The proliferation of Ransomware continues apace, which is no surprise given the motivation is monetary. Wherever there’s something of value that can be exploited, it will be exploited.
Every organization has to take the threat of Ransomware seriously and address the risk head-on.
Where do you start? You start with the basics: understanding what’s at risk and key ways to protect it. What’s at risk is your organization’s Data and the means to gain access to it, your users’ Credentials.
It’s all about access to data. While many forms of data breach are designed to steal or exfiltrate the data itself, Ransomware encrypts data in-place to make it impossible for you to access it without the encryption key. The beneficiaries of a Ransomware scheme are far more interested in money than in the content of the actual data, and the key to decrypt it is held ransom until you make payment. But even if you do choose to pay, there is no guarantee that you will actually receive the ransomed key, and there is nothing to say that you will not be attacked again and again in this way.
|Apply POLP (Principle of Least Privilege)
Only grant access when absolutely necessary and at the least level of privilege possible in order to perform duties.
|Wantonly escalated privileges, open access, and over-provisioned shares increase your attack surface and add unnecessary risk to data.|
|Real-Time Monitor Sensitive Data
Identify your sensitive data and track activity in real-time. Alert if any suspicious access attempts are made – failed or successful.
|Sensitive data should have a limited and known scope of users and activities. If there are deviations in activity, including failed attempts at access, this is a warning sign that ransomware may be in play. Real-time monitoring is also a best practice and can highlight potential Insider Threats.|
|Block Access to Sensitive Data
Enforce POLP by overriding native permissions to data. Block administrators from changing the permissions to gain access.
Grant explicit access only to the exact people required to access the data.
|Permission models are often not ideal. They are also changeable by an administrator.
Blocking an administrator mitigates the abuse of administrative credentials to change permission models (a type of Insider Threat).
|Monitor Known Ransomware Patterns
Look for known file extensions, file names, and any other words associated with ransomware activity; alert in real-time as soon as any of these things are detected.
|E.g., the “Cryptolocker” variants of ransomware use known file extensions and words (such as the instructions on how to decrypt the data).
Being alerted to such activity at its first attempt will allow you to minimize further attacks.
|Monitor High-Volume File Access
Look for high-volume file access within specific time windows (excluding known-valid activities).
|Ransomware does not attack one file and stop, but rather, tries to encrypt as much data as possible in many files. There exist more subtle variants that apply a slow approach, but most ransomware reveals itself in its high-volume file access. Being alerted to this at the earliest opportunity is the only way to minimize impact.|
|Automatically Block File Actions
Once a suspicious bulk file access has occurred, block the perpetrator’s credential from making further changes.
|Stop more data from being compromised once an attack has begun. While the initial data in the bulk file access may still become compromised, blocking the leveraged credential can significantly limit the scope of the attack.|
User credentials are the proverbial keys to the kingdom, the single most important mechanism of your IT infrastructure.
In most organizations, a full 80% of existing data is unstructured, and access to it is granted or denied through the use of credentials. For example, a logon profile (comprised of a username and password) assigned various levels of access to various stores of data is such a credential. As the vast majority of organizations use Active Directory as the main repository and directory for credentials, here are a few critical areas to consider:
|Segregation of Duty
Ensure accounts with escalated privileges, such as administrators, are not used to log on to machines unless absolutely required.
|Malware hijacks currently logged-in credentials and uses them to propagate to other machines. If the compromised account is privileged, it will be more likely to successfully logon to other machines to infect them.|
Whenever possible, disallow caching of credentials. (Understandably, this may not be feasible in many circumstances.)
|Malware can use a cached credential to propagate quickly and efficiently. If an infected machine with many different users (such as a hot desk, kiosk, terminal, etc.) caches credentials, many accounts may be compromised all at once.|
Only allow credentials to log on where they are actually needed. For example, restrict administrator logon sessions solely to jump/admin servers. For standard users, block authentication to application and data servers.
|Restricting where a credential can authenticate minimizes the possibility of Malware successfully propagating.|
|Monitor Authentication for known Malware patterns
Malware follows certain patterns which can be detected by analyzing authentication data. One such pattern is lateral movement (attempting to logon to many different machines). Many failed attempts to logon with a specific credential is another. These patterns and others are telltale signs of a compromised credential.
|Unless authentications are monitored in real-time, Malware can and often does go undetected, allowing it to propagate and potentially deploy a ransomware payload. Simply examining Windows log-on and log-off events cannot tell the full story. Such information is necessarily not in real-time and it cannot be cross-referenced efficiently in larger organizations. It would also be unwise to ignore the authentications generated by non-Windows platforms (e.g., Unix/Linux, MacOS, iOS, Android).|
|Monitor and Block changes to privileged credentials and groups in Active Directory
|Accounts with necessarily high levels of access can, by definition, access and make changes to data. If compromised, such accounts pose a very dangerous threat. Also, administrators have been known to sometimes circumvent official policies and procedures to make their jobs easier, which might include granting a credential excessive access. Haphazardly dropping a credential into an admin group to make headaches go away is increasing your attack surface and putting the data to which it now has access at greater risk.|
If you have to choose one place to start your pro-active fight against Ransomware and data breach, make it the credentials. The credentials allow the Malware to propagate. The credentials allow the Ransomware to encrypt your files. But effective prevention of credential abuse is to render Ransomware utterly ineffective.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Mark Wilson is a Director of Product Management at STEALTHbits Technologies.
He is lead Pre-Sales consultant in the EMEA region and a key member of the global Product Marketing team.
Mark has 18 years’ experience working in virtually all technical support and consulting roles across both public and private sectors in the UK, EMEA and Globally.
Areas of specialism include compliance, data governance, IAM, migrations and consolidations.