Part 2 – Active Directory
This is the second part of a three-part series on Maersk, me, & notPetya, a blog post by Gavin Ashton about his experiences responding to and recovering from the NotPetya ransomware outbreak at Maersk.
Not everyone realizes that in the last several years ransomware has made significant advances in its ability to not just infect a single computer, but to also pivot from that computer and infect other workstations and servers. Following a common pattern in technology, the makers of ransomware have adopted techniques previously the domain of more advanced actors – in effect, commoditizing these techniques.
Like advanced persistent threat (APT) actors, the authors of modern ransomware abuse Active Directory to propagate ransomware throughout an enterprise network following the compromise of a single computer. These strains of ransomware programmatically discover and exploit credentials, using techniques like pass-the-hash to worm their way through an enterprise network. In a matter of minutes, a single compromised workstation can result in every domain-joined workstation, server, and domain controller falling prey to a ransomware attack. What happens to an organization when its backups are also joined to the Active Directory domain?
Gartner estimates that information security spending is increasing at an annualized rate of 8.2%. Despite this and the attention paid to APTs, these techniques remain effective against many organizations today – so, are we prioritizing the wrong things? In a single word: yes. As Gavin’s eight “basics” show, it doesn’t take a multi-million-dollar investment to improve Active Directory security. It does require something harder: shifting away from the instant-gratification culture in information technology, and unwinding decades of practices that treat all assets the same.
The tactics used by APTs and modern ransomware are all rooted in the same thing: the abuse of the trust in Active Directory, and a lack of protection for the directory itself. It doesn’t matter how strong your endpoint controls are; if domain administrators are logging on to workstations (or servers), then the entire organization is at risk. In the next post in the series, we’ll discuss how privileged access management is essential to solving these problems, and how new approaches in PAM greatly improve upon the solutions of the last fifteen years.
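The exposure described above (a domain administrator logging on to an ordinary workstation or server, leaving reusable credential material behind for a pass-the-hash style pivot) is something a defender can audit from logon telemetry. The following is an added example, not code from the original post or from Stealthbits; it runs over constructed Windows Security event 4624 records, and the Tier-0 account list and domain controller list are hard-coded assumptions that would normally be pulled from Active Directory.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed inputs (would be exported from AD in practice): Tier-0 accounts
# such as Domain Admins, and the only hosts where their logon is expected.
TIER0_ACCOUNTS = {"CORP\\da-admin", "CORP\\backup-svc"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
# 4624 LogonType values that cache credentials on the target host, where
# they can be harvested and replayed: 2 interactive, 4 batch, 5 service,
# 10 RemoteInteractive (RDP). Type 3 (network) does not leave them behind.
CACHING_LOGON_TYPES = {2, 4, 5, 10}

@dataclass(frozen=True)
class LogonEvent:
    host: str        # Computer field of the 4624 event
    account: str     # TargetDomainName\\TargetUserName
    logon_type: int  # LogonType field

def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'key=value' event line into a LogonEvent."""
    fields = dict(part.split("=", 1) for part in line.split())
    account = f'{fields["TargetDomainName"]}\\{fields["TargetUserName"]}'
    return LogonEvent(fields["Computer"], account, int(fields["LogonType"]))

def tier0_exposure(events):
    """Map each non-DC host to the Tier-0 accounts that logged on there
    with a credential-caching logon type."""
    exposed = defaultdict(set)
    for e in events:
        if (e.account in TIER0_ACCOUNTS
                and e.host.upper() not in DOMAIN_CONTROLLERS
                and e.logon_type in CACHING_LOGON_TYPES):
            exposed[e.host.upper()].add(e.account)
    return dict(exposed)

# Constructed sample events for this example (not real telemetry).
SAMPLE_LOG = """\
EventID=4624 Computer=WS-042 TargetDomainName=CORP TargetUserName=da-admin LogonType=2
EventID=4624 Computer=DC01 TargetDomainName=CORP TargetUserName=da-admin LogonType=2
EventID=4624 Computer=FS01 TargetDomainName=CORP TargetUserName=da-admin LogonType=3
EventID=4624 Computer=BACKUP01 TargetDomainName=CORP TargetUserName=backup-svc LogonType=5
EventID=4624 Computer=WS-042 TargetDomainName=CORP TargetUserName=jdoe LogonType=10
"""

def run_sample():
    return tier0_exposure(parse_event(l) for l in SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for host, accounts in sorted(run_sample().items()):
        print(f"{host}: Tier-0 credentials exposed -> {sorted(accounts)}")
```

Note that the backup server appears in the output: a service logon by a domain-level account on a domain-joined backup host is exactly the case the post's question about backups points at.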
As I mentioned in the first post of this series, we’ll be running a webinar with Identity & Security Expert and author of the viral “Maersk, me, & notPetya” blog post, Gavin Ashton, for a 60-minute crash course on why “Do[ing] the basics” is any organization’s best option for mitigating the risks associated with credential compromise and advanced threats. I will also provide attendees a useful and valuable real-world practitioner’s guide to leverage when implementing Gavin’s advice, providing specifics on the approaches and tactics organizations can leverage to quickly secure what matters most. Register here!
Gerrit Lansing is Stealthbits’ Field CTO. In his role, Gerrit leads strategic initiatives to improve customer engagement and Stealthbits’ products and positioning. He brings with him over a decade of experience in information security, with a focus on identity and privileged access management. Prior to joining Stealthbits, he started his career as an Information Security Analyst at Liberty Mutual before joining CyberArk Software where he held multiple roles including Director of Consulting Services and Chief Architect.
Gerrit holds a Bachelor of Arts in Administrative Science from Colby College in Waterville, ME.