Mitigating Rapid Cyberattacks
Introduction
1 – Review Attacks
2 – Recommendations & Findings
3 – Discover Blockers
Next Steps
Geographies: All
Duration: ~60 minutes
Impacted computers: 62,000 computers
• 12,000 servers
• 50,000 desktops
RAPID – Spreads through enterprise in minutes (no time for human response processes)
AUTOMATED – No human interaction required after attack cycle starts
DISRUPTIVE – Intentional operational disruption via destruction/encryption of data/systems
Expectations for today
Review – How rapid cyberattacks work
Recommend – Specific measures to improve your defenses against rapid cyberattacks
Discover – Potential blockers preventing you from implementing recommended mitigations
“New” attack innovations
• Supply Chain – Attack started in IT supply-chain, not phishing or browsing
• Multi-technique – Automated multiple traversal techniques effectively
• Fast – Automatic propagation (worm behavior) left no time for security teams to react
• Destructive – Destroyed assets (vs. silent theft or ransom demand)
Massive impact
• Encrypted a master file table (MFT), making it costly/difficult to retrieve data
• Replaced boot record with malicious code, making machine unbootable
ANATOMY OF A PETYA ATTACK
PREPARE (software vendor)
1. Attackers compromised software update infrastructure for MEDoc financial application
ENTER (device)
2. Trojan MEDoc update installed, launching malicious code
TRAVERSE (network & identity)
3. Multiple techniques used to spread rapidly:
• MS17-010 vulnerability (released March 2017)
• Credential theft and impersonation
EXECUTE
• Cleared Windows event logs
• Other potential actions?
• Encrypted MFT
• Made systems unbootable
TRAVERSE (Automated Worm Behavior)
1. TARGETING (network)
1. Acquire IP addresses
• Servers & DCs – DHCP subnets
• Other hosts – Local network
2. Validate IP addresses
• TCP/139 and TCP/445
• Connected shares
2. PRIVILEGE ACQUISITION
Impersonation
1. Impersonate current session (SYSTEM)
2. Impersonate other active local sessions (using token)
Exploitation
• MS17-010 (ETERNALBLUE): execute as SYSTEM on remote host
3. PROCESS EXECUTION
• PSExec
• WMIC
Note: Impersonation functionality has code similarities to Mimikatz
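Detection logic for the traversal stage above, as an added example that is not part of the original deck: it scans constructed, normalized host events (hypothetical hostnames, addresses, timestamps and field names, not a vendor log schema) for one source contacting many distinct peers on TCP/139 and TCP/445 inside a short window, and for PsExec-style service installs (PSEXESVC) on other hosts, which together are the worm-behavior signature the slide describes.

```python
"""Worm-like lateral-movement detection over normalized host events.

Added example (not from the original deck). Hostnames, addresses, timestamps and
the event field names are constructed assumptions, not a vendor log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}            # ports the deck says Petya used to validate targets
SUSPECT_SERVICES = {"PSEXESVC"}   # default service name PsExec installs on the remote host


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def build_sample_events():
    """Constructed events: WS-042 behaves like a worm, WS-007 like a normal user."""
    base = _ts("2017-06-27T10:30:00")
    events = []
    # WS-042 touches 12 distinct hosts on 445/139 within six seconds (subnet sweep)
    for i in range(12):
        events.append({"ts": base + timedelta(seconds=i // 2), "kind": "net", "src": "WS-042",
                       "dst": f"10.0.1.{11 + i}", "dport": 445 if i % 3 else 139})
    # WS-007 opens two file servers over ten minutes: ordinary use, must not alert
    events.append({"ts": base + timedelta(minutes=1), "kind": "net", "src": "WS-007",
                   "dst": "10.0.2.5", "dport": 445})
    events.append({"ts": base + timedelta(minutes=9), "kind": "net", "src": "WS-007",
                   "dst": "10.0.2.6", "dport": 445})
    # A PsExec-style service is installed on a domain controller right after the sweep
    events.append({"ts": base + timedelta(seconds=8), "kind": "svc", "host": "SRV-DC01",
                   "service": "PSEXESVC", "src": "WS-042"})
    return events


def smb_fanout(events, window=timedelta(seconds=60), threshold=10):
    """Map source -> max number of distinct SMB peers it contacted inside any `window`,
    keeping only sources at or above `threshold` (a person rarely opens 10 new hosts a minute)."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "net" and e["dport"] in SMB_PORTS:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        best, j = 0, 0
        for i in range(len(conns)):          # two-pointer sliding window over sorted times
            while j < len(conns) and conns[j][0] - conns[i][0] <= window:
                j += 1
            best = max(best, len({dst for _, dst in conns[i:j]}))
        if best >= threshold:
            alerts[src] = best
    return alerts


def remote_service_installs(events, suspects=SUSPECT_SERVICES):
    """Hosts where a PsExec-style service appeared, with the source that installed it."""
    return [(e["host"], e["service"], e.get("src")) for e in events
            if e["kind"] == "svc" and e["service"].upper() in suspects]


def triage(events):
    """One finding per fanning-out source, joined with the hosts it remotely executed on."""
    installs = remote_service_installs(events)
    findings = []
    for src, peers in sorted(smb_fanout(events).items()):
        hosts = sorted({host for host, _, s in installs if s == src})
        findings.append({"src": src, "distinct_smb_peers": peers, "remote_service_hosts": hosts})
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_events()):
        print(f"ISOLATE {f['src']}: {f['distinct_smb_peers']} SMB peers in <60s, "
              f"remote service installs on {f['remote_service_hosts']}")
```

Because the deck stresses there is no time for a human response, the finding is meant to feed an automatic isolation action rather than a ticket queue.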
• Targeted – Targeted at specific organizations.
• Offline recovery required – Online backup servers were taken out.
• Communications down – Office 365 online but Active Directory & Federation down. Needed off-site backups and printed documents for restore procedures. Used manual text messaging and Twitter.
• Spread was inhibited by Windows 10’s Secure Boot, Server Core, and Network Isolation.
• Less widespread than WannaCrypt, but more severe.
Mitigating Rapid Cyberattacks
Review
a. How rapid destruction attacks work
b. Your current risk factors for rapid cyberattacks
Recommend
Specific measures to improve your defenses against rapid cyberattacks
Discover
Potential blockers preventing you from implementing recommended mitigations
Attack Surface Reduction – Reduce critical risk factors across all attack stages (prepare, enter, traverse, execute)
Lateral Traversal / Securing Privileged Access – Mitigate ability to traverse (spread) using impersonation and credential theft attacks
Business Continuity / Disaster Recovery (BC/DR) – Rapidly resume business operations after a destructive attack
Exploit Mitigation – Mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment
DEFAULT RECOMMENDATIONS
Direct attack mitigation, rapid enablement:
1. Create malware-resistant backups of your critical systems and data
2. Immediately deploy critical Operating System security updates
3. Isolate (or retire) computers that cannot be updated and patched
4. Implement advanced e-mail and browser protections
5. Ensure host anti-malware solution gets real-time blocking responses from cloud
6. Implement unique local administrator passwords on all systems
7. Separate and protect privileged accounts
Direct attack mitigation, longer enablement (30 Days +):
1. Rapidly deploy all critical security updates
2. Validate your backups using standard restore procedures and tools
3. Disable unneeded legacy protocols
4. Discover and reduce broad permissions on file repositories
5. Stay current
IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER
Mitigation recommendations by category (numbering follows the rapid-enablement and longer-enablement lists above)
Exploit Mitigation
• 2. Immediately deploy critical OS security updates
• 1. Rapidly deploy all critical security updates
• 3. Isolate (or retire) computers that cannot be updated and patched
• 5. Stay current
Business Continuity / Disaster Recovery (BC/DR)
• 1. Create malware-resistant backups of your critical systems and data
• 2. Validate your backups using standard restore procedures and tools
Lateral Traversal / Securing Privileged Access
• 7. Separate and protect privileged accounts
• 6. Implement unique local administrator passwords on all systems
Attack Surface Reduction
• 3. Disable unneeded legacy protocols
• 4. Discover and reduce broad permissions on file repositories
• 4. Implement advanced e-mail and browser protections
• 5. Host anti-malware gets real-time blocking from cloud
ADDITIONAL RECOMMENDATIONS
1. Ensure outsourcing contracts and SLAs are compatible with rapid security response
2. Move critical workloads to SaaS and PaaS
3. Validate existing network controls (internet ingress, Lab/ICS/SCADA isolation)
4. Enable UEFI Secure Boot
5. Complete SPA roadmap Phase 2:
• Reduce attack surface for Active Directory, Domain Controllers, and Service Accounts
• Time-bound privileges (no permanent admins)
• Just Enough Admin (JEA) for DC Maintenance
6. Protect backup and deployment systems from rapid destruction
7. Restrict inbound peer traffic on all workstations
8. Use application whitelisting
9. Remove local administrator privileges from end-users
10. Implement modern threat detection solutions
You can't defeat the threats of the present with tools from the past
Photo credit: Wikimedia, Cannon from Galera Forte
We could patch 99%+ of our operating systems in 4 days if we had (or did)….
We could get all unsupported operating systems upgraded if we had (or did)….
We could deploy the credential theft recommendations if we had (or did)…
• Unique local administrator passwords on all systems (workstations, servers)
• Separate and protect privileged accounts
We could retire SMBv1, LM, and NTLMv1 if we had (or did)…
For each blocker, identify dependencies and remove dependencies in three areas:
• TECHNOLOGY (platforms, tools, etc.)
• PROCESS (procedures, approvals, etc.)
• PEOPLE (stakeholder buy-in, funding, etc.)
Next steps
<Highlight any action items identified in the meeting. Add customer specifics.>
Action | Person responsible | Completion date
2. Immediately deploy critical Operating System security updates
CRITICAL | Quick win (0 to 30 days)
Description
Critical Operating System updates are applied to 99%+ of computers in 4 days or less.
• Policy and process are documented (including validation/enforcement of results)
• See “Isolate (or retire) computers…” recommendation for handling exceptions
• Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
Expected Organizational Impact
• IT Impact – IT processes and priorities may need to change to meet this objective
• User Experience Impact – Reboot of workstations or servers can cause temporary application or workstation downtime for users.
Rationale
Critical vulnerabilities allow code execution without user interaction and can:
• Enable self-propagating malware (e.g. worms)
• Facilitate rapid entry of any attack (such as browsing to a web page or opening email)
Note: Some guidance (ASD top 4 | Essential 8) recommends applying within 48 hours
Operating system services (or daemons) are the ideal mechanism for rapid destruction attacks, as they are always running and many accept inbound network traffic.
For Microsoft operating systems, Windows Update provides a rapid deployment capability.
3. Isolate (or retire) computers that cannot be updated and patched
Quick win (0 to 30 days)
Description
For systems that cannot apply critical OS security updates within 4 days, apply alternate mitigations:
• Upgrade any unsupported operating system to a current version
• Retire unsupported system
• Fully isolate systems from Internet and intranet / general-purpose networks
Rationale
Microsoft recognizes updating some operating systems is difficult because:
• Unsupported operating system required (for regulatory/support/etc. reasons)
• Reboots associated with updates incur costs from interrupting business operations
While these may be valid reasons for not updating, connected vulnerable systems create a major risk to the organization, as illustrated by two Petya cases:
Case 1 – Significant business impact (halted business operations) because business critical ICS/SCADA systems were infected from the corporate intranet.
Case 2 – ICS/SCADA business operations continued because legacy systems were completely isolated on a separate, inaccessible network.
1. Rapidly deploy all critical security updates
30 Days +
Description
All applicable critical updates are applied to 99%+ of computers in 4 days or less.
• Policy and process are documented (including validation/enforcement of results)
• Systems with unsupported / End of Life software products should be upgraded, isolated, or retired
• Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
Organizational Impact
• IT Impact – IT processes and priorities may need to change to meet this objective
• User Experience Impact – Reboot of workstations or servers can cause temporary application or workstation downtime for users.
Rationale
Critical vulnerabilities allow code execution without user interaction and can:
• Facilitate rapid entry of any attack (such as browsing to a web page or opening email)
• Enable self-propagating malware (e.g. worms) if the application has a listening service/daemon
Note: Some guidance (ASD top 4 | Essential 8) recommends applying within 48 hours
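A way to measure the shared objective of the two update recommendations above (critical OS updates within 4 days on 99%+ of computers, and the same target for all critical updates), as an added example that is not from the deck: it classifies a constructed inventory of hypothetical hosts against the SLA as of a given day and lists the exceptions that belong to the "Isolate (or retire)" track. Hostnames, install dates and the inventory fields are constructed; the release date used is MS17-010's (14 March 2017).

```python
"""Patch-SLA measurement for the "99%+ of computers in 4 days" objective.

Added example (not from the original deck). Hostnames, install dates and the
inventory fields are constructed; the release date is MS17-010's (14 March 2017).
"""
from datetime import date, timedelta

SLA_DAYS = 4       # deck: critical updates applied within 4 days or less
TARGET = 0.99      # deck: on 99%+ of computers


def days_after(day, n):
    return day + timedelta(days=n)


def build_inventory():
    """120 hypothetical hosts: 118 patched on days 1-4, one late, one unsupported."""
    release = date(2017, 3, 14)
    hosts = [{"host": f"host-{n:03d}", "os": "Windows 10", "supported": True,
              "installed": days_after(release, 1 + n % 4)} for n in range(118)]
    hosts.append({"host": "host-118", "os": "Windows Server 2012 R2", "supported": True,
                  "installed": days_after(release, 7)})
    hosts.append({"host": "host-119", "os": "Windows Server 2003", "supported": False,
                  "installed": None})
    return release, hosts


def classify(entry, release, as_of, sla_days=SLA_DAYS):
    """compliant / pending (window still open) / unsupported / overdue, as seen on `as_of`."""
    deadline = days_after(release, sla_days)
    installed = entry["installed"]
    if installed is not None and installed <= as_of and installed <= deadline:
        return "compliant"
    if as_of <= deadline:
        return "pending"
    if not entry["supported"]:
        return "unsupported"     # handled by the isolate/retire recommendation
    return "overdue"             # process failure: investigate why deployment lagged


def sla_report(hosts, release, as_of, sla_days=SLA_DAYS, target=TARGET):
    """Coverage against the SLA plus the exception list to hand to the isolate/retire track."""
    counts = {"compliant": 0, "pending": 0, "unsupported": 0, "overdue": 0}
    exceptions = []
    for h in hosts:
        state = classify(h, release, as_of, sla_days)
        counts[state] += 1
        if state in ("unsupported", "overdue"):
            exceptions.append((h["host"], h["os"], state))
    coverage = counts["compliant"] / len(hosts) if hosts else 0.0
    window_closed = as_of > days_after(release, sla_days)
    return {"total": len(hosts), "coverage": coverage, "window_closed": window_closed,
            "meets_target": window_closed and coverage >= target,
            "counts": counts, "exceptions": sorted(exceptions)}


if __name__ == "__main__":
    release, hosts = build_inventory()
    report = sla_report(hosts, release, days_after(release, 10))
    print(f"coverage {report['coverage']:.2%} (target {TARGET:.0%}), meets: {report['meets_target']}")
    for host, os_name, state in report["exceptions"]:
        print(f"  {host} ({os_name}): {state}")
```

Two stragglers out of 120 already put coverage at 98.3%, below the 99% bar, which is why the deck pairs the SLA with a documented exception process rather than treating the last few hosts as noise.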
5. Stay current
CRITICAL | 30 Days +
Description
• Adopt Cloud Services for workloads when available
• Use the latest operating system and applications to protect against modern threats
• Windows 10 for Windows Workstations
• Windows Server 2016 for Windows Servers
• Latest revisions of Linux, Mac OSX, and Router/Switch/Mobile Device Operating Systems
Expected Organizational Impact
• User Impact – User education.
• IT Impact – Deploying a new operating system and updating applications can have a significant impact on an organization, from deploying and upgrading to training.
Rationale
• Cloud services have been largely unaffected by rapid destruction attacks
• Technology providers like Microsoft constantly invest in security to keep up with threats
• Effectively mitigating some attacks requires new approaches that are impractical to retrofit into older systems (such as TPM hardware based security assurances).
• New capabilities frequently enable digital transformation initiatives that are top priority for CEOs at most organizations.
1. Create malware-resistant backups of your critical systems and data
Quick win (0 to 30 days) ($)
Description
Protect critical systems against effects of erasure/encryption
• Automatically back up all critical data, critical systems, and dependencies
• Protect critical backups against online deletion/encryption attacks (via multi-factor authentication, or have the backups stored fully offline/off-site).
Organizational Impact
• Impact on IT – Level of impact will vary based on the existing backup practices and may require changes to processes and/or backup technology.
Rationale
Rapid destruction attacks typically take down all online services including backup and deployment systems, slowing recovery of critical business systems.
Recovering quickly requires that backups exist and are not deleted/encrypted by the attack.
2. Validate your backups using standard restore procedures and tools
30 Days + ($)
Description
Validate your end to end recovery process
• Include a “Complete IT system down” scenario in Business Continuity / Disaster Recovery (BC/DR) exercises to build readiness for rapid destruction attacks
• All on-premises services will be unavailable (including communications, identity systems, and fileservers/SharePoint where BC/DR procedures may be stored).
• Regularly validate critical system backup files using standard restore procedures
• Evaluate the use of cloud backup/recovery capabilities like Azure Site Recovery
Expected Organizational Impact
• IT Impact – Minor impact for staff to perform backup validation and disaster recovery exercises. Recovery processes may need refinement and continued practice.
Rationale
Petya exposed major challenges with recovery processes at most affected enterprises:
• Exercising restore procedures and tooling would avoid these by proactively exposing challenges before a real event
• Cloud services were largely unaffected by rapid destruction attacks
Note: This preparation also improves your resilience to ransomware attacks and natural disasters.
6. Implement unique local administrator passwords on all systems
Quick win (0 to 30 days)
Description
Ensure the local administrator account password on each system is unique:
• Unique random password for Administrator account on each workstation
• Unique random password for Administrator account on each server
• No other local administrator accounts should be active, enabled, or used
Key Resources: LAPS | Securing Privileged Access Roadmap
Organizational Impact
• User Impact – None
• IT Impact – Deploy and configure solution, update IT support processes/practices
Rationale
• Attackers regularly exploit presence of identical passwords on the local administrator account (across workstations and/or servers)
• While Petya required a local (or domain) account to be logged in and impersonated the credentials, the next attack likely will be able to use local accounts directly
• Targeted attacks regularly involve stealing and re-using local credentials
• Attack technique is automated in multiple tools (Death Star | GoFetch)
7. Separate and protect privileged accounts
30 Days +
Description
Separate and protect privileged credentials from exposure to impersonation, theft and re-use
• Create separate accounts for privileged activities that are restricted from using e-mail and browsing the Internet.
• Ensure privileged accounts are used only on trusted workstations (such as PAWs)
• Enforce multi-factor authentication on privileged accounts
Organizational Impact
• User Impact – Privileged users' practices must be adjusted to separate account and workstation.
• IT Impact – Organization needs to deploy and maintain the new set of workstations.
Rationale
• Impersonation and credential theft for privileged accounts leads to rapid organization compromise (and has been automated: Death Star | GoFetch)
• Separating privileged accounts and workstations dramatically increases the cost of this attack:
• Standard user tasks expose accounts and workstations to compromise through phishing attacks, drive-by download attacks, and many other Internet-based attacks.
• Purpose built workstations are simpler to protect and discourage overuse of privileges
• These mitigations also protect against the most prevalent technique in targeted attacks
3. Disable unneeded legacy protocols
30 Days +
Description
Disable legacy protocols that create unneeded attack surface:
• Server Message Block v1 (SMBv1)
• LanMan (LM) and NTLMv1 authentication
Expected Organizational Impact
• IT Impact – Inventory environment and dependent devices, application compatibility testing, remediate legacy systems (upgrade/migrate/retire/etc.), and deploy changes
• End-users – Varies based on application dependencies, but should be minimal with an effective application testing plan.
Rationale
Successful worms require vulnerabilities in “universally” available components (e.g. running on nearly all computers in nearly all enterprises).
Unneeded legacy protocols that are broadly available create significant organizational risk:
• SMBv1 – ~30 year old protocol that Microsoft is removing from Windows and strongly recommends customers disable/remove (the MS17-010 vulnerability in SMBv1 was used in Petya)
• LanMan and NTLMv1 – Legacy authentication protocols with well-known and significant security weaknesses
4. Implement advanced e-mail and browser protections
Quick win (0 to 30 days)
Description
Email – Implement advanced protections for phishing attacks that include:
• Attachment/URL “sandbox detonation” – Protect against unknown malware and viruses
• Time of Click Protections – Rewrite links to protect against malicious links in e-mail messages at time of click (vs. just at time of send)
Browsing – Implement advanced browser protection solutions that include:
• Website analysis – Identify known malicious sites and suspicious site behavior
• Download file analysis – Evaluate downloaded files to warn if a file came from a known malicious site or is new/unknown (not on the list of popular programs)
Organizational Impact
• User Impact – Minimal negative impact on end-user experience
• IT Impact – Deployment and management associated with the solutions
Rationale
While Petya (and WannaCry [unconfirmed]) did not start with e-mail or browsing, this is an extremely unusual phenomenon for cyber attacks.
• Phishing/Browsers are overwhelmingly used for almost all other attack patterns, so they are very likely to be included in future attacks
5. Host anti-malware gets real-time blocking from cloud
Quick win (0 to 30 days)
Description
Ensure your host anti-malware solution gets real-time blocking responses from a cloud service.
Organizational Impact
• User Impact – Minimal negative impact on end-user experience
• IT Impact – Deployment and management associated with the solutions
Rationale
• Rapid destruction attacks happen too fast for human response, and you are reliant on automatic responses like those found in antimalware solutions
• Because every second counts in these attacks, your AV should immediately get the latest signatures from the cloud when it detects suspicious behavior
• This feature (or similar) is available from several antivirus vendors (including the MAPS service for Windows Defender AV) but it is not always enabled in production.
4. Discover and reduce broad permissions on file repositories
30 Days +
Description
Reduce risk from broad permissions
1. Discover broad write/delete permissions on Fileshares, SharePoint, and other solutions
• Broad is defined as many users having write/delete to business critical data
2. Reduce broad permissions (while meeting business collaboration requirements)
3. Configure continuous monitoring and/or ongoing discovery for broad permissions
Organizational Impact
• IT Impact – Plan/implement processes (and optionally tool(s)) to discover, reduce, and monitor broad permissions.
Rationale
• Destructive attacks spread and encrypt data using compromised accounts/workstations
• Most ransomware encrypts files on all mapped drives, causing significant impact
• Petya attacks propagated using logged in credentials
• Reducing these broad permissions can reduce the impact of destructive attacks
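The three-step discover / reduce / monitor process above, as an added example that is not from the deck, run over a constructed ACL export with hypothetical share paths, group names and group sizes: it flags repositories where write/delete reaches a well-known broad principal or too many users in total, and shows the reduce step that downgrades the broad grant while keeping the scoped collaboration group in place; re-running the discovery over the reduced ACL is the monitoring step.

```python
"""Discover and reduce broad write/delete permissions on file repositories.

Added example (not from the original deck). The ACL entries, paths, group names
and group sizes below are constructed; real data would come from an ACL export.
"""
from collections import defaultdict

# Principals that effectively mean "every user in the organization" (assumed naming)
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "BUILTIN\\Users"}
# Rights that let a compromised account destroy or encrypt data
WRITE_RIGHTS = {"Write", "Modify", "FullControl", "Delete"}

# Constructed ACL export: one entry per (path, principal) grant
ACL = [
    {"path": "\\\\fs01\\Finance", "principal": "Finance-RW", "rights": {"Modify"}},
    {"path": "\\\\fs01\\Finance", "principal": "Domain Users", "rights": {"Read"}},
    {"path": "\\\\fs01\\Projects", "principal": "Everyone", "rights": {"Modify"}},
    {"path": "\\\\fs01\\Projects", "principal": "PM-Team", "rights": {"FullControl"}},
    {"path": "\\\\fs01\\Engineering", "principal": "Eng-All", "rights": {"Write", "Delete"}},
    {"path": "\\\\fs01\\Engineering", "principal": "Eng-Leads", "rights": {"FullControl"}},
    {"path": "https://sp/sites/HR", "principal": "HR-Editors", "rights": {"Write"}},
]
# Constructed membership counts (hypothetical directory of ~4,000 users)
GROUP_SIZES = {"Finance-RW": 12, "Domain Users": 4000, "Everyone": 4000, "PM-Team": 8,
               "Eng-All": 650, "Eng-Leads": 5, "HR-Editors": 6}


def writers_per_path(acl):
    """Map path -> set of principals holding any write/delete right."""
    out = defaultdict(set)
    for ace in acl:
        if ace["rights"] & WRITE_RIGHTS:
            out[ace["path"]].add(ace["principal"])
    return out


def find_broad(acl, group_sizes, max_writers=100):
    """Step 1 (discover): flag paths where write/delete is granted to a broad principal,
    or where the writer groups together exceed max_writers members (an upper bound,
    since overlapping group memberships are summed rather than de-duplicated)."""
    findings = []
    for path, principals in sorted(writers_per_path(acl).items()):
        broad = sorted(principals & BROAD_PRINCIPALS)
        writers = sum(group_sizes.get(p, 1) for p in principals)   # unknown name = 1 user
        if broad:
            findings.append({"path": path, "reason": "broad principal",
                             "principals": broad, "writers": writers})
        elif writers > max_writers:
            findings.append({"path": path, "reason": "too many writers",
                             "principals": sorted(principals), "writers": writers})
    return findings


def reduce_broad(acl, findings):
    """Step 2 (reduce): copy of the ACL with broad principals on flagged paths downgraded
    to Read, leaving the explicitly scoped groups so collaboration keeps working."""
    flagged = {f["path"] for f in findings if f["reason"] == "broad principal"}
    reduced = []
    for ace in acl:
        if (ace["path"] in flagged and ace["principal"] in BROAD_PRINCIPALS
                and ace["rights"] & WRITE_RIGHTS):
            reduced.append({**ace, "rights": {"Read"}})
        else:
            reduced.append(ace)
    return reduced


if __name__ == "__main__":
    before = find_broad(ACL, GROUP_SIZES)
    for f in before:
        print(f"{f['path']}: {f['reason']} ({', '.join(f['principals'])}; ~{f['writers']} writers)")
    after = find_broad(reduce_broad(ACL, before), GROUP_SIZES)   # step 3: re-run as monitoring
    print(f"remaining findings after reduction: {len(after)}")
```

The "too many writers" finding is left for a human decision because the deck requires the reduction to respect business collaboration needs; only the well-known broad principals are downgraded automatically.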
Mitigating Rapid Cyberattacks

More Related Content

PDF
System Hardening Recommendations_FINAL
PDF
Windows server hardening 1
ODP
Hardening Database Server
PPTX
System hardening - OS and Application
PPT
Prueba de Presentacion
PDF
Avoid Meltdown from the Spectre - How to measure impact and track remediation
PPTX
An Introduction to PowerShell for Security Assessments
PDF
Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger
System Hardening Recommendations_FINAL
Windows server hardening 1
Hardening Database Server
System hardening - OS and Application
Prueba de Presentacion
Avoid Meltdown from the Spectre - How to measure impact and track remediation
An Introduction to PowerShell for Security Assessments
Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger

What's hot (20)

PPTX
Symantec Endpoint Protection
PPTX
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
PPTX
GrrCon 2014: Security On the Cheap
PDF
Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines
PPTX
CIS Control Solution Guide
PDF
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
PPTX
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
PPT
Patch Management - 2013
PDF
Ece seminar 20070927
ODP
Atc ny friday-talk_20080808
PPTX
The Truth About Viruses on Power Systems - Powertech
PDF
IANS information security forum 2019 summary
PPTX
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
PPT
0828 Windows Server 2008 新安全功能探討
PDF
Atc ny friday-talk_slides_20080808
PPTX
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
PPTX
SYMANTEC ENDPOINT PROTECTION Administration Introduction
PPT
Design for security in operating system
PPT
Symantec Endpoint Protection 12.1 RU6 MP6
PDF
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
Symantec Endpoint Protection
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
GrrCon 2014: Security On the Cheap
Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines
CIS Control Solution Guide
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
Patch Management - 2013
Ece seminar 20070927
Atc ny friday-talk_20080808
The Truth About Viruses on Power Systems - Powertech
IANS information security forum 2019 summary
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
0828 Windows Server 2008 新安全功能探討
Atc ny friday-talk_slides_20080808
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
SYMANTEC ENDPOINT PROTECTION Administration Introduction
Design for security in operating system
Symantec Endpoint Protection 12.1 RU6 MP6
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
Ad

Similar to Mitigating Rapid Cyberattacks (20)

PPTX
What is dr and bc 12-2017
PPT
Network administrationcode Lecture 1.ppt
PDF
TECHNICAL BRIEF Protecting & Migrating Legacy Windows OSes
PPTX
Presentation for information security & hacking
PDF
CMS Website Security Threat Protection Oriented Analyzer System
PDF
Threat_Modelling.pdf
PPTX
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
PPT
Microsoft Operating System Vulnerabilities
PPT
Microsoft OS Vulnerabilities
PPT
Ch08 Microsoft Operating System Vulnerabilities
PDF
TADSummit 2022 - How to bring your own RTC platform down
PDF
How to bring down your own RTC platform. Sandro Gauci
PDF
Security Operation Center : Le Centre des Opérations de Sécurité est une div...
DOCX
Network Diagram of a company ABCD Roshan basnet it 29
DOCX
1. Security and vulnerability assessment analysis tool - Microsoft.docx
PPTX
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
PPSX
Cloud monitoring - An essential Platform Service
PPTX
pr-host-intrusion-prevention-customer-presentation (5).pptx
PPTX
Jump start your recovery, with Muhammad Tahir
PPTX
DBMS Vulnerabilities And Threats.pptx
What is dr and bc 12-2017
Network administrationcode Lecture 1.ppt
TECHNICAL BRIEF Protecting & Migrating Legacy Windows OSes
Presentation for information security & hacking
CMS Website Security Threat Protection Oriented Analyzer System
Threat_Modelling.pdf
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
Microsoft Operating System Vulnerabilities
Microsoft OS Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
TADSummit 2022 - How to bring your own RTC platform down
How to bring down your own RTC platform. Sandro Gauci
Security Operation Center : Le Centre des Opérations de Sécurité est une div...
Network Diagram of a company ABCD Roshan basnet it 29
1. Security and vulnerability assessment analysis tool - Microsoft.docx
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Cloud monitoring - An essential Platform Service
pr-host-intrusion-prevention-customer-presentation (5).pptx
Jump start your recovery, with Muhammad Tahir
DBMS Vulnerabilities And Threats.pptx
Ad

Recently uploaded (20)

PPTX
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
PDF
Digital Systems & Binary Numbers (comprehensive )
DOCX
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
PPTX
Weekly report ppt - harsh dattuprasad patel.pptx
PPTX
history of c programming in notes for students .pptx
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
PPTX
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
PDF
Nekopoi APK 2025 free lastest update
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
PPTX
Operating system designcfffgfgggggggvggggggggg
PDF
17 Powerful Integrations Your Next-Gen MLM Software Needs
PDF
Cost to Outsource Software Development in 2025
PDF
iTop VPN Crack Latest Version Full Key 2025
PDF
Website Design Services for Small Businesses.pdf
PDF
Salesforce Agentforce AI Implementation.pdf
PDF
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
PDF
Odoo Companies in India – Driving Business Transformation.pdf
PDF
Design an Analysis of Algorithms I-SECS-1021-03
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
Digital Systems & Binary Numbers (comprehensive )
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
Weekly report ppt - harsh dattuprasad patel.pptx
history of c programming in notes for students .pptx
wealthsignaloriginal-com-DS-text-... (1).pdf
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
Nekopoi APK 2025 free lastest update
Internet Downloader Manager (IDM) Crack 6.42 Build 41
Operating system designcfffgfgggggggvggggggggg
17 Powerful Integrations Your Next-Gen MLM Software Needs
Cost to Outsource Software Development in 2025
iTop VPN Crack Latest Version Full Key 2025
Website Design Services for Small Businesses.pdf
Salesforce Agentforce AI Implementation.pdf
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Odoo Companies in India – Driving Business Transformation.pdf
Design an Analysis of Algorithms I-SECS-1021-03

Mitigating Rapid Cyberattacks

  • 3. Introduction 1 – Review Attacks 2 – Recommendations & Findings 3 – Discover Blockers Next Steps
  • 4. Geographies All Duration ~60 minutes Impacted Computers 62,000 computers • 12,000 servers • 50,000 desktops
  • 5. RAPID •Spreads through enterprise in minutes (no time for human response processes) AUTOMATED •No human interaction required after attack cycle starts DISRUPTIVE •Intentional operational disruption via destruction/encryption of data/systems
  • 7. Recommend Specific measures to improve your defenses against rapid cyberattacks Review How rapid cyberattacks work Discover Potential blockers preventing you from implementing recommended mitigations
  • 8. Supply Chain – Attack started in IT supply-chain, not phishing or browsing Multi-technique – automated multiple traversal techniques effectively Fast – Automatic propagation (Worm behavior) left no time for security teams to react Destructive - Destroyed assets (vs. silent theft or ransom demand) • Encrypted a master file table (MFT), making it costly/difficult to retrieve data • Replaced boot record with malicious code making machine unbootable “New” attack Innovations Massive Impact
  • 9. ENTER ANATOMY OF A PETYA ATTACK 2. Trojan MEDoc update installed launching malicious code 3. Multiple techniques used to spread rapidly: • MS17-010 Vulnerability (released March 2017) • Credential theft and impersonation 1. Attackers compromised software update infrastructure for MEDoc financial application • CLEARED WINDOWS EVENT LOGS • OTHER POTENTIAL ACTIONS? • ENCRYPTED MFT • MADE SYSTEMS UNBOOTABLE NETWORK & IDENTITY DEVICE SOFTWARE VENDOR EXECUTE TRAVERSE PREPARE
  • 10. 3. PROCESS EXECUTION EXECUTION • PSExec • WMIC 2. PRIVILEGE ACQUISITION TRAVERSE (Automated Worm Behavior) IMPERSONATION 1. Impersonate current session (SYSTEM) 2. Impersonate other active local sessions (using token) EXPLOITATION • MS17-010 (ETERNALBLUE)  (Execute as SYSTEM on remote host) 1. TARGETING NETWORK 1. Acquire IP Addresses • Servers & DCs - DHCP subnets • Other Hosts - Local network 2. Validate IP Addresses • TCP/139 and TCP/445 CONNECTED SHARES Note: Impersonation functionality has code similarities to Mimikatz
  • 11. Targeted • Targeted at specific organizations. Offline Recovery Required • Online Backup servers were taken out. Communications down • Office 365 online but Active Directory & Federation down. Needed off-site backups and printed documents for restore procedures. Used Manual Text Messaging and Twitter Spread was inhibited by Windows 10’s Secure Boot, Server Core, and Network Isolation Less widespread than WannaCrypt, but more severe.
• 14. Agenda
  Review: a. How rapid destruction attacks work; b. Your current risk factors for rapid cyberattacks
  Recommend: Specific measures to improve your defenses against rapid cyberattacks
  Discover: Potential blockers preventing you from implementing recommended mitigations
• 15. Four focus areas
  Attack Surface Reduction: reduce critical risk factors across all attack stages (prepare, enter, traverse, execute)
  Lateral Traversal / Securing Privileged Access: mitigate the ability to traverse (spread) using impersonation and credential theft attacks
  Business Continuity / Disaster Recovery (BC/DR): rapidly resume business operations after a destructive attack
  Exploit Mitigation: mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment
• 16. Default recommendations
  Direct attack mitigation, rapid enablement (quick wins, 0 to 30 days):
    1. Create malware-resistant backups of your critical systems and data
    2. Immediately deploy critical operating system security updates
    3. Isolate (or retire) computers that cannot be updated and patched
    4. Implement advanced e-mail and browser protections
    5. Ensure the host anti-malware solution gets real-time blocking responses from the cloud
    6. Implement unique local administrator passwords on all systems
    7. Separate and protect privileged accounts
  Direct attack mitigation, longer enablement (30 days+):
    1. Rapidly deploy all critical security updates
    2. Validate your backups using standard restore procedures and tools
    3. Disable unneeded legacy protocols
    4. Discover and reduce broad permissions on file repositories
    5. Stay current
• 18. Default recommendations mapped to the four focus areas (quick wins 0 to 30 days are numbered 1 to 7; 30 days+ items are numbered 1 to 5)
  Exploit Mitigation: quick win 2 (Immediately deploy critical OS security updates), quick win 3 (Isolate or retire computers that cannot be updated and patched); 30 days+ 1 (Rapidly deploy all critical security updates), 30 days+ 5 (Stay current)
  Business Continuity / Disaster Recovery (BC/DR): quick win 1 (Create malware-resistant backups of your critical systems and data); 30 days+ 2 (Validate your backups using standard restore procedures and tools)
  Lateral Traversal / Securing Privileged Access: quick win 6 (Implement unique local administrator passwords on all systems), quick win 7 (Separate and protect privileged accounts)
  Attack Surface Reduction: quick win 4 (Implement advanced e-mail and browser protections), quick win 5 (Host anti-malware gets real-time blocking from cloud); 30 days+ 3 (Disable unneeded legacy protocols), 30 days+ 4 (Discover and reduce broad permissions on file repositories)
• 19. Additional recommendations
  1. Ensure outsourcing contracts and SLAs are compatible with rapid security response
  2. Move critical workloads to SaaS and PaaS
  3. Validate existing network controls (Internet ingress, Lab/ICS/SCADA isolation)
  4. Enable UEFI Secure Boot
  5. Complete SPA roadmap Phase 2: reduce attack surface for Active Directory, Domain Controllers, and service accounts; time-bound privileges (no permanent admins); Just Enough Admin (JEA) for DC maintenance
  6. Protect backup and deployment systems from rapid destruction
  7. Restrict inbound peer traffic on all workstations
  8. Use application whitelisting
  9. Remove local administrator privileges from end-users
  10. Implement modern threat detection solutions
• 22. You can't defeat the threats of the present with tools from the past (photo credit: Wikimedia, cannon from Galera Forte)
  • 23. We could patch 99%+ of our operating systems in 4 days if we had (or did)….
  • 24. We could get all unsupported operating systems upgraded if we had (or did)….
• 25. We could deploy the credential theft recommendations if we had (or did)…
  • Unique local administrator passwords on all systems (workstations, servers)
  • Separate and protect privileged accounts
• 26. We could retire SMBv1, LM, and NTLMv1 if we had (or did)…
  Worksheet rows: Technology (platforms, tools, etc.); Process (procedures, approvals, etc.); People (stakeholder buy-in, funding, etc.)
  Worksheet columns: Identifying dependencies; Removing dependencies
• 28. Next steps <Highlight any action items identified in the meeting.> Add customer specifics.
  Table columns: Action | Person responsible | Completion date
• 31. Immediately deploy critical OS security updates (CRITICAL; quick win, 0 to 30 days)
  Description: Critical operating system updates are applied to 99%+ of computers in 4 days or less.
    • Policy and process are documented (including validation/enforcement of results)
    • See the "Isolate (or retire) computers…" recommendation for handling exceptions
    • Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
  Rationale: Critical vulnerabilities allow code execution without user interaction and can enable self-propagating malware (e.g. worms) and facilitate rapid entry of any attack (such as browsing to a web page or opening email). Operating system services (or daemons) are the ideal mechanism for rapid destruction attacks as they are always running and many accept inbound network traffic. For Microsoft operating systems, Windows Update provides a rapid deployment capability. Note: some guidance (ASD Top 4 | Essential 8) recommends applying within 48 hours.
  Expected organizational impact: IT impact: IT processes and priorities may need to change to meet this objective. User experience impact: reboots of workstations or servers can cause temporary application or workstation downtime for users.
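The objective is a number, so it should be measured. The PowerShell below is an added example, not code from the deck; it spot-checks one update across a list of computers and reports the percentage installed and who missed the 4-day deadline. The computer list, the KB identifier (a placeholder form; the KB for a given bulletin differs per OS version) and the release date are inputs you supply. It relies on Get-HotFix, so it needs WMI/DCOM access to the targets and only sees updates that Windows records in Win32_QuickFixEngineering.

```powershell
# Added example, not code from the original deck. Spot-checks the "99%+ within 4 days"
# objective for one update against a list of computers. Computer names, KB identifier
# and release date are parameters you supply; nothing below is tied to a specific KB.

function Get-PatchCompliance {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$KbId,          # e.g. 'KB1234567' (placeholder form)
        [Parameter(Mandatory)][datetime]$ReleaseDate,
        [int]$SlaDays = 4,
        [double]$TargetPercent = 99.0
    )
    $deadline = $ReleaseDate.AddDays($SlaDays)
    $rows = @(foreach ($c in $ComputerName) {
        try {
            # Get-HotFix returns nothing (no error) when the KB is absent,
            # and throws when the host cannot be reached.
            $fix = Get-HotFix -Id $KbId -ComputerName $c -ErrorAction Stop
            [pscustomobject]@{
                Computer    = $c
                Reachable   = $true
                Installed   = [bool]$fix
                InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
                InSla       = [bool]($fix -and $fix.InstalledOn -and $fix.InstalledOn -le $deadline)
            }
        } catch {
            # An unreachable host counts as non-compliant until proven otherwise
            [pscustomobject]@{ Computer = $c; Reachable = $false; Installed = $false; InstalledOn = $null; InSla = $false }
        }
    })
    $installed = @($rows | Where-Object Installed).Count
    $pct = if ($rows.Count) { [math]::Round(100.0 * $installed / $rows.Count, 2) } else { 0 }
    [pscustomobject]@{
        KbId             = $KbId
        Deadline         = $deadline
        Total            = $rows.Count
        Installed        = $installed
        PercentInstalled = $pct
        MeetsTarget      = ($pct -ge $TargetPercent)
        Overdue          = @($rows | Where-Object { -not $_.Installed -and (Get-Date) -gt $deadline })
        Unreachable      = @($rows | Where-Object { -not $_.Reachable })
        Rows             = $rows
    }
}

# Hypothetical usage: computer list from AD, KB and release date from the advisory you track.
# $hosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows*"' | Select-Object -ExpandProperty Name
# $r = Get-PatchCompliance -ComputerName $hosts -KbId 'KB1234567' -ReleaseDate '2017-03-14'
# $r | Select-Object Total, Installed, PercentInstalled, MeetsTarget
# $r.Overdue | Format-Table Computer, Reachable
```

Two caveats for the reader using this at scale: on Windows 10 and Server 2016 a cumulative update supersedes earlier ones, so track the newest cumulative KB rather than an old one that will disappear from the list; and a host that cannot be reached for the check is exactly the host most likely to also be missing the patch, which is why the function counts it against the target instead of excluding it. The WSUS, SCCM or Intune reports you already have are the authoritative source; this is the quick independent check that validates them.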
• 32. Isolate (or retire) computers that cannot be updated and patched (quick win, 0 to 30 days)
  Description: For systems that cannot apply critical OS security updates within 4 days, apply alternate mitigations:
    • Upgrade any unsupported operating system to a current version
    • Retire the unsupported system
    • Fully isolate the system from the Internet and from intranet / general-purpose networks
  Rationale: Microsoft recognizes updating some operating systems is difficult because an unsupported operating system is required (for regulatory/support/etc. reasons), or because reboots associated with updates incur costs from interrupting business operations. While these may be valid reasons for not updating, connected vulnerable systems create a major risk to the organization, as illustrated by two Petya cases:
    Case 1: Significant business impact (halted business operations) because business-critical ICS/SCADA systems were infected from the corporate intranet.
    Case 2: ICS/SCADA business operations continued because legacy systems were completely isolated on a separate, inaccessible network.
• 33. Rapidly deploy all critical security updates (CRITICAL; 30 days+)
  Description: All applicable critical updates are applied to 99%+ of computers in 4 days or less.
    • Policy and process are documented (including validation/enforcement of results)
    • Systems with unsupported / End of Life software products should be upgraded, isolated, or retired
    • Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
  Rationale: Critical vulnerabilities allow code execution without user interaction and can facilitate rapid entry of any attack (such as browsing to a web page or opening email) and enable self-propagating malware (e.g. worms) if the application has a listening service/daemon. Note: some guidance (ASD Top 4 | Essential 8) recommends applying within 48 hours.
  Organizational impact: IT impact: IT processes and priorities may need to change to meet this objective. User experience impact: reboots of workstations or servers can cause temporary application or workstation downtime for users.
• 34. Stay current (30 days+)
  Description:
    • Adopt cloud services for workloads when available
    • Use the latest operating system and applications to protect against modern threats: Windows 10 for Windows workstations; Windows Server 2016 for Windows servers; latest revisions of Linux, Mac OS X, and router/switch/mobile device operating systems
  Rationale:
    • Cloud services have been largely unaffected by rapid destruction attacks
    • Technology providers like Microsoft constantly invest in security to keep up with threats
    • Effectively mitigating some attacks requires new approaches that are impractical to retrofit into older systems (such as TPM hardware-based security assurances)
    • New capabilities frequently enable digital transformation initiatives that are top priority for CEOs at most organizations
  Expected organizational impact: User impact: user education. IT impact: deploying a new operating system and updating applications can have a significant impact on an organization, from deploying and upgrading to training.
• 36. Create malware-resistant backups of your critical systems and data (quick win, 0 to 30 days; cost indicator: $)
  Description: Protect critical systems against the effects of erasure/encryption.
    • Automatically back up all critical data, critical systems, and dependencies
    • Protect critical backups against online deletion/encryption attacks (via multi-factor authentication, or by storing the backups fully offline/off-site)
  Rationale: Rapid destruction attacks typically take down all online services, including backup and deployment systems, slowing recovery of critical business systems. Recovering quickly requires that backups exist and are not deleted/encrypted by the attack.
  Organizational impact: Impact on IT: the level of impact will vary based on existing backup practices and may require changes to processes and/or backup technology.
• 37. Validate your backups using standard restore procedures and tools (30 days+; cost indicator: $)
  Description: Validate your end-to-end recovery process.
    • Include a "complete IT system down" scenario in Business Continuity / Disaster Recovery (BC/DR) exercises to build readiness for rapid destruction attacks
    • Assume all on-premises services will be unavailable (including communications, identity systems, and file servers/SharePoint where BC/DR procedures may be stored)
    • Regularly validate critical system backup files using standard restore procedures
    • Evaluate the use of cloud backup/recovery capabilities like Azure Site Recovery
  Rationale: Petya exposed major challenges with recovery processes at most affected enterprises. Exercising restore procedures and tooling would avoid these by proactively exposing challenges before a real event. Cloud services were largely unaffected by rapid destruction attacks. Note: this preparation also improves your resilience to ransomware attacks and natural disasters.
  Expected organizational impact: IT impact: minor impact for staff to perform backup validation and disaster recovery exercises. Recovery processes may need refinement and continued practice.
• 39. Implement unique local administrator passwords on all systems (quick win, 0 to 30 days)
  Description: Ensure the local administrator account password on each system is unique:
    • Unique random password for the Administrator account on each workstation
    • Unique random password for the Administrator account on each server
    • No other local administrator accounts should be active, enabled, or used
  Key resources: LAPS | Securing Privileged Access Roadmap
  Rationale:
    • Attackers regularly exploit the presence of identical passwords on the local administrator account (across workstations and/or servers)
    • While Petya required a local (or domain) account to be logged in and impersonated its credentials, the next attack will likely be able to use local accounts directly
    • Targeted attacks regularly involve stealing and re-using local credentials
    • The attack technique is automated in multiple tools (Death Star | GoFetch)
  Organizational impact: User impact: none. IT impact: deploy and configure the solution; update IT support processes/practices.
• 40. Separate and protect privileged accounts (30 days+)
  Description: Separate privileged credentials and protect them from exposure to impersonation, theft and re-use.
    • Create separate accounts for privileged activities that are restricted from using e-mail and browsing the Internet
    • Ensure privileged accounts are used only on trusted workstations (such as PAWs)
    • Enforce multi-factor authentication on privileged accounts
  Rationale:
    • Impersonation and credential theft for privileged accounts leads to rapid organization compromise (and has been automated: Death Star | GoFetch)
    • Separating privileged accounts and workstations dramatically increases the cost of this attack: standard user tasks expose accounts and workstations to compromise through phishing attacks, drive-by download attacks, and many other Internet-based attacks; purpose-built workstations are simpler to protect and discourage overuse of privileges
    • These mitigations also protect against the most prevalent technique in targeted attacks
  Organizational impact: User impact: privileged users' practices must be adjusted to the separate account and workstation. IT impact: the organization needs to deploy and maintain the new set of workstations.
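Recommendation 6 has two measurable parts: every domain-joined computer should have its built-in Administrator password managed by LAPS, and no other local account should sit in the local Administrators group. The PowerShell below is an added example, not code from the deck or from the LAPS product; it assumes legacy (Microsoft) LAPS, whose rotation deadline lives in the AD attribute ms-Mcs-AdmPwdExpirationTime (Windows LAPS uses msLAPS-PasswordExpirationTime instead), the ActiveDirectory RSAT module for the first function, and PowerShell 5.1 or later for the LocalAccounts cmdlets in the second. The OU path in the usage note is hypothetical.

```powershell
# Added example, not code from the original deck. Two audits behind recommendation 6:
# (1) which AD computers have no LAPS-managed local administrator password, and
# (2) which extra local accounts are members of the local Administrators group.
# Assumes legacy LAPS (attribute ms-Mcs-AdmPwdExpirationTime, a FILETIME Int64).

function Get-LapsCoverage {
    param([string]$SearchBase)   # optional OU DN, e.g. 'OU=Workstations,DC=example,DC=com' (hypothetical)
    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    $nowUtc = (Get-Date).ToUniversalTime()
    foreach ($c in Get-ADComputer @params) {
        $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null
        if ($raw) { $expires = [datetime]::FromFileTimeUtc([int64]$raw) }
        if (-not $raw) {
            $state = 'NotManaged'        # attribute never written: client not installed or GPO not applied
        } elseif ($expires -lt $nowUtc) {
            $state = 'Expired'           # deadline passed without rotation: client stopped running
        } else {
            $state = 'Managed'
        }
        [pscustomobject]@{ Computer = $c.Name; OS = $c.OperatingSystem; LapsState = $state; Expires = $expires }
    }
}

function Get-ExtraLocalAdmins {
    # Run on each host (for example via Invoke-Command). Reports enabled local accounts
    # in Administrators other than the built-in one (RID 500), which LAPS does not cover.
    $localUsers = Get-LocalUser
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($m.PrincipalSource -ne 'Local' -or $m.ObjectClass -ne 'User') { continue }
        if ($m.SID.Value -like '*-500') { continue }
        $u = $localUsers | Where-Object { $_.SID -eq $m.SID }
        if ($u -and $u.Enabled) {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $m.Name; Sid = $m.SID.Value }
        }
    }
}

# Hypothetical usage:
# Get-LapsCoverage -SearchBase 'OU=Workstations,DC=example,DC=com' | Where-Object LapsState -ne 'Managed' | Format-Table
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-ExtraLocalAdmins} | Format-Table
```

The "Expired" state is the one that is easy to miss: the attribute exists, so a naive coverage report counts the machine as protected, but if the LAPS client stopped rotating the password it may by now be the same stale value an attacker harvested months ago. Domain groups in the local Administrators group are deliberately skipped here; they belong to the privileged-access review on the next slide, not to the local password problem.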
• 42. Disable unneeded legacy protocols (30 days+)
  Description: Disable legacy protocols that create unneeded attack surface:
    • Server Message Block v1 (SMBv1)
    • LanMan (LM) and NTLMv1 authentication
  Rationale: Successful worms require vulnerabilities in "universally" available components (e.g. running on nearly all computers in nearly all enterprises). Unneeded legacy protocols that are broadly available create significant organizational risk:
    • SMBv1: a ~30-year-old protocol that Microsoft is removing from Windows and strongly recommends customers disable/remove (the MS17-010 vulnerability in SMBv1 was used in Petya)
    • LanMan and NTLMv1: legacy authentication protocols with well-known and significant security weaknesses
  Expected organizational impact: IT impact: inventory the environment and dependent devices, application compatibility testing, remediate legacy systems (upgrade/migrate/retire/etc.), and deploy changes. End-users: varies based on application dependencies, but should be minimal with an effective application testing plan.
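Slide 26 asks what would let you retire SMBv1, LM and NTLMv1; the usual answer is "we don't know who still uses them". The PowerShell below is an added example, not code from the deck, in three parts: audit the current state of one host, find accounts and devices still authenticating with NTLMv1 from the 4624 logon events of the servers they log on to, and only then enforce. It uses only built-in cmdlets and the documented Lsa registry values (LmCompatibilityLevel 5 means clients send NTLMv2 only and domain controllers refuse LM and NTLMv1; NoLMHash 1 stops LM hashes being stored). The host names in the usage note are hypothetical.

```powershell
# Added example, not code from the original deck. Audit, discover dependencies, then
# enforce, for recommendation 3 (retire SMBv1, LM and NTLMv1).

function Get-LegacyProtocolState {
    # Snapshot of the local host; run via Invoke-Command for a fleet view
    $smb = Get-SmbServerConfiguration
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # SMB1 component (client and server binaries); exposed as an optional feature on Windows 10 / Server 2016+
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        Smb1ServerEnabled    = $smb.EnableSMB1Protocol
        Smb1FeatureState     = if ($feature) { "$($feature.State)" } else { 'Unknown' }
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel   # $null = OS default (3: send NTLMv2 only, still accept LM/NTLMv1)
        NoLMHash             = $lsa.NoLMHash               # 1 = LM hashes are not stored
    }
}

function Find-NtlmV1Logons {
    # 4624 is written on the host that received the logon, so query file servers,
    # application servers and DCs alike (4776 on DCs does not record the NTLM version).
    param([Parameter(Mandatory)][string[]]$ComputerName, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($srv in $ComputerName) {
        foreach ($e in Get-WinEvent -ComputerName $srv -FilterHashtable $filter -ErrorAction SilentlyContinue) {
            $x = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.LmPackageName -eq 'NTLM V1') {
                [pscustomobject]@{
                    Server = $srv; Time = $e.TimeCreated; User = $data.TargetUserName
                    Workstation = $data.WorkstationName; SourceIp = $data.IpAddress
                }
            }
        }
    }
}

function Disable-LegacyProtocols {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server, remove SMB1 component, enforce NTLMv2 only')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Removes the SMB1 client and server binaries; needs a reboot. Servers can use Uninstall-WindowsFeature FS-SMB1.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
        Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    }
}

# Hypothetical usage:
# Get-LegacyProtocolState
# Find-NtlmV1Logons -ComputerName 'fs01', 'app01', 'dc01' -Hours 168 | Group-Object User, Workstation | Sort-Object Count -Descending
# Disable-LegacyProtocols -WhatIf
```

Run the discovery for several weeks, not hours: the NTLMv1 clients that matter are the monthly batch job, the printer that scans to a share and the appliance nobody owns, and they show up rarely. Enforce LmCompatibilityLevel via Group Policy rather than per-host registry writes in production; the function above is for the lab host or the one-off server, and its -WhatIf support is there so it can be dry-run first.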
• 43. Implement advanced e-mail and browser protections (quick win, 0 to 30 days)
  Description:
    Email: implement advanced protections for phishing attacks that include:
    • Attachment/URL "sandbox detonation": protect against unknown malware and viruses
    • Time-of-click protections: rewrite links to protect against malicious links in e-mail messages at time of click (vs. just at time of send)
    Browsing: implement advanced browser protection solutions that include:
    • Website analysis: identify known malicious sites and suspicious site behavior
    • Download file analysis: evaluate downloaded files to warn if a file came from a known malicious site or is new/unknown (not on the list of popular programs)
  Rationale: While Petya (and WannaCry [unconfirmed]) did not start with e-mail or browsing, this is an extremely unusual phenomenon for cyber attacks. Phishing and browsers are overwhelmingly used for almost all other attack patterns, so they are very likely to be included in future attacks.
  Organizational impact: User impact: minimal negative impact on the end-user experience. IT impact: deployment and management associated with the solutions.
• 44. Ensure host anti-malware gets real-time blocking responses from the cloud (quick win, 0 to 30 days)
  Description: Ensure your host anti-malware solution gets real-time blocking responses from a cloud service.
  Rationale:
    • Rapid destruction attacks happen too fast for human response, so you are reliant on automatic responses like those found in anti-malware solutions
    • Because every second counts in these attacks, your AV should immediately get the latest signatures from the cloud when it detects suspicious behavior
    • This feature (or a similar one) is available from several antivirus vendors (including the MAPS service for Windows Defender AV), but it is not always enabled in production
  Organizational impact: User impact: minimal negative impact on the end-user experience. IT impact: deployment and management associated with the solutions.
• 45. Discover and reduce broad permissions on file repositories (30 days+)
  Description: Reduce risk from broad permissions.
    1. Discover broad write/delete permissions on file shares, SharePoint, and other solutions ("broad" is defined as many users having write/delete to business-critical data)
    2. Reduce broad permissions (while meeting business collaboration requirements)
    3. Configure continuous monitoring and/or ongoing discovery for broad permissions
  Rationale:
    • Destructive attacks spread and encrypt data using compromised accounts/workstations
    • Most ransomware encrypts files on all mapped drives, causing significant impact
    • Petya attacks propagated using logged-in credentials
    • Reducing these broad permissions can reduce the impact of destructive attacks
  Organizational impact: IT impact: plan/implement processes (and optionally tools) to discover, reduce, and monitor broad permissions.
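Step 1 of the last recommendation, discovery, is where most teams stall because the ACLs on a large share tree are never read by a human. The PowerShell below is an added example, not code from the deck; it walks a share tree and reports every Allow ACE that grants write, delete or permission-change rights to a "broad" principal, matched by well-known SID so it works regardless of display language or domain name (Everyone, Authenticated Users, BUILTIN\Users, Interactive, and any domain's Domain Users or Domain Computers). It covers NTFS shares only; SharePoint and other repositories need their own check. The share paths in the usage note are hypothetical.

```powershell
# Added example, not code from the original deck. Finds ACEs that give broad groups
# write, delete or permission-change rights on a share tree.

function Test-BroadPrincipal {
    param([System.Security.Principal.IdentityReference]$Id)
    try { $sid = $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $false }                      # orphaned / unresolvable SID: not a broad group
    # S-1-1-0 Everyone, S-1-5-11 Authenticated Users, S-1-5-32-545 BUILTIN\Users, S-1-5-4 INTERACTIVE
    if ($sid -in @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')) { return $true }
    return ($sid -match '-(513|515)$')           # <domain>-513 Domain Users, <domain>-515 Domain Computers
}

function Find-BroadWriteAccess {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [int]$Depth = 3                          # folders below each root to inspect; deeper trees cost time
    )
    # Specific rights that let a caller change or destroy data or its protection
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Generic rights appear un-mapped on some inherited ACEs: GENERIC_WRITE | GENERIC_ALL
    $genericWriteBits = 0x40000000 -bor 0x10000000
    foreach ($root in $Path) {
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }          # access denied to read the ACL: record separately if needed
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if (-not (Test-BroadPrincipal $ace.IdentityReference)) { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band $writeBits) -or ($rights -band $genericWriteBits)) {
                    [pscustomobject]@{
                        Path      = $d.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Hypothetical usage; review the export with the data owners before reducing anything:
# Find-BroadWriteAccess -Path '\\fs01\finance', '\\fs01\hr' -Depth 2 |
#     Export-Csv .\broad-write.csv -NoTypeInformation
```

Sort the output by the Inherited column first: a single non-inherited ACE near the root of a share usually explains hundreds of inherited findings below it, and fixing it at the source is one change rather than many. For step 3, continuous monitoring, schedule the same function and diff the CSV against the previous run, so that a new broad grant shows up as a single new row rather than a full re-review.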