RST: How to Limit External Exposure

At Tetra Defense, the ransomware cases we respond to and investigate daily share a recurring theme: there are simple, and oftentimes inexpensive preventative measures that can be taken before disaster strikes. As part of our series on our Ransomware Stress Test™, learn how your unique cybersecurity environment can benefit from limiting external exposure on the public internet.  

Root Cause

Ransomware is a crime with countless factorsInvestigations consider unique strain, threat actor motives, root cause of compromise, and even employee online behavior in the aftermath of an attack. No two cases are perfectly alike. At Tetra Defense, we’ve seen attacks on universities, financial organizations, fellow IT professionals, municipalities, maritime navigation companies, and even farms. The one thing that’s certain is that threat actors do not discriminate; they will avidly search for and attack any victim that could be a potential profit for them. For threat actors, their search usually begins where nearly all searches are made: the public internet.  

Every service and system an organization leaves exposed to the public internet is at risk of being compromised. Threat actors can attempt attacks with automated mechanisms: programs that continuously scan internet addresses looking for vulnerable hosts. Infiltrating an externally facing device is one of the most common ways attackers can gain a foothold in network. It is vital that the minimum number of services are open to access, and that those services are well-configuredupdated, and verified regularly. 

How to Manage Exposure

For externally facing devices, it is important to eliminate as many security risks as possible — a process known as “hardening” devices. Various hardening strategies exist depending on business need, but there are common areas of importance. We recommend performing vulnerability assessments on internet facing systems, implementing a patch management system, externally logging system and event log information, and limit running unnecessary services like Remote Desktop Protocol (RDP). 

1.     Vulnerability Assessment

The first step to checking for vulnerabilities is to learn your external IP address space. There are a number of ways to do this:

  • Checking with your ISP and asking for static IPS
  • Performing DNS lookups on your public website and any other hosts exposed
  • Google, “What is my IP?”

Once all of the organization’s IP addresses are found, vulnerability scans are ready to begin against these IP spaces. Keep in mind there may be obligations under certain compliance standards, such as the PCI-DSS, to work with a commercially Approved Scanning Vendor (ASV) to perform and remediate external vulnerability scans.

In order to learn what ports are available externally, we recommend free scanning services like Shodan.io. Once identified, its possible to remediate any unnecessary services running on internet facing devices. Shodan.io can be accessed directly from the internetsimply enter the IP addresses of publicly facing servers and it delivers quick insight into what ports are open on publicly facing devices. 

2.     Patching External Exposure

A high percentage of cyberattacks on externally facing devices could be mitigated by simply patching these types of vulnerabilities. Patch management is the process of updating software to remedy newly discovered vulnerabilities. Vulnerability announcements come hand-in-hand with exploits — as soon as a new patch is available, older versions become immediate targets for threat actors.  

Patch Management is a low-cost process that can help protect network infrastructure by keeping newly discovered exploits patched. Learning about the software and software versions running on systems (and only running required software on externally facing devices) will help streamline your patch management process. Implementing and following a patch management strategy is important for an organization to prevent the attacks that are most commonly executed by threat actors. 

3.     Proof of Exposure

Event log information allows an organization to track and audit changes to systems. Information about file access, unauthorized access, and activity by users is available in event logsWhile logs can be cumbersome, organizations can benefit from tracking activity as it can alert them if a device is accessed from an external network by an attacker, or if documents are accessed by an unauthorized user. There are many free and commercial solutions available to perform real-time monitoring and analysis of event logs, and it is something that should be taken into consideration by every organization. When building a comprehensive defense against external threats, it’s important to create a system that preserves proof. 

4.     The Problem with RATs

Widely used legitimate tools like Remote Access Tools (RATs) and Remote Desktop Protocol (RDP) are intended for IT Admins to remotely connect to a computer over a network connection. Attackers are constantly scanning the internet and looking for publicly facing devices that have this protocol enabled. Organizations should consider the risks involved before implementing any type of externally facing RDP access, or if RDP holds a significant business need to begin with. 

Tale from the Trenches

A very common attack vector used today by threat actors to deploy ransomware is publicly exposed remote desktop protocol. It is so common that on every incident response case, one of the first questions asked is “Do you have RDP exposed?” In many cases, the answer is obvious, but sometimes it can be difficult to identifyFor one client in particular, their entire infrastructure didn’t have exposed RDP, ruling out the possibility of an over-exposed networkThe unexpected culprit in this case was the physical HVAC machine within the building that had exposed RDP. While employees of this organization were not directly interacting with the heating and cooling system of their building, the HVAC system was connected to the internet, and its remote control ultimately led to the entire site being compromised and ransomed.  

It is common for outside vendors to require exposed RDP — this most often saves time, money, and allows for convenient service from anywhere in the world. In many cases, vendors completely rely on exposed RDP and may leave no other choice. If your vendor requires external RDP access, you may create an allow list in your firewall to only grant RDP access to the vendor’s IP address and block everything else to limit exposure. However, you may also want to look at other vendors using more secure means of connecting into your network such as a VPN. 

In our Ransomware Stress Test, the concept of “external exposure” is the most critical concept. As our incident response team actively resolves and investigates cyberattacks, they inform the frequency of attacks from exposed networks, and how devastating the consequences can be. While ransomware is a complicated, prolific crime, the root cause of this attack can be quickly thwarted by staying aware of how exposed internal networks are on the public internet.  

Check out some related content on our blog: