Mitigating Rapid Cyberattacks (Petya, WannaCrypt, and similar)

Mark Simos, Lead Cybersecurity Architect, Microsoft
Jim Moeller, Principal Cybersecurity Consultant, Microsoft


TRANSCRIPT


Objectives

1. SHARE learnings about these attacks and mitigating them

2. LEARN about your challenges and how we might help you overcome them

Agenda

1 Introduction

2 Review Attacks

3 Recommendations

4 Questions and Feedback

Rapid Destruction at Global Organizations
Petya - Massive Technical and Business Impact

Example of Technical Impact (Anonymous)
• GEOGRAPHIES: All
• DURATION: ~60 minutes
• IMPACTED COMPUTERS: 62,000 computers (12,000 servers, 50,000 workstations)

Publicly Reported Losses (By Different Organizations)
• $200 Million
• $300 Million
• $310 Million

Session Outcomes

REVIEW: How rapid cyberattacks work

RECOMMEND: Specific measures to improve your defenses against rapid cyberattacks

What Made Petya Different

“NEW” ATTACK INNOVATIONS
• SUPPLY CHAIN: Attack started in the IT supply chain, not phishing or browsing
• MULTI-TECHNIQUE: Automated multiple traversal techniques effectively
• FAST: Automatic propagation (worm behavior) left little time for security teams to react

MASSIVE IMPACT
• DESTRUCTIVE: Destroyed assets (vs. silent theft or ransom demand)
  • Encrypted the master file table (MFT), making it costly/difficult to retrieve data
  • Replaced the boot record with malicious code, making the machine unbootable
• Non-technical mitigations were critical to business continuity

Anatomy of a Petya Attack

PREPARE (SOFTWARE VENDOR)
1. Attackers compromised the software update infrastructure for the MEDoc financial application

ENTER (DEVICE)
2. Trojan MEDoc update installed, launching malicious code

TRAVERSE (NETWORK & IDENTITY)
3. Multiple techniques used to spread rapidly:
• MS17-010 vulnerability (released March 2017)
• Credential theft and impersonation

EXECUTE
• CLEARED WINDOWS EVENT LOGS (JUST STANDARD PRACTICE? HIDING OTHER ACTIONS?)
• ENCRYPTED MFT
• MADE SYSTEMS UNBOOTABLE

How Petya Spreads
TRAVERSE (Automated Worm Behavior)

1. TARGETING
NETWORK
1. Acquire IP addresses
• Servers & DCs - DHCP subnets
• Other hosts - Local network
2. Validate IP addresses: TCP/139 and TCP/445
CONNECTED SHARES

2. PRIVILEGE ACQUISITION
IMPERSONATION
1. Impersonate current session (SYSTEM)
2. Impersonate other active local sessions (using token)
EXPLOITATION
• MS17-010 (ETERNALBLUE) (execute as SYSTEM on remote host)

3. PROCESS EXECUTION
EXECUTION
• PSExec
• WMIC

Note: Impersonation functionality has code similarities to Mimikatz

Petya Notes from the Field

TARGETED
Targeted at specific organizations.
Less widespread than WannaCrypt, but more severe.

OFFLINE RECOVERY REQUIRED
Online backup servers were taken out.
Needed off-site backups and printed documents for restore procedures.

COMMUNICATIONS DOWN
Office 365 online but Active Directory & Federation down.
Fell back on phone calls, text messaging, WhatsApp, Twitter, etc.

Spread was inhibited by Windows 10’s Secure Boot, Server Core, and Network Isolation.

MITIGATING ONE VECTOR ISN’T ENOUGH
Most of Petya’s propagation was on the impersonation “channel”; 97% patched was not enough to stop the spread.

DUAL BENEFITS OF INVESTMENTS
Credential theft, patch, and other investments also mitigate targeted attacks.

Critical Element: Multi-Channel Propagation

CREDENTIAL THEFT IN RANSOMWARE
• Credential harvesting - Commonly seen in monetization strategies
• Propagation - Ransomware campaigns like Samas (and targeted data theft campaigns)
• No propagation in mainstream ransomware kits / malware, yet

RANSOMWARE INFECTION METHODS
• Normal malware distribution – Watering holes, phishing attachments/links, etc.
• Propagation – Weaponize Office documents on network shares (legit, honeytrap)
• Remote Access – Compromised credentials used for remote access

CORPORATE CREDENTIALS MARKETS ARE GROWING
• 20+ markets selling compromised corporate credentials
• ~12 million corporate creds for sale

Attack Market Snapshot/Trends (as of Nov 2017)


Mitigation Strategy – Key Components

• EXPLOIT MITIGATION: Mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment
• BUSINESS CONTINUITY / DISASTER RECOVERY (BC/DR): Rapidly resume business operations after a destructive attack
• LATERAL TRAVERSAL / SECURING PRIVILEGED ACCESS: Mitigate ability to traverse (spread) using impersonation and credential theft attacks
• ATTACK SURFACE REDUCTION: Reduce critical risk factors across all attack stages (prepare, enter, traverse, execute)

Summary of Key Recommendations (DEFAULT RECOMMENDATIONS)

Quick wins: 0-30 Days (DIRECT ATTACK MITIGATION, RAPID ENABLEMENT)
Measures that directly impact the known attack playbook:
1. Create destruction-resistant backups of your critical systems and data
2. Immediately deploy critical security updates for OS, browser, & email
3. Isolate (or retire) computers that cannot be updated and patched
4. Implement advanced e-mail and browser protections
5. Enable host anti-malware and network defenses to get near-realtime blocking responses from the cloud (if available in your solution)
6. Implement unique local administrator passwords on all systems
7. Separate and protect privileged accounts

Less than 90 Days / Next Quarter + Beyond (DIRECT ATTACK MITIGATION, LONGER ENABLEMENT)
1. Validate your backups using standard restore procedures and tools
2. Discover and reduce broad permissions on file repositories
3. Rapidly deploy all critical security updates
4. Disable unneeded legacy protocols
5. Stay current – Run only current versions of operating systems and apps

MITIGATION RECOMMENDATIONS
Focus on Prevention and Recovery

[Figure: the quick-win (1-7) and Next Quarter + Beyond (1-5) recommendations mapped onto the IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER functions]

Rapid destruction leaves little time for detect + respond (e.g. 62,000 computers down in ~60 minutes)

Mitigation Strategy – Key Components
(Quick-win items 1-7 and Next Quarter + Beyond items 1-5 mapped to the four components)

EXPLOIT MITIGATION
• Quick win 2. Immediately deploy critical OS security updates
• Quick win 3. Isolate (or retire) computers that cannot be updated and patched
• Next quarter 3. Rapidly deploy all critical security updates
• Next quarter 5. Stay current

BUSINESS CONTINUITY / DISASTER RECOVERY (BC/DR)
• Quick win 1. Create malware-resistant backups of your critical systems and data
• Next quarter 1. Validate your backups using standard restore procedures and tools

LATERAL TRAVERSAL / SECURING PRIVILEGED ACCESS
• Quick win 6. Implement unique local administrator passwords on all systems
• Quick win 7. Separate and protect privileged accounts

ATTACK SURFACE REDUCTION
• Quick win 4. Implement advanced e-mail and browser protections
• Quick win 5. Host anti-malware gets real-time blocking from cloud
• Next quarter 2. Discover and reduce broad permissions on file repositories
• Next quarter 4. Disable unneeded legacy protocols

Summary of Additional Recommendations (DEFAULT RECOMMENDATIONS)
Measures that increase recovery speed or additionally reduce risk:

1. Ensure outsourcing contracts and SLAs are compatible with rapid security response
2. Move critical workloads to SaaS and PaaS as you are able
3. Validate existing network controls (internet ingress, internal Lab/ICS/SCADA isolation)
4. Enable UEFI Secure Boot
5. Complete SPA roadmap Phase 2 (http://aka.ms/sparoadmap)
6. Protect backup and deployment systems from rapid destruction
7. Restrict inbound peer traffic on all workstations
8. Use application whitelisting
9. Remove local administrator privileges from end-users
10. Implement modern threat detection and automated response solutions
11. Disable unneeded protocols
12. Replace insecure protocols with secure equivalents (Telnet → SSH, HTTP → HTTPS, etc.)

Deployment Tip – Use security baselines
Many recommendations are configured by baselines:
• 30 day / Item 4 – Enables SmartScreen (including enablement for 3rd party browsers)
• 30 day / Item 5 – Enables Windows Defender and MAPS services
• 30 day / Item 6 – Mitigates local account propagation (disables logon rights for local accounts)
• Beyond / Item 4 – Disables SMBv1
• And many other security features, including Credential Guard capability and several Exploit Guard features (exploit mitigations, attack surface reduction rules, etc.)

New Deployments: Use recommended security baselines (e.g. Windows 10, Windows Server 2016)
Existing Deployments: Consider deploying settings to existing computers (via staged pilot)
Download Security Baselines: https://aka.ms/securitybaselines

Discover Blockers and Challenges

Topics:
• Rapid Application of Security Updates
• Deploying Latest Operating System
• Lateral Traversal / Secure Privileged Access
• Remove Legacy Protocols

We could follow these best practices if we had or did…
• Vendors (Microsoft, Others) that provided XXXXXX...
• Stakeholders that understand XXXXXX…..
• Tooling to automate the XXXXX process….
• Guidance that explained how to XXXX….

© 2017 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Reference – Recommendation Details


Exploit Mitigation

Critical security updates for OS, browser, & email
Protect against highest impact vulnerabilities
Quick win: 0 to 30 days | CRITICAL | 4 days

Description
Apply critical security updates to 99%+ of computers within 4 days (operating system, email, browser)
• Policy and process are documented (including validation/enforcement of results)
• See “Isolate (or retire) computers…” recommendation for handling exceptions
• Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)

Rationale
Critical vulnerabilities allow code execution without user interaction and can:
• Enable self-propagating malware (e.g. worms)
• Facilitate rapid entry of any attack (such as browsing to a web page or opening email)
Note: Some guidance (ASD top 4 | Essential 8) recommends applying within 48 hours
• Operating system services (or daemons) are the ideal mechanism for rapid destruction attacks as they are always running and many accept inbound network traffic
• Email and web browsers are the most popular entry vectors for most attacks
• For Microsoft capabilities, Windows Update provides a rapid deployment capability

Expected Organizational Impact
• IT Impact – IT processes and priorities may need to change to meet this objective
• User Experience Impact – Reboot of workstations or servers can cause temporary application or workstation downtime for users

Isolate (or retire) computers that cannot be updated and patched
Reduce opportunities for attackers to target legacy systems
Quick win: 0 to 30 days | CRITICAL

Description
For systems that cannot apply critical OS security updates within 4 days, apply alternate mitigations:
• Upgrade any unsupported operating system to a current version
• Retire unsupported systems
• Fully isolate systems from the Internet and intranet / general-purpose networks

Rationale
Microsoft recognizes updating some operating systems is difficult because:
• An unsupported operating system is required (for regulatory/support/etc. reasons)
• Reboots associated with updates incur costs from interrupting business operations
While these may be valid reasons for not updating, connected vulnerable systems create a major risk to the organization, as illustrated by two Petya cases:
• Case 1 – Significant business impact (halted business operations) because business-critical ICS/SCADA systems were infected from the corporate intranet.
• Case 2 – ICS/SCADA business operations continued because legacy systems were completely isolated on a separate, inaccessible network.

Rapidly deploy all critical security updates
Protect against attacks using known vulnerabilities
Next Quarter + Beyond | 4 days

Description
All applicable critical updates are applied to 99%+ of computers in 4 days or less.
• Policy and process are documented (including validation/enforcement of results)
• Systems with unsupported / End of Life software products should be upgraded, isolated, or retired
• Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
• While full deployment can take longer, create a plan of actions and milestones (POAM) within 90 days

Rationale
Critical vulnerabilities allow code execution without user interaction and can:
• Facilitate rapid entry of any attack
• Enable self-propagating malware (e.g. worms) if the application has a listening service/daemon
Note: Some guidance (ASD top 4 | Essential 8) recommends applying within 48 hours

Expected Organizational Impact
• IT Impact – IT processes and priorities may need to change to meet this objective
• User Experience Impact – Reboot of workstations or servers can cause temporary application or workstation downtime for users

Stay current
Protect against modern threats
Next Quarter + Beyond

Description
• Adopt cloud services for workloads when available
• Use the latest operating system and applications to protect against modern threats
  • Windows 10 for Windows workstations
  • Windows Server 2016 for Windows servers
  • Latest revisions of Linux, Mac OSX, and router/switch/mobile device operating systems
• Ensure any new security features are enabled as available (e.g. Exploit Guard, Credential Guard, etc.)
• While full deployment can take longer, create a plan of actions and milestones (POAM) within 90 days

Rationale
• Cloud services have been largely unaffected by rapid destruction attacks
• Technology providers like Microsoft constantly invest in security to keep up with threats
• Effectively mitigating some attacks requires new approaches that are impractical to retrofit into older systems (such as TPM hardware-based security assurances and exploit mitigations)
• New capabilities frequently enable digital transformation initiatives that are top priority for CEOs at most organizations

Expected Organizational Impact
• User Impact – User education
• IT Impact – Deploying a new operating system and updating applications can have a significant impact on an organization, from deploying and upgrading to training

Part 2 – Business Continuity/Disaster Recovery


Create destruction-resistant backups
Ensure backups are difficult to encrypt/delete
Quick win: 0 to 30 days | $

Description
Protect critical systems against effects of erasure/encryption
• Automatically back up all critical data, critical systems, and dependencies
• Protect critical backups against online deletion/encryption attacks (via multi-factor authentication, or have the backups stored fully offline/off-site)

Rationale
• Rapid destruction attacks typically take down all on-premises servers, including those supporting backup and deployment capabilities, slowing recovery of critical business systems
• Recovering quickly requires that backups exist and are not deleted/encrypted by the attack

Expected Organizational Impact
• Impact on IT – Level of impact will vary based on existing backup practices and may require changes to processes and/or backup technology

Validate backups using standard restore procedures and tools
Be ready to recover quickly
30 days + | $

Description
Validate your end-to-end recovery process
• Include a “Complete IT system down” scenario in Business Continuity / Disaster Recovery (BC/DR) exercises to build readiness for rapid destruction attacks
• All on-premises services will be unavailable (including communications, identity systems, and fileservers/SharePoint where BC/DR procedures may be stored)
• Regularly validate critical system backup files using standard restore procedures
• Evaluate the use of cloud backup/recovery capabilities like Azure Site Recovery

Rationale
Petya exposed major challenges with recovery processes at most affected enterprises:
• Exercising restore procedures and tooling would avoid these by proactively exposing challenges before a real event
• Cloud services were largely unaffected by rapid destruction attacks
Note: This preparation also improves your resilience to ransomware attacks and natural disasters

Expected Organizational Impact
• IT Impact – Minor impact for staff to perform backup validation and disaster recovery exercises. Recovery processes may need refinement and continued practice

Part 3 – Lateral Traversal / Securing Priv. Access


Implement unique local administrator passwords on all systems
Reduce opportunities for attackers to move laterally in your network
Quick win: 0 to 30 days

Description
Ensure the local administrator account password on each system is unique:
• Unique random password for the Administrator account on each workstation
• Unique random password for the Administrator account on each server
• No other local administrator accounts should be active, enabled, or used
Key Resources: LAPS | Securing Privileged Access Roadmap

Rationale
• Attackers regularly exploit the presence of identical passwords on the local administrator account (across workstations and/or servers)
• While Petya required a local (or domain) account to be logged in and impersonated its credentials, the next attack will likely be able to use local accounts directly
• Targeted attacks regularly involve stealing and re-using local credentials
• The attack technique is automated in multiple tools (Death Star | GoFetch)

Expected Organizational Impact
• User Impact – None
• IT Impact – Deploy and configure solution, update IT support processes/practices
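A local check against the criteria on this slide, added here as an example (it is not code from the deck or from LAPS): it lists the members of the local Administrators group, flags any enabled local account other than the built-in Administrator (RID 500), and reports the built-in account's password age so a password that is not being rotated stands out. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and a 30-day rotation threshold, which is a placeholder for your LAPS policy interval.

```powershell
# Added example (not from the deck): audit one machine's local Administrators group
# against the slide's rules: unique, rotated built-in admin password and no other
# enabled local administrator accounts. Requires Microsoft.PowerShell.LocalAccounts.
$MaxPasswordAgeDays = 30   # assumed threshold; use your LAPS rotation interval

# Every local account's SID is prefixed with this machine's own domain SID.
$machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid

$report = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $isLocal = ($m.SID.AccountDomainSid -eq $machineSid)
    $user = $null
    if ($isLocal -and $m.ObjectClass -eq 'User') { $user = Get-LocalUser -SID $m.SID }
    [pscustomobject]@{
        Name       = $m.Name
        Source     = $m.PrincipalSource          # Local, ActiveDirectory, AzureAD, ...
        IsLocal    = $isLocal
        IsBuiltIn  = $isLocal -and $m.SID.Value.EndsWith('-500')   # built-in Administrator
        Enabled    = if ($user) { $user.Enabled } else { $null }
        PwdAgeDays = if ($user -and $user.PasswordLastSet) {
                         (New-TimeSpan -Start $user.PasswordLastSet).Days
                     } else { $null }
    }
}

$findings = @()
foreach ($r in $report) {
    # Slide: no local administrator account other than the built-in one should be enabled.
    if ($r.IsLocal -and -not $r.IsBuiltIn -and $r.Enabled) {
        $findings += "extra enabled local admin account: $($r.Name)"
    }
    # Slide: the built-in password must be unique per machine; locally, a stale
    # password age is the simplest sign that rotation is not happening.
    if ($r.IsBuiltIn -and $r.Enabled -and $r.PwdAgeDays -gt $MaxPasswordAgeDays) {
        $findings += "built-in Administrator password is $($r.PwdAgeDays) days old"
    }
}

$report | Format-Table -AutoSize
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Local administrator hygiene: OK' }
```

Run it from your management tooling across the fleet and compare built-in password ages between machines: identical ages on many hosts usually mean identical passwords set by an image, which is exactly the condition the slide warns about.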

Separate and protect privileged accounts
Keep privileged credentials out of reach of standard users/workstations
Quick win: 0 to 30 days

Description
Separate and protect privileged credentials from exposure to impersonation, theft and re-use
• Create separate accounts for privileged activities that are restricted from using e-mail and browsing the Internet
• Ensure privileged accounts are used only on trusted workstations (such as PAWs)
• Enforce multi-factor authentication on privileged accounts

Rationale
• Impersonation and credential theft for privileged accounts frequently leads to rapid organization compromise (and has been automated: Death Star | GoFetch)
• Separating privileged accounts and workstations dramatically increases the cost of this attack:
  • Standard user tasks expose accounts and workstations to compromise through phishing attacks, drive-by download attacks, and many other Internet-based attacks
  • Purpose-built workstations are simpler to protect and discourage overuse of privileges
• These mitigations also protect against the most prevalent technique in targeted attacks

Expected Organizational Impact
• User Impact – Privileged users’ practices must be adjusted to separate account and workstation
• IT Impact – Organization needs to deploy and maintain the new set of workstations

Attack Surface Reduction


Disable unneeded legacy protocols
Reduce unneeded attack surface for automated propagation
Next Quarter + Beyond

Description
Disable legacy protocols that create unneeded attack surface:
• Server Message Block v1 (SMBv1)
• LanMan (LM) and NTLMv1 authentication

Rationale
Successful worms require vulnerabilities in “universally” available components (e.g. running on nearly all computers in nearly all enterprises). Unneeded legacy protocols that are broadly available create significant organizational risk:
• SMBv1 – ~30 year old protocol that Microsoft is removing from Windows and strongly recommends customers disable/remove (the MS17-010 vulnerability in SMBv1 was used in Petya)
• LanMan and NTLMv1 – Legacy authentication protocols with well-known and significant security weaknesses

Expected Organizational Impact
• IT Impact – Inventory environment and dependent devices, application compatibility testing, remediate legacy systems (upgrade/migrate/retire/etc.), and deploy changes
• End-users – Varies based on application dependencies, but should be minimal with an effective application testing plan.
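A way to audit a Windows host against both items on this slide, added here as an example rather than code from the deck: it reads the SMBv1 server and feature state and the LAN Manager authentication level, and changes them only when -Remediate is passed. Assumptions: an elevated session on Windows 8.1 / Server 2012 R2 or later with the SmbShare module, and LmCompatibilityLevel 5 as the "no LM/NTLMv1" target.

```powershell
# Added example (not from the deck): audit, and optionally remediate, the legacy
# protocols this slide names: SMBv1 and LM/NTLMv1 authentication.
# Assumes an elevated session on Windows 8.1 / Server 2012 R2 or later.
[CmdletBinding()]
param(
    [switch]$Remediate   # audit only unless this switch is given
)

$findings = @()

# --- SMBv1 -----------------------------------------------------------------
# Server side: the SMB1 listener on TCP/445 is what MS17-010 (ETERNALBLUE) targeted.
$smbServer = Get-SmbServerConfiguration
if ($smbServer.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# Feature side: the optional feature carries the SMB1 client and server binaries.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') {
    $findings += 'SMB1Protocol optional feature is installed'
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    }
}

# --- LM / NTLMv1 -------------------------------------------------------------
# LmCompatibilityLevel (GPO: "Network security: LAN Manager authentication level"):
#   0-2 still send LM and/or NTLMv1; 3-4 send only NTLMv2; 5 also refuses LM and
#   NTLMv1 from clients. Level 5 is the target assumed here for "no LM/NTLMv1".
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level -or $level -lt 5) {
    $shown = if ($null -eq $level) { 'not set (OS default)' } else { $level }
    $findings += "LmCompatibilityLevel is $shown; expected 5 (NTLMv2 only, refuse LM/NTLMv1)"
    if ($Remediate) { Set-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -Value 5 -Type DWord }
}

# --- Report ---------------------------------------------------------------------
$mode = if ($Remediate) { 'remediated' } else { 'audit only' }
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no legacy protocol findings"
} else {
    Write-Output "$($env:COMPUTERNAME) ($mode):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it audit-only first: raising the LAN Manager level or removing SMBv1 breaks devices that still depend on them (older NAS, printers, scanners), which is the inventory and compatibility testing the slide's IT impact line calls for.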

Implement advanced e-mail and browser protections
Protect against e-mail and browser based attacks
Quick win: 0 to 30 days

Description
Email - Implement advanced protections for phishing attacks that include:
• Attachment/URL “sandbox detonation” – Protect against unknown malware and viruses
• Time-of-click protections – Rewrite links to protect against malicious links in e-mail messages at time of click (vs. just at time of send)
Browsing - Implement advanced browser protection solutions that include:
• Website analysis – Identify known malicious sites and suspicious site behavior
• Download file analysis – Evaluate downloaded files to warn if the file came from a known malicious site or is new/unknown (not on the list of popular programs)

Rationale
• While Petya (and WannaCry [unconfirmed]) did not start with e-mail or browsing, this is an extremely unusual phenomenon for cyber attacks
• Phishing/browsers are overwhelmingly used for almost all other attack patterns, so they are very likely to be included in future attacks

Expected Organizational Impact
• User Impact – Minimal negative impact on end-user experience
• IT Impact – Deployment and management associated with the solutions

Near-realtime blocking responses from cloud
Protect users and computers against new threats
Quick win: 0 to 30 days

Description
If available in your solutions, ensure your host anti-malware solution and your network defenses such as Intrusion Prevention Systems (IPS) get real-time blocking responses from a cloud service.

Rationale
• Rapid destruction attacks happen too fast for human response, so you are reliant on automatic responses like those found in anti-malware solutions and network defense solutions.
• Because every second counts in these attacks, your AV and network defenses should immediately get the latest signatures from the cloud when they detect suspicious behavior
• This feature (or similar) is available from several antivirus vendors (including the MAPS service for Windows Defender AV) but it is not always enabled in production

Expected Organizational Impact
• User Impact – Minimal negative impact on end-user experience
• IT Impact – Deployment and management associated with the solutions

Discover and reduce broad permissions on file repositories
Reduce the impact of a user compromise
30 days +

Description
Reduce risk from broad permissions
1. Discover broad write/delete permissions on file shares, SharePoint, and other solutions
• Broad is defined as many users having write/delete to business-critical data
2. Reduce broad permissions (while meeting business collaboration requirements)
3. Configure continuous monitoring and/or ongoing discovery for broad permissions

Rationale
• Destructive attacks spread and encrypt data using compromised accounts/workstations
• Most ransomware encrypts files on all mapped drives, causing significant impact
• Petya attacks propagated using logged-in credentials
• Reducing these broad permissions can reduce the impact of destructive attacks

Expected Organizational Impact
• IT Impact – Plan/implement processes (and optionally tool(s)) to discover, reduce, and monitor broad permissions
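Step 1 of the slide, the discovery pass, for the SMB shares of a single file server, added here as an example and not code from the deck: it applies the slide's definition of "broad" (many users able to write/delete) to both the share ACL and the NTFS ACL of each share root. Assumptions: the SmbShare module is present, the principal list is a starting point to extend with your own wide groups, and the CSV path is a placeholder.

```powershell
# Added example (not from the deck): find "broad" write/delete permissions on this
# server's SMB shares, checking the share ACL and the NTFS ACL of the share root.
param(
    [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'Domain Computers'),
    [string]$ReportPath = "$env:TEMP\broad-share-permissions.csv"   # placeholder path
)

# NTFS rights that let a compromised user damage data (Modify and FullControl include them).
$destructive = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-BroadPrincipal([string]$Identity) {
    # Match with or without a DOMAIN\, BUILTIN\ or NT AUTHORITY\ prefix.
    $short = ($Identity -split '\\')[-1]
    return $BroadPrincipals -contains $short
}

# Non-administrative shares only (skips C$, ADMIN$, IPC$ and similar).
$shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }

$findings = foreach ($s in $shares) {
    # Share-level ACL: Change or Full granted to a broad principal.
    foreach ($sa in Get-SmbShareAccess -Name $s.Name) {
        if ($sa.AccessControlType -eq 'Allow' -and $sa.AccessRight -in @('Change', 'Full') -and
            (Test-BroadPrincipal $sa.AccountName)) {
            [pscustomobject]@{ Share = $s.Name; Path = $s.Path; Layer = 'Share'
                               Principal = $sa.AccountName; Rights = $sa.AccessRight }
        }
    }
    # NTFS ACL on the share root: any Allow ACE with a destructive bit for a broad principal.
    # Note: ACEs carrying generic rights (displayed as a raw number) are not decoded here.
    foreach ($ace in (Get-Acl -LiteralPath $s.Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights -band [int]$destructive) -ne 0) -and
            (Test-BroadPrincipal $ace.IdentityReference.Value)) {
            [pscustomobject]@{ Share = $s.Name; Path = $s.Path; Layer = 'NTFS'
                               Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Share, Layer | Format-Table -AutoSize
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Output "$(@($findings).Count) broad permission entries written to $ReportPath"
} else {
    Write-Output 'No broad write/delete permissions found on non-administrative shares'
}
```

The CSV is the input to step 2 (reduce) and, re-run on a schedule and diffed against the previous output, gives the ongoing discovery that step 3 asks for.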