Reduce the Risk of Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA) is leading a ransomware awareness campaign, Reduce the Risk of Ransomware, with information and resources for organizations and individuals to use. 

During Ransomware awareness campaign, CISA emphasizes nine key messages that promote smart cyber behaviors or actions that individuals and organizations should implement to help prevent and mitigate ransomware attacks.

1. Keep Calm and Patch On – Patching is essential for preventive maintenance that keeps machines up-to-date, stable, safe, and secure against malware and other cyber threats. 

2. Backing Up Is Your Best Bet – It is critical to set up offline, encrypted backups of data and to regularly test your backups. The more you automate your backup system, the more frequently you can back up your data. 

3. Suspect Deceit? Hit Delete – If an email looks suspicious, do not compromise your personal or professional information by responding or opening attachments. Delete junk email messages without opening them. 

4. Always Authenticate – Implement multifactor authentication (MFA) to prevent data breaches and cyber-attacks. This includes a strong password and at least one other method of authentication. 

5. Prepare and Practice Your Plan – Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.

6. Your Data Will Be Fine If It’s Stored Offline – Local backups, stored on hard drives or media, provide a sense of security in case any issues occur. Keep your backup media in a safe and physically remote environment. 

7. Secure Your Server Message Block (SMB) – SMB vulnerabilities allow their payloads to spread laterally through connected systems like a worm. CISA recommends all IT professionals disable their SMB protocols to prevent ransomware and other malware attacks. 

8. Paying Ransoms Doesn't Pay Off – The U.S. government recommends against paying any ransom to cyber-crime organizations or malicious cyber actors. Paying a ransom only funds cybercriminals, and there is no guarantee that you will recover your data if you do pay. 

9. Ransomware Rebuild and Recovery Recommendations – Identify the systems and accounts involved in the initial data breach and conduct an examination of existing detection or prevention systems. Once the environment is fully cleaned and rebuilt, issue password resets for all affected systems and address any associated vulnerabilities and gaps in security or visibility.

CISA Resource: Reduce the Risk of Ransomware Awareness Campaign

CISA Ransomware Guide

• Part 1: Ransomware Prevention Best Practices
• Part 2: Ransomware Response Checklist

Risk Management Frameworks

One of the key elements for effective Threat Mitigation through appropriate Control Implementation is to correctly identify the Risk associated, without which the ability to Detect & Protect Security Gaps, Operating Costs and Strategic Roadmaps would get affected.

Effective Red Teaming or Adversary Emulation

The Colored Teams -

Red Teaming landscape -

Red Teaming approach -

The Attack Kill Chain -

Purple team stands for collaborative workflows -

Red Team focus areas -

Scantron - A Distributed Nmap Scanner

Scantron is a distributed nmap and masscan scanner comprised of two components. The first is a console node that consists of a web front end used for scheduling scans and storing nmap scan targets and results. The second component is an engine that pulls scan jobs from the console and conducts the actual nmap scanning. A majority of the application's logic is purposely placed on the console to make the engine(s) as "dumb" as possible. All nmap target files and nmap results reside on the console and are shared through a network file share (NFS) leveraging SSH tunnels. The engines call back to the console periodically using a REST API to check for scan tasks and provide scan status updates.

Checkout the Python Scantron API client for interacting with the Scantron API and driving automated workflows.

More details: https://github.com/rackerlabs/scantron

Microsoft Defender Antivirus and System Center Endpoint Protection to automatically mitigate CVE-2021-26855

Today, Microsoft has taken additional steps to further support their customers who are still vulnerable and have not yet implemented the complete security update. With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build 1.333.747.0 or newer), if they do not already have automatic updates turned on.

The Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases. This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.

