Ransomware Realities

Everything is much worse now, or is it?

”The world is burning, the world is burning but then if you look around, it always has been…”

Computer systems and security go together much like chalk and cheese! Probably sounds a bit odd but miniaturization, consumerization and mobility have put more technology out in the world than we can really comprehend, yet technology security is still dramatically overlooked by most organizations.

The insane pace of change, the drive for faster, better, cheaper and the reality that it probably isn’t a stretch to say most people (and organizations) do not really understand what ‘secure’ or ‘hardened’ looks like.

More than my opinion

I have been consulting for longer than I want to count, I have worked with all types and sizes of organizations, and I have worked in the channel, in the business consumer space and as a third-party advisor for lots of organizations. I do however also realist I do not know everything, in fact the more I learn and experience the more I know how little I know. I do however have some experience and have some knowledge of the domain to the point people sometimes call me names with fancy titles in them etc. So hopefully when I talk about this subject you realize it is not just some random opinion from some nerd on the internet (though that’s ok as well, opinions diversity of thought is a good thing (mostly)). So, what do I want to show you? Well, I want to show you a summary and abstraction of some recent audits we have run.

In the last month or so I have been conducting an initiative under the CV19 banner that aims to get quantitative data on the state of security from a range of UK organizations. This exercise is far from complete but given recent events I want to share some interim findings, so this is not just my opinion this is based on a sample of 11 organizations across a range of verticals (and different sized organizations).

Audit Method

To run the audits, I wanted to ensure repeatability and ensure consistency so I purchased a Ping Castle Auditor license so that we could audit organizations (free of charge) and have a fast an easy method of getting data. So, everything I am talking about comes from the same software and the same process. It is simple, the organizations take the binary and executes this from a standard active directory user position on the corporate backend, connections are made to active directory and data is gathered and a report is generated.

Findings

Here is the part that is interesting what did we find?

I almost certainly (I did not so I cannot say 100%) could compromise 10 out of 11 domains without using a complicated exploit chain.
10 out of the 11 domains audited had significant active directory vulnerabilities through misconfiguration
11 out of 11 domains did not rotate their KRBTGT passwords
11 out of 11 domains had many domain administrators
10 out of 11 domains had passwords stored in SYSVOL via Group Policy Preferences
10 out of 11 domains had service accounts with SPNs that had domain administrator privileges
I could have probably got to domain admin in 10 out of 11 of the domains without a 0-day exploit.

There are more findings, and I will take the time to write up a more technical post on this later, but I wanted to show something to people who are worried about 0-days and all kinds of complex kill chains, they are not what you need to worry about!

It is not all Doom and Gloom!

This might sound all doom and gloom, but I do not think of it that way. See I have been around a bit, so I tend to try and take a positive yet pragmatic take on this stuff. The sample of this audit is small, but it’s certainly in line with my 20 odd years’ experience in the technology sector.

What I do think is that it is not doom and gloom to be realistic with the challenges we face. I do not stay up at night worrying about ransomware, I do not think we should rain hellfire missiles down onto ‘Ev1l Hax0rz’, I do think we need to do better and that goes across the broad range of countermeasures and actions we as a human race should be taking, not just regarding ransomware but with technology security and privacy. What are these steps? Well that my friends will not fit into a single quick post, so I’ll save my thoughts on that for another time. Do you need to act, sure, do you need to panic? Not from where I am sitting, panic does not achieve the right outcomes and knee jerk reactions are not really known for being great if we look at history and human behavior! Do we need to change some things, absolutely but this is a complex issue and there isn’t a one shot answer!

Remember there’s lots of things you can do to understand your environment, understand your assets, manage your technology and create a much harder time for criminals. I posted about this a while ago: