Ransomware attacks do not always follow the same steps, but addressing these three trends will allow you to secure Active Directory and disrupt attacks.
Attacks are plaguing organizations around the world every day. New ransomware variants, new exploits, more tactics … it seems the attackers come up with something new every week. But, there is a silver lining. Every new attack and breach offers an opportunity to analyze the process the attacker took. From this analysis, we see three distinct trends emerging. By analyzing these trends and securing the tools an attacker is most likely to rely on to be successful, security professionals can reduce risk.
Trend 1: vulnerabilities and misconfigurations
Ransomware attackers are initially compromising enterprises by one of two attack methods:
- Attackers are exploiting vulnerabilities within the hardware, operating systems, software, applications, etc. of the devices they target. We all know that patching is essential, but it can be like remembering to take our vitamins: we often forget or can’t be bothered because we don’t see the benefits until it is too late. So, we’ll say it again: patch your systems (and take your vitamins, too!).
- Attackers are leveraging misconfigurations related to hardware, operating systems, software, applications, etc. Just as there are thousands of vulnerabilities to patch, there are thousands of security settings to be configured, many of which are not secured correctly. With simple queries, an attacker can determine what is running on the device they’ve compromised, allowing them to know exactly which misconfigurations to look for. Securing these configurations before the attacker can ever see them is essential.
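Securing configurations before an attacker can enumerate them means knowing, host by host, which settings have drifted from the hardened target. The following is an added example (not code from the original article) of a small configuration audit: a constructed snapshot of a few domain controller settings is checked against a rule set and every failed or uncollected value becomes a finding. The setting keys are this example's own naming convention, and the hardened values (SMB1 = 0, LmCompatibilityLevel = 5, LDAPServerIntegrity = 2, Print Spooler disabled) are commonly documented targets that should be compared with your own baseline.

```python
"""Configuration audit for a handful of Active Directory hardening settings.

Added example, not from the original article. The host snapshot below is
constructed; in production it would come from a scheduled export of registry
values and service state on each domain controller. The setting keys are this
example's own convention and the hardened values are assumptions to check
against your baseline.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    name: str                       # human-readable control name
    key: str                        # setting key in the snapshot (example convention)
    check: Callable[[Any], bool]    # True when the observed value is acceptable
    severity: str
    fix: str                        # remediation hint for the report


# Hardened targets: SMB1 registry value 0 disables SMBv1; LmCompatibilityLevel 5
# refuses LM and NTLMv1; LDAPServerIntegrity 2 requires LDAP signing; the Print
# Spooler service should not run on domain controllers.
RULES = [
    Rule("SMBv1 disabled", "LanmanServer.SMB1", lambda v: v == 0, "high",
         "set HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1 to 0"),
    Rule("NTLMv2 only", "Lsa.LmCompatibilityLevel", lambda v: v >= 5, "high",
         "set LmCompatibilityLevel to 5 via Group Policy"),
    Rule("LDAP signing required", "NTDS.LDAPServerIntegrity", lambda v: v == 2, "high",
         "set LDAPServerIntegrity to 2 (require signing)"),
    Rule("Print Spooler off on DCs", "Services.Spooler.StartType",
         lambda v: v == "Disabled", "medium",
         "disable and stop the Spooler service on domain controllers"),
]

# Constructed snapshot: DC01 is hardened, DC02 has drifted, DC03 is missing a value.
SNAPSHOT = {
    "DC01": {"LanmanServer.SMB1": 0, "Lsa.LmCompatibilityLevel": 5,
             "NTDS.LDAPServerIntegrity": 2, "Services.Spooler.StartType": "Disabled"},
    "DC02": {"LanmanServer.SMB1": 1, "Lsa.LmCompatibilityLevel": 3,
             "NTDS.LDAPServerIntegrity": 2, "Services.Spooler.StartType": "Automatic"},
    "DC03": {"LanmanServer.SMB1": 0, "Lsa.LmCompatibilityLevel": 5,
             "Services.Spooler.StartType": "Disabled"},
}


def audit(snapshot: dict) -> list:
    """Evaluate every rule against every host.

    Returns one finding per failed or uncollected setting. A missing value is
    reported rather than silently passed: an attacker who enumerates the host
    sees the real value whether or not the collector gathered it.
    """
    findings = []
    for host, settings in sorted(snapshot.items()):
        for rule in RULES:
            observed = settings.get(rule.key)
            if observed is None:
                status = "missing"
            elif rule.check(observed):
                continue
            else:
                status = "fail"
            findings.append({"host": host, "rule": rule.name, "status": status,
                             "observed": observed, "severity": rule.severity,
                             "fix": rule.fix})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity so the report can be prioritised."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    report = audit(SNAPSHOT)
    for f in report:
        print(f"{f['host']:5} {f['severity']:6} {f['status']:7} {f['rule']}: "
              f"observed={f['observed']!r}; fix: {f['fix']}")
    print("totals:", summarize(report))
```

Run on a schedule and diffed against the previous run, the same audit doubles as the continuous check described later in the article: a setting that passed yesterday and fails today is drift worth an alert, not just a line in a report.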
Trend 2: gaps in existing tools and practices
Current security tools and practices are not sufficient to secure our networks. The following is a list of common tools and practices. While each of these is useful, they all leave security teams with major gaps in coverage:
- Pen testing
- Active Directory monitoring
- SIEM solutions
- User Behavior Analytics
- Artificial Intelligence
- Endpoint Detection and Response (EDR) and antivirus (AV)
Many of these solutions offer point-in-time visibility, meaning the results are quickly outdated. Other solutions might be more continuous, but they are not digging into the depths of the network infrastructure to give information at the level the attacker sees.
Trend 3: Active Directory is a pathway
Regardless of the entry point a ransomware attacker targets, Active Directory is always involved as a next step in the attack. Over and over again we see forensic proof that Active Directory was leveraged to move laterally and gain privileges in order to deploy ransomware.
For example, RYUK and XingLocker (a variant of MountLocker) specifically need Active Directory to be involved; otherwise these attacks fail. Attackers know how to enumerate and analyze Active Directory, so they rely on it for a successful breach and deployment of their malicious software. Active Directory is at the center of authentication and resource access for most organizations, which is another key reason attackers love to leverage it.
The solution: three steps for reducing ransomware risk
Countering these three trends, and securing the key components of your infrastructure that are most likely to draw attackers' attention, will help you see and protect what the attackers are targeting. The following three steps are foundational for securing Active Directory and managing vulnerabilities to reduce the risk of ransomware.
- All of the environment needs to be secured, immediately. Easy to say, not so easy to do. The existing hardware, operating systems, applications, software and Active Directory itself all need to be secured. Security professionals should expect an attacker to enumerate and analyze any and all aspects of the network and prepare accordingly.
- The work invested in securing your network and all devices should not go to waste. Once you have patched and secured configurations throughout the network, including Active Directory, these efforts need to be maintained constantly. That means 24x7 continuous and automatic analysis of all vulnerabilities and configurations needs to occur. Think of it as continuously keeping your attack surface as small as possible.
- The ability to detect attacks is vital. Simpler attacks, such as password spraying and guessing, need to be detected as soon as they are started, so they can be shut down immediately. Likewise, even more advanced attacks, like DCSync, DCShadow and Golden Ticket, which are all used to leverage Active Directory, need to be detected as they occur. Due to the nature of these attacks, many commonly available tools cannot correctly detect them. Yet, these advanced attacks are used for persistence and backdoors, as well as to open up new attack paths. Sophisticated solutions are needed to fill these gaps in monitoring and detection.
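The third step calls for detecting both the simple attacks (password spraying) and the Active Directory specific ones (DCSync) as they happen. The following is an added example, not code from the original article, of detection logic run over constructed, simplified Windows Security log records: a password spray is flagged when one source address fails logons (event 4625) against many distinct accounts inside a short window, and a DCSync is flagged when an account that is not a domain controller exercises the directory replication extended rights (event 4662 carrying the DS-Replication-Get-Changes GUIDs). The thresholds, the domain controller account list and the event field subset are assumptions to adapt to your environment.

```python
"""Detection logic for two Active Directory attacks the article names.

Added example, not from the original article. The events below are
constructed, simplified Windows Security log records (only the fields used
here); the thresholds and the list of domain controller accounts are
assumptions to adapt to your environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known AD extended-right GUIDs: DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All. A DCSync request needs these rights.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
SPRAY_WINDOW = timedelta(minutes=5)   # assumption: tune to your environment
SPRAY_MIN_ACCOUNTS = 10               # assumption: distinct accounts per source
DC_ACCOUNTS = {"DC01$", "DC02$"}      # assumption: machine accounts of the DCs


def ev(event_id: int, ts: datetime, **fields) -> dict:
    """Build a constructed event record in the shape the detectors expect."""
    return {"EventID": event_id, "TimeCreated": ts, **fields}


T0 = datetime(2024, 1, 15, 9, 0, 0)
EVENTS = (
    # spray: 12 different accounts from one source, 10 seconds apart
    [ev(4625, T0 + timedelta(seconds=10 * i), IpAddress="10.0.0.50",
        TargetUserName=f"user{i + 1:02d}") for i in range(12)]
    # one user mistyping their own password twice is not a spray
    + [ev(4625, T0 + timedelta(minutes=1), IpAddress="10.0.0.7", TargetUserName="jdoe"),
       ev(4625, T0 + timedelta(minutes=2), IpAddress="10.0.0.7", TargetUserName="jdoe")]
    # replication by a DC is normal; by a user account it is not
    + [ev(4662, T0 + timedelta(minutes=3), SubjectUserName="DC02$",
          Properties=["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]),
       ev(4662, T0 + timedelta(minutes=4), SubjectUserName="jsmith",
          Properties=["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
       # a 4662 on an unrelated right (constructed placeholder GUID) is ignored
       ev(4662, T0 + timedelta(minutes=4), SubjectUserName="jsmith",
          Properties=["00000000-0000-0000-0000-000000000000"])]
)


def detect_password_spray(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Return {source_ip: sorted targeted accounts} for every source whose
    failed logons hit at least `min_accounts` distinct accounts inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((e["TimeCreated"], e["TargetUserName"]))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding window over time-ordered attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_accounts:
                alerts[ip] = sorted({u for _, u in attempts})
                break
    return alerts


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """Return the 4662 events in which replication rights were exercised by an
    account that is not a domain controller machine account."""
    return [e for e in events
            if e["EventID"] == 4662
            and REPLICATION_GUIDS & set(e["Properties"])
            and e["SubjectUserName"] not in dc_accounts]


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(EVENTS).items():
        print(f"password spray from {ip}: {len(accounts)} accounts targeted")
    for e in detect_dcsync(EVENTS):
        print(f"DCSync-style replication by {e['SubjectUserName']} at {e['TimeCreated']}")
```

Both detectors need telemetry that many environments do not collect by default: 4662 is only written when the "Audit Directory Service Access" subcategory is enabled and a SACL covers the domain object, and a spray against only a few accounts per source stays below any count threshold, so the window and minimum should be set from observed baseline noise rather than guessed.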
By: Derek Melber