In my last installment, I outlined guidance for the first three ransomware initial attack vectors detailed in the MS-ISAC #StopRansomware guide. In this paper I will outline the last three initial attacks vectors found in the guide. The fourth vector they deal with is Precursor Malware Infections.

Researchers have found that ransomware infections are usually preceded by reconnaissance malicious code that lays the groundwork for the full ransomware attack to come. In some cases, ransomware deployment is the last step in a network compromise and is dropped to obscure previous post-compromise activities such as business email compromise. These malicious code packages have been dubbed ‘precursor malware.’ For example, malware such as Qakbot, Bumblebee and Emotet have been employed as precursors to ransomware attacks. Identifying and remediating such precursor malware can alert you to the possibility of an imminent ransomware attack, and can help you prevent the full ransomware attack from actually happening. For this attack vector, the guide recommends:

• Ensuring that antivirus and anti-malware software and signatures are automatically updated. In fact, the authoring organizations go one step further and recommend using a centrally managed antivirus solution.
• Using application allowlisting and/or endpoint detection and response (EDR) solutions on all assets to ensure that only authorized software is executable, and all unauthorized software is blocked. Application allowlisting is deeper than traditional application control solutions and works at the file level to screen against unwanted applications. EDR is cybersecurity technology that monitors and responds to threats on endpoints such as mobile phones, laptops and IoT devices that connect to your network. This is recommended for cloud-based resources.
• Implementing IDS systems. These can be used to detect command and control activity and other potentially malicious network activity that occurs prior to ransomware deployment.
• Monitor indicators of activity and block malware file creation with the Windows Sysmon utility. Sysmon has a file block executable option that can used to block the creation of malicious executables, DLL files, and system files that match specific hash values.

The fifth initial attack vectors listed in the #StopRansomware Guide is advanced forms of social engineering. Advanced forms of social engineering attacks include tactics such as search engine optimization (SEO) poisoning, imposter websites (drive-by downloads) and malvertising (malicious advertising). All of these techniques are used to extract information from users or to provide an avenue for attackers to inject malware into the network. To help counter this threat vector, the guide recommends:

• Ensuring that you have a good cybersecurity awareness training program that schools your employees in how to recognize and report advanced social engineering attempts against your network.
• Employing a protective DNS service. A protective DNS service is any security service that analyzes DNS queries to identify and mitigate threats.
• Implementing sandboxed browsers to help thwart malware that can be introduced through web browsing. Sandboxed browsers isolate the host machine from malicious code.

The sixth initial attack vector listed in the #StopRansomware guide is one that is on everyone’s mind since the MOVEit attacks started: third parties and managed service providers. In the modern business world, organizations are employing ever-increasing numbers of third-party software packages and managed service providers to perform all kinds of tasks for them. To be effective, these services need access to internal network information and devices, and become in effect a part of your internal network. This increases the attack surfaces available to ransomware attackers immensely. To help thwart these kinds of attacks, the guide recommends:

• Examining the risk management and cyber hygiene practices employed by managed service providers (MSPs) to ensure they are in line with best practices and your organization’s security requirements. They also recommend that you formalize security requirements in contract language with these providers.
• Ensuring the use of least privilege and separation of duties when setting up access of third parties. They should only be allowed access to those devices and servers that are within their role or responsibilities.
• Creating service control policies (SCPs) for cloud-based resources to prevent users or roles, organization wide, from being able to access specific services or take specific actions within services such as deleting logs or changing configurations outside of their role.

Implementing the recommendations found in the #StopRansomware guide encompasses the best advice available to date for preventing and mitigating ransomware attacks against your organization, and will help you remain competitive in the markets of today.

In this paper, I will outline best practices for preventing and mitigating ransomware attacks as detailed in the #StopRansomware Guide published by the Multi-State Information Sharing & Analysis Center. In this guide, measures for preventing and mitigating ransomware attacks are grouped according to six initial attack vectors employed by cyber-criminals to worm their way into your network. The first of these attack vectors that the guide addresses is Internet-facing vulnerabilities and misconfigurations. Most organizations should be used to addressing vulnerability and configuration management by now. What is changing is the degree to which organizations need to rigorously discover and address vulnerabilities and misconfigurations in a timely manner. For this attack vector, the guide recommends:

• Conducting regular vulnerability scanning to identify vulnerabilities on your networks. This is especially true of external, Internet-facing networks (in fact, we recommend employing continuous vulnerability scanning for these). We also strongly recommend that internal and wireless networks should also receive vulnerability scanning. In addition, we recommend penetration testing of your networks to help identify cascading failures and other subtle security flaws that simple vulnerability testing cannot identify.

