With the close of 2016 approaching, I looked back and realized that ransomware could have been the subject of my ProTip every month this year. Not only has it grabbed headlines throughout the last twelve months, but 2017's threat surface will almost certainly be subject to even more attacks. And while I've already provided tips on ransomware twice, this time I'd like to talk about the methodology behind a competent defense as we close out 2016.
Credential Abuse: this is the drum we beat here at STEALTHbits, and with good reason. Once perimeter security has failed and a malicious actor targets data within an organization, credential abuse is nearly always the very next step in the attack. Or perhaps credential abuse is where the attack began: there was a malicious actor on the inside all along. Either way, detecting and protecting against it requires a multi-tiered approach to the misused credential.
Securing your data should be the first step both in preventing an attack and in limiting the scope of one, even an attack leveraging the most privileged credentials. StealthAUDIT's Data Access Governance solution provides the tools necessary to secure your data, with reports providing visibility and workflows to clean up any existing gaps.
The visibility into effective data access that StealthAUDIT provides makes it straightforward to clean up inappropriate access via built-in, automated workflows. Business owners of data can be ascertained through StealthAUDIT's Attestation & Review functionality. I've already covered cleaning up the data itself in my July ProTip titled “Entitlement Reviews for Sensitive Data”. These tools clear the path towards reducing your threat surface and attaining the goal of a least-privilege access model.
But StealthAUDIT can reveal and do so much more! Anyone trying to prevent and mitigate the dangers of ransomware will find these features indispensable:
- Stale User & Group Cleanup
- Privileged User Reporting
- Stale Data Remediation
- Toxic Condition Alerts
- Anomalous Activity Insights
- Identification of Overprovisioning
- Actually, the list goes on and on…
However, even with prevention and mitigation measures simplified by StealthAUDIT, we still need to talk about the detection and response capabilities provided by StealthINTERCEPT. Identifying anomalous credential usage before an attack has done its damage is the purpose of most of StealthINTERCEPT's analytics policies.
StealthINTERCEPT continuously examines Active Directory authentication traffic from several different angles. Highlighted in yellow, above, are two analytics, both tracking failed authentication attempts, one by account and one by target resource. Many failed attempts against a given account within a short time window can indicate that someone is trying to obtain a credential by brute force; the resource-centric view catches the same behavior when it is spread thinly across many accounts against one host. The other analytics are also designed to detect anomalous credential activity. Horizontal Movement Attacks looks for one account traversing multiple hosts in quick succession (a staple of penetration testing) and can warn that someone is probing what privileges a stolen credential carries (i.e., what's available to the credential they have). The Golden Tickets analytic identifies Kerberos tickets whose TTL (Time To Live) has been extended beyond what domain policy would issue (a TGT lifetime of 10 hours by default); a legitimate ticket never exceeds the policy cap, so such a ticket is immediately actionable even before the attacker has used it for anything else.
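To make the three analytics concrete, here is an added example (my own illustration, not StealthINTERCEPT code) that runs the same three checks over a constructed authentication log: failed logons keyed by account and by resource, one account reaching many hosts in a short window, and TGTs whose lifetime exceeds policy. The log format, the thresholds and the window sizes are assumptions chosen for the demonstration; the 10-hour TGT lifetime is the Active Directory default Kerberos policy.

```python
"""AD authentication analytics over a constructed sample log (added example, not product code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for this example, not vendor defaults.
BRUTE_FORCE_FAILURES = 5                   # failed logons against one account or resource ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)  # ... inside this sliding window
LATERAL_HOSTS = 3                          # distinct hosts one account reaches ...
LATERAL_WINDOW = timedelta(minutes=10)     # ... inside this sliding window
MAX_TGT_LIFETIME = timedelta(hours=10)     # default domain Kerberos policy (MaxTicketAge)

# Constructed sample log, one event per line: ts|kind|user|host|detail
# kind "logon": detail is success/failure; kind "tgt": detail is the ticket end time.
SAMPLE_LOG = """\
2016-12-14T08:00:00|logon|svc_backup|FS01|failure
2016-12-14T08:00:15|logon|svc_backup|FS01|failure
2016-12-14T08:00:30|logon|svc_backup|FS01|failure
2016-12-14T08:00:45|logon|svc_backup|FS01|failure
2016-12-14T08:01:00|logon|svc_backup|FS01|failure
2016-12-14T08:03:00|logon|alice|WS17|failure
2016-12-14T08:03:20|logon|alice|WS17|success
2016-12-14T08:10:00|logon|u1|RDP01|failure
2016-12-14T08:10:05|logon|u2|RDP01|failure
2016-12-14T08:10:10|logon|u3|RDP01|failure
2016-12-14T08:10:15|logon|u4|RDP01|failure
2016-12-14T08:10:20|logon|u5|RDP01|failure
2016-12-14T09:00:00|logon|bob|WS01|success
2016-12-14T09:02:00|logon|bob|FS01|success
2016-12-14T09:04:00|logon|bob|SQL01|success
2016-12-14T10:00:00|tgt|alice|DC01|2016-12-14T20:00:00
2016-12-14T10:30:00|tgt|bob|DC01|2026-12-12T10:30:00
"""


def parse_log(text):
    """Parse the constructed format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        ts, kind, user, host, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "host": host, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, key="user", threshold=BRUTE_FORCE_FAILURES,
                       window=BRUTE_FORCE_WINDOW):
    """Alert once per account (key="user") or per resource (key="host") when the
    failed logons still inside the sliding window reach the threshold. Keying by
    resource catches the same behaviour spread thinly across many accounts."""
    recent, alerts = defaultdict(deque), []
    for e in events:
        if e["kind"] != "logon" or e["detail"] != "failure":
            continue
        q = recent[e[key]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and e[key] not in alerts:
            alerts.append(e[key])
    return alerts


def detect_lateral_movement(events, threshold=LATERAL_HOSTS, window=LATERAL_WINDOW):
    """Alert when one account successfully reaches `threshold` distinct hosts
    within the window: an attacker mapping out where a stolen credential works."""
    recent, alerts = defaultdict(deque), []
    for e in events:
        if e["kind"] != "logon" or e["detail"] != "success":
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["host"]))
        while e["ts"] - q[0][0] > window:
            q.popleft()
        if len({h for _, h in q}) >= threshold and e["user"] not in alerts:
            alerts.append(e["user"])
    return alerts


def detect_long_lived_tgts(events, max_lifetime=MAX_TGT_LIFETIME):
    """Flag TGTs whose lifetime exceeds what domain policy would ever issue.
    A legitimate TGT is capped at the policy value; a forged (golden) ticket is
    commonly minted with a lifetime of years."""
    flagged = []
    for e in events:
        if e["kind"] != "tgt":
            continue
        lifetime = datetime.fromisoformat(e["detail"]) - e["ts"]
        if lifetime > max_lifetime:
            flagged.append((e["user"], lifetime))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("brute force by account :", detect_brute_force(events, key="user"))
    print("brute force by resource:", detect_brute_force(events, key="host"))
    print("lateral movement       :", detect_lateral_movement(events))
    print("over-long TGT lifetimes:", detect_long_lived_tgts(events))
```

Note how the two keyings of the failed-logon check complement each other: svc_backup trips the account view, while the five different accounts failing against RDP01 trip only the resource view. Alice's single failure followed by a success stays below threshold in both, and her 10-hour TGT passes because it equals, rather than exceeds, the policy maximum.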
As for the final analytic in the menu, File System Attacks, I would point you to my other two ransomware-related ProTips from this year:
- Last month's “Take Action Against Ransomware” explained how spikes in file system activity are a clear indicator of either ransomware or data theft. It also showed how to use new features within StealthINTERCEPT to automatically deny access to the targeted files for the very account that the File System Attack analytic identifies.
- Way back in March, “Ransomware Detection with StealthINTERCEPT” covered specific indicators of known ransomware families. The trail of renamed file extensions and ransom-note instructions left behind by known ransomware is another immediately actionable event: I'd want to disable any associated accounts!
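As an added example tying both of those posts together (illustration code of my own, not StealthINTERCEPT's), the following runs a spike analytic and a known-indicator analytic over a constructed file-server audit trail and maps the hits to the two responses described above: denying file access for a spike, and disabling the account when a known indicator is seen. The event format, thresholds and indicator lists are assumptions for the demonstration; the extensions and note names are drawn from 2016-era families but the lists are illustrative, not a complete feed.

```python
"""File-system ransomware analytics over a constructed audit trail (added example, not product code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Thresholds are assumptions chosen for this example, not vendor defaults.
SPIKE_FLOOR = 20    # minimum file operations by one account in one minute to count as a spike ...
SPIKE_FACTOR = 10   # ... and at least this many times that account's prior per-minute average
# Illustrative indicators only; a production list comes from current threat intelligence.
KNOWN_EXTENSIONS = {".locky", ".zepto", ".odin", ".cerber", ".cerber3", ".crypt"}
RANSOM_NOTE_NAMES = {"_help_instructions.html", "# decrypt my files #.txt", "decrypt_instruction.txt"}


def constructed_sample():
    """Constructed audit trail: (timestamp, account, operation, UNC path)."""
    base = datetime(2016, 12, 14, 14, 0, 0)
    events = []
    # alice edits spreadsheets at a steady 3 writes per minute: normal behaviour
    events += [(base + timedelta(seconds=20 * i), "alice", "write",
                rf"\\FS01\finance\q4_{i}.xlsx") for i in range(6)]
    # bob's own baseline: 2 writes per minute for the five minutes before the outbreak
    events += [(base - timedelta(minutes=5 - m) + timedelta(seconds=20 * k), "bob", "write",
                rf"\\FS01\finance\memo_{m}_{k}.docx") for m in range(5) for k in range(2)]
    # then bob's account renames 60 documents to .locky inside 30 seconds and drops a ransom note
    events += [(base + timedelta(seconds=i / 2), "bob", "rename",
                rf"\\FS01\finance\report_{i}.docx.locky") for i in range(60)]
    events.append((base + timedelta(seconds=31), "bob", "create",
                   r"\\FS01\finance\_HELP_instructions.html"))
    return sorted(events)


def detect_activity_spikes(events, floor=SPIKE_FLOOR, factor=SPIKE_FACTOR):
    """Bucket each account's file operations per minute and alert on the first
    bucket that is both above the absolute floor and `factor` times the account's
    average over its earlier buckets (so a busy but steady account stays quiet)."""
    per_minute = defaultdict(lambda: defaultdict(int))   # user -> minute -> count
    for ts, user, _op, _path in events:
        per_minute[user][ts.replace(second=0, microsecond=0)] += 1
    alerts = []
    for user, buckets in per_minute.items():
        history = []
        for minute in sorted(buckets):
            count = buckets[minute]
            baseline = sum(history) / len(history) if history else 0
            if count >= floor and count >= factor * baseline:
                alerts.append((user, minute, count))
                break
            history.append(count)
    return alerts


def detect_known_indicators(events, extensions=KNOWN_EXTENSIONS, notes=RANSOM_NOTE_NAMES):
    """Match every touched file name against known ransomware extensions and
    ransom-note names; one hit is enough, since legitimate software never produces them."""
    hits = []
    for _ts, user, _op, path in events:
        p = PureWindowsPath(path)
        name = p.name.lower()
        if name in notes or p.suffix.lower() in extensions:
            hits.append((user, name))
    return hits


def recommend_response(events):
    """Map analytic results to the responses the two posts describe: a spike earns
    an access denial on the targeted files; a known indicator also disables the account."""
    actions = defaultdict(set)
    for user, _minute, _count in detect_activity_spikes(events):
        actions[user].add("deny_file_access")
    for user, _name in detect_known_indicators(events):
        actions[user].update({"deny_file_access", "disable_account"})
    return dict(actions)


if __name__ == "__main__":
    events = constructed_sample()
    print("spikes    :", detect_activity_spikes(events))
    print("indicators:", len(detect_known_indicators(events)), "hits")
    print("responses :", recommend_response(events))
```

The baseline comparison matters: bob's account is not the busiest in absolute terms over the whole day, but its 14:00 minute is thirty times its own recent average, which is exactly the shape of an encryption pass. The indicator check is deliberately stateless so it fires on the very first renamed file rather than waiting for the window to fill.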
StealthINTERCEPT also provides a wealth of additional credential abuse insights that advance your security posture well beyond the limited scope of defending against ransomware. Some of these are:
- Sensitive Group Membership Changes
- GPO Modifications
- Detection & Prevention of Unwanted or Disallowed Authentications
- Non-Owner Mailbox Logons/Lockdowns
- AD & Exchange Configuration Changes
- Administrator Activity Monitoring
As cybercriminals will leverage every advantage and trick at their disposal, a formidable defense requires a holistic approach. Tools such as StealthAUDIT and StealthINTERCEPT, especially in tandem, can truly give us an advantage over ransomware in its many forms. As I look forward to 2017, I can only wonder what new attack strategies will be developed. Whatever they may be, I'm confident that the basic elements of credentials and data access will continue to be the focal points for attackers and defenders alike.
Jeff is a Senior Engineer at STEALTHbits.