Monday, February 26, 2018

How to mitigate rapid cyberattacks such as Petya and WannaCrypt

In the first blog post of this 3-part series, we introduced what rapid cyberattacks are and illustrated how rapid cyberattacks are different in terms of execution and outcome. In the second blog post, we provided some details on Petya and how it worked. In this final blog post, we will share:

  • Microsofts roadmap of recommendations to mitigate rapid cyberattacks.
  • Outside-in perspectives on rapid cyberattacks and mitigation methods based on a survey of global organizations.

Because of how critical security hygiene issues have become and how challenging it is for organizations to follow the guidance and the multiple recommended practices, Microsoft is taking a fresh approach to solving them. Microsoft is working actively with NIST, the Center for Internet Security (CIS), DHS NCCIC (formerly US-CERT), industry partners, and the cybersecurity community to jointly develop and publish practical guides on critical hygiene and to implement reference solutions starting with these recommendations on rapid cyberattacks as related to patch management.

Roadmap of prescriptive recommendations for mitigating rapid cyberattacks

We group our mitigation recommendations into four categories based on the effect they have on mitigating risk:

EXPLOIT MITIGATION
Mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment

BUSINESS CONTINUITY / DISASTER RECOVERY (BC/DR)
Rapidly resume business operations after a destructive attack

LATERAL TRAVERSAL / SECURING PRIVILEGED ACCESS
Mitigate ability to traverse (spread) using impersonation and credential theft attacks

ATTACK SURFACE REDUCTION
Reduce critical risk factors across all attack stages (prepare, enter, traverse, execute)

Figure 1: Key components of mitigation strategy for rapid cyberattacks

We recognize every organization has unique challenges and investments in cybersecurity (people and technology) and cannot possibly make every single recommendation a top nor immediate priority. Accordingly, we have broken down the primary (default) recommendations for mitigating rapid cyberattacks into three buckets:

  1. Quick wins: what we recommend organizations accomplish in the first 30 days
  2. Less than 90 days: what we recommend organizations accomplish in the medium term
  3. Next quarter and beyond: what we recommend organizations accomplish in the longer term

The following list is our primary recommendations on how to mitigate these attacks.

Figure 2: Microsofts primary recommendations for mitigating rapid cyberattacks

This list has been carefully prioritized based on Microsofts direct experience investigating (and helping organizations recover from) these attacks as well as collaboration with numerous industry experts. This is a default set of recommendations and should be tailored to each enterprise based on defenses already in place. You can read more about the details of each recommendation in the slide text and notes of the published slide deck.

In prioritizing the quick wins for the first 30 days, the primary considerations we used are:

  1. Whether the measure directly mitigates a key attack component.
  2. Whether most enterprises could rapidly implement the mitigation (configure, enable, deploy) without significant impact on existing user experiences and business processes.

Figure 3: Mapping each recommendation into the mitigation strategy components

In addition to the primary recommendations, Microsoft has an additional set of recommendations that could provide significant benefits depending on circumstances of the organization:

  1. Ensure outsourcing contracts and SLAs are compatible with rapid security response
  2. Move critical workloads to SaaS and PaaS as you are able
  3. Validate existing network controls (internet ingress, internal Lab/ICS/SCADA isolation)
  4. Enable UEFI Secure Boot
  5. Complete SPA roadmap Phase 2
  6. Protect backup and deployment systems from rapid destruction
  7. Restrict inbound peer traffic on all workstations
  8. Use application whitelisting
  9. Remove local administrator privileges from end-users
  10. Implement modern threat detection and automated response solutions
  11. Disable unneeded protocols
  12. Replace insecure protocols with secure equivalents (TelnetSSH, HTTP HTTPS, etc.)

There are specific reasons why these 12 recommendations, although helpful for certain organizations/circumstances, were excluded from the list of primary recommendations. You can read about those reasons in the slide notes of the published slide deckif interested.

Outside-in perspectives on rapid cyberattacks and mitigation methods

In late November 2017 Microsoft hosted a webinar on this topic and solicited feedback from the attendees which comprised of 845 IT professionals from small organizations to large global enterprises. Here are a few interesting insights from the poll questions.

Rapid cyberattack experience

When asked if they had experienced a rapid cyberattack (e.g. WannaCrypt, Petya or other), ~38% stated they did.

Awareness of SPA roadmap

When asked if theyre aware of Microsofts Securing Privileged Access (SPA) roadmap, most, 66%, stated that they were not.

Patching systems

When we asked within how many days (<7 or 30 or 90) they can patch various systems, it seems most respondents believed their team is good at patching quickly:

  • 83% can patch workstations within 30 days; 44% within 7 days
  • 81% can patch servers within 30 days; 51% within 7 days
  • 54% can patch Linux/Other devices within 30 days; 25% within 7 days

Removal of SMBv1

When asked where they are on the path towards removing SMBv1, 26% said they have completed removing it, another 21% said they are in progress or in the process of doing so, and ~18% more are planning to do so.

Adopting roadmap recommendations

When asked what is blocking them from adopting Microsofts roadmap recommendations for securing against rapid cyberattacks, the top three reasons respondents shared are:

  1. Lack of time
  2. Lack of resources
  3. Lack of support from upper management/executive buy-in

To help organizations overcome these challenges, Microsoft can be engaged to:

  • Assist with implementing the mitigations described in SPA Roadmap and Rapid Cyberattack Guidance.
  • Investigate an active incident with enterprise-wide malware hunting, analysis, and reverse engineering techniques. This includes providing tailored cyberthreat intelligence and strategic guidance to harden the environment against advanced and persistent attacks. Microsoft can provide onsite teams and remote support to help you investigate suspicious events, detect malicious attacks, and respond to security breaches.
  • Proactively hunt for persistent adversaries in your environment using similar methods as an active incident response (above).
    Contact your Microsoft Technical Account Manager (TAM) or Account Executive to learn more about how to engage Microsoft for incident response.

Contact your Microsoft Technical Account Manager (TAM) or Account Executive to learn more about how to engage Microsoft for incident response.

More information

We hope you found the 3-part blog series on the topic of rapid cyberattacks and some recommendations on how to mitigate them useful.

For more information and resources on rapid cyber attacks, please visit the additional links here:

On-demand webinar Protect Against Rapid Cyberattacks (Petya, WannaCrypt, and similar).

Additional resources

Tips to mitigate known rapid cyberattacks with Windows 10 (and Windows Defender Advanced Threat Protection):

Mitigate backup destruction by ransomware with Azure Backup security features

Detect leaked credentials in Azure Active Directory

Rapidly detect polymorphic and emerging threats and enable advanced protection with Windows Defender Antivirus cloud protection service (formerly Microsoft Active Protection Service (MAPS))

Apply network protection with Windows Defender Exploit Guard

Safeguard integrity of privileged accounts that administer and manage IT systems by considering Securing Privileged Access (SPA) roadmap

Mitigate risk of lateral escalation and Pass-the-Hash (PtH) credential replay attack with Local Admin Password Solution (LAPS)

Mitigate exploitation of SMBv1 vulnerability via Petya or other rapid cyberattack by following guidance on disabling SMBv1

 



from Jenny Erie

No comments:

Post a Comment