Here at the global Microsoft Compromise Recovery Security Practice (CRSP), we work with customers who have experienced disruptive security incidents to restore trust in identity systems and remove adversary control. During 2020, the team responded to many incidents involving ransomware and the deployment of crypto-mining tools.
Ransomware is a growing threat to organizations and home users, as it is a low-cost, high-return business model. These attacks aren’t complex; they rely on tools and software exploits that have existed for many years and are still not remediated. They’re still sought out for a simple reason: they still work.
In this post, we hope to share with you the most practical and cost-effective ways of never needing our services.
Update and maintain your basic security
There is an old story about two hikers in the wilderness who see a bear coming towards them. One reaches for his running shoes and his friend says, “you’ll never outrun a bear.” The first hiker replies, “I don’t have to, I just need to outrun you.”
The theme behind this story echoes in the current cybersecurity threat landscape. The news is full of stories of cyberattacks, most of which are described as “extremely sophisticated.” However, the truth is the bulk of cyber incidents aren’t particularly sophisticated.
Most attackers aren’t well-funded nation-states; they are just criminals trying to make some money. Direct financial gain is a key motivator behind cyberattacks in 2020. This is particularly true when the victims are small to medium enterprises and non-profit sectors, like schools and charities. An easy way in which you can improve your security posture is with quick and efficient patching.
In early 2020, Microsoft’s Detection and Response Team (DART) was engaged by a public sector organization in Australia to investigate a cyberattack. The DART investigation determined that the attack originated from a foreign IP address. The Incident Response (IR) investigation found that the adversary began by scanning internet-facing infrastructure for exposed ports to attack.
In this instance, a remote desktop connection had been opened directly to the internet so that a software vendor could provide support. A weak administrative password was quickly brute-forced. With administrative access to the exposed server, the attackers performed some reasonably noisy network reconnaissance using commonly available hacking tools, then moved laterally across the network, escalating to Domain Controllers.
Following the DART investigation, the CRSP team worked to recover the environment through re-establishing trust in the identity systems, hardening defenses, and removing the adversary’s control. Although high profile and well-resourced, the public sector organization was a small organization of around 500 staff and had unfortunately fallen behind in security measures in recent years.
From the initial brute force attack, the attacker achieved domain dominance in a matter of hours. In this attack, the adversary showed its financial motivation by deploying crypto-mining tools across all servers and workstations. As it was the weekend, the attack went undiscovered for a period.
There was no indication that the attack was targeted specifically at the organization; the attacker’s motivations appeared to be purely financial. Crypto-mining is a low-risk, low-return payload: it requires no explicit choice on the part of the victim to pay. The rewards are smaller but instant, perfect for high-volume, low-value attacks.
The lesson from this incident is that if you can make yourself more difficult than average to compromise, low-skill attackers often give up quickly and move to the next target. Basically, you outrun your friend, not the bear. A focus on fixing up the basics will go a long way to protecting most small and medium-sized enterprises. Below are seven (entirely non-exhaustive) areas that can quickly make you a harder target to hit—and are all things we implement when engaged with customers on reactive projects.
1. Patch everything, faster
Aiming for full patch coverage within 48 hours will noticeably improve your security posture. Patch your servers as soon as you can, with a focus on Tier 0 systems such as Domain Controllers and Microsoft Azure Active Directory Connect.
Application patching is equally important, particularly for business productivity applications such as email clients, VPN clients, and web browsers. Enable automatic updating of your web browsers, whether Edge, Chrome, Firefox, or others; out-of-date browsers expose user data and the device to compromise. Using the cloud and Windows Update for Business can help automate patching and remove some of the maintenance burden of a distributed workforce, which the pandemic has made the norm for many organizations.
As part of a Compromise Recovery, we work to make sure our customers can patch their most important assets within hours; this usually includes implementing rapid patch approval processes and test cycles for critical workloads. We see a great deal of benefit in keeping your patching systems separate for your key workloads, like implementing a dedicated update management tool just for Domain Controllers.
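One way to make Tier 0 patch lag visible, as an added example that is not code from the original post or from CRSP: the script below enumerates every Domain Controller, finds the newest installed update on each, and flags any DC whose newest update is older than a threshold. It assumes the ActiveDirectory module (RSAT) is installed and that the machine running it can query each DC remotely; the 30-day threshold is a hypothetical starting point, not a Microsoft recommendation.

```powershell
# Added example, not from the original post: report the age of the newest
# installed update on every Domain Controller so Tier 0 patch lag is visible.
# Assumes the ActiveDirectory module (RSAT) and remote access to each DC.
Import-Module ActiveDirectory

function Get-Tier0PatchAge {
    param(
        # Hypothetical threshold: any DC whose newest update is older than this
        # many days is flagged for attention.
        [int]$MaxAgeDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # Get-HotFix lists installed updates; InstalledOn is blank for some
            # entries, so those are dropped before picking the newest.
            $latest = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
            [pscustomobject]@{
                Server         = $dc.HostName
                LatestUpdate   = $latest.HotFixID
                InstalledOn    = $latest.InstalledOn
                NeedsAttention = (-not $latest) -or ($latest.InstalledOn -lt $cutoff)
                Error          = $null
            }
        }
        catch {
            # An unreachable DC is reported, not silently skipped: a DC you
            # cannot query is also a DC you cannot confirm is patched.
            [pscustomobject]@{
                Server         = $dc.HostName
                LatestUpdate   = $null
                InstalledOn    = $null
                NeedsAttention = $true
                Error          = $_.Exception.Message
            }
        }
    }
}

# Oldest first, so the DCs that need work appear at the top of the table.
Get-Tier0PatchAge | Sort-Object InstalledOn | Format-Table -AutoSize
```

The same function can be pointed at Azure AD Connect servers or any other Tier 0 hosts by replacing the `Get-ADDomainController` loop with a list of host names; the check itself does not change.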
2. Actively protect your devices
A well-configured, up-to-date Windows device running Microsoft Defender for Endpoint or another extended detection and response (XDR) solution should be your first line of defense. Coupled with a security information and event management (SIEM) system for your critical and key business systems, this will help give you visibility over your important assets. Make sure people are looking at alerts and tracking activities.
After we have spent time with our customers, we make sure that everything that happens within their important business systems is well monitored and managed. Being able to react to anything that may occur in this environment is vital to maintaining ongoing assurance in it.
3. Reduce your exposure
Opening any service to the internet comes with inherent risks. One risk is that anything connected to the internet is routinely and regularly scanned. As we saw with the recent HAFNIUM exploit, anything that is found vulnerable will potentially be exploited within minutes of coming online.
Additionally, there are publicly available indexes of services exposed online. These results are of interest not only to attackers looking for resources to exploit, but also to those looking to enhance their own security posture.
A firewall that restricts access to defined source addresses will mitigate the risk somewhat, as will placing them behind a VPN connection, especially one that requires two-factor authentication.
If your servers are in Azure or another cloud, use a network security group to restrict access to specific IPs, or even better use just-in-time access and Microsoft Azure Bastion.
In our customer example, Remote Desktop Protocol was exposed directly to the internet, with no mitigating controls.
We work with our customers to justify and reduce the exposure of any internet-facing services within an environment. We also review administrative practices to make sure administrators can still fully maintain a system, but in a more secure way.
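For the Azure case described above, here is an added example (not code from the original post) of checking for the weak setting and applying the corrected one with the Az.Network module: the first function lists every inbound Allow rule that admits RDP (TCP 3389) from an unrestricted source, and the second part replaces such a rule with one scoped to a defined administrative range. It assumes an authenticated session (`Connect-AzAccount`); the NSG name `admin-nsg`, resource group `rg-prod`, rule names and the range `203.0.113.0/24` are placeholders. Just-in-time access or Azure Bastion, as the post notes, is better still, because no standing rule is needed at all.

```powershell
# Added example, not from the original post. Requires Az.Network and an
# authenticated session (Connect-AzAccount). Names and addresses are placeholders.

function Find-OpenRdpRule {
    # Returns every inbound Allow rule whose destination port covers 3389 and
    # whose source is unrestricted ('*', the 'Internet' tag or 0.0.0.0/0).
    $openSources = @('*', 'Internet', '0.0.0.0/0')
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }

            # Port entries may be a single port, '*', or a range such as 3000-4000.
            $coversRdp = @($rule.DestinationPortRange) | Where-Object {
                $_ -eq '*' -or $_ -eq '3389' -or
                ($_ -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le 3389 -and [int]$Matches[2] -ge 3389)
            }
            $sources   = @($rule.SourceAddressPrefix)
            $anySource = $sources | Where-Object { $openSources -contains $_ }

            if ($coversRdp -and $anySource) {
                [pscustomobject]@{
                    NSG      = $nsg.Name
                    Rule     = $rule.Name
                    Priority = $rule.Priority
                    Source   = ($sources -join ',')
                    Ports    = (@($rule.DestinationPortRange) -join ',')
                }
            }
        }
    }
}

# Weak setting: report it.
Find-OpenRdpRule | Format-Table -AutoSize

# Corrected shape: drop the open rule and admit RDP only from the admin range.
# 'admin-nsg', 'rg-prod', the rule names and 203.0.113.0/24 are placeholders.
$nsg = Get-AzNetworkSecurityGroup -Name 'admin-nsg' -ResourceGroupName 'rg-prod'
$nsg | Remove-AzNetworkSecurityRuleConfig -Name 'AllowRdpFromAnywhere' |
    Add-AzNetworkSecurityRuleConfig -Name 'AllowRdpFromAdminRange' `
        -Description 'RDP only from the administrative VPN range' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix '203.0.113.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389 |
    Set-AzNetworkSecurityGroup
```

The audit function is deliberately broad: a rule with destination port `*` or a range that spans 3389 exposes RDP just as surely as one that names the port, and rules with multiple source prefixes are flattened so a single `*` among them is caught.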
4. Reduce your privilege
Most attacks rely on the attacker obtaining administrative access. If we can limit exposure, we go a long way to blocking many attacks. Having a common local admin password makes lateral movement and elevation of privilege a trivial task for attackers.
Local Administrator Password Solution (LAPS), which manages local administration accounts on systems, has been available for nearly six years and is free. Nonetheless, on many engagements, we see it has not been deployed. Deploy it on your network today.
In our public-sector example, the attacker was able to extract highly privileged credentials from an application server. Deploying privilege management and just-in-time admin solutions adds great value but can be complex and take time. Quick wins can be had by looking at the membership of your critical security groups, like Domain and Enterprise Administrators, and reducing it to just those who really need it.
In all but the largest of environments, you should be able to count the number of Domain Administrators on the fingers of one hand.
Using a dedicated administrator workstation for high-value tasks reduces the risk that administrator credentials will be stolen. Even the most careful of people sometimes click the wrong link. It’s not a good idea to use your administrator account on the same PC where you read email or browse the web, because of the risk that introduces to your privileged credentials.
Use Managed Service Accounts with automatically rotating passwords; if an application vendor tells you that their service account needs to be an administrator, it’s time to push back hard.
Read more on our guidance surrounding securing privileged access.
Having dedicated hardened devices just for administrators is a great and cost-effective way to tactically increase your security. Having a standalone machine without email or web browsing greatly increases the difficulties attackers face.
For our public sector customer, limits to the use of privilege would have made it much harder for the attacker to move from the initial beachhead on the exposed server to the rest of the environment.
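Two of the quick wins in this section, the privileged-group headcount and LAPS coverage, can be measured in a few minutes. The script below is an added example, not code from the original post or from CRSP: it expands nested membership of the critical groups and counts the user accounts, then lists enabled, recently active computers that carry no legacy LAPS expiration stamp (`ms-Mcs-AdmPwdExpirationTime`), meaning LAPS has never managed their local administrator password. It assumes the ActiveDirectory module (RSAT); the "more than five" review marker and the 90-day activity window are hypothetical thresholds.

```powershell
# Added example, not from the original post: two privilege checks that need
# only the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so a group-within-a-group cannot
        # hide a member; only user objects are counted.
        $members = @(Get-ADGroupMember -Identity $g -Recursive |
                     Where-Object { $_.objectClass -eq 'user' })
        [pscustomobject]@{
            Group   = $g
            Users   = $members.Count
            # "Fingers of one hand": anything above five (hypothetical marker)
            # is worth a membership review.
            Review  = $members.Count -gt 5
            Members = ($members.SamAccountName -join ', ')
        }
    }
}

function Get-LapsCoverage {
    param([int]$ActiveWithinDays = 90)
    $since = (Get-Date).AddDays(-$ActiveWithinDays)
    # Legacy LAPS stamps ms-Mcs-AdmPwdExpirationTime on every computer it
    # manages; a machine it has never touched has no value there at all.
    Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -ge $since } `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem, LastLogonDate |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Computer    = $_.Name
            OS          = $_.OperatingSystem
            LastLogon   = $_.LastLogonDate
            LapsManaged = [bool]$raw
            # The attribute is a FILETIME-style 64-bit integer.
            Expires     = if ($raw) { [datetime]::FromFileTime([int64]$raw) } else { $null }
        }
    }
}

Get-PrivilegedGroupReport | Format-Table Group, Users, Review, Members -AutoSize

# Machines with no LAPS stamp are the ones most likely to share a common
# local admin password; these are the first to fix.
Get-LapsCoverage | Where-Object { -not $_.LapsManaged } |
    Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

If the environment has moved to Windows LAPS, the equivalent stamp is `msLAPS-PasswordExpirationTime`; substitute that attribute name in `Get-LapsCoverage` and the rest of the check is unchanged.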
5. Utilize the power of the cloud
Consider what services you still need to run on-premises. If you don’t have a very explicit need to do it yourself, let someone else. The shared responsibility model in the cloud gives you the chance to reduce your exposure and delegate the security of the platform to a cloud provider. The cloud can scale automatically where traditional IT cannot, and the same should be said for security services in the cloud.
Look at what you are running and replace it with platform as a service (PaaS) or software as a service (SaaS) applications where you can.
As an example, on-premises Exchange servers are a great product, but they require maintenance, patching, and configuration. Migration of mailboxes to Exchange Online removes a lot of work and decreases the attack surface by blocking most malicious and phishing links before they get to mailboxes.
Running a secure web server in your environment can be hard; if you can, in the longer term, move to a cloud-based solution in Azure or another cloud. This wouldn’t have been relevant in this instance, but it’s a common attack vector.
Utilize modern cloud-powered security tools like Azure Security Center and Azure Defender. Even if your servers reside on-premises or in another cloud, they can still be configured to report to the Security Center giving you a picture of your security posture. The use of a SIEM system such as Microsoft Azure Sentinel can give increased visibility of potential attacks.
Had our attacked customer been using cloud security solutions, they would have seen the attack happening.
6. Pay down your technical debt
Running legacy operating systems increases your vulnerability to attacks that exploit long-standing vulnerabilities. Where possible, look to decommission or upgrade legacy Windows operating systems. Legacy protocols can increase risk. Older file share technologies are a well-known attack vector for ransomware but are still in use in many environments.
In this incident, there were many systems, including Domain Controllers, that hadn’t been patched recently. This greatly aided the attacker in their movement across the environment. As part of helping customers, we look at the most important systems and make sure we are running the most up-to-date protocols that we can to further enhance an environment.
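To put numbers on the technical debt this section describes, here is an added example (not code from the original post or from CRSP) that lists enabled computer accounts still running out-of-support Windows versions and then checks whether SMBv1, the older file-share protocol the post alludes to, is still enabled on the Domain Controllers. It assumes the ActiveDirectory module (RSAT) and WinRM access to the servers being checked; the operating-system name patterns are illustrative and should be extended to match your environment.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module
# (RSAT) and WinRM access for the remote SMB configuration check.
Import-Module ActiveDirectory

function Get-LegacyWindowsHosts {
    # Illustrative patterns for versions no longer in mainstream or extended
    # support at the time of the post; adjust the list for your own estate.
    $legacyPatterns = @('*2003*', '*2008*', '*Windows 7*', '*Windows XP*')

    # Build one LDAP-style filter: OperatingSystem -like '*2003*' -or ...
    $filter = ($legacyPatterns | ForEach-Object { "OperatingSystem -like '$_'" }) -join ' -or '

    Get-ADComputer -Filter $filter -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Where-Object Enabled |
        Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate
}

function Test-Smb1Enabled {
    param([Parameter(Mandatory)] [string[]]$ComputerName)
    # Runs on each target and reads the server-side SMB configuration.
    # Remediation, once nothing depends on it:
    #   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $cfg = Get-SmbServerConfiguration
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Smb1Server = $cfg.EnableSMB1Protocol
        }
    } | Select-Object Computer, Smb1Server
}

# Domain Controllers first: they are Tier 0 and were unpatched in the incident.
$dcs = (Get-ADDomainController -Filter *).HostName
Test-Smb1Enabled -ComputerName $dcs | Format-Table -AutoSize

# Then the wider estate, most recently active first so live systems surface.
Get-LegacyWindowsHosts | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize
```

Sorting the legacy list by last logon matters in practice: stale computer accounts for long-decommissioned machines inflate the count, while a recently active Server 2008 host is the one that needs a plan.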
7. Look at your logs and act on alerts
As the saying goes, “collection is not detection.” On many engagements, the attacker’s actions are clear and obvious in event logs. The common problem is no one is looking at them on a day-to-day basis or understanding what normal looks like. Unexplained changes to event logs, such as deletion or retention changes, should be considered suspicious and investigated.
In this incident, the attacker’s actions could easily be traced through logs after the fact. A SIEM system, which collates logs from many sources, was traditionally a major investment and out of reach for all but large enterprises. With Azure Sentinel, it’s now within reach for everyone—with no requirements for on-premises infrastructure and requiring no upfront investment. Simply deploy agents to your systems (it doesn’t matter if they are on-premises, Azure, or another cloud).
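The two patterns in this incident that a log review would have surfaced are a burst of failed logons followed by a success from the same address, and the Security log being cleared. The following is an added example, not code from the original post or from CRSP, of detection logic for both, run over a small set of constructed sample events so it executes without a live system; the final function shows how real `Get-WinEvent` records are mapped into the same shape. The 20-failure, 10-minute thresholds are hypothetical starting points.

```powershell
# Added example, not from the original post. The sample events below are
# constructed so the detections run offline; ConvertFrom-SecurityEvent maps
# live Security-log records into the same fields.

function Find-BruteForceLogon {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$FailureThreshold = 20,   # hypothetical threshold
        [int]$WindowMinutes    = 10    # hypothetical window
    )
    # Group 4625 (failed logon) by source address; flag sources whose failures
    # fit inside the window, and note whether a 4624 (success) followed.
    $Events | Where-Object { $_.Id -in 4624, 4625 -and $_.SourceIp } |
        Group-Object SourceIp | ForEach-Object {
            $fails = @($_.Group | Where-Object Id -eq 4625 | Sort-Object Time)
            if ($fails.Count -lt $FailureThreshold) { return }
            $span = $fails[-1].Time - $fails[0].Time
            if ($span.TotalMinutes -gt $WindowMinutes) { return }
            $success = $_.Group |
                Where-Object { $_.Id -eq 4624 -and $_.Time -gt $fails[-1].Time } |
                Select-Object -First 1
            [pscustomobject]@{
                SourceIp          = $_.Name
                Failures          = $fails.Count
                Minutes           = [math]::Round($span.TotalMinutes, 1)
                Accounts          = (($fails.Account | Sort-Object -Unique) -join ',')
                FollowedBySuccess = [bool]$success
            }
        }
}

function Find-LogClearing {
    param([Parameter(Mandatory)] [object[]]$Events)
    # 1102 = Security log cleared; 104 = a System/Application log was cleared.
    $Events | Where-Object { $_.Id -in 1102, 104 } |
        Select-Object Time, Id, Account, Computer
}

function ConvertFrom-SecurityEvent {
    # Maps a live Get-WinEvent record into the flat shape above, reading named
    # EventData fields from the event XML rather than by positional index.
    # For 1102 there is no EventData, so Account falls back to the SID.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $Record.TimeCreated
            Id       = $Record.Id
            Account  = if ($data.TargetUserName) { $data.TargetUserName } else { $Record.UserId }
            SourceIp = $data.IpAddress
            Computer = $Record.MachineName
        }
    }
}

# Constructed sample: 25 failures against 'administrator' from one address
# over four minutes, a success from the same address, then the log is cleared.
$t0 = [datetime]'2020-03-07T02:00:00'
$sample = @()
foreach ($i in 0..24) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds($i * 10); Id = 4625; Account = 'administrator'; SourceIp = '198.51.100.7'; Computer = 'APP01' }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(5);  Id = 4624; Account = 'administrator'; SourceIp = '198.51.100.7'; Computer = 'APP01' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(40); Id = 1102; Account = 'administrator'; SourceIp = $null;          Computer = 'APP01' }

Find-BruteForceLogon -Events $sample | Format-Table -AutoSize
Find-LogClearing -Events $sample | Format-Table -AutoSize

# Live use against the local Security log (not run here):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,1102} -MaxEvents 5000 |
#     ConvertFrom-SecurityEvent | Find-BruteForceLogon -Events { $input }
```

On the sample, `Find-BruteForceLogon` reports one source with 25 failures in 4 minutes and `FollowedBySuccess` set, and `Find-LogClearing` reports the 1102 event. For live use, collect the converted events into a variable first and pass that to the detections; the same logic is what a SIEM rule expresses, and the point of the section is that someone must actually be reading the result.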