The 10 most common IT security mistakes


Encrypted files and a text file containing a ransom note are the unmistakable sign that a company has fallen victim to a cyberattack. But encryption is only the last step of a much longer attack chain. The perpetrators have usually been moving around the network unhindered and unnoticed for weeks or months beforehand. IT forensic analyses repeatedly show that many of these attacks could have been interrupted well before the encryption stage with basic, simple security measures. The following ten problems are what make such attacks easy for threat actors.

1. Unpatched security vulnerabilities

The problem: In recent years there has been a steady stream of security vulnerabilities in applications and operating systems that cybercriminals have exploited directly, and companies running systems from Fortinet, Citrix, or Microsoft in particular can tell you a thing or two about this. Many companies do not patch even critical vulnerabilities promptly. So-called zero-day vulnerabilities are particularly risky: they are unknown to the manufacturer at the time they are exploited, so no patch exists yet. However, a vulnerable system is not automatically a compromised one. The attacker still has to exploit the vulnerability and then move further, and both of these steps can be detected.

The solution: Close monitoring that detects anomalies early is the right approach for containing the more serious malicious activity that follows an exploit. In addition, those responsible should establish a patch process and set up proper asset management. This gives them an overview of their system landscape and the patch status of each system. Systems that cannot be patched or are out of support should be operated in isolation. Hospitals, for example, run many medical devices that are based on outdated operating systems for technical or certification reasons. These devices must not be allowed to communicate with the rest of the network and certainly must not be reachable from the internet.

2. Weak passwords as an entry point

The problem: Weak passwords repeatedly make it easy for cybercriminals to gain access to a company network. A six-character domain administrator password or a two-character local administrator password is no obstacle for perpetrators. It is abundantly clear that this issue is neglected in practice, even though the requirements for secure passwords have been widely known for a long time.

The solution: Strict password policies are needed to make it harder for threat actors to gain access. The BSI (Germany's Federal Office for Information Security) publishes guidance on secure passwords. All access points that are reachable from the internet should additionally be secured with multi-factor authentication, VPN access in particular. As the number of users grows, so does the likelihood that at least one of them uses a weak or reused password. Universities and colleges are a good example of user groups that are difficult to control in this respect.

3. Poor account hygiene

The problem: Attacker groups often succeed in obtaining higher access rights in a network with little effort. A popular approach is to use a compromised local administrator account to read cached credentials from memory, because credential material is cached on a machine whenever someone logs on to it interactively or as a service. This applies to user and administrator accounts as well as to service accounts. Often the password hash can be used directly, without knowing the actual password, to log on as that person. Experts refer to this as a "pass the hash" attack.

When administrators with domain admin rights log on to an ordinary PC for convenience, as happens all the time, this highly privileged credential is cached locally and can easily fall into the hands of cyber gangs.

The solution: To minimize such risks, account separation is required. Microsoft's tiering model is a good example of this. The idea is to divide systems into levels (tiers) and to use a separate administrator account for each level, with an account never being used on a system of a lower tier. This prevents attackers who compromise a lower level from harvesting credentials that give them access to higher-level systems, so they cannot simply extend their permissions into the sensitive parts of the infrastructure. Microsoft has since folded the tier model into its enterprise access model, but the separation principle is unchanged.
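The tiering rule only protects you if it is actually followed, so it is worth checking logon events for violations. The following is an added example, not code from the article or from Microsoft: it reads a handful of constructed Windows Security 4624 logon events (flattened to key=value pairs), assumes a hypothetical account-to-tier map and a hypothetical host naming convention (DC-, FS-/SRV-, WS-), and flags every logon in which a higher-tier account left reusable credentials on a lower-tier host. Network logons (type 3) are deliberately ignored because they do not cache credentials on the target.

```python
"""Flag credential-exposing logons that break the admin tiering model.

Added example, not code from the article. The tier assignments, host
naming convention and the sample 4624 events are constructed; in practice
account tiers come from AD group membership and events from the SIEM.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Windows logon types after which reusable credential material (NT hash,
# Kerberos tickets) stays in LSASS on the target host: interactive (2),
# batch (4), service (5), RemoteInteractive/RDP (10), cached interactive (11).
# A network logon (3), e.g. SMB to a file share, leaves nothing reusable behind.
CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}

# Constructed: lower number = more privileged tier (0 = domain controllers/AD).
ACCOUNT_TIER = {
    "adm-t0-mueller": 0,   # member of Domain Admins
    "adm-t1-schmidt": 1,   # server administrator
    "jdoe": 2,             # ordinary user
}
HOST_TIER_BY_PREFIX = {"DC-": 0, "FS-": 1, "SRV-": 1, "WS-": 2}

# Constructed sample of Security log events, flattened to key=value pairs.
SAMPLE_EVENTS = """\
EventID=4624 Computer=WS-0173 TargetUserName=jdoe LogonType=2
EventID=4624 Computer=WS-0042 TargetUserName=adm-t0-mueller LogonType=10
EventID=4624 Computer=FS-01 TargetUserName=adm-t0-mueller LogonType=3
EventID=4624 Computer=DC-01 TargetUserName=adm-t0-mueller LogonType=2
EventID=4624 Computer=SRV-07 TargetUserName=adm-t1-schmidt LogonType=2
EventID=4624 Computer=WS-0042 TargetUserName=adm-t1-schmidt LogonType=2
EventID=4672 Computer=WS-0042 TargetUserName=adm-t0-mueller
"""


@dataclass(frozen=True)
class Finding:
    account: str
    account_tier: int
    computer: str
    computer_tier: int
    logon_type: int


def host_tier(computer: str) -> Optional[int]:
    """Map a host name to its tier by prefix; None for unclassified hosts."""
    for prefix, tier in HOST_TIER_BY_PREFIX.items():
        if computer.upper().startswith(prefix):
            return tier
    return None


def parse_event(line: str) -> dict:
    """Turn one flattened 'key=value key=value' event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def find_tier_violations(log_text: str) -> list:
    """Return logons where a higher-tier account left credentials on a lower-tier host."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        logon_type = int(ev.get("LogonType", -1))
        if logon_type not in CACHING_LOGON_TYPES:
            continue
        account = ev["TargetUserName"].lower()
        acct_tier = ACCOUNT_TIER.get(account)
        comp_tier = host_tier(ev["Computer"])
        if acct_tier is None or comp_tier is None:
            continue  # unknown account or host: an asset-management gap, reviewed separately
        if acct_tier < comp_tier:
            findings.append(Finding(account, acct_tier, ev["Computer"], comp_tier, logon_type))
    return findings


if __name__ == "__main__":
    for f in find_tier_violations(SAMPLE_EVENTS):
        print(f"tier-{f.account_tier} account {f.account} logged on (type {f.logon_type}) "
              f"to tier-{f.computer_tier} host {f.computer}")
```

On the sample, the tier-0 account's RDP logon to workstation WS-0042 and the tier-1 account's interactive logon to the same workstation are reported; the same tier-0 account accessing a file share (type 3) and logging on to a domain controller are not. Hosts that cannot be mapped to a tier are skipped rather than reported, which makes the unclassified list a useful by-product for the asset management discussed under point 1.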

4. Network segmentation? Not happening!

The problem: Many companies still run large, flat networks, or they forget that network segmentation only offers a security benefit if the transitions between segments are controlled. Otherwise, those responsible should not be surprised when cybercriminals spread through the entire network quickly.

The solution: Well-designed network segmentation puts up significant barriers that are difficult for threat actors to overcome. Companies should strictly separate server and client networks and permit only the connections that are explicitly necessary. The separation of operational technology (OT) from IT is equally important: production and control systems have no place in a plain office network. Operators of critical infrastructure, such as municipal utilities, must ensure that their OT systems cannot be reached from the office network or the internet at all. Quick wins such as a dedicated management network are also worth implementing. Only administrative accounts are granted access to it, each secured via a VPN with a second factor. This provides a high level of security without interfering with the daily work of ordinary users.

5. Inadequate backups

The problem: Simply having a backup is not enough in the event of data loss. It must also be recoverable. What's more, cybercriminals deliberately search for backups in order to delete or encrypt them as well, which increases the pressure on companies to pay the ransom.

The solution: Backup systems should be disconnected from the production network and from the internet. In practice this means no membership in Active Directory, no access with domain credentials, and placement in a separate, isolated network segment, so that the backups are still usable after a ransomware attack. Time and again, criminal groups abandon their attacks when they cannot find or reach the backup servers, because they lose the leverage they need to enforce their demands. At the same time, the longer they spend searching for the backup, the more time the company has to detect the attack.

A good backup strategy therefore also includes a securely stored offline copy of all information. The "3-2-1 rule" has proven to be best practice for data backups: three copies of the data, stored on at least two different types of media (e.g. hard disk and LTO tape), with one copy kept off-site. In addition, those responsible should regularly test both that the backup jobs work and that the data can actually be restored.

Incidentally, things become difficult when the backups are password-protected but the password is only stored in a password manager that the perpetrators have encrypted. Backup passwords and keys belong in the offline emergency documentation as well.
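The two tests named above, "does the job run" and "can we restore", are different things, and only the second one tells you whether the backup is worth anything. The following is an added example, not code from the article or from any backup product: it backs up a constructed sample directory into a tar.gz archive, records a SHA-256 manifest at backup time, restores the archive into an empty directory and compares every file against the manifest. It also shows how a damaged archive (here simulated by truncation, the kind of defect that only surfaces at restore time) is reported rather than silently accepted, and includes a small inventory check against the 3-2-1 rule plus the offline copy the article insists on. Paths, file contents and the copy inventory are all made up for the demo.

```python
"""Restore test for a backup plus a 3-2-1 coverage check.

Added example, not code from the article. The sample files, the copy
inventory and the archive format (tar.gz) are constructed for illustration;
a real restore test would point at the production backup set.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root (the restore oracle)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(root: Path, archive: Path) -> dict:
    """Write a tar.gz of root and return the manifest taken at backup time."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore into an empty directory and compare with the manifest.

    Returns a list of problems; an empty list means the backup is recoverable.
    """
    restore_dir.mkdir(parents=True, exist_ok=True)
    if any(restore_dir.iterdir()):
        return ["restore directory is not empty; refusing to restore over existing data"]
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # refuses '..' and absolute paths
            except TypeError:  # Python without the filter argument
                tar.extractall(restore_dir)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        return [f"archive unreadable: {type(exc).__name__}: {exc}"]

    restored = build_manifest(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file restored: {rel}")
    return problems


def check_3_2_1(copies: list) -> list:
    """Check a copy inventory against 3-2-1 plus the offline requirement.

    Each copy is a dict with keys medium (str), offsite (bool), offline (bool).
    """
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c["medium"] for c in copies}) < 2:
        problems.append("all copies on the same medium type")
    if not any(c["offsite"] for c in copies):
        problems.append("no off-site copy")
    if not any(c["offline"] for c in copies):
        problems.append("no offline copy: an attacker with domain rights can reach every copy")
    return problems


def run_demo() -> dict:
    """Back up constructed data, restore it, then restore a damaged archive."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "fileserver"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "payroll.csv").write_text("id,amount\n1,4200\n2,3900\n")  # constructed
        (src / "readme.txt").write_text("constructed sample data\n")
        archive = tmp / "fileserver.tar.gz"
        manifest = create_backup(src, archive)
        good = verify_restore(archive, manifest, tmp / "restore_good")
        # Simulate a damaged backup: truncate the archive as a failing disk or tape might.
        damaged = tmp / "fileserver_damaged.tar.gz"
        damaged.write_bytes(archive.read_bytes()[:40])
        bad = verify_restore(damaged, manifest, tmp / "restore_bad")
    weak_inventory = [  # constructed: two disk copies, both online in the same data centre
        {"medium": "disk", "offsite": False, "offline": False},
        {"medium": "disk", "offsite": False, "offline": False},
    ]
    good_inventory = weak_inventory[:1] + [
        {"medium": "tape", "offsite": False, "offline": True},
        {"medium": "tape", "offsite": True, "offline": True},
    ]
    return {"restore_ok": good, "restore_damaged": bad,
            "weak_inventory": check_3_2_1(weak_inventory),
            "good_inventory": check_3_2_1(good_inventory)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result or 'OK'}")
```

The manifest is taken from the source at backup time and must be stored with the backup documentation, not only on the system being backed up; otherwise an attacker who encrypts the server also destroys the only record of what a correct restore looks like, which is the same trap as the password-manager problem above.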

6. Overworked IT staff

The problem: In many companies it is commonplace for "IT" to take care of everything, from user support and installing printer drivers to network administration, maintenance of the server landscape, and IT security. The last of these is usually handled alongside everything else, even though in the worst case it is a regulatory obligation. What remains is a lack of both technical expertise and time for fundamental, strategic tasks, such as designing a sound network infrastructure.

The solution: Experience shows that around five percent of the workforce of a medium-sized company should work in IT. In addition, companies need dedicated IT security staff; otherwise, IT security is neglected in day-to-day business, with fatal consequences. Competitive pay is a key factor in the competition for skilled staff.

7. Poor IT service providers

The problem: Many companies outsource all or part of their IT to compensate for a lack of skilled staff. When it comes to the skills and expertise of the service provider, however, the devil is in the details.

The solution: A good IT service provider can supplement the in-house IT department with specialist expertise that the company lacks. There are a few things to consider when choosing a provider for IT security, however. Important criteria include the service level agreements, in particular the provider's response times, because in an emergency time is the decisive factor. If you have agreed 24/7 monitoring with your provider all year round, for example as part of a Managed Extended Detection and Response (MXDR) service, you must also designate contacts in your own company who are reachable around the clock. It helps no one if the provider reports a security incident at 10 p.m. but nobody is available to respond.

In addition, the entire IT infrastructure should be checked regularly, for example with a penetration test, and such tests should also cover the parts of the infrastructure operated by the service provider. A joint emergency drill reveals a lot about the provider's IT security competence, and it lets you practice and test reporting chains and emergency processes at the same time.

8. Lack of security monitoring

The problem: Most incidents could be detected much earlier and therefore stopped. However, the alerts from the security products in use are overlooked, drown in a flood of irrelevant messages, or are misinterpreted for lack of expertise. As a result, IT forensic analysts repeatedly find very clear warnings that were ignored (deliberately or not) or misread.

The solution: Avoiding this scenario requires dedicated personnel for IT security. If you cannot or do not want to provide this yourself, consider managed security services such as a security operations center (SOC). One aspect is decisive here: the reporting chains. Managed security services are only fully effective if an alert from the provider reliably reaches someone in the company who can act on it.

9. Technical debt – outdated systems as a gateway

The problem: Technical debt is often a consequence of staff shortages as well. Public administrations, unfortunately, are a prime example; we repeatedly find significantly outdated IT infrastructures there. Wrongly set priorities contribute to such situations too.

The solution: Those responsible should not focus exclusively on new systems or security products, but should also work down their technical debt regularly. It is usually the first thing to be neglected when time and resources are scarce, and it is an open invitation to cybercriminals.

10. Panic mode in an emergency

The problem: After discovering a serious cyberattack, many companies panic. Employees and management act frantically but achieve little. Important decisions and work are delayed, which increases the damage. The phenomenon is known, half-jokingly, as "headless chicken mode."

The solution: Experienced experts from an incident response team bring calm and structure. Only then can everyone work together to resolve the incident and get the systems running again. An emergency plan is essential. It must be prepared in advance and be available offline, not sitting inaccessibly on an encrypted server. The plan lays down responsibilities and procedures for the emergency: who makes which decisions, who informs employees, customers, and stakeholders, and who talks to the investigating authorities. Without it, companies lose valuable time arguing about who is responsible for what.

Another point is system prioritization, i.e. deciding in advance which systems are checked and brought back first. Which systems are needed before the infrastructure can run at all? Which systems are business-critical, so that salaries can be paid or production kept running?

Of course, it also helps to have a good incident response service provider on speed dial. Working through the BSI's list of qualified service providers only after the fact takes longer, and you do not always end up with the best-qualified provider. Ideally, those responsible have already established contact with experts and have even concluded an incident response retainer agreement. This gives the company the certainty that its case will be handled immediately.

Protecting against ransomware attacks

No company should rely on the principle of hope. Sooner or later, cybercriminals will find their way into the company network. But if you observe and implement the ten points above, you have many tools at your disposal to detect attack attempts early and initiate countermeasures. Ideally, the measures are so effective that the perpetrator groups abandon the attack early on, or the attack is detected promptly.

Leonard Rapp is security engineer, DFIR at G DATA Advanced Analytics GmbH, and is responsible for incident response, coordination of digital forensics, and coordination of DFIR toolchain development.

This article is published as part of the Foundry Expert Contributor Network.