This is a place for Systems Administrators and IT Professionals to find and share ideas, solutions and templates. If you have something that helps you solve a problem, chances are it will help someone else too. So pay it forward and send an email to TheAgreeableCow at gmail. Full kudos to you!

Tuesday 17 May 2016

Ransomware Mitigation Matrix


By now ransomware ought to have your attention. From a deployment perspective, it can be purchased cheaply and it comes with administrative consoles and installation packages that receive regular patches and updates that rival some commercial software. The malware infects you in new and changing ways: network shares are discovered beyond mapped drives, RDP is becoming a 'Remote Distribution Protocol' and your backups are in a game of hide and seek.

This is a practical guide to reducing your risk of exposure to malware in general, with a specific focus on ransomware. Ransomware is not a new phenomenon in IT circles, but the changing landscape makes it a threat that deserves more than a cursory review.

Having layers of protection reduces your risk.

The matrix below outlines three layers of risk mitigation, which is an important point to note: there is no silver bullet for preventing ransomware, or malware in general for that matter. You can have the best and most expensive email filtering in the world and still be exposed to staff downloading dodgy content from personal webmail. Throw in a top notch web proxy, you say, only to find someone connecting a BYOD device or loading malware from a USB stick they found in the car park!

Defend your environment in three ways:
  1. Perimeter - Prevent malware from entering your network
  2. Runtime - Prevent malware from running on your network
  3. Damage Control - Reduce the impact of an outbreak
Having a layered strategy also allows you to defend your network even if you can't afford or maintain a premium product in one layer or another. Firewalls and email/web gateways, for example, are very effective but can be expensive and complex. So as much as this post mentions specific solutions, it's also about strategies - there is a lot you can do that is free or low cost and achievable with low administrative overheads. Further, spreading your protection allows you to set policies and practices that are not over-zealous or (mis)designed in ways that cripple your staff's productivity.

Which strategies should you apply?

The matrix below lists dozens of items to mitigate ransomware. Of these, the top three things you can do to protect your data are:
  1. Conduct regular backups and test restoration
  2. Separate access control to your backup files
  3. Make copies of your backups off network
As pessimistic as this seems, insuring your data really is your best line of defense. It doesn't matter how many attacks you brush aside; it only takes one to sneak through using a new vector and your data will be compromised. At that point, every recommendation is the same: do not pay the ransom, simply restore from backup.

OK, so backups are solid, what next? Realistically, mitigation is a balance between effectiveness and impact; that is, IT administrative effort, financial cost and the productivity burden placed on your staff. A quick note on effectiveness - the items below are rated on their contribution towards mitigating ransomware. Some items (such as a strong password policy or email TLS) may be very good at servicing a particular technical requirement. However, in context they may score a low effectiveness because they don't contribute greatly to the overall threat profile or solution deliverables.

Initially, look for the easy wins (highly effective items with minimal impact). There is also a lot of reward in clever network design that won't cost you a cent. Then look for solutions that are effective over time with a consistent return. Relegate solutions with waning effectiveness that require constant IT attention and negatively impact your staff's productivity. In short, look for areas where effectiveness is steadily above both IT administration overheads and user impact.

Ransomware Mitigation Matrix

The second half of this post discusses these mitigation techniques in more detail.

Email Gateways
A strong email gateway is an excellent investment towards mitigating malware and assisting staff productivity through the reduction in illegitimate email traffic.

  • Malware and malicious object scanning should be automatic and thorough with dynamic updates for heuristic and signature based detection. Suspect items should be quarantined and fully separated from initial user access.
  • Greylists and Blacklists are techniques to reduce spam and malware traffic by deferring unknown sender requests and blocking servers (IP addresses) with poor reputation.
  • Anti-spoofing technologies such as DMARC, SPF and DKIM provide a level of confidence towards emails that seemingly originate from your own company - those that users are likely to open and action without question. Advanced threat solutions from companies like Mimecast take this further with strict anti-spoofing policies and even impersonation protection by quarantining email from domains or sender display names that match or are similar to those in your company's domain.
  • Attachment sandboxing goes beyond signature based or heuristic scanning by preemptively opening attachments to analyse their behavior (such as automatically executing macros) before they reach your network.
  • URL scanning works as a real-time proxy, re-writing hyperlinks in emails so that the destination web page is inspected when clicked. This is particularly useful for seemingly benign sites that may pass initial inspection, only to weaponise a payload a short while after delivery.
  • Attachment policies allow an administrator to define specific file types that are outright unsuitable for email traffic and those which may be legitimate but require further inspection. Typically any active content (scripts, executables etc) should be blocked, archives should be unpacked and inspected, and even Office documents need to be treated with care if they contain macros. Enterprise solutions such as Mimecast block over 240 file types by default and there are a number of open source solutions such as ExeFilter that provide a good foundation.

Web Proxies
In order for malware to run on your network, it must first be delivered to your network. A web proxy provides an intermediary hop between your users and the Internet at large.
  • Malware and malicious object scanning is a primary defense against direct and indirect downloading of unwanted active content. The market is very competitive, but well worth your time to research. Look for reputable signature and heuristic scanning technologies.
  • Categorisation and Blacklists can impact users if over-zealous, but they do provide administrators with a tool to identify and separate users from undesirable content. This could be anticipated content (such as unscrupulous or antisocial sites, P2P networks etc) or known threats based on IP/DNS reputation subscription services.
  • Attachment policies for web proxies are much like those on email gateways, as they represent a managed layer of blocking or inspection of content. I highly suggest a policy of least access, where active content (including archives, executables, scripts, malformed files and Office files with embedded scripts or macros) is denied by default. Approved download sites can be whitelisted over time, which certainly makes for more work upfront, but can really pay off in the long term.

Firewalls
Whilst traditionally seen as simple port/protocol filters, modern enterprise firewalls also provide an excellent investment towards intrusion prevention and application control.

  • Application Control allows an administrator to define access controls to Risk Categories (for example on a scale of 1-5), general Application Categories (such as TOR, P2P File Sharing or Webmail) and even Specific Applications (such as Dropbox or Facebook). It's important to note here that IT are not the "Internet Police". Our role is to advise and implement policy that best aligns with the business and risk profiles. These should generally be driven by other business units such as Human Resources and operational management.
  • Geo-blocking involves restricting network communications from entire countries, primarily breaking the link between your network and payload delivery. Depending on your business requirements, this might be a simple and effective decision. However, it's a very broad brush and can greatly impact legitimate traffic and is easily diluted - especially considering a lot of malware originates from the United States.
  • Port and IPS Control is essentially what most people think of when discussing firewalls. It's the traditional perimeter defense to keep the bad guys out by blocking illegitimate traffic. Its strength lies in good rule design and strong Intrusion Prevention signatures.
  • Prevent Access to 'Command and Control' Centers by blocking traffic from known bad IP addresses, either through vendor subscription services or sites like Ransomware Tracker. The process is quite reactive and it can be hard to keep up with the constantly changing lists.

Users
Irrespective of the number of technical processes you have in place, at some point the users are going to play an important role in protecting your company's digital assets.
  • Security Awareness Training is a very effective way to raise awareness of the risks of malware and give your users practical ways to identify and avoid infection (both in the office and at home). With a recent surge in phishing attempts, it's important to think about the human factor in this equation. Look for training that doesn't embarrass and alienate users. Rather, one that provides a continuous cycle of assessment and education, such as Wombat Security.
  • Password Policies help prevent the mis-use of legitimate accounts - why bother breaking down the door, when you have a key to open it! Length trumps complexity, but there is a good balance to find that matches your users and business profile.

Client Computers
Client computer security, if done properly, represents a great opportunity to mitigate ransomware at both the Perimeter and Runtime stages. If done poorly, it puts a great burden on the rest of your strategies to perform flawlessly.
  • Software Application Policies such as SRP and AppLocker are some of your strongest defense strategies, preventing unknown or unwanted software from running on your computers. Earlier Software Restriction Policies, whilst effective, were complex and hard to maintain. AppLocker (for those on modern Windows Enterprise platforms) makes the process much easier. Combining the default rules and generated rules (perhaps simplified to a handful of publisher whitelists) with some auditing is an effective and low impact way to get started.
  • Macro Management is becoming more important with the rise in phishing attacks, particularly if you are not able to provide in-line sandboxing of Office files. Group Policies such as Protected View can apply settings to warn about or block macros running automatically. In practice however, I've seen users become complacent and just habitually click their way through to an infection. If suitable, perhaps look to only allow macros that are signed and trusted.
  • Antivirus and anti-malware software is another one of those default areas that you need to invest in. Unfortunately, their effectiveness is waning and so realistically they are just another tool in your toolkit - one that you want to have, but not one that you solely rely on.
  • Firewalls also play an important role at the client level by restricting workstation-to-workstation propagation. Even if you don't enable it within the domain, make sure it is turned on for mobile devices that roam to home or public networks.
  • Malware mitigation software such as EMET, DEP and Antihook works much like antivirus, but focuses on analysing software behavior and heuristics (as opposed to signature definitions).
  • Enforcing the UAC prompt (as annoying as it can be), places a pause on the automated running of software with elevated access. Ideally you'll combine this with separated access control.
  • Disabling Windows Script Host, or re-writing file associations for scripting files (such as .js or .hta), will prevent these common vectors from triggering. Unfortunately, they are often required for legitimate processes, so test appropriately.
  • Showing all file extensions helps avoid masking tricks with files that use double extensions such as yourfile.doc.exe. To enable this, push out the registry value "HideFileExt" set to 0.
  • Enable web browser features such as pop-up and ad blocking, as well as SmartScreen filters, to reduce your attack surface, particularly if you are unable to use a web proxy solution.
  • Sandboxing can also be done client side using software such as Sandboxie or Hybrid Analysis. They give your IT team and even users a way to test files securely before exposing them directly to your network.
  • Managing removable media such as USB thumb drives is still important, albeit a diminishing vector for infection. This can be mitigated through user awareness training or technical prevention with Group Policy or endpoint security software.
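
The registry items above (show all file extensions, disable Windows Script Host, re-point script extensions) are easy to get wrong by hand across a fleet. The script below is an added example, not code from the original post: it audits the current state of each item and, when run with -Apply, sets it. The HideFileExt value is the one the post names; the Windows Script Host "Enabled" value and the "txtfile" ProgId are standard Windows settings, and the extra extensions beyond .js and .hta are my assumption.

```powershell
# Added example (not code from the original post): audit, and with -Apply set,
# the client-side registry items from the list above. Assumes a standard
# Windows 7+ registry layout; run elevated for the HKLM changes.
[CmdletBinding()]
param([switch]$Apply)

# DWORD values to enforce. HideFileExt is the value the post names; the Windows
# Script Host 'Enabled' value is the documented switch for turning WSH off.
$dwordChecks = @(
    @{ Name   = 'Show all file extensions'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value  = 'HideFileExt'
       Wanted = 0 },
    @{ Name   = 'Disable Windows Script Host'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Value  = 'Enabled'
       Wanted = 0 }
)

# Script types re-pointed to Notepad so a double-click shows the source instead
# of running it. .js and .hta come from the post; the rest are additional
# Windows Script Host types and are my assumption.
$scriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta'

foreach ($c in $dwordChecks) {
    $name    = $c.Value
    $current = (Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue).$name
    # A missing value means the Windows default applies (extensions hidden, WSH enabled)
    $state = if ($current -eq $c.Wanted) { 'OK' } else { 'NEEDS CHANGE' }
    Write-Output ('{0,-28} current={1} wanted={2} [{3}]' -f $c.Name, $current, $c.Wanted, $state)
    if ($Apply -and $state -ne 'OK') {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $name -Value $c.Wanted -Type DWord
    }
}

foreach ($ext in $scriptExtensions) {
    $key    = "HKLM:\SOFTWARE\Classes\$ext"
    $progId = (Get-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    Write-Output ('{0,-6} opens with ProgId: {1}' -f $ext, $progId)
    if ($Apply -and $progId -ne 'txtfile') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 'txtfile' is the built-in ProgId that opens files in Notepad
        Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
    }
}
```

Run it once without -Apply to see what a machine looks like, then with -Apply from an elevated prompt. HideFileExt lives under HKCU, so it only affects the user running the script and Explorer needs a restart or sign-out to pick it up; for a fleet, push the same values through Group Policy Preferences. A per-user "UserChoice" association can still override the HKLM ProgId for an extension, so check a test machine by double-clicking a harmless .js file after applying.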
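
As an added example of the AppLocker approach described in the list above (default rules plus a handful of generated publisher rules, running in audit mode first), the script below is mine rather than the post's: it inventories what is already installed, generates publisher rules (falling back to hashes for unsigned files), forces the policy into audit-only mode, applies it locally and then pulls the events that show what enforcement would have blocked. It assumes Windows Enterprise with the AppLocker cmdlets and the Application Identity service running; the output path is an assumption.

```powershell
# Added example, not the post's own code: build a publisher allow list from what
# is already installed, deploy it in audit-only mode and review what would have
# been blocked. Assumes the AppLocker module and the Application Identity
# service; the output path is an assumption.
Import-Module AppLocker

$policyFile    = 'C:\Temp\AppLocker-Audit.xml'
$inventoryDirs = 'C:\Program Files', 'C:\Program Files (x86)'

# 1. Inventory executables and generate rules: publisher where signed, hash
#    otherwise. -Optimize collapses per-file rules to one per publisher/product.
$files = foreach ($dir in $inventoryDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}
$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Force every rule collection into audit mode so nothing is blocked yet;
#    event 8003 then records what enforcement would have stopped.
[xml]$doc = $xml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyFile)

# 3. Sanity check a known-good binary against the generated policy.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'C:\Windows\System32\notepad.exe' -User Everyone

# 4. Merge into the local policy (for a domain, import the XML into the GPO
#    instead). This file carries no default rules, so keep it in audit mode
#    until the Windows / Program Files / Administrators default rules are added,
#    otherwise enforcement would block Windows itself.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# 5. Review: 8003 = ran, but would be blocked under enforcement; 8004 = blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Leave the policy in audit mode for a few weeks and review the 8003 events from a representative set of machines; each one is either a missing publisher rule to add or a piece of software that should not be there. Only then switch the rule collections to Enabled.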

Servers
Securing your servers is an important measure across all three threat areas, but particularly important for Runtime and reducing the impact of an outbreak.
  • Detecting and actioning unusual behavior is critical to alerting you that something nefarious is happening in your environment, and gives you the opportunity to shut it down as soon as possible. This could be anything from a simple custom honeypot monitor through to event log monitoring and high end IDS solutions, for example LogRhythm, EventSentry, Bro IDS or pfSense. They are particularly effective if responses are automated (as opposed to, say, just an email), although obviously this can be impacting when there are false positives.
  • Hide Network Shares by creating them with an appended dollar sign, such as \\server\sharename$ for example. This will prevent malware from enumerating shares that are not mapped, but would otherwise be easily discoverable on the network.
  • Application hardening is essential if you're exposing servers to the Internet at large. This primarily focuses on edge services such as websites, proxies, Remote Access gateways etc. Design with best practices in mind, implement a DMZ and apply hardening tools such as IISCrypto.
  • DNS Management can complement your other efforts by providing yet another layer of control over your Internet connections. Have a look at OpenDNS.
  • Document Management Systems are a considerable financial investment, require significant administrative resources and will impact your users. However, they do provide an excellent layer of abstraction between your users and the underlying document stores. Examples include SharePoint, iManage or even cloud services such as NetDocuments and Office365.
  • File Screens are Group Policy enforced rules that prevent certain types of files from being saved to your network. They can be useful to prevent downloading of executable content (for example if you're using Folder Redirection on My Downloads) and also to provide an early warning system of an outbreak.
  • Enforce Multi-Factor Authentication to restrict password propagation, particularly for remote and privileged access. Examples include RSA SecurID and Google Authenticator.
  • Enforcing secure communications for services such as websites (HTTPS) and email traffic (TLS) provides a way to mitigate traffic interception for phishing bait.
  • Enabling Shadow Copies used to be a solid solution for quick file restoration. However, a simple one liner using vssadmin can easily remove all shadow copies without a trace, now making this a rare option for recovery.
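
The "custom honeypot monitor" with an automated response, mentioned in the detection item above, can be built with nothing more than a FileSystemWatcher and the SMB cmdlets. The script below is an added example and not the post's code: it watches a decoy folder (assumed at D:\Shares\_archive, shared read/write so that an encryptor crawling the share tree reaches it early), and when a decoy file is created, changed or renamed it logs who had files open there over SMB and force-closes those sessions. It needs the SmbShare module (Windows Server 2012 or later) and an elevated session; the paths are assumptions.

```powershell
# Added example, not from the original post: a minimal honeypot monitor for a
# file server. Watches a decoy folder and, on any write to it, logs the SMB
# sessions holding files open under that path and force-closes them.
# Needs the SmbShare module (Server 2012+) and an elevated session.
$canaryPath = 'D:\Shares\_archive'    # assumed decoy folder (shared read/write)
$logFile    = 'C:\Logs\canary.log'    # assumed log location

function Invoke-CanaryResponse {
    param([string]$ChangeType, [string]$FullPath)
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    # Who has files open under the decoy folder over SMB right now?
    $open = @(Get-SmbOpenFile | Where-Object { $_.Path -like "$canaryPath*" })
    if ($open.Count -eq 0) {
        Add-Content $logFile "$stamp $ChangeType $FullPath (no SMB session open; local process or already closed)"
        return
    }
    foreach ($o in $open) {
        Add-Content $logFile "$stamp $ChangeType $FullPath by $($o.ClientUserName) from $($o.ClientComputerName) (session $($o.SessionId))"
        # Automated containment: drop the session. Expect false positives from
        # backup agents or indexers that touch the decoy; exclude those before
        # enabling this on a production share.
        Close-SmbSession -SessionId $o.SessionId -Force -ErrorAction SilentlyContinue
    }
}

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $canaryPath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName -bor [System.IO.NotifyFilters]::LastWrite
$watcher.EnableRaisingEvents = $true
foreach ($name in 'Created', 'Changed', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -SourceIdentifier "Canary.$name" | Out-Null
}

Write-Output "Watching $canaryPath for writes; Ctrl+C to stop."
try {
    # Poll the event queue in this runspace so the function and variables above are in scope
    while ($true) {
        $evt = Wait-Event -Timeout 5
        if ($null -ne $evt) {
            $fsArgs = $evt.SourceEventArgs
            Invoke-CanaryResponse -ChangeType ([string]$fsArgs.ChangeType) -FullPath $fsArgs.FullPath
            Remove-Event -EventIdentifier $evt.EventIdentifier
        }
    }
} finally {
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'Canary.*' | Unregister-Event
    $watcher.Dispose()
}
```

Seed the decoy with a few dozen plausible documents so it is worth an encryptor's time, and name the folder so it sorts early in a directory listing. Test the false-positive side first: run a full backup and a search index pass against the share with only the logging enabled, and add exclusions for those accounts before turning on the Close-SmbSession step.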
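
As an added example for the file screen item above (not the post's own code), the following sets up a File Server Resource Manager screen on a redirected-folders root that denies active content and raises an Application-log warning on every hit, which doubles as the early-warning signal. It assumes a Windows Server with the FS-Resource-Manager feature installed; the root path and the indicator file-name patterns are illustrative and will need maintaining.

```powershell
# Added example, not the post's own code: an FSRM file screen that denies
# active content under a user share root and logs a warning event on each hit.
# Assumes the FS-Resource-Manager feature; paths and patterns are illustrative.
Import-Module FileServerResourceManager

$root = 'D:\Shares\Users'    # assumed Folder Redirection root

# Active content that should never land on a user share
New-FsrmFileGroup -Name 'Blocked Active Content' `
    -IncludePattern @('*.exe', '*.scr', '*.js', '*.jse', '*.vbs', '*.hta', '*.ps1', '*.bat', '*.cmd') | Out-Null

# Names typical of encryptor output (illustrative list); a write matching these
# is the early warning that something is already running inside the network.
New-FsrmFileGroup -Name 'Ransomware Indicators' `
    -IncludePattern @('*.locky', '*.zepto', '*.cerber', '*.encrypted', '*DECRYPT*.txt', '*DECRYPT*.html') | Out-Null

# Notification: FSRM substitutes the [..] variables with the real user, file and server
$alert = New-FsrmAction -Type Event -EventType Warning `
    -Body 'File screen hit on [Server]: [Source Io Owner] attempted to write [Source File Path]'

# One screen per path. -Active denies the write; a passive screen (-Active:$false)
# only notifies, which is the right first step for a monitor-only rollout.
New-FsrmFileScreen -Path $root -IncludeGroup 'Blocked Active Content', 'Ransomware Indicators' `
    -Active -Notification $alert | Out-Null

Get-FsrmFileScreen -Path $root | Select-Object Path, Active, IncludeGroup
```

File screens match on file name only, so they stop a dropped .exe or a renamed encrypted file but not a Word document with a macro. Pair the event with your log monitoring so that a burst of warnings from one user account triggers a response rather than sitting in the Application log.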

Permissions and Access Controls
The principle of least privilege means giving a user account only those privileges which are essential to that user's work. It's a principle that should be fundamentally incorporated into every facet of your systems designs.
  • Configure Access Control by assigning local/RDP login and share access appropriately. Segment networks based on user roles and access requirements. Ransomware cannot encrypt a file that the user does not have write access to.
  • Manage Privileged Accounts by creating secondary administrative accounts for those users that need administrative access. Ideally, take this a step further and block these admin accounts from any access to the Internet (via a web proxy for example). All daily work and web access uses only the standard user account.
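
Since ransomware can only encrypt what the infected user can write, the first question on a file server is which shares a broad group can write to at all. The script below is an added example (not from the post) that answers it: it lists the non-administrative SMB shares where Everyone, Authenticated Users, Domain Users or Users has write access, through either the share permission or the NTFS ACL on the share root. It assumes the SmbShare module (Windows Server 2012 or later); the group names are the usual built-ins and are an assumption for your domain.

```powershell
# Added example, not from the original post: report SMB shares where a broad
# group can write, via share permissions or the NTFS ACL on the share root.
# Assumes the SmbShare module (Server 2012+); group names are assumptions.
Import-Module SmbShare

$broadGroups = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'
# Any of these NTFS rights lets a user create or overwrite files
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-BroadWriteAccess {
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        # Share level: any Allow entry above Read for a broad group
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' -and
                           $broadGroups -contains ($_.AccountName -replace '^.*\\') } |
            ForEach-Object {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                                   Account = $_.AccountName; Rights = $_.AccessRight }
            }
        # NTFS level: any Allow ACE on the share root that includes a write right
        if (Test-Path -LiteralPath $share.Path) {
            (Get-Acl -LiteralPath $share.Path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $broadGroups -contains ($_.IdentityReference.Value -replace '^.*\\') -and
                               (([int]$_.FileSystemRights) -band $writeMask) -ne 0 } |
                ForEach-Object {
                    [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                                       Account = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
                }
        }
    }
}

Get-BroadWriteAccess | Format-Table -AutoSize
```

A share only appears as writable to a user when both layers allow it, so a "Share: Everyone Full" line is harmless if the NTFS side is locked down to a role group; the lines to act on are the ones where the same share shows a broad group at both layers. Run it across your file servers with Invoke-Command and keep the output as a baseline to diff against after changes.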

Patching
Applying critical and security patches for your client and server operating systems, applications and device firmware is a fundamental part of IT operations. It is highly administrative and often impacts users (when things go wrong). However, it is an important part of reducing your vulnerability to malware. Make the process as automated as possible (e.g. Ninite, PDQ Deploy, WSUS) and reduce disruption by deploying initially to test groups and devices before mass production deployment.

Further Reading
There is a lot of information around to help reduce your risk of being infected by ransomware and malware. Do your research and find effective solutions that align with your IT resources, users and business profile.
         (oo)  ok
   /------\/  /
  / |    ||
 *  /\---/\
    ^^   ^^