If there’s one word on the minds of the C-suite and boards of directors these days, it’s ransomware. According to a recent report by Sophos, India tops the list of 30 countries affected by ransomware, and the recovery cost from the impact amounted to over Rs 24.5 crore in 2021. Apart from the cost of the ransom payout, any downtime of operations can cost millions of dollars and potentially have serious economic impacts.
One of the most important drivers of ransomware today is the vast number of software vulnerabilities and misconfigurations that attackers are able to leverage to gain a foothold inside organisations and propagate their attacks. Once inside, attackers almost always target Active Directory (AD) weaknesses to escalate privileges and propagate code across the organisation.
A compromised AD essentially means that hackers can deploy ransomware to every device in the organization. Even if “good” backups are available to restore systems, the time and costs involved will be significant. One of the most effective ways to stop ransomware attacks is to focus on the fundamentals, such as taking a risk-based approach to vulnerability remediation and regularly assessing AD configurations.
Scan for vulnerable assets continuously: A retrospective look at past ransomware attacks reveals a common trait. Increasingly, ransomware strains are using software vulnerabilities as the initial attack vector. For instance, groups like REvil targeted Oracle WebLogic (CVE-2019-2729) and Pulse Secure (CVE-2019-11510) vulnerabilities. These flaws are dated and well known, making it essential to continuously scan the entire attack surface, especially web apps, remote access infrastructure and OT devices.
Remediate AD misconfigurations: Misconfigurations play a huge role in ransomware propagation across the organisation. For example, the Ryuk ransomware group was able to propagate an attack from a single email to complete domain-wide infection in just over 24 hours using common AD misconfigurations. AD contains the keys to the kingdom: login credentials, configuration settings and access policies. Once an attacker gains privileged access to AD, it is easy to own an organisation’s entire IT infrastructure, as AD holds information about all users, endpoints, applications and servers. Ensuring AD is free of misconfigurations can play a significant role in reducing the risk of cyberattacks.
De-escalate privilege escalation: The purpose of monitoring AD is to spot unusual activity. AD changes and Windows event logs can be correlated to reveal misuse of privileged accounts and active exploitation of misconfigurations. Armed with these correlated alerts, incident response teams can proactively stop ransomware attacks from spreading via AD. Integrate this data with your SIEM so that AD change records are analysed alongside the Windows Server event logs and data forwarded from other systems.
Prioritise vulnerabilities critical to the business: With over 18,000 vulnerabilities disclosed in 2020, it is impossible, and unrealistic, to patch each and every one of them. By using real-time threat intelligence, organisations can understand the latest attack paths used by ransomware groups and formulate remediation strategies accordingly. Ransomware groups tend to focus on specific types of weaknesses and asset categories. By identifying these vectors and the most important business assets, organisations can predict which vulnerabilities to focus on and proactively address them.
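The correlation the paragraph above describes, as an added example that is not part of the original article and not Tenable's product logic: a small Python rule engine run over a constructed sample of forwarded Windows Security events. It raises a medium alert whenever an account is added to a privileged AD group (Event ID 4728/4732/4756) and a high alert when that account then receives special privileges (Event ID 4672) on a host other than the domain controller where the change was made, within a one-hour window. The hosts, account names, timestamps, group list and window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security events as they might arrive in a SIEM
# after being forwarded from a domain controller (DC01) and a file server (FS02).
# Event IDs: 4728 = member added to a security-enabled global group,
# 4624 = successful logon, 4672 = special privileges assigned to a new logon.
# The hosts, accounts and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2021-06-01T09:00:05", "event_id": 4728, "host": "DC01",
     "subject": "jsmith", "target_user": "svc-backup", "group": "Domain Admins"},
    {"time": "2021-06-01T09:02:10", "event_id": 4624, "host": "FS02",
     "subject": "svc-backup", "logon_type": 3},
    {"time": "2021-06-01T09:02:11", "event_id": 4672, "host": "FS02",
     "subject": "svc-backup"},
    {"time": "2021-06-01T10:30:00", "event_id": 4624, "host": "WS-HR-07",
     "subject": "jdoe", "logon_type": 2},
    {"time": "2021-06-01T11:00:00", "event_id": 4672, "host": "DC01",
     "subject": "jsmith"},
]

# Groups whose membership changes should always be reviewed (assumed list;
# extend it with any tier-0 groups specific to your domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}   # global / local / universal group member added
CORRELATION_WINDOW = timedelta(hours=1)    # assumed window between change and use


def parse_events(raw_events):
    """Convert ISO timestamps to datetime and sort chronologically, as a SIEM would."""
    parsed = [dict(e, time=datetime.fromisoformat(e["time"])) for e in raw_events]
    return sorted(parsed, key=lambda e: e["time"])


def correlate_privilege_misuse(raw_events, window=CORRELATION_WINDOW):
    """Two rules run over an ordered event stream:
    1. medium: any account added to a privileged AD group (always worth a ticket);
    2. high:   that account then obtains special privileges (4672) on a host other
               than the DC where the change was made, within `window` of the change.
    Returns a list of alert dicts in the order they fire."""
    alerts = []
    recent_adds = []   # (change_time, user, group, changed_by, dc)
    for e in parse_events(raw_events):
        if e["event_id"] in GROUP_ADD_EVENT_IDS and e.get("group") in PRIVILEGED_GROUPS:
            recent_adds.append((e["time"], e["target_user"], e["group"], e["subject"], e["host"]))
            alerts.append({"severity": "medium", "rule": "privileged-group-add",
                           "user": e["target_user"], "group": e["group"],
                           "changed_by": e["subject"], "host": e["host"], "time": e["time"]})
        elif e["event_id"] == 4672:
            for change_time, user, group, changed_by, dc in recent_adds:
                in_window = change_time <= e["time"] <= change_time + window
                if user == e["subject"] and in_window and e["host"] != dc:
                    alerts.append({"severity": "high", "rule": "new-admin-used-privileges",
                                   "user": user, "group": group, "changed_by": changed_by,
                                   "host": e["host"], "time": e["time"],
                                   "minutes_after_change": (e["time"] - change_time).seconds // 60})
    return alerts


if __name__ == "__main__":
    for alert in correlate_privilege_misuse(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rule"], alert["user"], "on", alert["host"])
```

On the sample stream this yields one medium alert (jsmith added svc-backup to Domain Admins on DC01) followed by one high alert (svc-backup used its new privileges on FS02 two minutes later); jsmith's own 4672 on DC01 is not flagged because no group change preceded it. The same shape transfers to a SIEM rule language: keep the group-change events as short-lived state and join them against subsequent 4672 or 4624 events by account.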
Remediate, remediate, remediate: Very often, flaws identified by security teams are not remediated or patched. Security teams generally detect the vulnerabilities, but it is the responsibility of the IT teams and developers to make sure these are remediated. It’s therefore important to have risk-based vulnerability management solutions to automate workflows, correlate vulnerabilities with patches and verify that all instances of a vulnerability have been patched.
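The two preceding points, prioritising by business risk rather than raw severity and verifying that every instance of a flaw is closed, as an added Python example that is not part of the original article and not Tenable's scoring model. It combines CVSS, a business-assigned asset criticality, internet exposure and a threat-intel flag for ransomware use into one score, orders open findings by it, and groups what remains by CVE so a ticket is only closed when no asset still carries the flaw. The two CVEs are the ones named earlier on the page; the assets, CVSS values, multipliers and the placeholder `CVE-EXAMPLE-0001` are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset, as a scanner plus threat-intel
    enrichment would report it. All values below are constructed sample data."""
    cve: str
    asset: str
    cvss: float                     # CVSS base score, 0.0-10.0
    asset_criticality: int          # 1 (lab box) .. 5 (crown-jewel system), set by the business
    internet_facing: bool
    exploited_by_ransomware: bool   # flag from a threat-intel feed (assumed field)
    remediated: bool = False        # set once a rescan no longer detects it


# CVE-2019-11510 and CVE-2019-2729 are the two flaws named in the article; the
# CVSS values, assets and "CVE-EXAMPLE-0001" are made up for this example.
SAMPLE_FINDINGS = [
    Finding("CVE-2019-11510", "vpn-gw-01", 10.0, 5, True, True),
    Finding("CVE-2019-11510", "vpn-gw-02", 10.0, 5, True, True, remediated=True),
    Finding("CVE-2019-2729", "weblogic-prod-02", 9.8, 4, True, True),
    Finding("CVE-2019-2729", "weblogic-dev-01", 9.8, 1, False, True),
    Finding("CVE-EXAMPLE-0001", "hr-ws-07", 9.9, 2, False, False),
]


def risk_score(f):
    """Business-aware score: severity weighted by asset value, then boosted when
    threat intel says ransomware groups actively use the flaw and when the asset
    is reachable from the internet. The multipliers are illustrative choices."""
    score = f.cvss * f.asset_criticality          # 0 .. 50
    if f.exploited_by_ransomware:
        score *= 2.0
    if f.internet_facing:
        score *= 1.5
    return round(score, 1)


def prioritise(findings):
    """Open findings ordered for remediation, highest risk first."""
    open_findings = [f for f in findings if not f.remediated]
    return sorted(open_findings, key=lambda f: (-risk_score(f), f.cve, f.asset))


def unpatched_instances(findings):
    """Map CVE -> assets still exposed, so 'all instances patched' can be verified
    after a rescan instead of closing the ticket on the first fixed host."""
    remaining = {}
    for f in findings:
        if not f.remediated:
            remaining.setdefault(f.cve, []).append(f.asset)
    return remaining


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.1f}  {f.cve:18} {f.asset}")
    for cve, assets in unpatched_instances(SAMPLE_FINDINGS).items():
        print(f"{cve}: {len(assets)} instance(s) still open -> {', '.join(assets)}")
```

Note how the ordering differs from a plain CVSS sort: the 9.9-rated placeholder finding on a low-value workstation with no known ransomware use ranks below the 9.8 WebLogic flaw on the internet-facing production server, and the remediated VPN gateway drops out of the queue while its sibling keeps CVE-2019-11510 open. Any real deployment should take the criticality and threat-intel inputs from the asset inventory and feed rather than hard-coding them.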
Measure risk reduction: After doing all of the above, it’s important to track whether your organisation is effectively reducing risk. This requires developing key metrics to measure and communicate how the operational controls are working, and benchmarking data to compare performance across internal groups or externally against your peers. The metrics you set should cover foundational cyber hygiene practices such as your assessment capabilities, remediation speed and overall cyber risk reduction.
In this day and age, ransomware software packages are sold alongside millions of stolen access credentials on the dark web, allowing attackers with relatively low technical capabilities to execute effective ransomware attacks. To counter the increasing number of ransomware attacks, Indian organisations should follow these six fundamentals. Failure to do so allows attackers to monetise poor cyber hygiene.
The author is Kartik Shahani, Country Manager, Tenable India.