Here at the global Microsoft Compromise Recovery Security Practice (CRSP), we work with customers who have experienced disruptive security incidents to restore trust in identity systems and remove adversary control. During 2020, the team responded to many incidents involving ransomware and the deployment of crypto-mining tools. Ransomware is a growing threat to organizations and home consumers, as it is a low-cost, high-return business model. These attacks aren’t complex; they rely on tools and software exploits that have existed for many years and are still not remediated. They’re still attempted for a simple reason: they still work.
In this post, we hope to share with you the most practical and cost-effective ways of never needing our services.
There is an old story about two hikers in the wilderness who see a bear coming towards them. One reaches for his running shoes and his friend says, “You’ll never outrun a bear.” The first hiker replies, “I don’t have to, I only need to outrun you.”
The theme behind this story echoes in the current cybersecurity threat landscape. The news carries a lot of stories of cyberattacks, most of which are described as “extremely sophisticated.” However, the truth is that the bulk of cyber incidents aren’t particularly sophisticated. Most attackers aren’t well-funded nation-states; they are just criminals trying to make some money. Direct financial gain was a key motivator behind cyberattacks in 2020. This is particularly true when the victims are small to medium enterprises and non-profit sectors, like schools and charities. An easy way in which you can improve your security posture is with quick and efficient patching.
In early 2020, Microsoft’s Detection and Response Team (DART) was engaged by a public sector organization in Australia to investigate a cyberattack. The DART investigation determined that the attacker was operating from a foreign IP address. The Incident Response (IR) investigation found that the adversary started their attack by scanning internet-facing infrastructure for exposed ports. In this instance, a remote desktop connection had been opened directly to the internet to enable a software vendor to provide support. A weak administrative password was quickly brute-forced. With administrative access to the exposed server, the attacker performed some reasonably noisy network reconnaissance using commonly available hacking tools, then promptly moved laterally across the network, escalating to Domain Controllers.
Following the DART investigation, the CRSP team worked to recover the environment by re-establishing trust in the identity systems, hardening defenses, and removing the adversary’s control. Although high profile and well-resourced, the public sector organization was a small organization of around 500 staff and had regrettably fallen behind in security measures in recent years.
From the initial brute force attack, the attacker achieved domain dominance in a matter of hours. In this attack, the adversary showed its financial motivation by deploying crypto-mining tools across all servers and workstations. As it was the weekend, the attack ran undiscovered for a period.
There was no indication that the attack was targeted specifically at the organization; the attacker’s motives appear to have been purely financial. Crypto-mining is a low-risk, low-return payload: it requires no explicit decision on the part of the victim to pay. Rewards are smaller, but they are instant, which is perfect for high-volume, low-value attacks.
The lesson from this incident is that if you can make yourself more difficult than average to compromise, low-skill attackers often give up quickly and move to the next target. Basically, outrunning your friend, not the bear. A focus on fixing the basics will go a long way to protecting most small and medium-sized enterprises. Below are seven (wholly non-exhaustive) areas that can quickly make you a harder target to hit, and all of them are things we implement when engaged with customers on reactive projects.
1. Patch everything, faster
Aiming for full patch coverage within 48 hours will noticeably improve your security posture. Patch your servers as soon as you can, with a focus on Tier 0 systems such as Domain Controllers and Microsoft Azure Active Directory Connect.
Application patching is equally important, particularly for business productivity applications such as email clients, VPN clients, and web browsers. Enable automatic updates for your web browsers, be it Edge, Chrome, Firefox, or others. Out-of-date browsers expose customer data and the device itself to compromise. Using the cloud and Windows Update for Business can help to automate patching and remove some of the upkeep burden when your organization’s workforce is distributed, particularly with a pandemic-style remote workforce.
As part of a Compromise Recovery, we work to make sure our customers can patch their most important assets within hours; this usually includes implementing rapid patch acceptance processes and test cycles for critical workloads. We see a great deal of benefit in keeping the patching systems for your key workloads separate, for example by implementing a dedicated update management tool just for Domain Controllers.
2. Actively protect your machines
A well-configured, up-to-date Windows device running Microsoft Defender for Endpoint or another extended detection and response (XDR) solution should be your first line of defense. Coupled with a security information and event management (SIEM) system for your critical and key business systems, this will help give you visibility over your important assets. Make sure people are actually looking at alerts and tracking activity.
After we have invested time with our customers, we like to make sure that everything that happens within their important business systems is being well monitored and overseen. Being able to react to anything that may occur in the environment is vital to maintaining ongoing assurance in it.
3. Reduce your exposure
Opening any service to the internet comes with inherent risks. One hazard is that anything connected to the internet is routinely and regularly scanned. As we saw with the recent HAFNIUM exploit, anything that is detected as vulnerable is likely to be exploited within minutes of coming online.
Additionally, there are publicly available inventories of services exposed online. Not only are these results of interest to attackers looking for resources to exploit, but they can also be of use to those looking to enhance their own security posture.
In our customer example, Remote Desktop Protocol was exposed directly to the internet, with no mitigating controls.
We work with our customers to justify and reduce the exposure of any internet-facing services within their environments. We work alongside their administrative practices to make sure administrators are still able to fully maintain a system, but do so in a more secure way.
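A quick way to check a server for the kind of exposure described above is to read its Remote Desktop configuration and firewall scope from the host itself. The following PowerShell is an added example, not code from the Microsoft post or from CRSP; it assumes a Windows Server host, an elevated session, and the NetSecurity and NetTCPIP modules that ship with Windows Server 2012 R2 and later.

```powershell
# Added example (not from the Microsoft post): report a server's Remote Desktop
# exposure so an RDP listener open to the internet with no mitigating controls,
# like the one in the incident above, is spotted before an attacker finds it.
# Assumes Windows Server 2012 R2 or later and an elevated PowerShell session.

function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means Network Level Authentication is required,
    # which keeps unauthenticated clients away from the logon screen.
    $nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1

    # Which local addresses are actually listening on the RDP port (3389 by default).
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty LocalAddress -Unique

    # Enabled inbound RDP firewall rules whose remote scope is "Any" let the whole
    # internet in if the host has a public interface or sits behind a NAT rule.
    $unscopedRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
        Select-Object -ExpandProperty DisplayName

    $findings = @()
    if ($rdpEnabled -and -not $nlaRequired) { $findings += 'RDP enabled without Network Level Authentication' }
    if ($rdpEnabled -and $unscopedRules)    { $findings += "Inbound RDP rule(s) open to any remote address: $($unscopedRules -join ', ')" }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = $rdpEnabled
        NlaRequired   = $nlaRequired
        RdpPort       = $port
        ListeningOn   = $listeners -join ', '
        UnscopedRules = $unscopedRules -join ', '
        Findings      = if ($findings) { $findings -join '; ' } else { 'No obvious RDP exposure issues' }
    }
}

Get-RdpExposureReport | Format-List
```

Run it on each internet-facing Windows host (or through a remoting session against a list of hosts). A clean report does not mean the host is unreachable from the internet; a port-forward on an edge device can still expose it. Pair the host view with an external scan of your public address ranges, and where a vendor genuinely needs remote access, put RDP behind a VPN or a jump host with a scoped firewall rule rather than opening it to any remote address.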
4. Reduce your privilege
Most attacks rely on the attacker obtaining administrative access. If we can limit that exposure, we go a long way to blocking many attacks. Having a common local administrator password makes lateral movement and elevation of privilege a trivial task for attackers.
Local Administrator Password Solution (LAPS), which manages local administrator accounts on systems, has been available for nearly six years and is free. Nonetheless, on many engagements we see it has not been deployed. Deploy it on your network today.
In our public-sector example, the attacker was able to extract highly privileged credentials from an application server. Deploying privilege management and just-in-time administration solutions adds great value, but can be complex and take time. Quick wins can be had by looking at the membership of your critical security groups, like Domain Admins and Enterprise Admins, and reducing it to only those who really need it. In all but the largest environments, you should be able to count the number of Domain Administrators on the fingers of one hand.
Using a dedicated administrator workstation for high-value tasks reduces the risk that administrator credentials will be stolen. Even the most careful people sometimes click the wrong link. It’s not a good idea to use your administrator account on the same PC on which you read email or browse the web, because of the risk that introduces to your privileged credentials.
Having dedicated hardened machines just for administrators is a great and cost-effective way to tactically increase your security. A standalone machine without email or web browsing greatly increases the difficulty attackers face.
For our public sector customer, limits on the use of privilege would have made it much harder for the attacker to move from the initial beachhead on the exposed server to the rest of the environment.
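The two quick wins above, trimming privileged group membership and confirming LAPS is actually deployed, can be measured with a short Active Directory query. The following PowerShell is an added example, not code from the Microsoft post or from CRSP; it assumes the ActiveDirectory RSAT module on a domain-joined host and the original LAPS schema extension, which records each computer's password expiry in the ms-Mcs-AdmPwdExpirationTime attribute. The five-member threshold is the post's "one hand" rule of thumb.

```powershell
# Added example (not from the Microsoft post): audit the privileged groups and the
# LAPS coverage that the section above tells you to review. Assumes the
# ActiveDirectory RSAT module and the original (2015) LAPS schema extension.
# The password attribute itself (ms-Mcs-AdmPwd) is deliberately never read.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    [CmdletBinding()]
    param(
        # Groups that should stay tiny; "Administrators" is the built-in group on DCs.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        # The post's rule of thumb: count your Domain Admins on the fingers of one hand.
        [int]$Threshold = 5
    )
    foreach ($g in $Groups) {
        # -Recursive expands nested groups so indirectly privileged accounts are counted.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
        $users   = @($members | Where-Object objectClass -eq 'user')
        [pscustomobject]@{
            Group         = $g
            MemberCount   = $users.Count
            OverThreshold = $users.Count -gt $Threshold
            Members       = ($users.SamAccountName | Sort-Object) -join ', '
        }
    }
}

function Get-LapsCoverageReport {
    [CmdletBinding()]
    param()
    # Only enabled Windows machines matter; LAPS manages the local admin on each one.
    $computers = @(Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows*"' `
                                  -Properties OperatingSystem, 'ms-Mcs-AdmPwdExpirationTime')
    # A populated expiration time means the LAPS client has rotated the password at least once.
    $managed   = @($computers | Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' })
    $unmanaged = @($computers | Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' })
    [pscustomobject]@{
        TotalComputers  = $computers.Count
        LapsManaged     = $managed.Count
        LapsMissing     = $unmanaged.Count
        PercentCovered  = if ($computers.Count) { [math]::Round(100 * $managed.Count / $computers.Count, 1) } else { 0 }
        UnmanagedSample = ($unmanaged | Select-Object -First 10 -ExpandProperty Name) -join ', '
    }
}

Get-PrivilegedGroupReport | Format-Table -AutoSize
Get-LapsCoverageReport    | Format-List
```

Treat every account in the privileged report as a question ("does this person, or this service, still need it?") rather than a list to tidy once; re-run it on a schedule so membership creep is caught. Machines in the LAPS-missing list either lack the LAPS client or are not covered by the Group Policy that enables it, and those are exactly the hosts on which a shared local administrator password is most likely to survive.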
5. Utilize the power of the cloud
Consider what services you still need to run on-premises. If you don’t have a very explicit need to do it yourself, let someone else do it. The shared responsibility model in the cloud gives you the chance to reduce your exposure and delegate the security of the platform to a cloud provider. The cloud can scale automatically where traditional IT cannot, and the same is true for security services in the cloud.
Look at what you are running and replace it with platform as a service (PaaS) or software as a service (SaaS) applications where you can.
As an example, on-premises Exchange servers are a great product, but they require maintenance, patching, and configuration. Migrating mailboxes to Exchange Online removes a lot of work and reduces the attack surface by blocking most malicious and phishing messages before they reach mailboxes.
Running a secure web server in your environment can be hard; if you can, in the longer term, move to a cloud-based solution in Azure or another cloud. This wouldn’t have been relevant in this instance, but it’s a common attack vector.
Utilize modern cloud-powered security tools like Azure Security Center and Azure Defender. Even if your servers reside on-premises or in another cloud, they can still be configured to report to Security Center, giving you a picture of your security posture. The use of a SIEM system such as Microsoft Azure Sentinel can give increased visibility of possible attacks.
6. Pay down your technical debt
Running legacy operating systems increases your vulnerability to attacks that exploit long-standing vulnerabilities. Where possible, look to decommission or upgrade legacy Windows operating systems. Legacy protocols also increase risk: older file share technologies are a well-known attack vector for ransomware but are still in use in many environments.
In this incident, there were many systems, including Domain Controllers, that hadn’t been patched recently. This greatly aided the attacker in their movement across the environment. As part of helping customers, we look at the most important systems and make sure they are running the most up-to-date protocols that we can, to further harden the environment.
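Finding the technical debt described above starts with two inventories: which hosts still serve the legacy SMB1 file sharing protocol, and which domain computers still run an out-of-support Windows version. The following PowerShell is an added example, not code from the Microsoft post or from CRSP. It assumes Windows Server 2012 R2 or later for the SMB cmdlets, the ActiveDirectory RSAT module for the domain-wide inventory, and it treats Windows 7, Windows XP, Server 2003 and Server 2008 (all out of extended support by 2020) as "legacy"; adjust the patterns to your own support policy.

```powershell
# Added example (not from the Microsoft post): locate the two kinds of technical
# debt the section above calls out, the legacy SMB1 protocol and out-of-support
# Windows versions. Assumes Windows Server 2012 R2+ and the ActiveDirectory module.

function Get-Smb1Status {
    [CmdletBinding()]
    param()
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        # Signing makes tampering with SMB sessions harder; worth reading while here.
        SigningRequired   = $server.RequireSecuritySignature
    }
}

function Disable-Smb1Server {
    # Turns off the SMB1 server side on this host (needs an elevated session).
    # Run Get-Smb1Status first and confirm nothing still depends on SMB1, such as
    # very old printers or scanners that write to a share.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Get-LegacyOsInventory {
    [CmdletBinding()]
    param(
        # Which versions count as legacy is an assumption made in this example.
        [string[]]$LegacyPatterns = @('*Windows 7*', '*Windows XP*', '*Server 2003*', '*Server 2008*')
    )
    Import-Module ActiveDirectory
    $all = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, LastLogonDate
    $legacy = $all | Where-Object {
        $os = $_.OperatingSystem
        # Keep the computer if its OS string matches any legacy pattern.
        $LegacyPatterns | Where-Object { $os -like $_ }
    }
    # LastLogonDate helps separate live hosts from stale computer objects to clean up.
    $legacy | Select-Object Name, OperatingSystem, LastLogonDate | Sort-Object OperatingSystem
}

Get-Smb1Status        | Format-List
Get-LegacyOsInventory | Format-Table -AutoSize
```

Disabling SMB1 is usually safe on modern estates, but do it host by host after checking the status report, and watch the legacy inventory for stale computer objects: a machine that has not logged on for months is either already gone (delete the object) or a forgotten box that nobody is patching, which is worse.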
7. Look at your logs and act on alerts
As the saying goes, “collection is not detection.” On many engagements, the attacker’s actions are clear and obvious in the event logs. The common problem is that no one is looking at them on a day-to-day basis or understands what normal looks like. Unexplained changes to event logs, such as deletion or changes to retention settings, must be considered suspicious and investigated.
In this incident, the attacker’s actions could easily be traced through the logs after the fact. A SIEM system, which collates logs from many sources, was traditionally a significant investment and out of reach for all but large enterprises. With Azure Sentinel, it’s now within reach for everyone, with no requirement for on-premises infrastructure and no upfront investment. Simply deploy agents to your systems (it doesn’t matter if they are on-premises, in Azure, or in another cloud).
There is no magical engineering solution that is going to make you a harder target to hit. The Microsoft DART and CRSP teams are a great group of people, friendly and helpful, but you really don’t have to meet us.
A determined, well-resourced threat actor will, in time, breach the best cyber defenses. In summary, it’s not possible to outrun the bear, but taking the first steps to make yourself a harder target will make it much more likely that attackers will move on to easier targets.
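Even before a SIEM is in place, the two signals this incident left behind, a burst of failed logons from one source address and tampering with the logs themselves, can be pulled from the Security log of a single host. The following PowerShell is an added example, not code from the Microsoft post or from CRSP; it assumes rights to read the Security log on the host being checked, and the 24-hour window and 20-failure threshold are assumptions to tune for your environment.

```powershell
# Added example (not from the Microsoft post): a first look at the Security log for
# the two things the section above says are easy to miss: repeated failed logons
# from one source (the brute force that opened this incident) and changes to the
# logs themselves. Assumes read access to the Security log; thresholds are assumed.

function Get-FailedLogonBursts {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        # Failures from one source address before we call it a burst (assumed value).
        [int]$Threshold = 20
    )
    $since = (Get-Date).AddHours(-$Hours)
    # 4625 = an account failed to log on. Get-WinEvent throws when nothing matches,
    # hence SilentlyContinue so an empty window is reported as "no bursts".
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # The useful fields live in the event XML's EventData/Data elements.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $d['IpAddress']
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP), 3 = network
        }
    }
    $rows | Group-Object Source | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = ($_.Group.Account | Sort-Object -Unique).Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            LogonTypes    = ($_.Group.LogonType | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Failures -Descending
}

function Get-LogTamperingEvents {
    [CmdletBinding()]
    param([int]$Days = 7)
    # 1102 = the audit log was cleared; 4719 = the system audit policy was changed.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 4719; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-FailedLogonBursts  | Format-Table -AutoSize
Get-LogTamperingEvents | Format-Table -AutoSize
```

A source with many failures across many distinct accounts is password spraying; many failures against one account is a classic brute force like the one in this incident, and logon type 10 tells you it came over RDP. Any 1102 or 4719 event that nobody on the team can explain is worth an investigation on its own. Once a SIEM such as Azure Sentinel is collecting these logs, the same two questions become scheduled analytics rules instead of something a person remembers to run.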
To learn more about Microsoft Security answers, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post 7 ways to harden your environment against compromise appeared first on Microsoft Security Blog.