The question from the headline is probably asked by every IT today. There are simple answers: “not at all”, “de-network / reduce dependency on IT” and “buy new tools”. Unfortunately, the same is true here as with many other complex issues: There is no quick easy solution (“silver bullet”). But there is a proven, three-step approach to crisis management that can be easily transferred.
Before you start thinking in terms of technical solutions, it is important to know your own risk situation. In the case of cybercrime, this means knowing the perpetrators and the approaches currently in use. Terms like “initial compromise”, “lateral movement”, “rights elevation”, “data exfiltration” should be as familiar to IT as “patient zero” or “double extortion scheme”. At the upcoming ISX conference, you will have the opportunity to familiarize yourself with these terms and the perpetrators’ methods in several presentations.
The most important learning points here are certainly:
- A “total loss” in IT is now a conceivable scenario (as evidenced by the many reports from affected companies that you and your board members are familiar with).
- It can hit any organization that has money since the attacks are untargeted (a brief analysis of the “Hall of Shame” pages on the Darknet shows this very impressively)
- The attackers roam the net undetected for between 3 days and 3 months before the encryption takes place
- The attack is not fully automated, but a manual attack by a hacker group (which definitely works with highly specialized and good tools)
- If you restore from a recent backup, you also restore the hackers’ access.
Establish defense strategy
Most IT departments have a good strategy for defending the perimeter of the Internet (“defend the perimeter”). Firewalls, anti-spam, anti-phishing and other protections help ward off threats from the network. Unfortunately, due to increasing cloud usage and IT networking in the business sector, this protection is no longer as effective as it used to be. A defense-in-depth strategy must therefore implement a new, additional security paradigm: “Assume Breach.” Suppose an attacker was already on your network. Would you be able to detect him? Could you prevent the greatest damage?
Prevention 1 – Alarm level management
The most important organizational measure in the implementation of an “Assume Breach” strategy is the definition of alarm levels in IT. If you start looking for hackers on the inside, it is inevitable that you will find something. In addition to the crisis case (red alert level), measures must also be defined for the orange and yellow alert levels. Likewise, criteria for returning to normal working mode (“green”) must be defined.
Our recommendation for “alert level yellow” would be: After all currently known facts (log entries, warnings, etc.) have been gathered, it cannot be ruled out that this is a real attack based on an already known pattern. Your security consultant or SOC service provider should be familiar with the known patterns, otherwise, a study of the well-known “Tactics, Techniques and Procedures” (TTP) will help.
As a general rule, in an “amber” case, the measures must not cause more damage than absolutely necessary. In other words, for “amber” cases, only requirements may be imposed that have a little business impact in an average IT infrastructure with average IT administrators. The aim of the measures must be either to be able to rule out an attack or to find a provable indication of malicious or at least unauthorized activity by an attacker. We like to title the yellow alert “100 percent vigilance”.
Additionally, we recommend defining an “orange alert” like this: There is provable evidence of malicious or at least unauthorized activity by an attacker in the currently known facts. No real damage has yet been done to the company’s core processes, but an attack is definitely in progress. The situation can be compared to camera surveillance showing a newly cut hole in the company’s fence. The security measures to be taken now may have a business impact, but they must be suitable for achieving the clear goal of preventing damage – which is now certain to occur – from the company.
You must define measures for both alert levels and prepare them in advance. Your crisis management can be a model for this. Some examples of possible measures:
- Definition of a management sponsor and his deputy.
- Definition of a response team of IT specialists covering all disciplines of your IT
- Alerting the SOC
- Stopping log rotation and backing up relevant logs across systems
- Monitoring typical alert conditions such as new admin user creation, changes in GPO, Scheduled Tasks or Sysvol, execution of PSExec or hacker tools (Mimikatz, Cobaltstrike, Bloodhound), or increased WMI activity.
- Activating an Internet whitelist already established in advance.
- Performing forensic analysis of compromised computers.
- System-wide search for Indicators of Compromise (IoCs). These can be IP addresses, URLs, or file hashes.
- Immediate patching of all systems that are not up to date with the latest patches, especially all computers that can be accessed externally.
- Legacy systems that are still running in the domain and without segmentation must now be temporarily shut down.
- Setup of two new, up-to-date DCs with a new installation file from Microsoft (“clean source”). Activation of all current security features on these DCs. After the new DCs are in sync, demote all previous DCs and shut them down temporarily.
- Immediately activate MFA for all external access to the corporate network,
- Disable remote dial-ins,
- Reset all passwords that can be used from the outside.
- Prepare immediate measures for network disconnection (if necessary, also temporarily overnight).
- Appropriate communication of the alarm level to employees, ideally in such a way that no alarm leaks to the daily press.
- Creation of “cold standby” systems by cloning critical IT structures
Prevention 2 – Hardening
In addition to alert level management, Corporate Trust recommends to its clients a (constantly revised) 22-point list of “non-negotiable minimum requirements” to defend against ransomware. These include detailed requirements on the following topic blocks:
- Spam and phishing protection and blocking of dangerous attachments, especially legacy office formats
- Client hardening, especially the use of LAPS and working through Microsoft Security Baselines
- Control access from outside, especially activate MFA or risk-based logins
- Secure backup
- Protect the domain, especially know the results of a pingcastle.com scan of your domain
- Optimize logging inside, especially Defender for Identity, 3-tier administration with alerting, etc.
- Monitor the logs with a SOC, especially with the connection of the firewall logs
- Control endpoints with an EDR or XDR system
- Merciless and comprehensive patch management
- Isolation of insecure systems
In the end, however, you may always fail to detect an attacker despite your best efforts. Then your most important element of protection is your backup. So if you want to take care of just one item, secure your backup:
- There exists a complete backup of your IT that is at no time older than 7 days.
- The backup contains all servers and databases as well as a copy of the Active Directory (or the system state of a DC).
- This backup cannot be deleted by an attacker with domain admin rights and access to the passwords of all domain accounts.
- The execution of the backup jobs is monitored. If suddenly less data than expected is backed up or no data is backed up at all, this is noticed on the next business day and is treated as a Security Incident
Prevention 3 – Define and practice crisis response.
“Not practiced is not done” – Practice your processes regularly. An exercise where you gather your IT administrators as a starting point has proven particularly effective. Then present this group with the challenge: it’s Saturday at 09:00. An employee discovers a ransom note on his computer and can no longer use a server system. What would you do now?
This will bring up many new questions for you: What are the most important IT systems to restart? And this is decided first by the business: where does the company earn the most money? Which IT systems are urgently needed for this? For which processes are there still non-IT workarounds? And what is the minimum IT infrastructure you need? How quickly could you pull up replacement systems in the cloud?
Defending against ransomware is possible, but it is costly. Even more costly, however, is rebuilding after an attack. Unfortunately, you’re not done with that yet. Because not every IT attack is ransomware. Industrial espionage and state-sponsored actors (keyword “cyberwar”) require other defense strategies.