The role of cybersecurity hygiene in a ransomware incident
Picture this: You arrive at work one morning only to find that your computer system has been locked, and a message on the screen demands a hefty ransom payment in exchange for access. What do you do?
Unfortunately, this scenario is becoming increasingly common as ransomware attacks continue to grow. The threat of a ransomware attack is so severe that even the most robust cybersecurity defenses can be rendered useless.
However, there is one critical line of defense that can significantly reduce the risk of a ransomware attack: good cybersecurity hygiene. First, let’s take a look at what ransomware is and the damage it can do to your business.
Ransomware: Understanding the threat better
Ransomware is pretty much what the name indicates — a cyberthreat that demands a payment (ransom) in exchange for access to valuable confidential information that was yours to begin with. But how can an entire business fall victim to this type of threat?
First, the attacker must gain access to an organization’s systems in order to deploy a ransomware payload. These attacks most commonly originate as phishing attacks, where a user opens a malicious e-mail or an attachment that executes malicious code or malware.
A common attack sequence is for an opened phishing e-mail to install a keylogger or remote monitoring malware onto the user’s system. The malware then captures credentials and other information over time.
These compromised credentials are used to move laterally to other systems, resulting in additional compromised accounts. This is done until the attacker successfully obtains credentials with sufficiently elevated privileges that can be used to accomplish their goal of deploying ransomware as widely as possible.
Prevention is always better than cure, and the same holds true in cybersecurity where organizations have been known to cough up large sums of money to recover from a ransomware attack. This is where cyber hygiene steps in.
Figure 1 – From the 2022 Verizon DBIR
Going beyond maintenance and upgrades
Cyber hygiene refers to practices and steps taken to maintain system health and improve online security. These practices are often part of a routine to ensure the safety of a user’s identity and other details that could be misused, stolen or corrupted. Cyber hygiene also includes vulnerability management, patch management practices and proper diligence to the application of security policies.
Cyber hygiene: Real-world examples
We can learn a lot about the importance of cyber hygiene and its ability to fight ransomware from real-world attacks. Often, what differentiates ransomware incidents are the impacted entry points. Here are two real examples of ransomware attacks and two very different recoveries.
In this incident, a user opened an attachment in a phishing e-mail, resulting in a keylogger being installed. A user logged into the compromised system with domain administrative privileged credentials and the attacker hit the jackpot! The attacker immediately had credentials that provided access throughout the environment. This provided easy access to the systems necessary to acquire additional privileged credentials and gain enough access to do significant damage. The attacker then quickly moved laterally throughout the network, discovering an impressive number of details about the environment, enabling them to deploy ransomware broadly throughout the environment before launching the attack. In addition to deploying the ransomware, the attacker had obtained the necessary credentials to destroy storage and online backup volumes, making the recovery effort even more difficult. The full recovery efforts from this ransomware attack took weeks.
What a save!
In a different incident, an unprotected Remote Desktop Protocol (RDP) was exposed to the internet. A known vulnerability was exploited and used to capture the credentials of a remote user of the service. These credentials were used to move laterally throughout the environment and eventually gain access to the domain administrative and other privileged accounts. This organization was lucky in that the damage was limited to a single database that they were able to restore from a recent backup.
Your cyber hygiene checklist 101
Is ransomware preventable? Not completely.
A non-zero percentage of the user population will click on that phishing e-mail or fall victim to a social engineering attack. This is going to happen.
Rather, businesses should aim to minimize the risk and potential impact when it does happen. The goal should be to make it as difficult as possible for the attacker to accomplish their objectives. The harder they have to work and the longer it takes, the more likely it is that their actions will be detected and addressed before any damage occurs.
What are the most important steps to take? Here are a few critical cyber hygiene steps to check for:
Enable multi-factor authentication
All MFA methods are not created equal. While MFA should be enabled for all privileged access, a mandatory MFA for ALL access credentials is highly recommended. Phishing-resistant MFA methods, including biometrics and physical FIDO2 tokens are also highly recommended.
The authentication can even be passwordless as long as a sufficiently strong and phishing-resistant authentication method is used. Phishing-resistant MFA would have prevented the lateral movement in both of the incidents mentioned above. Obtaining a username and password will not allow the attacker to authenticate if an additional phishing-resistant factor is also required.
Implement identity and access hygiene
Every enabled account and every assigned permission is a potential attack vector that can be exploited. Applying the principle of least privilege will help minimize this potential attack surface. Essentially, this means:
- Any account that is no longer required should be disabled or removed.
- Any access that is no longer required should be removed.
- Apply good security policies around identity and access, paying particular attention to service accounts/non-human accounts. For example, each application should have its own unique service account and you should not allow interactive login to these application-specific service accounts.
In the second incident referenced above, a cleanup of the domain admins group for the primary active directory domain reduced the size of the group from 35 pages down to two.
Monitor and verify configurations
Implementing and regularly reviewing effective monitoring configurations is a crucial aspect of cybersecurity hygiene, helping detect vulnerabilities and prevent potential security breaches.
For example, it is critical to ensure that every new server deployed has the appropriate security tooling applied, monitoring tools applied, and is configured to send logs to the MDR system. These configurations should also be verified and tested periodically.
In the first incident mentioned above, one of the reasons that the attacker’s activity was not detected prior to the attack was that critical systems were not sending logs to the MDR system due to configuration errors.
Avoid exceptions to policy
Security controls should be implemented in a way that minimizes friction on the business while providing the necessary level of security. If the controls introduce too much friction, users will find ways around the controls, or they will apply for (and be granted) business exceptions. This will result in gaps that an attacker can find. Consider a wall around a castle that has multiple gaps in it. The wall would not be very effective in that case, would it?
In the first incident, the user who opened the phishing e-mail had been granted an exception and was allowed to use domain admin privileges without requiring any MFA or using a privileged access management tool. The policies and tools to prevent the attack (or at least slow it down) existed, but due to exceptions they were not followed through, rendering them useless.
In summary, ransomware is a growing problem, and as long as the human factor is involved, it will not be possible to completely prevent an attacker from gaining access. If you practice good hygiene and apply basic security controls with proper diligence, you can eliminate the most common and simplest attack vectors, making the attacker’s job much more difficult. Ideally, this will provide you with more time to detect and remediate the attack prior to any damage. In the best case, it simply thwarts the attacker’s plans and forces them to look elsewhere for an easier target.
About the author
Global IAM Practice Lead, Atos
Allen joined Atos in 2016. He currently leads the strategy and portfolio for IAM services globally. He advises Atos customers on IAM strategy and roadmap, as well as leads the IAM domain of the global Atos Expert Community that drives innovation for the company. Previously, Allen was a global Practice Director for IAM solutions at Commercium Technology (CTI) and held similar positions at Unisys and Siemens. Allen is on the Executive Board for the Identity Defined Security Alliance and has held positions previously in industry organizations such as the Smart Card Alliance. Allen holds a BS in Computer Science from Louisiana State University with minors in Mathematics and French.