More details here: https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/

A pragmatic approach to improve an Organization’s Security Posture

As the Security threat landscape, these days, changes and evolves on such a frequent basis, it has becomes imperative to stay vigilant of the Cyber criminals and their ever changing tactics and techniques in a continuous manner. Organizations traditionally invest on keeping themselves updated/vigilant about the latest developments in the threat landscape through the adoption of Cyber Threat Intelligence (CTI) capabilities. Various information sources such as Blog posts, Tweets, Research papers, White papers, Vendor reports, Threat reports, Organization’s own Telemetry etc. are processed, analyzed using advance Machine Learning (ML) and Artificial Intelligence (AI) algorithms to generate actionable intelligence such as indicators of compromise (IOC), malware source IP addresses, domain names, email addresses, malicious file hashes etc. for proactive defense against these threat vectors. This traditional CTI approach to stay vigilant, however, is a very daunting task as it definitely has some limitations and challenges, such as –

·         Apart from the ML and AI, it also requires a lot of manual time and effort to read and analyze Research papers, White papers, Vendor reports, Threat reports etc. to understand the context and generate actionable intelligence.

·         Validating the actionable intelligence is also time and effort intensive and monotonous work, which eventually could have significant false positives for Blue Teams and Operations Teams.

·         Actionable intelligence could be susceptible to changes as aspects like indicators of compromise (IOC), malware source IP addresses, domain names, email addresses, malicious file hashes etc. could change, rendering the proactive detection rules useless.

·         A major portion of the CTI generated may not be relevant for the Organization’s technology footprint.

·         A huge contribution towards getting relevant real time threat intelligence is subscription based and eventually it has cost implications.

In light of the above limitations/challenges and David Bianco's Pyramid of Pain, adoption of MITRE ATT&CK Framework provides a structured way to describe adversary Tactics, Techniques and Procedures (TTP) and behavior and allows a more widespread alignment across multiple Cyber Security domains viz. Threat Intelligence & Threat Hunting, Red Teaming, Risk Management, Intrusion Detection & Response, Security Engineering, 3^rd Party/Vendor Risk Assessment etc.

The Pyramid of Pain – “shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them”. This means, it is very easy for an adversary to change the malware source IP addresses, domain names, email addresses, malicious file hashes etc. to make rendering the proactive detection rules useless; however, it is very difficult for an adversary to change the tactics, techniques and procedures.

Hence instead of depending on just the IOCs and actionable intelligence to achieve resilience, adopting a TTP based detection and alerting mechanism is preferred. This is where adoption of MITRE ATT&CK Framework becomes the need of the hour to create a more effective threat-based awareness of Security loopholes that adversaries could exploit. This in turn improves the actionability of CTI for effective defense against these threat vectors.

Additionally, this framework could be leveraged to take strategic and tactical decisions around Vendor Partnership or 3^rd Party Security Software/Service investments. Plotting the coverage of these Vendors/Products against the detection/alerting/remediation capabilities against the ATT&CK TTPs and the Organization’s Security loopholes can channelize the Vendor Partnership or 3^rd Party Security Software/Service investments in the most pragmatic manner.

A quick snapshot of an Cyber Security Domains

This is a brief & conceptual map of all the major focus areas of Cyber Security. This is more of a quick snapshot of the Cyber Security Domains that requires proper planning and strategies carved out to improve an Organization's overall Security posture.    

Further, to deep dive into each of these sub areas, you may dissect it further to get a more granular picture of what all sub areas require more attention and focus.

Note: In no way this is a limited to or an exhaustive list at all, rather a POV representation.

 

Strategic Paths to Cyber Security

 

Open Source Inteligence (OSINT)

Good content to understand and learn OSINT

An Introduction to Open Source Intelligence (OSINT) Gathering

1. https://www.secjuice.com/introduction-to-open-source-intelligence-osint

 
What is OSINT? How can I make use of it?

1. https://securitytrails.com/blog/what-is-osint-how-can-i-make-use-of-it

 
OSINT is a State of Mind

1. https://medium.com/secjuice/osint-as-a-mindset-7d42ad72113d

 
Online investigations with Open Source Information

1. https://firstdraftnews.org/how-to-get-started-in-online-investigations-with-open-source-intelligence-osint

 
How to find Information on Anyone

1. https://medium.com/@Peter_UXer/osint-how-to-find-information-on-anyone-5029a3c7fd56

 
2019 OSINT Guide

1. https://www.randhome.io/blog/2019/01/05/2019-osint-guide

 
Open-Source Intelligence (OSINT) Reconnaissance

1. https://medium.com/@z3roTrust/open-source-intelligence-osint-reconnaissance-75edd7f7dada