• Ensuring that all entities on your networks (operating systems, software/firmware applications and hardware devices) are regularly patched and updated to the latest versions. They also recommend prioritizing patching of internet-facing servers that operate software for processing internet data. Organizations should especially employ CISA’s Known Exploitable Vulnerabilities Catalogue available at their website to ensure they are addressing the most serious vulnerabilities. In addition, the guide recommends that organizations that have trouble keeping up with this process should consider migrating systems to reputable “managed” cloud providers to reduce, not eliminate, system maintenance roles for identity and email systems.
• Ensuring that all devices (on-premises, cloud services, mobile and personal) are properly configured and that security features are enabled. They recommend reducing or eliminating manual deployments and codifying cloud resource configuration through IaC. IaC templates should receive security testing prior to deployment. They further recommend that checking configuration drift routinely to identify resources that were changed or introduced outside of template deployment.
• Limiting the use of RDP and other remote desktop services, and if they must be used, applying best practices security measures to help ensure they are not misused. They also recommend regularly updating VPNs, network infrastructure devices, and devices being used to remote in to work environments with the latest software patches and security configurations. MFA should be used for VPN and all remote access.
• Disabling SMB protocols 1 and 2 and upgrading to version 3 after mitigating existing dependencies (on the part of existing systems or applications) that may break when disabled.

The second initial attack vector listed in the #StopRansomware Guide is compromised credentials. To prevent and mitigate successful attacks from this vector, the guide recommends:

• Implementing phishing-resistant MFA for all services, particularly for email, VPNs, and accounts that access critical systems. They further recommend employing password-less MFA that replaces passwords with two or more verification factors such as fingerprints or facial recognition.
• Considering subscribing to credential monitoring services that monitor the dark web for compromised credentials.
• Implementing identity and access management (IAM) systems.
• Implementing zero trust access control measures.
• Changing all default admin user names and passwords.
• Not using root access accounts for day-to-day operations, and rather creating users, groups and roles to carry out tasks.
• Ensuring that passwords of at least 15 characters are used. We further recommend using passphrases that are longer and harder to break, but that are easier to remember.
• Enforcing account lockout policies, and monitoring login attempts for brute force password cracking and password spraying.
• Storing passwords in a secured database and using strong hashing algorithms.
• Implementing local administrator password solution (LAPS) wherever possible.
• Protecting against local security authority subsystem service (LSASS) duping by implementing ASR for LSASS and credential guard for Windows 10 and Server 2016.
• Educating all employees on proper password security in your annual security training.
• Using Windows PowerShell Remoting, Remote Credential Guard, or RDP with restricted Admin Mode as feasible when establishing a remote connection to avoid direct exposure of credentials.
• Ensuring that administrators use separate access accounts for administrative duties and simple network access.

The third initial attack vector listed in the guide is phishing. As all of us know by this point, phishing attacks are one of the most common and successful attack methods employed by cyber-criminals. To prevent and mitigate ransomware attacks using this vector, they recommend:

• Including guidance on how to identify and report suspicious activity or incidents in regular user security awareness training.
• Implementing flagging external emails in email clients.
• Implementing filters at the email gateway to filter out emails with known malicious indicators.
• Enabling common attachment filters to restrict file types that commonly contain malware and should not be sent by email.
• Implementing domain-based message authentication, reporting and conformance (DMARC) policy and verification.
• Ensuring macro scripts are disabled for Microsoft Office files transmitted via email.
• Disabling Windows script host (WHS).

These are only the first three of the six initial attack vectors included in the guide. In my next paper I will outline the last three vector which include precursor malware infections, advanced forms of social engineering, and one of the most fearsome attack vectors currently plaguing us all: third parties and managed service providers.