster recovery on the NAS appliance; however, these are merely block-for-block copies of the source and are therefore impacted/destroyed along with the originals
5. The payload is dropped and production servers and data onsite are cryptolocked
6. After discovering the damage, administrators find that all recent backup data was destroyed during the attack
7. The site is forced to restore from very old tapes (if available) and begin a long and arduous road to recovery
The second scenario illustrates the process for the same site using OpSus Backup:
1. A domain administrator’s user account is compromised at a facility, and a threat actor gains entry to the environment
2. The threat actor remains in the environment collecting data for 2 months, having identified that the password policy enforces changes at 90-day intervals
3. While surveying the environment, the threat actor searches for the backup environment with the intent of hampering any chance of recovery
   a. The backup environment is not part of the production domain; therefore the stolen credentials do not grant the attacker any access to the backup server or savesets
4. The attacker begins looking for backup storage appliances onsite with the intent of destroying the savesets directly
   a. While OpSus Backup uses a local disk share for rapid recovery (directly attached to the non-domain server), all backups are also stored in the cloud for safekeeping and flexibility
   b. Ransomware does not easily spread to cloud storage because it is accessed via the S3 API (not exposed as SMB/CIFS/NAS, etc.)
5. The payload is dropped and production servers and data onsite are cryptolocked
6. After discovering the damage, administrators will likely find the OpSus Backup appliance still running and intact on premises
7. The site is able to restore contracted resources from local disk (or from the cloud if necessary)
Lastly, the same site is hit with an attack, and it’s an inside job.
1. The threat actor is aware the site is utilizing OpSus Backup and physically destroys the backup server prior to launching the attack
2. The payload is dropped and production servers and data onsite are cryptolocked
3. After discovering the damage, administrators find the backup appliance onsite is destroyed
4. However, the appliance onsite is only a conduit for backups and restores, and is easily replaceable
5. As all data is stored in the cloud, the site is able to rapidly deploy a new physical appliance and re-enable OpSus Backup via this device
6. Access to the most recent savesets is granted to the appliance via the cloud libraries and the site is able to restore their data when safe to do so
Our hope is that this information will help empower you to better protect your users, systems, and data. The IT world is often hectic, and we are forced to accomplish heroic feats in shorter and shorter amounts of time (making it more and more difficult to maintain security best practices). Please keep these important points in mind:
1. Limit access and permissions (only give what’s needed and remember every user is an attack vector)
2. Use 2FA wherever possible
3. Train and educate your staff on a regular basis
4. Implement a backup solution that is capable of saving you when items 1-3 fail. Your business may depend on it.