CrowdStrike has written about a number of very effective security controls and practices that you can put in place in your organization to drastically reduce your risk of a ransomware outbreak. Another good source of recommended controls is the Center for Internet Security's CIS Critical Security Controls version 8. These recommendations can dramatically reduce the risk to your operating environment.
The following recommendations are supported by what the CrowdStrike Falcon Complete™ team has found to successfully prevent and combat ransomware.
Tip #1. Practice Good IT Hygiene
Minimizing the attack surface is critical for every organization — it’s crucial that you gain visibility into every endpoint and workload running in your environment and then keep any vulnerable attack surfaces updated and protected.
IT hygiene’s primary benefit is to give you complete network transparency. This perspective provides a bird’s eye view, as well as the power to drill down and proactively clean out your environment. Once you achieve this level of transparency, the understanding of “who, what and where” that IT hygiene provides has tremendous benefits for your organization. You’re able to:
- Identify gaps in your security architecture. The clarity that IT hygiene provides allows you to see which hosts are running in your environment and whether they are protected. Complete visibility lets you deploy your security architecture effectively and ensure no rogue systems are operating behind your walls. The larger and more distributed your environment becomes, for example as workforces go increasingly remote, the harder it is to maintain visibility across all of your endpoints and identities (both human and service accounts). Identifying the unmanaged assets in your environment allows you to find their vulnerabilities and protect your valuable assets before attackers reach them.
- See what is running in your environment. By proactively identifying outdated and unpatched applications and operating systems, you can manage your application inventory and solve security and cost problems at the same time. Unpatched operating systems and applications have serious security and cost implications: identify which applications are running on your network and pinpoint the unpatched ones to get ahead of attackers.
- See who is running in your environment. Account monitoring shows you who is working in your environment and whether they are exceeding the permissions granted to their credentials (including detection of tools or behavior that try to subvert those policies). System administrators remain highly targeted, and combined with poor password renewal policies, credential theft is a harsh reality. With insight into password changes, you can prevent credential creep by removing old administrative accounts and making sure users update their passwords regularly. Taking this a step further, visibility into unusual admin behavior or privilege elevation can prevent silent failure by alerting your security team as soon as something suspicious occurs.
- Ensure user compliance. Making sure your users abide by your most up-to-date password policies keeps administrators and users compliant with your security requirements. Consistent, ongoing user education helps ensure that password best practices are followed, and ridding your network of old accounts (including service accounts) mitigates the risk of "credential creep" by former employees.
- Add defense-in-depth. Implement real-time detection policies that monitor for anomalous credential use, including detection of lateral movement even on workstations that may not have a Falcon agent installed. In addition, enable risk-based conditional access to trigger MFA for human and service accounts without adding burden to users, which improves compliance.
Once you have full visibility and understanding of your environment, your organization can identify hygiene-related security deficiencies and resolve them immediately. From there, security teams can quickly pivot to address the critical elements of comprehensive endpoint protection: prevention, detection, hunting and threat intelligence. These capabilities are key to a complete solution that can protect your organization from the most motivated, sophisticated attackers. With a “hygiene-first” approach, and the right security solution in place, you can protect your organization from ransomware attacks and stop breaches.
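The hygiene checks above (unmanaged hosts, silent sensors, stale computer accounts, stale privileged passwords) reduce to reconciling a few inventories. The script below is an added example, not CrowdStrike's code or a Falcon feature: it runs over constructed sample exports standing in for Active Directory, DHCP and an EDR console, and the field names are assumptions rather than any product's real schema.

```python
"""Hygiene reconciliation: unmanaged hosts, silent sensors, stale privileged accounts.

Added example (not the original post's code). All inventories below are constructed
sample data; the field names are assumptions, not a real product's export format.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "now" so results are deterministic

# Constructed: computer objects from AD (name, last logon)
AD_COMPUTERS = [
    {"name": "WS-FIN-01.corp.example", "last_logon": NOW - timedelta(days=1)},
    {"name": "ws-hr-07", "last_logon": NOW - timedelta(days=2)},
    {"name": "SRV-FILE-02.corp.example", "last_logon": NOW - timedelta(days=3)},
    {"name": "WS-OLD-99", "last_logon": NOW - timedelta(days=200)},
]
# Constructed: hosts seen by DHCP (catches devices that were never joined to AD)
DHCP_LEASES = ["ws-fin-01", "ws-hr-07", "srv-file-02", "printer-3f", "laptop-contractor"]
# Constructed: EDR sensor inventory (hostname, last check-in)
EDR_SENSORS = [
    {"host": "WS-FIN-01", "last_seen": NOW - timedelta(hours=1)},
    {"host": "SRV-FILE-02", "last_seen": NOW - timedelta(days=20)},
]
# Constructed: privileged accounts with their last password change
ADMIN_ACCOUNTS = [
    {"sam": "adm.jsmith", "pwd_last_set": NOW - timedelta(days=30), "enabled": True},
    {"sam": "adm.legacy", "pwd_last_set": NOW - timedelta(days=700), "enabled": True},
    {"sam": "svc.backup", "pwd_last_set": NOW - timedelta(days=400), "enabled": True},
]


def norm(name: str) -> str:
    """Short hostname, lower-case, so AD FQDNs and DHCP/EDR short names compare equal."""
    return name.split(".")[0].lower()


def unmanaged_hosts() -> list:
    """Hosts known to AD or DHCP that have no EDR sensor at all."""
    known = {norm(c["name"]) for c in AD_COMPUTERS} | {norm(h) for h in DHCP_LEASES}
    covered = {norm(s["host"]) for s in EDR_SENSORS}
    return sorted(known - covered)


def silent_sensors(max_silence_days: int = 7) -> list:
    """Sensors that stopped checking in: tampering, uninstall, or a host nobody decommissioned."""
    return sorted(norm(s["host"]) for s in EDR_SENSORS
                  if NOW - s["last_seen"] > timedelta(days=max_silence_days))


def stale_computers(max_age_days: int = 90) -> list:
    """AD computer accounts that have not logged on recently and should be disabled."""
    return sorted(norm(c["name"]) for c in AD_COMPUTERS
                  if NOW - c["last_logon"] > timedelta(days=max_age_days))


def stale_admin_passwords(max_age_days: int = 90) -> list:
    """Enabled privileged accounts whose password is older than the policy allows."""
    return sorted(a["sam"] for a in ADMIN_ACCOUNTS
                  if a["enabled"] and NOW - a["pwd_last_set"] > timedelta(days=max_age_days))


if __name__ == "__main__":
    print("no EDR sensor:        ", unmanaged_hosts())
    print("sensor silent > 7d:   ", silent_sensors())
    print("computer idle > 90d:  ", stale_computers())
    print("admin password > 90d: ", stale_admin_passwords())
```

The DHCP feed matters: reconciling AD against EDR alone would never surface the contractor laptop or the printer, which is exactly the kind of unmanaged asset an attacker lands on first. A file server whose sensor has been silent for 20 days deserves the same urgency as a host with no sensor at all.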
Tip #2. Improve Resiliency of Internet-facing Applications
CrowdStrike has observed eCrime threat actors exploiting single-factor authentication and unpatched internet-facing applications. BOSS SPIDER, one of the initial big game hunting (BGH) ransomware threat actors, routinely targeted systems with Remote Desktop Protocol (RDP) accessible from the internet. Less sophisticated threat actors operating ransomware variants such as Dharma, Phobos and GlobeImposter frequently gain access through RDP brute-force attacks.
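The RDP brute-force pattern described above is easy to detect from Windows Security events: a burst of failed logons (event 4625) from one source address, followed by a successful RemoteInteractive logon (event 4624, logon type 10) from the same address. The detector below is an added example, not code from the original post; the events it processes are constructed to look like a SIEM export, and the tuple layout and thresholds are assumptions.

```python
"""Detect RDP brute force followed by a successful logon from the same source.

Added example (not the original post's code). The events are constructed, shaped like a
SIEM export of Windows Security events: 4625 = failed logon, 4624 = successful logon,
logon type 10 = RemoteInteractive (RDP). Thresholds are assumptions; tune them locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_BASE = datetime(2024, 3, 1, 2, 0, 0)
_USERS = ["administrator", "admin", "backup", "sql", "scan"]

# (timestamp, event id, logon type, source ip, target user)
SAMPLE_EVENTS = []
for _i in range(12):  # constructed: 12 failures in two minutes from one internet address
    SAMPLE_EVENTS.append((_BASE + timedelta(seconds=10 * _i), 4625, 10, "203.0.113.7", _USERS[_i % 5]))
SAMPLE_EVENTS.append((_BASE + timedelta(seconds=130), 4624, 10, "203.0.113.7", "backup"))
SAMPLE_EVENTS += [  # constructed: a LAN user mistypes twice, then logs in
    (_BASE + timedelta(minutes=5), 4625, 10, "10.0.0.5", "jsmith"),
    (_BASE + timedelta(minutes=5, seconds=20), 4625, 10, "10.0.0.5", "jsmith"),
    (_BASE + timedelta(minutes=5, seconds=40), 4624, 10, "10.0.0.5", "jsmith"),
]


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures", "users", "success"}} for every source that produced
    at least `threshold` failed RDP logons inside any `window`, recording the first account
    that logged on successfully after the burst (None if the brute force did not succeed)."""
    by_src = defaultdict(list)
    for ts, eid, ltype, src, user in sorted(events):
        if ltype == 10:  # only RDP logons matter here
            by_src[src].append((ts, eid, user))

    alerts = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, eid, user in evs if eid == 4625]
        burst_end = None
        start = 0
        for end in range(len(fails)):  # sliding window over time-ordered failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end][0]
                break
        if burst_end is None:
            continue
        success = next((user for ts, eid, user in evs if eid == 4624 and ts >= burst_end), None)
        alerts[src] = {
            "failures": len(fails),
            "users": sorted({u for _, u in fails}),
            "success": success,
        }
    return alerts


if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = f"SUCCEEDED as {a['success']}" if a["success"] else "no success yet"
        print(f"{src}: {a['failures']} failures against {a['users']} -> {verdict}")
```

The LAN user never trips the rule because two failures are well under the threshold, while the internet source fires and, more importantly, is flagged as a successful compromise of the `backup` account. Detection is the backstop, not the control: RDP should not be reachable from the internet at all, and where remote access is unavoidable it should sit behind a gateway or VPN with multifactor authentication and account lockout.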
Tip #3. Implement and Enhance Email Security
Gaining an initial foothold in a victim organization through a phishing email is the most common tactic for BGH ransomware groups. Typically, these phishing emails contain a malicious URL that delivers a payload to the recipient's workstation.
Tip #4. Harden Endpoints
Throughout an attack lifecycle that ultimately culminates in a ransomware deployment, threat actors will often leverage a number of endpoint exploitation techniques. These exploitation techniques vary from exploiting poor AD configurations to leveraging publicly available exploits against unpatched systems or applications.
The list below includes some key system-hardening actions for defenders to implement. It is important to note this is not an exhaustive list, and system hardening should be an iterative process.
- Ensure full coverage across all endpoints on your network for endpoint security products, including the endpoint detection and response (EDR) platform. Each endpoint security platform should have strict anti-tampering protections, and alerting in place for when a sensor goes offline or is uninstalled.
- Develop a vulnerability and patch management program. Doing so will ensure that all endpoint applications and operating systems are kept up-to-date. Ransomware actors leverage endpoint vulnerabilities for many purposes, including but not limited to privilege escalation and lateral movement. Existing Falcon customers can leverage CrowdStrike Falcon Spotlight™ vulnerability management for a near real-time way to understand exposure to a particular vulnerability across the environment, without the need to deploy additional agents and security tools.
- Follow Active Directory security best practices. Based on some of the most common AD downfalls observed by CrowdStrike Services during ransomware engagements, we recommend these steps:
- Avoid easy-to-guess passwords and weak, single-factor authentication methods.
- Avoid giving regular domain users local administrator privileges, and avoid local administrator accounts that share the same password across the entire enterprise or large portions of it.
- Limit workstation-to-workstation communication. This can be achieved with host firewall rules delivered through group policy objects (GPOs), or through any of a number of micro-segmentation products.
- Avoid sharing privileged credentials. Poor practices include shared administrative accounts and using administrator accounts for personal or day-to-day business activity that does not require administrator privileges.
- Note that the first two points above can be accomplished with AD alone at little to no additional cost. At an additional cost, a privileged access management (PAM) solution provides a much more scalable and robust answer to the same problem; see the identity and access management tip later in this post.
Tip #5. Ransomware-proof Data with Offline Backups
In recent years, since ransomware emerged as a top method of monetizing attacks, the developers behind the malicious code have become very effective at ensuring that victims and security researchers cannot decrypt affected data without paying the ransom for the decryption key. Further, when designing a ransomware-proof backup infrastructure, the most important thing to remember is that threat actors target online backups before deploying ransomware to the environment.
For these reasons, the only sure way of salvaging data during a ransomware attack is through ransomware-proof backups. For example, maintaining offline backups of your data allows for a quicker recovery in emergencies. The following points should be considered when developing a ransomware-proof offline backup infrastructure:
- Offline backups, as well as the indexes (describing which volumes contain which data) should be completely separate from the rest of the infrastructure.
- Access to such networks should be controlled via strict access control lists (ACLs), and all authentications should be performed using multifactor authentication (MFA).
- Administrators with access to both offline and online infrastructures should avoid reusing account passwords and use a jump box when accessing the offline backup infrastructure.
- Cloud storage services, with strict ACLs and write-once (immutability) rules so that backups cannot be deleted or overwritten with stolen credentials, can also serve as offline backup infrastructure.
- Emergency situations such as a ransomware attack should be the only time the offline infrastructure is allowed a connection to the live network.
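Keeping the index separate from the data (the first point above) also gives you a way to prove a backup copy is still intact before you restore from it. The script below is an added example, not the original post's code: it assumes the backup copy is a directory tree and that a SHA-256 manifest of it was written at backup time and stored in the offline index, so an intruder who encrypts or deletes the copy cannot quietly fix up the manifest to match.

```python
"""Verify an offline backup copy against a manifest held in the separate index store.

Added example (not the original post's code). Assumes the backup set is a directory
tree and the manifest (relative path -> SHA-256) was written at backup time and kept
apart from the data. The demo scenario below is constructed, not a real incident.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-gigabyte backup images don't need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the copy on disk with the trusted manifest.

    modified:   content changed (e.g. encrypted in place)
    missing:    deleted, or renamed with a ransomware extension
    unexpected: files the backup never contained (ransom notes, renamed files)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate ransomware reaching the copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "ledger.sql").write_bytes(b"CREATE TABLE ledger (id INT);")
        (root / "docs.txt").write_bytes(b"quarterly report")
        manifest = build_manifest(root)  # would live in the offline index, not beside the data

        # Simulated attack: one file encrypted in place, one deleted, a ransom note dropped.
        (root / "db" / "ledger.sql").write_bytes(os.urandom(64))
        (root / "docs.txt").unlink()
        (root / "README_RESTORE.txt").write_bytes(b"pay to decrypt")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

A clean result is the precondition for trusting the copy; anything in `modified` or `missing` means this media is not the recovery point you want. The check is only as good as the manifest's isolation: if the manifest sits next to the data on the same share, the same intruder rewrites both.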
Tip #6. Restrict Access to Virtualization Management Infrastructure
As mentioned earlier, threat actors engaged in big game hunting ransomware campaigns continuously innovate to increase the effectiveness of their attacks. One such development is the ability to attack virtualized infrastructure directly, targeting the hypervisors that run the virtual machines and store their disk files (VMDKs). Because the encryption happens on the hypervisor, endpoint security products installed inside the virtual machines are blind to it.
To explain how this attack unfolds, we will use VMware's naming conventions, as it is the most common virtualization product found in today's enterprise environments.
ESXi (VMware's hypervisor) ships with the Secure Shell (SSH) service disabled by default, and hosts are usually managed through vCenter. If SSH is disabled, the threat actor uses previously stolen administrative credentials to enable it on every ESXi host, then uses a valid account to SSH into each targeted host. Before deploying the Linux-based ransomware, the actor powers off the virtual machines running on the host so that their VMDK files are no longer locked and the ransomware binary can open them for encryption. Systems hit through this deployment method are completely offline and inaccessible to users.
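The sequence described above leaves traces on the hypervisor itself, because ESXi records every command executed in its shell in /var/log/shell.log. The detector below is an added example, not the original post's code or a VMware feature: the log lines are constructed in that file's format ("timestamp shell[pid]: [user]: command"), and the three rules (mass VM power-off in one session, disabling the execInstalledOnly setting that blocks unsigned binaries, and executing a file dropped in /tmp or on a datastore) are assumptions about what a practitioner would want flagged.

```python
"""Flag hypervisor-level ransomware staging in ESXi shell.log.

Added example (not the original post's code). ESXi logs every shell command to
/var/log/shell.log; SHELL_LOG below is constructed in that format, not captured from
a real host. Rule thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta

SHELL_LOG = """\
2024-03-01T02:10:02Z shell[2099637]: [root]: vim-cmd vmsvc/getallvms
2024-03-01T02:10:09Z shell[2099637]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2024-03-01T02:10:15Z shell[2099637]: [root]: vim-cmd vmsvc/power.off 1
2024-03-01T02:10:16Z shell[2099637]: [root]: vim-cmd vmsvc/power.off 2
2024-03-01T02:10:16Z shell[2099637]: [root]: esxcli vm process kill --type=force --world-id=2100412
2024-03-01T02:10:20Z shell[2099637]: [root]: chmod +x /tmp/encrypt
2024-03-01T02:10:21Z shell[2099637]: [root]: /tmp/encrypt /vmfs/volumes/datastore1
2024-03-02T09:00:00Z shell[2101000]: [root]: vim-cmd vmsvc/power.off 7
"""

LINE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
POWEROFF = re.compile(r"vim-cmd vmsvc/power\.off|esxcli vm process kill")
EXEC_ONLY_OFF = re.compile(r"execInstalledOnly\s+-i\s+0")
DROPPED_BIN = re.compile(r"^(/tmp/|/vmfs/volumes/)\S+")  # command itself lives in tmp/datastore

RULE_EXEC_ONLY = "execInstalledOnly disabled"
RULE_MASS_OFF = "mass VM power-off"
RULE_DROPPED = "binary executed from /tmp or datastore"


def parse(log: str):
    """Yield (timestamp, shell pid, user, command) for each well-formed shell.log line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, int(m["pid"]), m["user"], m["cmd"]


def detect(log: str, min_poweroffs: int = 3, window: timedelta = timedelta(minutes=10)) -> list:
    """Return (rule, timestamp, shell pid, detail) tuples in log order."""
    alerts = []
    poweroffs = []  # (ts, pid) of every power-off/kill seen so far
    for ts, pid, user, cmd in parse(log):
        if EXEC_ONLY_OFF.search(cmd):
            alerts.append((RULE_EXEC_ONLY, ts, pid, cmd))
        if DROPPED_BIN.match(cmd):
            alerts.append((RULE_DROPPED, ts, pid, cmd))
        if POWEROFF.search(cmd):
            poweroffs.append((ts, pid))
            # same shell session (pid) killing several VMs inside the window
            recent = [t for t, p in poweroffs if p == pid and ts - t <= window]
            if len(recent) == min_poweroffs:  # fire once, when the threshold is crossed
                alerts.append((RULE_MASS_OFF, ts, pid, f"{len(recent)} VMs stopped within {window}"))
    return alerts


if __name__ == "__main__":
    for rule, ts, pid, detail in detect(SHELL_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} pid={pid} {rule}: {detail}")
```

The lone power-off on the following day from a different session is normal administration and stays quiet; the first session trips all three rules within 20 seconds, which is the window a defender has before the VMDKs are gone. The log only helps if it leaves the host (forward it to your SIEM), and the better outcome is never seeing these lines: keep SSH disabled, enable lockdown mode so hosts are managed only through vCenter, and leave execInstalledOnly enabled.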
Tip #7. Implement an Identity and Access Management (IAM) Program
Organizations can improve their security posture by implementing a robust IAM program that maintains an activity trail for all privileged and service accounts, with immediate identification for anomalous traffic or abnormal resource requests.
To help organizations implement an IAM program, CrowdStrike offers two Identity Protection modules: Falcon Zero Trust and Falcon Identity Threat Detection. Deploying these modules into an existing Falcon instance adds real-time layers of prevention against identity-based attacks and anomalies targeting an organization. The platform's adaptive capabilities let enterprises automate responses with the right type of enforcement or notification based on identity, behavior and risk. For example, a service account attempting to connect via RDP, or an RDP connection to an unusual destination, could be challenged with multifactor authentication or blocked by Falcon Zero Trust in real time.
Tip #8. Develop and Pressure-test an Incident Response Plan
Organizations sometimes become aware of threat actor activity within their environment, but they lack the visibility to address the problem or the right intelligence to understand the nature of the threat. Recognizing the threat and responding quickly and effectively can be the difference between a major incident and a near miss.
Incident response plans and playbooks help facilitate that speedy decision making. Plans should cover all parts of the response effort, across the organization. For the security team, they should provide aids to decision-making so that front-line responders don’t overlook important details while triaging alerts. They should also outline the extent of the security team’s authority to take decisive actions — such as shutting down business-essential services — if a ransomware attack appears imminent.
For the crisis management team, plans should identify who will be involved and what their roles and responsibilities are. It should also tee up important decisions, like when to activate an incident response retainer, whether to notify insurance carriers, when and how to involve in-house or outside counsel, and how to discuss ransom demands with executives.
Consider conducting regular tabletop exercises to test the incident response plan and processes. Some organizations may benefit from simulated exercises such as “purple team” engagements, where red teamers mimic ransomware operators’ actions on objectives, including data exfiltration and ultimately ransomware deployment. CrowdStrike also recommends regular exercising of your incident response plan, both planned and unplanned, such as utilizing a red team to conduct a mock attack operation.
Tip #9. Know When to Ask for Help
If you believe your organization may be affected by ransomware, calling in experts to help investigate, understand and improve the situation can make the difference between a minor incident and a major breach. Getting educated about the latest threats and seeking help by activating an incident response team or retainer, such as those offered by CrowdStrike Services, may allow for detection and remediation before the threat actor is able to deploy ransomware or exfiltrate data from the environment.
It’s better yet to seek out expert assistance before you truly need it. A technical assessment can help you to proactively identify and understand factors about your organization’s network that could make future ransomware incidents more or less likely. It may take different forms, depending on your current needs and security maturity. For instance, if you experience an intrusion that was confined to a specific network segment or specific business unit, an enterprise-wide compromise assessment can give confidence that the attacker did not move into parts of the environment that were beyond the scope of the initial investigation. Alternatively, an IT hygiene assessment can identify weak passwords, Active Directory configurations or missed patches that could open the door to the next attacker.