In Part 1 (Initial Access Defence and Checklist) we looked at ways of hardening your attack surface to defend against initial access. When it comes to ransomware there is a range of elements and variables in the kill chain that need to be successful for the outcomes to be achieved by the criminals. Here we are going to move further into the kill chain to look at further defences. Remember you need to have an “Assume Breach” mindset if you are going to be able to defend against ransomware, that being said, there is a hell of a lot of things you can do for 0 to low investment costs that provide a great ROI. Now some of this is going to be repeated guidance from part 1, that’s ok repetition is good (make sure you are covered from multiple perspectives). Ok let us get to it!
Ok so the threat actor has a foothold, the common vectors for this will be via:
- Remote Access Service (RAS) Access
- VPN/Perimeter Remote Code Execution Vulnerability Exploitation
- A reverse shell enabled by payload execution post phishing activities
- Drive by Download and Execution of Malware
- Social Engineering (e.g., Team Viewer etc.)
You can harden your attack surface and you can make is significantly harder and in some cases near impossible to penetrate an environment (see part1) but for now let us be realistic, something can always get through so let us prepare for that!
Common Kill Chain Activity
Ok if we have a reverse shell what do we do?
The threat actors will likely
- Enumerate the node we are on.
- Enumerate the network.
- Attempt to escalation privileges
- Disable Defences
- Attempt to establish persistence (ideally multiple ways)
- Attempt to spread to other systems (move laterally)
Userland vs Administrator Access
Now there is a key part here, in breaches the paths are not too different, but the starting point MUST be considered. If the threat actor has a remote control (shell) to a device and has administrator access at the outset, then you are giving them a leg up (do not do this).
We cannot forget the network
Now I am not going to go into egress hardening in this blog but start to think about it at least, do you really need all devices being able to talk on all ports to anything on the internet? Probably not.
- Look at deploying protective DNS
- Look at limiting egress traffic on ACLS
- Even if you limit egress to TCP 80 and 443 you will be making the attackers life harder (it will not stop them, but it should keep you running whilst making them jump through more hoops)
- Leverage web content filtering and proxy services
Hardening Step 1 – Remove administrator access
The first step to hardening an environment is to remove administrator access to PC devices, now there are a load of ways of achieving this, that can be as simple as a PowerShell script through to complex IAM/PAM solutions. I am going to assume you are running a Windows Active Directory Domain Environment for this (as it’s the most common deployment architecture for businesses).
Microsoft provide a cool solution called LAPS:
Initial Checklist – Hardening Access Privileges
- Remove end user administrator access
- If possible, deploy a solution such as LAPS
- Review privileges such as Debug rights
- Leverage sandboxing (virtualisation) to enable high privilege role requirements such as Software Development.
- Remove domain admins from the local\Administrator group
- ideally have this as only using LAPS or at least segment the access
- Deploy privileged access workstations (PAWS)
- Ensure you have up to date and well configured antimalware services
- Ideally have EDR, logging and other system hardening deployed
- Deploy application allow lists
- Monitor the devices for unusual activity (see EDR)
Hardening Step 2 – Privilege Escalation Defence
- Patch your systems, OS, applications, and firmware
- If possible, disable risky file extensions such as:
- Disable Macros (or disable macros from untrusted locations)
- Deploy hardening baselines e.g. https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393
- Enable Windows Defender Attack Surface Reduction rules (ASR) you can do this via Group Policy
- Use allows lists e.g., AppLocker
- Restrict user systems and data access to only that required
Common Protocols for Lateral Movement
Ok this part is going to be interesting because we are going to look at the common protocols used for lateral movement, these are:
- Server Message Block (SMB/CIFS)
- Remote Procedure Call (RPC)
- Windows Remote Management (WINRM) via PowerShell
- Remote Desktop Protocol (RDP)
- Windows Management Instrumentation (WMI) (via SMB/RPC)
- Out of brand management e.g.
- Intel vPro
Now we have covered the major areas used for lateral movement (but that list is not everything, but we are going for broad coverage here).
Hardening Step 3 – Reducing Lateral Movement Potential
Now each of these topics is a blog or book in their own rights so let us look at this from a broad point of view:
- Limit windows remote management to a single admin machine or admin subnet (or group of admin machines)
- Consider disabling Remote Desktop (RDP) on PC devices
- Review server administration management options and look to limit access to PAWS
- Ensure you have local account lockouts enabled and ensure strong credentials are deployed
Network based vs host-based controls
Now reconfiguring and segmenting the network is a great idea, but it takes a lot of time and involves significant change in some instances. So, one way to improve your attack surface is to use a host-based firewall.
In most organisations the finance PC does not need to be able to SMB or RDP to the marketing PC and vice versa. The same goes with RDP, WMI, WINRM, SMB etc. So think about your network, if you can remote management control everything from everywhere, so can the criminals and they love this – so make them unhappy.
This blog post is quite high level, this part of the defence against ransomware process is quite involved. You can for 0 capex deploy controls into an environment using group policies to significantly make your environment stronger and more resilient against ransomware kill chains.
In this post we have talked about:
- Reducing the attack surface
- Hardening the configurations
- Reducing the ability for threat actors to gain higher privileges on PC/Server devices
- Limiting the ability for lateral movement
We need to quickly mention Active Directory, this is a huge subject but there is some common things that are abused by threat actors here as well, we’ll cover them in our next post! Be safe, be secure!