 
Google Hacking Techniques

1. https://securitytrails.com/blog/google-hacking-techniques

 
OSINT Frameworks:

1. technisette.com
2. osintcurio.us
3. osintframework.com
4. osintframework.de
5. https://github.com/jivoi/awesome-osint
6. Https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA  

Above information is taken from: https://www.osinttechniques.com/blog  

Exchange On-prem Mitigation Tool For ProxyLogon Exchange Server Cyberattacks

 

Microsoft on Monday released a one-click mitigation software that applies all the necessary countermeasures to secure vulnerable environments against the ongoing widespread ProxyLogon Exchange Server cyberattacks.

Called Exchange On-premises Mitigation Tool (EOMT), the PowerShell-based script serves to mitigate against current known attacks using CVE-2021-26855, scan the Exchange Server using the Microsoft Safety Scanner for any deployed web shells, and attempt to remediate the detected compromises.

"This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update," Microsoft said.

Detailed info: https://thehackernews.com/2021/03/use-this-one-click-mitigation-tool-from.html 

The 2021 CrowdStrike®️ Global Threat Report

 Get the CrowdStrike® 2021 Global Threat Report -- one of the industry’s most highly anticipated reports on today’s top cyber threats and adversaries.

The 2021 CrowdStrike®️ Global Threat Report

go.crowdstrike.com

Top Phishing Email Subjects

Cryptography at a glance

The Zero Trust Mindset

An excellent post about Zero Trust concept from Alex Weinert from Microsoft

Original Post: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/zero-hype/ba-p/1061413 

In a Nutshell

Zero Trust, conceptually, asserts that traditional security models based on “the walled garden” are outdated, and that security models should assume that all requests should be treated as though they originate from an uncontrolled (external or compromised) network. Whether you think of this as “assuming breach” and operating as though the enemy is inside your perimeter or you think of this as operating in a perimeter-less environment, it’s all about operating as though you are in a pervasive threat environment. This is a simple concept, we don’t need to complicate it or dress it up because it has powerful implications.

The Zero Trust Mindset

I believe the most useful thing about Zero Trust is the mindset it creates. The mindset to adopt is that you are operating in a pervasive threat environment. An environment that demands that you continuously assess and re-assess the viability of your security strategy. Here are some key behaviors you might exhibit if you accept that you are operating in a pervasive threat environment:

• Don’t accept complacency. This is the single biggest shift of Zero Trust. In the world of flat networks and VPN, we assume that if the request is originating from a known network, it must be safe. We assume the models that protected us yesterday will protect us tomorrow. Zero Trust demands we abandon those assumptions and instead validate and exercise controls over as many aspects of access as possible, explicitly validating what we can, and accepting that the things we don’t explicitly validate remain uncertain.
• Assume all resources are on the open internet. One approach many customers have found valuable in countering their entrenched assumptions is to assume every user, device, and resource is on the public internet. Many of our most successful customers in this regard have simply moved as many resources as possible to the cloud, modernizing their security strategy as they go.
• Trust no single source. In a pervasive threat environment, accurate insights are key. A CISO once shared that “Pops told me, honest people all tell the same story, but liars lie differently.” Security models which rely on multiple sources of validation are much stronger – triangulation provides a much more accurate fix than single source validation. Similarly, control which relies on multiple elements (using device trust, location, and strong auth, for example) is better than that which relies on only one aspect of access.
• Breach containment. If we assume pervasive threats, we assume that some threats will break through our defenses. Containment strategies such as privileged identity management, role-based access, separation of duties and network segmentation can help contain adversaries who break through your first layers of defense.
• Standards are security. While innovation is wonderful, a maxim of security (especially encryption) is that nothing is provably secure, but time without breach is a good indicator. Avoid security theater or security through obscurity – heavily inspected, heavily used, and yes - heavily attacked standards provide a great anchor for your security strategy. Leverage modern authentication standards like OAUTH2, provisioning standards like SCIM, and credential standards like FIDO2 wherever possible (or buy products that do).
• There aren’t enough humans. You must automate everything you possibly can. There simply aren’t enough humans to handle the volume of telemetry and attacks you will be facing. Make use of cloud intelligence, machine learning, and most importantly automated response mechanisms like automatically locking at risk accounts or banning traffic from known bad IP addresses.

