Building blocks in a company risk assessment
Video and blog by Bjarke Alling
We see bad news – data breaches, hacks, ransomware – the moment we open our computers and look at the world around us. But typically, I find that only around 10-20% of people I speak with have looked inward and done a risk assessment of their own ransomware vulnerabilities.
Maybe it is because I am Danish, but I think of an organization’s identity and access management as three interlocking building blocks. These are 1) Active Directory, 2) external browser and API access, and 3) user account management.
In the video below, I’ll go over a few actual ransomware cases, dive into the three blocks for offsetting these vulnerabilities, and then close with a look at some underappreciated hard and soft security skills. If you prefer to read, simply scroll past the video and you’ll find the same content in writing.
But before looking at these blocks, we need to talk about the main issue – passwords. According to a 2017 Verizon report, an incredible 81% of hacking-related breaches used stolen and/or weak passwords. And while this percentage varies from year to year, the issue remains unchanged – passwords.
As shown in this chart, passwords come with a conundrum – there is a clear division along two axes: high versus low security, and convenient versus inconvenient.
A password with two-factor authentication – you type in your username, type in the password, then add the second factor – provides high security, but convenience is lacking.
Down in the other corner, with low security but high convenience, is the simple password. The main compromise between these two, when we’re discussing high security and convenience together, is passwordless authentication – and sometimes even nameless authentication.
Targeting tradeoffs with blocks or silver bullets
Convenient or not, secure or not, these tradeoffs illustrate the messy world we live in. Dealing with this requires a methodical building block approach, not a silver bullet, Clint Eastwood approach. There are also many tools already in our identity and access management toolbox – some are open source, others are commercial products. The tools are there and available; the real question is how and where we will use them.
Microsoft’s Active Directory
Active Directory is a big target, but it is not taken with a single bull’s-eye shot. Each attack has several phases, as described in Anatomy of Targeted Ransomware Attacks by the Danish Center for Cyber Security. The initial phase often includes phishing attempts, drive-by downloads, credential theft and more. Then come lateral movements, where attackers move around inside a company and start gaining access to systems that are more critical than the system they originally compromised. We also see attackers gaining persistence by misusing legitimate remote access tools, and then escalating their privileges.
So if there is weak access somewhere – publicly available RDP access, a poorly functioning VPN, a login service exposed somewhere – it needs to be considered part of an attack vector. Once attackers have escalated their privileges to the domain administrator level, they have access to the Windows machines in the domain, and you are doomed.
Just remember the Maersk breach with NotPetya, Norsk Hydro, the Demant hearing aid company, and ISS, a large cleaning and service company. They were all compromised through their Active Directory – and that was the start of every problem.
Here are some thoughts on ways to mitigate these AD issues:
- Network segregation. Split the network into multiple segments and make sure that communication between the segments is isolated. That will help a lot when an accident does happen.
- Directory segregation. Split your Active Directory into multiple directories and then put a meta-directory on top. These things are simple to implement, and tools already exist to do it.
- Multiple operating system platforms. There’s no reason to have only Microsoft Windows in your environment. Consider spreading some Linux systems across it, because the more kinds of systems you have, the more complicated the attack will need to be.
- Protect admin accounts. Make sure that people who should not have admin rights do not have them. Limit the number of such users and set up the tools that can support that goal.
- Use SIEM systems, logging systems, to monitor what goes on. It’s surprising how many companies have log files but no centralized system for looking at them. There are many SIEM systems to choose from.
Here are some points to remember during your AD mitigation:
- Centralized monitoring capability is essential – regardless of whether it is in a big commercial product or open source.
- Your fallback mitigation plan should include tools for offsite hot disaster recovery and continuous malware scanning of historical backups.
- Use (all of) your antivirus. The majority of antivirus products have tools that prevent encryption and ransomware attacks in multiple ways. Unfortunately, it is common to see companies that bought only the basic model, where this functionality was not included.
- Train ahead of an event. An attack will happen, and that is simply not the time to invent processes or contemplate “what if”. Be prepared in advance.
External Browser and the API Access Block
Hafnium and Kaseya are two examples of why this external browser and API access block is needed. In the Danish Hafnium cases, Exchange servers were attacked through a flaw deep in the web access layer. In the Kaseya case, an API issue caused problems for supermarkets in Sweden and for hundreds of other companies around the world.
So, what could have been done to mitigate these cases?
- Proxy service. This was relevant in the Hafnium case. Do not expose vulnerable APIs directly. Instead, put tools in front of them that can inspect the URL calls and block a given function. These tools exist.
- API gateways. If you are using a specific API, IDS and IPS tools can help – even if they are quite complicated to configure and a pain to manage.
- Mandatory trust and risk-based authentication. When establishing communication among trusted parties, first put up tools that can examine incoming messages before you accept them. And if you have risk-based authentication, you can score each request mathematically and monitor what goes on.
- Rethink your concept of accounts. Think about your various IoT accounts, your applications, and your people: these should not be in one big pot. Separate and segregate them in a way that gives you oversight and control over what goes on.
User Account Management
A few famous cases in the user account management block are Colonial Pipeline, Brenntag, and JBS.
The Colonial Pipeline breach resulted from a VPN account that should have been deactivated years before. It was not, and suddenly half the East Coast of the USA could not get petroleum. This showed that a small breach combined with poor user account management can have giant consequences.
So, what are the mitigation steps?
- I.D. validation of every account. You should not have a user account unless you are 100% sure it is connected to a real human being. This is a simple and essential step.
- Passwordless logins everywhere – including your VPN, RDP, and even the WiFi. Each step strengthens the weak spots in your defense.
- Stop using username-password access alone. This applies everywhere on the network, both the perimeter and the inner networks. Remember, once attackers are inside the network, they can start lateral moves and find unprotected weaknesses.
- Remember the principle of least privilege – even for yourself. There is no reason to check a box that enables complete access. Yes, this is troublesome and complicated, but important. Make sure that only people who need access get access. There is no reason even for you, as an IT person in your company, to have access to everything. Limit your own access and grant yourself only the essential permissions, because you yourself are also a target.
- Real-time monitoring of login activities. Look into who is logging into the network. Typically, attacks take place over a long timeline – even over months. Monitor what goes on: who did what, where and when. Is there someone logging in at 3:00 in the morning who would normally only log in during the daytime? All of this data is already available.
- Real-time user account integration with payroll systems. Connect the payroll with your user system – and don’t wait for days, months, or years to deactivate accounts. In the Colonial Pipeline case, there was an external consultant with an account that had not been deactivated for years. Unfortunately, that consultant had also reused the password on multiple accounts and then suffered a data breach.
- Automated deprovisioning. Everyone agrees that it is important to get people onboarded quickly and efficiently. But it is even more important that accounts be deprovisioned when the individual stops working. Tools already exist that can do this automatically.
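As an added example (not code from the original post), the two checks the login monitoring and payroll integration points above call for: flagging logins at an hour that is unusual for that user, and flagging successful logins by accounts with no active employee behind them. The HR roster and VPN log lines are constructed for illustration; the login-hour baseline (median of the user’s other logins) is an assumption of this example.

```python
# Added example (not the post's code); all roster entries and log lines are constructed.
from collections import defaultdict
from datetime import datetime

HR_ROSTER = {"alice": "active", "bob": "active", "consultant1": "terminated"}

VPN_LOG = """\
2021-05-03T08:02:11 alice success
2021-05-03T08:45:50 bob success
2021-05-04T09:10:03 alice success
2021-05-04T07:30:18 bob success
2021-05-05T03:00:27 alice success
2021-05-05T03:01:40 alice failure
2021-05-05T08:12:44 bob success
2021-05-06T22:41:09 consultant1 success
2021-05-07T10:12:00 svc_backup success
"""

def parse_log(text):
    """Each line: ISO timestamp, user, result -> (datetime, user, result)."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def orphaned_logins(events, roster):
    """Successful logins with no active person behind the account: HR status
    other than active, or a user the roster does not know at all."""
    return [(user, ts.isoformat()) for ts, user, result in events
            if result == "success" and roster.get(user, "unknown") != "active"]

def off_hours_logins(events, max_shift=4):
    """Successful logins whose hour is far from the user's usual login hour
    (median hour of that user's other successful logins); users with fewer
    than two other logins have no baseline and are skipped."""
    hours = defaultdict(list)
    for ts, user, result in events:
        if result == "success":
            hours[user].append(ts.hour)
    flagged = []
    for ts, user, result in events:
        if result != "success":
            continue
        others = list(hours[user])
        others.remove(ts.hour)            # leave this login out of its own baseline
        if len(others) < 2:
            continue
        usual = sorted(others)[len(others) // 2]
        shift = abs(ts.hour - usual)
        if min(shift, 24 - shift) >= max_shift:   # distance around the clock
            flagged.append((user, ts.isoformat()))
    return flagged
```

On the constructed data, the terminated consultant and the unknown service account are reported as orphaned, and alice's 03:00 login is reported as off-hours while her failed attempt and the normal daytime logins are not.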
Putting blocks together with hard and soft skills
When we build with LEGO blocks, we need hard and soft skills. The hard skill is following the diagram that shows precisely which parts and blocks are needed. The softer skills are innovation and learning from what others are building.
With security, hard skills include the Zero Trust framework laid out by the US NIST and others, which has become widely available from many vendors in the market. The standards and regulations from ISO and the ISAE agreements are also hard skills and valuable sources of information on how to plan and prioritize your efforts. In addition to GDPR, there is the upcoming European standard named NIS Version Two. It will probably come into effect in 2024, and it will be a big area of legal compliance. In the financial sector there is PSD2, and then eIDAS for those in the public sector. Think of these as a measuring stick for building that network correctly and for determining where the blame lies afterwards.
There is also the soft skill of sharing knowledge. The only way we can become stronger and more resilient against attacks is to talk about them. Please communicate when and if something happens to you. It doesn’t have to be in the middle of the event; just do it when you are back and operational. Talk about what happened, how you mitigated it, and your conclusions. Exchanging this information is the only way that we, as companies and individuals, can become stronger and more resilient as we assemble these three security blocks.
About the author
Bjarke Alling is the founder and group director of LIGA, an IT security company. He is the former co-chair and a current member of the National Danish Cyber Security Council, chair of the I.T. Security Committee, and a member of the Board of the Danish ICT Industry Association.
Follow on LinkedIn: https://www.linkedin.com/in/bjarkealling/
Note: LIGA has no business dealings with the companies described in this post. All case information cited here is from data in the public domain.