In many ransomware attacks, before anything appears to go awry for an end user, an attacker has already spent a significant amount of time inside a victim’s network. No matter the root point of compromise (phishing email, malicious software update, etc.), one click can set into motion a series of events that allow threat actors to infiltrate the victim’s network, take their time navigating through it, and eventually deploy the ransomware for extortion.
What often makes a ransomware attack so devastating for a victim organization is its sheer scope — the more information the attacker was able to compromise, the more leverage they have in holding the information hostage. We know that threat actors attempt to gain access to whatever they can get their hands on, so in turn, it’s important to limit this access appropriately before it can be compromised.
If an organization can control which users have administrative privileges, and then secure those critical accounts with multi-factor authentication (MFA), it becomes extremely difficult for an attacker to encrypt servers, data stores, or even backup archives. Before implementing these technical safeguards, we recommend first adhering to the following philosophy:
Check Your Privilege
As recommended by the Center for Internet Security (CIS), one of the basic controls is the controlled use of administrative privileges. We often refer to this control as “the principle of least privilege,” under which users within an organization have access only to the parts of the network that their unique role requires. Employees in HR should not have access to sensitive client data, nor should sales representatives have access to employee records. This principle gives employees access to only the information most relevant to them and limits liability for the organization as a whole.
As described by David Kruse in our 20 for 2020 video series, “You need to draw lines in the sand around the systems and data that you want each employee to have access to based on their role. Information security relies on thinking the way a potential hacker might think, and limiting the scope of their attack before they launch it is a great way to prevent disaster.”
User accounts are what differentiate each person accessing a computer system. Administrators of the network, whether the CIO or the technicians, fall into a category that needs proper definition. Accounts shared by multiple employees pose a risk in this same vein: privileges need to be uniquely assigned, and users need to operate within unique accounts. Shared accounts lead to unreliable logging and auditing, as it can be difficult to pinpoint exactly who was using an account at the time of a potential incident. An employee could leave a team while the group password remains the same, opening the system up to unwanted access. The best practice is a single username and password per employee.
When establishing appropriate access for users, whether they be typical or administrative accounts, it’s important that users prove they actually are who they claim to be. This is where MFA comes into play. No matter how strong the password credentials may be to secure certain accounts, threat actors have equally strong attacks against them. Automated brute-force attacks can attempt thousands of combinations of characters in seconds, not to mention malicious tools like Mimikatz specifically designed to extract credentials of user accounts.
When credentials are in the wrong hands, a second barrier is required to protect the account.
MFA serves as this second barrier by verifying something a user knows (What is your mother’s maiden name? Where was your first job?), something a user has (a unique key, a cell phone with a code), or something a user is (facial recognition, fingerprint scan). If a threat actor cannot satisfy the second factor of authentication, the account remains locked and a potential attack is prevented.
In an ideal scenario, every user account would enable MFA. While a traditional approach would recommend that only IT administrators use MFA, this is no longer an adequate solution. Threat actors are finding new ways every day to escalate a standard user to one with administrative privileges, eliminating barriers within a network. To thrive in the modern threat landscape, all access to all systems needs to have MFA beyond just the most privileged accounts.
Using MFA with web applications such as email and payroll platforms can also help with mitigating risk. A common threat vector to consider is Office365 as there is a large amount of sensitive data that can be gained from a single account. Not only is there a risk for data compromise in this case, but also the possibility to send malicious attachments or malware from a trusted, internal email address.
Tales from the Trenches
We’ve investigated numerous cases at Tetra involving compromised user credentials. One situation stands out in particular, where a company used a Virtual Private Network (VPN) to access their internal network. The VPN was set up with geo-location blocking, which is a recommended safeguard as it only grants access to users from approved locations. Using this safeguard, the company allowed their users to work remotely via their VPN. Unfortunately, one of their remote users had pre-existing malware on their home computer that had the ability to scrape credentials for the work VPN. Having access to the home computer, the threat actor was able to authenticate themselves with the scraped credentials and log in to the corporate network. Once inside, they were able to deploy malware to the system.
This is an example where MFA could have prevented the corporate network access, but it’s also an example of how MFA is not a perfect solution on its own. The user’s home laptop that connected to the VPN was compromised, so in this case malware would still have been able to scan and spread to the corporate network as soon as the VPN was accessed. This is where network scanning and external defenses would come into play, and ideally multiple network defense systems would work together. Furthermore, users should not be able to remotely access the network from systems not maintained by the organization.
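The scraped-credential scenario above leaves two traces a defender can look for in VPN authentication records: a login that never satisfied a second factor, and one account becoming active from a second source address while its legitimate session is still fresh. The following Python is an added example written for this post, not Tetra’s tooling or any vendor’s log format; the `user=... src=... mfa=...` line layout, the 30-minute window and the sample log lines are all constructed assumptions.

```python
"""Review constructed VPN authentication records for signs of credential
misuse: logins without a second factor, and one account active from two
different source addresses inside a short window (the legitimate remote
user plus someone replaying scraped credentials). Added example; the log
format is an assumption, not any vendor's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, source IP, MFA result.
VPN_LOG = """\
2020-06-01T08:02:11 user=jsmith src=203.0.113.10 mfa=pass
2020-06-01T08:05:40 user=mlee src=198.51.100.7 mfa=none
2020-06-01T08:09:03 user=jsmith src=192.0.2.77 mfa=pass
2020-06-01T13:30:00 user=jsmith src=203.0.113.10 mfa=pass
"""

WINDOW = timedelta(minutes=30)  # assumed "still fresh" session window


def parse(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_alerts(log_text, window=WINDOW):
    """Return (user, reason) tuples worth an analyst's attention."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, src)] seen within the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        if rec.get("mfa") != "pass":
            alerts.append((user, "login without second factor"))
        # Forget logins older than the window, then check whether this
        # account is now arriving from a different address than before.
        recent[user] = [(t, s) for t, s in recent[user] if ts - t <= window]
        if any(s != src for _, s in recent[user]):
            alerts.append((user, f"second source {src} within {window}"))
        recent[user].append((ts, src))
    return alerts


if __name__ == "__main__":
    for user, reason in find_alerts(VPN_LOG):
        print(f"{user}: {reason}")
```

The afternoon `jsmith` login from the original address raises nothing because the earlier sessions have aged out of the window; a real deployment would tune that window to the VPN’s session lifetime.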
In order to ensure the authenticity of account users, we highly recommend implementing MFA wherever it’s possible, for whoever it’s possible. Our team crosses paths with numerous tools and services through our work. When it comes to Authentication and Authorization, here are some of our fan favorites: