TRANSCRIPT
Mitigating Rapid Cyberattacks (Petya, WannaCrypt, and similar)
Mark Simos – Lead Cybersecurity Architect, Microsoft
Jim Moeller – Principal Cybersecurity Consultant, Microsoft
Objectives
1. SHARE learnings about these attacks and mitigating them
2. LEARN about your challenges and how we might help you overcome them
Rapid Destruction at Global Organizations – Petya: Massive Technical and Business Impact
Example of Technical Impact (Anonymous)
• GEOGRAPHIES: All
• DURATION: ~60 minutes
• IMPACTED COMPUTERS: 62,000 computers (12,000 servers, 50,000 workstations)
Publicly Reported Losses (by different organizations)
• $200 Million
• $300 Million
• $310 Million
Session Outcomes
• REVIEW – How rapid cyberattacks work
• RECOMMEND – Specific measures to improve your defenses against rapid cyberattacks
What Made Petya Different
“NEW” ATTACK INNOVATIONS
• SUPPLY CHAIN – Attack started in the IT supply chain, not phishing or browsing
• MULTI-TECHNIQUE – Automated multiple traversal techniques effectively
• FAST – Automatic propagation (worm behavior) left little time for security teams to react
MASSIVE IMPACT
• DESTRUCTIVE – Destroyed assets (vs. silent theft or ransom demand)
  • Encrypted the master file table (MFT), making it costly/difficult to retrieve data
  • Replaced the boot record with malicious code, making the machine unbootable
• Non-technical mitigations were critical to business continuity
Anatomy of a Petya Attack
PREPARE (software vendor)
1. Attackers compromised the software update infrastructure for the MEDoc financial application
ENTER (device)
2. Trojaned MEDoc update installed, launching malicious code
TRAVERSE (network & identity)
3. Multiple techniques used to spread rapidly:
• MS17-010 vulnerability (update released March 2017)
• Credential theft and impersonation
EXECUTE
• Cleared Windows event logs (just standard practice? hiding other actions?)
• Encrypted the MFT
• Made systems unbootable

How Petya Spreads – TRAVERSE (Automated Worm Behavior)
1. TARGETING (network)
• Acquire IP addresses: servers & DCs – DHCP subnets; other hosts – local network
• Validate IP addresses: TCP/139 and TCP/445
• Connected shares
2. PRIVILEGE ACQUISITION
• IMPERSONATION: (1) impersonate the current session (SYSTEM); (2) impersonate other active local sessions (using their tokens)
• EXPLOITATION: MS17-010 (ETERNALBLUE) – execute as SYSTEM on the remote host
3. PROCESS EXECUTION
• PsExec
• WMIC
Note: The impersonation functionality has code similarities to Mimikatz
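The EXECUTE and PROCESS EXECUTION steps above leave artifacts in the Windows event logs that are worth hunting for. The following is an added example (not from the deck, and not Petya's code) that pulls those artifacts from one host: log-clearing events, PsExec service installation, and processes spawned by the WMI provider host. It assumes the default PsExec service name (PSEXESVC), Windows 10 / Server 2016 or later (the 4688 event carries the parent process name only from those versions on), and that "Audit Process Creation" is enabled for the 4688 check. Because an attacker who clears the logs removes this evidence, the events should be forwarded off-host (event forwarding or a SIEM) rather than read locally after the fact.

```powershell
<#
Added example: hunt one host for the Petya-style EXECUTE/TRAVERSE artifacts
discussed above. Assumptions: default PSEXESVC service name, Windows 10 /
Server 2016+ event schema, process-creation auditing enabled for 4688.
#>
function Get-RapidAttackIndicators {
    [CmdletBinding()]
    param(
        [datetime] $Since        = (Get-Date).AddDays(-1),
        [string]   $ComputerName = $env:COMPUTERNAME
    )

    $hits = [System.Collections.Generic.List[object]]::new()

    # Reads the <Data Name="..."> fields of an event into a hashtable.
    function Get-EventData($event) {
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        return $data
    }

    # 1102 (Security) / 104 (System): an event log was cleared.
    foreach ($f in @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
        @{ LogName = 'System';   Id = 104;  StartTime = $Since })) {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue |
            ForEach-Object {
                $firstLine = ($_.Message -split "`r?`n")[0]
                $hits.Add([pscustomobject]@{
                    Time = $_.TimeCreated; Indicator = 'EventLogCleared'
                    Log  = $_.LogName;     Detail    = "$($_.Id): $firstLine"
                })
            }
    }

    # 7045 (System): a service was installed. PsExec installs PSEXESVC on the
    # target for every remote execution, even when the PsExec binary is renamed.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = Get-EventData $_
            if ($data['ServiceName'] -like 'PSEXESVC*' -or $data['ImagePath'] -match 'PSEXESVC') {
                $hits.Add([pscustomobject]@{
                    Time = $_.TimeCreated; Indicator = 'PsExecServiceInstalled'
                    Log  = $_.LogName
                    Detail = "$($data['ServiceName']) -> $($data['ImagePath']) (account $($data['AccountName']))"
                })
            }
        }

    # 4688 (Security): processes whose parent is WmiPrvSE.exe are the footprint
    # of remote "wmic process call create" (WMIC leaves no service behind).
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = Get-EventData $_
            if ($data['ParentProcessName'] -like '*\WmiPrvSE.exe') {
                $hits.Add([pscustomobject]@{
                    Time = $_.TimeCreated; Indicator = 'WmiSpawnedProcess'
                    Log  = $_.LogName
                    Detail = "$($data['NewProcessName']) as $($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                })
            }
        }

    $hits | Sort-Object Time
}

# Usage: last 24 hours on the local machine
Get-RapidAttackIndicators | Format-Table -AutoSize
```

The three indicators are deliberately generic: 7045/PSEXESVC and WmiPrvSE-spawned processes are also what administrators generate, so the value is in the combination (a burst of them across many hosts, followed by 1102/104) rather than any single event.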
Petya Notes from the Field
TARGETED – Targeted at specific organizations. Less widespread than WannaCrypt, but more severe.
OFFLINE RECOVERY REQUIRED – Online backup servers were taken out. Organizations needed off-site backups and printed documents for restore procedures.
COMMUNICATIONS DOWN – Office 365 stayed online but Active Directory & federation were down. Organizations fell back on phone calls, text messaging, WhatsApp, Twitter, etc.
Spread was inhibited by Windows 10’s Secure Boot, Server Core, and network isolation.
Critical Element: Multi-Channel Propagation
MITIGATING ONE VECTOR ISN’T ENOUGH – Most Petya propagation was over the impersonation “channel”; 97% patched was not enough to stop the spread
DUAL BENEFITS OF INVESTMENTS – Credential theft, patching, and other investments also mitigate targeted attacks

Attack Market Snapshot/Trends (as of Nov 2017)
CREDENTIAL THEFT IN RANSOMWARE
• Credential harvesting – commonly seen in monetization strategies
• Propagation – ransomware campaigns like Samas (and targeted data theft campaigns)
• No propagation in mainstream ransomware kits / malware, yet
RANSOMWARE INFECTION METHODS
• Normal malware distribution – watering holes, phishing attachments/links, etc.
• Propagation – weaponized Office documents on network shares (legitimate or honeytrap)
• Remote access – compromised credentials used for remote access
CORPORATE CREDENTIAL MARKETS ARE GROWING
• 20+ markets selling compromised corporate credentials
• ~12 million corporate credentials for sale
Mitigation Strategy – Key Components
• EXPLOIT MITIGATION – Mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment
• BUSINESS CONTINUITY / DISASTER RECOVERY (BC/DR) – Rapidly resume business operations after a destructive attack
• LATERAL TRAVERSAL / SECURING PRIVILEGED ACCESS – Mitigate the ability to traverse (spread) using impersonation and credential theft attacks
• ATTACK SURFACE REDUCTION – Reduce critical risk factors across all attack stages (prepare, enter, traverse, execute)

Summary of Key Recommendations
1. Create destruction-resistant backups of your critical systems and data
2. Immediately deploy critical security updates for OS, browser, & email
3. Isolate (or retire) computers that cannot be updated and patched
4. Implement advanced e-mail and browser protections
5. Enable host anti-malware and network defenses to get near-realtime blocking responses from the cloud (if available in your solution)
6. Implement unique local administrator passwords on all systems
7. Separate and protect privileged accounts
Mitigation Roadmap
Quick wins: 0-30 days – DIRECT ATTACK MITIGATION, RAPID ENABLEMENT (default recommendations)
• Measures that directly impact the known attack playbook: key recommendations 1-7 above
Less than 90 days – DIRECT ATTACK MITIGATION, LONGER ENABLEMENT (default recommendations)
1. Validate your backups using standard restore procedures and tools
2. Discover and reduce broad permissions on file repositories
3. Rapidly deploy all critical security updates
4. Disable unneeded legacy protocols
5. Stay current – run only current versions of operating systems and apps
Next Quarter + Beyond – continuation of the longer-enablement items above
MITIGATION RECOMMENDATIONS – Focus on Prevention and Recovery
Mapped against the five framework functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER), the recommendations concentrate on PROTECT and RECOVER: rapid destruction leaves little time for detect + respond (e.g. 62,000 computers down in ~60 minutes).

Mitigation Strategy – Key Components (recommendation mapping; numbers refer to the 0-30 day quick wins and the later-phase list)
EXPLOIT MITIGATION
• Quick win 2. Immediately deploy critical OS security updates
• Quick win 3. Isolate (or retire) computers that cannot be updated and patched
• Later 3. Rapidly deploy all critical security updates
• Later 5. Stay current
BUSINESS CONTINUITY / DISASTER RECOVERY (BC/DR)
• Quick win 1. Create malware-resistant backups of your critical systems and data
• Later 1. Validate your backups using standard restore procedures and tools
LATERAL TRAVERSAL / SECURING PRIVILEGED ACCESS
• Quick win 6. Implement unique local administrator passwords on all systems
• Quick win 7. Separate and protect privileged accounts
ATTACK SURFACE REDUCTION
• Quick win 4. Implement advanced e-mail and browser protections
• Quick win 5. Host anti-malware gets real-time blocking from the cloud
• Later 2. Discover and reduce broad permissions on file repositories
• Later 4. Disable unneeded legacy protocols
Summary of Additional Recommendations – measures that increase recovery speed or additionally reduce risk (default recommendations)
1. Ensure outsourcing contracts and SLAs are compatible with rapid security response
2. Move critical workloads to SaaS and PaaS as you are able
3. Validate existing network controls (internet ingress, internal Lab/ICS/SCADA isolation)
4. Enable UEFI Secure Boot
5. Complete SPA roadmap Phase 2 (http://aka.ms/sparoadmap)
6. Protect backup and deployment systems from rapid destruction
7. Restrict inbound peer traffic on all workstations
8. Use application whitelisting
9. Remove local administrator privileges from end-users
10. Implement modern threat detection and automated response solutions
11. Disable unneeded protocols
12. Replace insecure protocols with secure equivalents (Telnet to SSH, HTTP to HTTPS, etc.)
Deployment Tip – Use security baselines
Many recommendations are configured by baselines:
• 30 day / Item 4 – Enables SmartScreen (including enablement for 3rd-party browsers)
• 30 day / Item 5 – Enables Windows Defender and MAPS services
• 30 day / Item 6 – Mitigates local account propagation (denies network logon rights for local accounts)
• Beyond / Item 4 – Disables SMBv1
• And many other security features, including Credential Guard capability and several Exploit Guard features (exploit mitigations, attack surface reduction rules, etc.)
New Deployments – Use recommended security baselines (e.g. Windows 10, Windows Server 2016)
Existing Deployments – Consider deploying settings to existing computers (via staged pilot)
Download Security Baselines: https://aka.ms/securitybaselines
Discover Blockers and Challenges
Topics: Rapid application of security updates | Deploying the latest operating system | Lateral traversal / secure privileged access | Remove legacy protocols
We could follow these best practices if we had or did…
• Vendors (Microsoft, others) that provided XXXXXX…
• Stakeholders that understand XXXXXX…
• Tooling to automate the XXXXX process…
• Guidance that explained how to XXXX…
© 2017 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Part 1 – Exploit Mitigation

Critical security updates for OS, browser, & email – Protect against highest-impact vulnerabilities
Quick win: 0 to 30 days – CRITICAL: 4 days
Description
Apply critical security updates to 99%+ of computers within 4 days (operating system, email, browser)
• Policy and process are documented (including validation/enforcement of results)
• See the “Isolate (or retire) computers…” recommendation for handling exceptions
• Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
Rationale
Critical vulnerabilities allow code execution without user interaction and can:
• Enable self-propagating malware (e.g. worms)
• Facilitate rapid entry of any attack (such as browsing to a web page or opening email)
Operating system services (or daemons) are the ideal mechanism for rapid destruction attacks, as they are always running and many accept inbound network traffic. Email and web browsers are the most popular entry vectors for most attacks. For Microsoft products, Windows Update provides a rapid deployment capability.
Note: Some guidance (ASD Top 4 | Essential 8) recommends applying within 48 hours
Expected Organizational Impact
IT Impact – IT processes and priorities may need to change to meet this objective
User Experience Impact – Reboot of workstations or servers can cause temporary application or workstation downtime for users
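The "99%+ within 4 days" objective only means something if it is measured. The following is an added example (not part of the deck, and not a Microsoft tool) that measures it for one critical update across a list of Windows hosts using only built-in cmdlets. The host list and KB number are placeholders to replace; Get-HotFix reads Win32_QuickFixEngineering over RPC, so it needs local administrator rights on each target and the Remote Administration firewall exception, and for monthly rollups you pass the KB of the cumulative update, which is what QFE records.

```powershell
<#
Added example: report coverage of one critical update against the 4-day /
99% target from the recommendation above. Hosts and KB below are placeholders.
#>
function Get-CriticalUpdateCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $KB,            # e.g. 'KB4012212' (placeholder)
        [Parameter(Mandatory)] [datetime] $ReleaseDate,   # vendor release date of the update
        [int]    $SlaDays        = 4,                     # deck target: 4 days
        [double] $TargetCoverage = 0.99                   # deck target: 99%+
    )

    $patched     = [System.Collections.Generic.List[string]]::new()
    $missing     = [System.Collections.Generic.List[string]]::new()
    $unreachable = [System.Collections.Generic.List[string]]::new()

    foreach ($computer in $ComputerName) {
        try {
            # Pull the whole QFE list and filter locally: Get-HotFix -Id throws
            # when the KB is absent, which would conflate "missing" with "unreachable".
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                         Where-Object { $_.HotFixID -eq $KB }
            if ($installed) { $patched.Add($computer) } else { $missing.Add($computer) }
        } catch {
            # RPC/DCOM failure (host off, firewall, no rights). An unreachable host
            # cannot be proven patched, so it stays in the denominator rather than
            # being silently dropped and inflating the coverage number.
            $unreachable.Add($computer)
        }
    }

    $total    = $ComputerName.Count
    $coverage = if ($total -gt 0) { $patched.Count / $total } else { 0 }
    $deadline = $ReleaseDate.AddDays($SlaDays)
    $now      = Get-Date

    [pscustomobject]@{
        KB              = $KB
        Deadline        = $deadline
        DaysRemaining   = [math]::Round(($deadline - $now).TotalDays, 1)   # negative = past due
        Total           = $total
        Patched         = $patched.Count
        CoveragePercent = [math]::Round($coverage * 100, 1)
        MeetsTarget     = ($coverage -ge $TargetCoverage)
        SlaBreached     = ($now -gt $deadline) -and ($coverage -lt $TargetCoverage)
        Missing         = $missing.ToArray()      # feed these to the "isolate or retire" process
        Unreachable     = $unreachable.ToArray()
    }
}

# Placeholder fleet and KB; in practice feed the list from AD (Get-ADComputer) or your CMDB
# and use the KB that delivers the update for each OS version you run.
$fleet  = @('WS-001', 'WS-002', 'SRV-001')
$report = Get-CriticalUpdateCompliance -ComputerName $fleet -KB 'KB4012212' -ReleaseDate '2017-03-14'
$report | Format-List
```

Run it daily from release day onward and keep the output: the Missing and Unreachable lists are the exception queue that the next recommendation (isolate or retire) has to work through, and the SlaBreached flag is what escalates when day 4 passes.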
Isolate (or retire) computers that cannot be updated and patched – Reduce opportunities for attackers to target legacy systems
Quick win: 0 to 30 days – CRITICAL
Description
For systems that cannot apply critical OS security updates within 4 days, apply alternate mitigations:
• Upgrade any unsupported operating system to a current version
• Retire unsupported systems
• Fully isolate systems from the Internet and intranet / general-purpose networks
Rationale
Microsoft recognizes updating some operating systems is difficult because:
• An unsupported operating system is required (for regulatory/support/etc. reasons)
• Reboots associated with updates incur costs from interrupting business operations
While these may be valid reasons for not updating, connected vulnerable systems create a major risk to the organization, as illustrated by two Petya cases:
Case 1 – Significant business impact (halted business operations) because business-critical ICS/SCADA systems were infected from the corporate intranet.
Case 2 – ICS/SCADA business operations continued because legacy systems were completely isolated on a separate, inaccessible network.
Rapidly deploy all critical security updates – Protect against attacks using known vulnerabilities
Next Quarter + Beyond – 4 days
Description
All applicable critical updates are applied to 99%+ of computers in 4 days or less.
• Policy and process are documented (including validation/enforcement of results)
• Systems with unsupported / end-of-life software products should be upgraded, isolated, or retired
• Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
• While full deployment can take longer, create a plan of actions and milestones (POAM) within 90 days
Rationale
Critical vulnerabilities allow code execution without user interaction and can:
• Facilitate rapid entry of any attack
• Enable self-propagating malware (e.g. worms) if the application has a listening service/daemon
Note: Some guidance (ASD Top 4 | Essential 8) recommends applying within 48 hours
Expected Organizational Impact
IT Impact – IT processes and priorities may need to change to meet this objective
User Experience Impact – Reboot of workstations or servers can cause temporary application or workstation downtime for users
Stay current – Protect against modern threats
Next Quarter + Beyond
Description
• Adopt cloud services for workloads when available
• Use the latest operating system and applications to protect against modern threats
  • Windows 10 for Windows workstations
  • Windows Server 2016 for Windows servers
  • Latest revisions of Linux, Mac OS X, and router/switch/mobile device operating systems
• Ensure any new security features are enabled as available (e.g. Exploit Guard, Credential Guard, etc.)
• While full deployment can take longer, create a plan of actions and milestones (POAM) within 90 days
Rationale
• Cloud services have been largely unaffected by rapid destruction attacks
• Technology providers like Microsoft constantly invest in security to keep up with threats
• Effectively mitigating some attacks requires new approaches that are impractical to retrofit into older systems (such as TPM hardware-based security assurances and exploit mitigations)
• New capabilities frequently enable digital transformation initiatives that are top priority for CEOs at most organizations
Expected Organizational Impact
User Impact – User education
IT Impact – Deploying a new operating system and updating applications can have a significant impact on an organization, from deploying and upgrading to training
Part 2 – Business Continuity/Disaster Recovery
Create destruction-resistant backups – Ensure backups are difficult to encrypt/delete
Quick win: 0 to 30 days
Description
Protect critical systems against the effects of erasure/encryption
• Automatically back up all critical data, critical systems, and dependencies
• Protect critical backups against online deletion/encryption attacks (via multi-factor authentication, or by storing the backups fully offline/off-site)
Rationale
Rapid destruction attacks typically take down all on-premises servers, including those supporting backup and deployment capabilities, slowing recovery of critical business systems. Recovering quickly requires that backups exist and are not deleted/encrypted by the attack.
Expected Organizational Impact
Impact on IT – Level of impact will vary based on existing backup practices and may require changes to processes and/or backup technology
Validate backups using standard restore procedures and tools – Be ready to recover quickly
30 days +
Description
Validate your end-to-end recovery process
• Include a “complete IT system down” scenario in Business Continuity / Disaster Recovery (BC/DR) exercises to build readiness for rapid destruction attacks
• Assume all on-premises services will be unavailable (including communications, identity systems, and fileservers/SharePoint where BC/DR procedures may be stored)
• Regularly validate critical system backup files using standard restore procedures
• Evaluate the use of cloud backup/recovery capabilities like Azure Site Recovery
Rationale
Petya exposed major challenges with recovery processes at most affected enterprises:
• Exercising restore procedures and tooling would avoid these by proactively exposing challenges before a real event
• Cloud services were largely unaffected by rapid destruction attacks
Note: This preparation also improves your resilience to ransomware attacks and natural disasters
Expected Organizational Impact
IT Impact – Minor impact for staff to perform backup validation and disaster recovery exercises. Recovery processes may need refinement and continued practice
Part 3 – Lateral Traversal / Securing Privileged Access
Implement unique local administrator passwords on all systems – Reduce opportunities for attackers to move laterally in your network
Quick win: 0 to 30 days
Description
Ensure the local administrator account password on each system is unique:
• Unique random password for the Administrator account on each workstation
• Unique random password for the Administrator account on each server
• No other local administrator accounts should be active, enabled, or used
Key Resources: LAPS | Securing Privileged Access Roadmap
Rationale
• Attackers regularly exploit the presence of identical passwords on the local administrator account (across workstations and/or servers)
• While Petya required a local (or domain) account to be logged in and impersonated its credentials, the next attack will likely be able to use local accounts directly
• Targeted attacks regularly involve stealing and re-using local credentials
• The attack technique is automated in multiple tools (DeathStar | GoFetch)
Expected Organizational Impact
User Impact – None
IT Impact – Deploy and configure the solution, update IT support processes/practices
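LAPS rotates the built-in Administrator password; what it does not do is tell you whether a machine still has other enabled local administrators, or whether rotation is actually happening there. The following is an added example (not part of the deck, and not LAPS code) that checks one machine against the three conditions in the description above and can disable the extra local admin accounts. It must run elevated; the 30-day threshold mirrors the default LAPS rotation interval and is this example's assumption. Wrap it in Invoke-Command to run it across a fleet.

```powershell
<#
Added example: verify the "unique local administrator" recommendation on one
host. Assumes LAPS (or equivalent) rotates the RID-500 account and a 30-day
maximum password age. Run elevated.
#>
function Test-LocalAdminHygiene {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]    $MaxPasswordAgeDays = 30,
        [switch] $DisableExtraLocalAdmins
    )

    # Identify the built-in Administrator by RID 500, not by name: the account is
    # frequently renamed, and both LAPS and attacker tooling key on the RID.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

    # Members of the local Administrators group, addressed by well-known SID so the
    # check works on localized Windows builds.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544'

    # Extra *local* user accounts in Administrators. Domain users and groups are a
    # separate concern covered by the privileged-access recommendation.
    $extraLocal = @($admins |
        Where-Object { $_.ObjectClass -eq 'User' -and
                       $_.PrincipalSource -eq 'Local' -and
                       $_.SID.Value -notmatch '-500$' } |
        ForEach-Object { Get-LocalUser -SID $_.SID })

    $enabledExtra = @($extraLocal | Where-Object { $_.Enabled })

    if ($DisableExtraLocalAdmins) {
        foreach ($u in $enabledExtra) {
            if ($PSCmdlet.ShouldProcess($u.Name, 'Disable extra local administrator')) {
                Disable-LocalUser -SID $u.SID
            }
        }
    }

    # PasswordLastSet is the observable side effect of a LAPS rotation; an old
    # value means the host is not being rotated even if LAPS is "installed".
    $pwAge = if ($builtin.PasswordLastSet) {
        (New-TimeSpan -Start $builtin.PasswordLastSet -End (Get-Date)).Days
    } else { $null }
    $rotated = ($null -ne $pwAge) -and ($pwAge -le $MaxPasswordAgeDays)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        BuiltinAdminName        = $builtin.Name
        BuiltinAdminEnabled     = $builtin.Enabled
        PasswordAgeDays         = $pwAge
        PasswordRotatedRecently = $rotated
        ExtraLocalAdmins        = @($extraLocal | ForEach-Object Name)
        EnabledExtraLocalAdmins = @($enabledExtra | ForEach-Object Name)
        Compliant               = $rotated -and ($enabledExtra.Count -eq 0)
    }
}

# Report only; add -DisableExtraLocalAdmins (with -WhatIf first) to remediate.
Test-LocalAdminHygiene | Format-List
```

Disabling rather than deleting the extra accounts keeps their SIDs and profiles intact, so a mistaken hit is reversible with Enable-LocalUser while the account is still unusable for the identical-password lateral movement the rationale describes.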
Separate and protect privileged accounts – Keep privileged credentials out of reach of standard users/workstations
Quick win: 0 to 30 days
Description
Separate and protect privileged credentials from exposure to impersonation, theft and re-use
• Create separate accounts for privileged activities that are restricted from using e-mail and browsing the Internet
• Ensure privileged accounts are used only on trusted workstations (such as PAWs)
• Enforce multi-factor authentication on privileged accounts
Rationale
• Impersonation and credential theft of privileged accounts frequently leads to rapid organization compromise (and has been automated: DeathStar | GoFetch)
• Separating privileged accounts and workstations dramatically increases the cost of this attack:
  • Standard user tasks expose accounts and workstations to compromise through phishing attacks, drive-by download attacks, and many other Internet-based attacks
  • Purpose-built workstations are simpler to protect and discourage overuse of privileges
• These mitigations also protect against the most prevalent technique in targeted attacks
Expected Organizational Impact
User Impact – Privileged users’ practices must be adjusted to separate accounts and workstations
IT Impact – The organization needs to deploy and maintain the new set of workstations
Attack Surface Reduction
Disable unneeded legacy protocols – Reduce unneeded attack surface for automated propagation
Next Quarter + Beyond
Description
Disable legacy protocols that create unneeded attack surface:
• Server Message Block v1 (SMBv1)
• LanMan (LM) and NTLMv1 authentication
Rationale
Successful worms require vulnerabilities in “universally” available components (e.g. running on nearly all computers in nearly all enterprises). Unneeded legacy protocols that are broadly available create significant organizational risk:
• SMBv1 – ~30-year-old protocol that Microsoft is removing from Windows and strongly recommends customers disable/remove (the MS17-010 vulnerability in SMBv1 was used in Petya)
• LanMan and NTLMv1 – Legacy authentication protocols with well-known and significant security weaknesses
Expected Organizational Impact
IT Impact – Inventory environment and dependent devices, application compatibility testing, remediate legacy systems (upgrade/migrate/retire/etc.), and deploy changes
End-users – Varies based on application dependencies, but should be minimal with an effective application testing plan
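The IT impact line above (inventory first, then compatibility testing, then deploy) is the part that usually goes wrong, because SMBv1 gets switched off before anyone knows which printers, NAS boxes or legacy applications still speak it. The following is an added example (not from the deck) for one Windows 10 / Server 2016+ host that audits the current state, turns on SMB1 access auditing so the event log builds that inventory, and only then disables SMBv1 and LM/NTLMv1. The registry values are the documented settings behind the "LAN Manager authentication level" and "Do not store LAN Manager hash value" policies; the compliance thresholds (level 5, NoLMHash 1) are this example's choices. Run elevated on a pilot group first.

```powershell
<#
Added example: audit -> inventory -> disable for SMBv1 and LM/NTLMv1 on one
host. Assumes Windows 10 / Server 2016 or later and local administrator rights.
#>
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LegacyProtocolState {
    $smb     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $lsa     = Get-ItemProperty -Path $LsaKey
    [pscustomobject]@{
        Smb1ServerEnabled    = $smb.EnableSMB1Protocol
        Smb1AuditEnabled     = $smb.AuditSmb1Access
        Smb1FeatureState     = $feature.State              # Enabled / Disabled / $null if not present
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel   # $null = OS default (3: send NTLMv2 only, still accept LM/NTLM as server)
        NoLMHash             = $lsa.NoLMHash               # 1 = LM hash no longer stored
        Compliant            = (-not $smb.EnableSMB1Protocol) -and
                               ($feature.State -ne 'Enabled') -and
                               ($lsa.LmCompatibilityLevel -ge 5) -and
                               ($lsa.NoLMHash -eq 1)
    }
}

function Get-Smb1Clients {
    param([datetime] $Since = (Get-Date).AddDays(-30))
    # With AuditSmb1Access on, each SMB1 connection writes event 3000 to this log
    # and the message carries the client address. This list is what decides
    # whether disabling SMB1 will break something.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $client = if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Time = $_.TimeCreated; Client = $client }
        } | Sort-Object Client -Unique
}

function Disable-LegacyProtocols {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $AuditOnly)

    if ($AuditOnly) {
        # Step 1: observe before you break. Leave this on for a full business cycle.
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        return
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 and LM/NTLMv1')) {
        # Stop accepting SMB1, then remove the component so the client side cannot
        # be re-enabled by a stray registry change. On Windows Server the feature
        # is removed with Remove-WindowsFeature -Name FS-SMB1 instead.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

        # 5 = send NTLMv2 only and refuse LM and NTLMv1 (DCs refuse LM and NTLM).
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
        # Stop storing the LM hash; takes effect at each account's next password change.
        Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
    }
}

# Typical sequence: state, enable auditing, come back later for the inventory, then disable.
Get-LegacyProtocolState
Disable-LegacyProtocols -AuditOnly
Get-Smb1Clients | Format-Table -AutoSize
# Disable-LegacyProtocols -WhatIf   # then without -WhatIf once Get-Smb1Clients is empty
```

In a domain these settings are normally pushed by the security baseline referenced in the deployment tip rather than set per host; the value of the per-host functions is the audit, since a GPO tells you what was intended and Get-LegacyProtocolState tells you what is actually in effect.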
Implement advanced e-mail and browser protections – Protect against e-mail and browser based attacks
Quick win: 0 to 30 days
Description
Email – Implement advanced protections for phishing attacks that include:
• Attachment/URL “sandbox detonation” – Protect against unknown malware and viruses
• Time-of-click protections – Rewrite links to protect against malicious links in e-mail messages at time of click (vs. just at time of send)
Browsing – Implement advanced browser protection solutions that include:
• Website analysis – Identify known malicious sites and suspicious site behavior
• Download file analysis – Evaluate downloaded files to warn if they came from a known malicious site or are new/unknown (not on the list of popular programs)
Rationale
While Petya (and WannaCry [unconfirmed]) did not start with e-mail or browsing, this is an extremely unusual phenomenon for cyber attacks
• Phishing/browsers are overwhelmingly used for almost all other attack patterns, so they are very likely to be included in future attacks
Expected Organizational Impact
User Impact – Minimal negative impact on end-user experience
IT Impact – Deployment and management associated with the solutions
Near-realtime blocking responses from cloud – Protect users and computers against new threats
Quick win: 0 to 30 days
Description
If available in your solutions, ensure your host anti-malware solution and your network defenses such as Intrusion Prevention Systems (IPS) get real-time blocking responses from a cloud service.
Rationale
• Rapid destruction attacks happen too fast for human response; you are reliant on automatic responses like those found in anti-malware solutions and network defense solutions.
• Because every second counts in these attacks, your AV and network defenses should immediately get the latest signatures from the cloud when they detect suspicious behavior
• This feature (or similar) is available from several antivirus vendors (including the MAPS service for Windows Defender AV) but it is not always enabled in production
Expected Organizational Impact
User Impact – Minimal negative impact on end-user experience
IT Impact – Deployment and management associated with the solutions
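"Not always enabled in production" is easy to verify for the Windows Defender AV case named above. The following is an added example (not from the deck) that checks one host for cloud-delivered protection and sets it if missing. The thresholds it enforces (Advanced MAPS reporting, safe-sample submission, High cloud block level, signatures no older than a day) are this example's reading of "near-realtime blocking from the cloud" for this product, not values the deck specifies. Settings delivered by Group Policy or MDM override Set-MpPreference, and tamper protection can refuse changes; in that case fix the policy rather than the host.

```powershell
<#
Added example: verify and enable Windows Defender AV cloud protection (MAPS)
on one host. Thresholds are this example's assumptions. Run elevated.
#>
function Test-DefenderCloudProtection {
    $pref     = Get-MpPreference
    $status   = Get-MpComputerStatus
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($pref.DisableRealtimeMonitoring) { $findings.Add('Real-time protection is disabled') }
    if (-not $status.AMServiceEnabled)   { $findings.Add('Antimalware service is not running') }
    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
    if ($pref.MAPSReporting -ne 2) {
        $findings.Add("MAPSReporting=$($pref.MAPSReporting), expected 2 (Advanced)")
    }
    # SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples, 2 = Never send, 3 = Send all
    if ($pref.SubmitSamplesConsent -notin 1, 3) {
        $findings.Add("SubmitSamplesConsent=$($pref.SubmitSamplesConsent), expected 1 or 3")
    }
    # CloudBlockLevel: 0 = Default, 1 = Moderate, 2 = High, 4 = High+, 6 = Zero tolerance
    if ($pref.CloudBlockLevel -lt 2) {
        $findings.Add("CloudBlockLevel=$($pref.CloudBlockLevel), expected >= 2 (High)")
    }
    if ($status.AntivirusSignatureAge -gt 1) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

function Enable-DefenderCloudProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Enable Defender cloud protection')) {
        Set-MpPreference -DisableRealtimeMonitoring $false
        Set-MpPreference -MAPSReporting Advanced
        Set-MpPreference -SubmitSamplesConsent SendSafeSamples
        Set-MpPreference -CloudBlockLevel High
        # Extend the cloud-check timeout by the maximum (50 s) so a brand-new file
        # is held for a verdict instead of being released on a slow lookup.
        Set-MpPreference -CloudExtendedTimeout 50
        Update-MpSignature
    }
}

$check = Test-DefenderCloudProtection
$check | Format-List
if (-not $check.Compliant) { Enable-DefenderCloudProtection }
```

Running Test-DefenderCloudProtection across the fleet (via Invoke-Command) and charting the Compliant ratio is a better readiness metric than "Defender is installed", since the slide's point is the cloud verdict path, not the presence of the agent.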
Discover and reduce broad permissions on file repositories – Reduce the impact of a user compromise
30 days +
Description
Reduce risk from broad permissions
1. Discover broad write/delete permissions on file shares, SharePoint, and other solutions
• “Broad” is defined as many users having write/delete access to business-critical data
2. Reduce broad permissions (while meeting business collaboration requirements)
3. Configure continuous monitoring and/or ongoing discovery for broad permissions
Rationale
• Destructive attacks spread and encrypt data using compromised accounts/workstations
• Most ransomware encrypts files on all mapped drives, causing significant impact
• Petya attacks propagated using logged-in credentials
• Reducing these broad permissions can reduce the impact of destructive attacks
Expected Organizational Impact
IT Impact – Plan/implement processes (and optionally tools) to discover, reduce, and monitor broad permissions
…
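Step 1 above (discover broad write/delete permissions) can be done against Windows file shares with nothing more than Get-Acl. The following is an added example (not from the deck) that walks a share tree to a configurable depth and reports every Allow ACE that gives a write-capable right to a principal that effectively means "everyone": Everyone, Authenticated Users, BUILTIN\Users, or a domain's Domain Users / Domain Computers group (recognized by RID 513 / 515). The share path is a placeholder; the definition of "broad" and "write-capable" is this example's choice and matches the slide's wording, not a Microsoft tool's.

```powershell
<#
Added example: find broad write/delete ACEs on file repositories. The share
path below is a placeholder; the principal and rights lists are this
example's definition of "broad" and "write-capable".
#>
function Find-BroadWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [int] $Depth = 2          # how many folder levels below each root to inspect
    )

    # Principals that amount to "any user on the domain" on a domain-joined file server.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $broadRidPattern = '-(513|515)$'   # Domain Users, Domain Computers (any domain)

    # Any of these rights lets a compromised user overwrite, encrypt or delete data.
    # Modify and FullControl both include them, so they are caught by the mask.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Inherit-only ACEs can carry unmapped generic rights instead of specific ones.
    $genericWriteMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

    foreach ($root in $Path) {
        $dirs = @(Get-Item -LiteralPath $root -ErrorAction Stop) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }   # no rights to read the ACL: note it, do not treat as clean

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }

                $rights = [int]$ace.FileSystemRights
                if ((($rights -band $writeMask) -eq 0) -and (($rights -band $genericWriteMask) -eq 0)) { continue }

                # Compare by SID, not display name, so localized or renamed groups still match.
                try {
                    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }   # unresolvable (orphaned) SID

                $label = if ($broadSids.ContainsKey($sid)) { $broadSids[$sid] }
                         elseif ($sid -match $broadRidPattern) { "$($ace.IdentityReference) (domain-wide group)" }
                         else { $null }
                if (-not $label) { continue }

                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $label
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # $false = set explicitly here, the place to fix
                }
            }
        }
    }
}

# Placeholder share; run as an account that can read ACLs on the tree.
Find-BroadWriteAccess -Path '\\fileserver\finance' -Depth 2 |
    Sort-Object Path | Format-Table -AutoSize
```

The Inherited column is what makes the output actionable: an explicit (non-inherited) broad ACE near the top of a tree is the single change that fixes everything below it, while step 3 of the recommendation (ongoing discovery) is just this function on a schedule, diffed against the previous run.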