 

We can distill all this down to three key principles:

• Move from assumption to explicit verification.
• Adopt a policy-based, least privileged access model.
• Design with the assumption that every element of your system can be breached.

Conceptual Architecture

We have seen that successful adoption of a Zero Trust approach benefits from some critical elements. We pulled this together conceptually in a conceptual architecture, pictured below.

 

 

The critical elements are as follows. First, the key resources:

• Verify Identity. Knowing who is requesting access is essential, and that identity must be validated explicitly, not inferred from the environment. Ensure you are secure at the point of access by bringing users into a common identity system, using strong auth and threat intelligence to validate authentication.
• Verify Devices. All data access requests result in the transfer of that data to a browser or app on a device. Knowing the state of that device is critical in a world where devices can be infected, lost, or stolen. Mobile Device Management (MDM) and Mobile Application Management are critical to protecting data once it is accessed.
• Protect Data. Wherever possible, data should be protected from unauthorized transfer by auto-classification and encryption. This protects against intentional or accidental misrouting of downloaded data.
• Harden Applications. Application access and configuration must be secure to mitigate intrinsic application risks, and to ensure access is governed by policy. Application behavior, including shadow IT, should be understood and monitored for and protecting from anomalies.
• Protect Infrastructure. Where you are using cloud workloads (IaaS or PaaS), ensure you are utilizing your cloud fabric according to best security principles, utilizing the intelligence and protection provided.
• Govern Networks. Mitigate lateral movement by using an intelligent, adaptive segmentation strategy for workloads, monitoring for and protecting from anomalous traffic patterns.

 

Then, the key tools to tie it together:

• Policy driven access. Modern micro-segmentation means more than networks. It requires we also gate access based on their role, location, behavior patterns, data sensitivity, client application, and device security. Ensure all policy is automatically enforced at the time of access and continuously throughout the session where possible.
• Automated threat detection and response. Telemetry from the systems above must be processed and acted on automatically. Attacks happen at cloud speed – your defense systems must act at cloud speed as well, and humans just can’t react quickly enough. Integrate intelligence with policy-based response for real-time protection.

 

Next Steps

Here are some next steps and related on demand sessions to help you go deeper on how to get started today:

Identity Teams:

1. Connect all your apps for single sign-on – Identity is your control plane, but only for apps and users that are visible to it!
2. Ensure strong identity with multi-factor authentication and risk detection.
3. Enforce policy-based access and least privileged access for breach containment.
4. Check out these sessions:
   • BRK2132: How Microsoft uses Azure Active Directory Identity Protection and Conditional Access to protect its assets
   • BRK4017: The science behind Azure Active Directory Identity Protection

 

Device Management Teams:

1. Register your devices with your Identity provider so you can consider device context in your policies.
2. Implement MDM security baselines with compliance reporting.
3. Implement role-based access control that allows view access for impact assessment.
4. Check out this session:
   • DEP50: Why Microsoft 365 device management is essential to your Zero Trust strategy

 

Network and Infrastructure Teams:

1. Enable a cloud workload protection solution across your hybrid and multi-cloud estate.
2. Use cloud-native controls to create micro perimeters.
3. Reduce attack surface by implementing just-in-time application and network segmentation.
4. Check out these sessions:
   • BRK3188: Protect your cloud workload from threats using Azure Security Center
   • BRK3185: Securing your cloud perimeter with Azure Network Security

 

Application and Data Teams:

1. Perform shadow IT discovery and implement a cloud control program – you can’t manage what you can’t see.
2. Agree on a label taxonomy and classify documents and emails – use default taxonomy for initial classifications.
3. Apply protections to high risk scenarios such as sensitive data and unmanaged access in apps.
4. Check out these sessions:
   • BRK2108: Top CASB use cases to boost your cloud security strategy
   • BRK2119: Secure your sensitive data! Understanding the latest Microsoft Information Protection capabilities

 

Finally, check out our Zero-Trust center and especially the maturity model which we hope will help you think about next steps on your journey.