Using a 'defense in depth' strategy to thwart ransomware attacks
Several recent ransomware and malware attacks have focused attention on the group known as The Shadow Brokers and on the leaked exploit tools that attackers are now using to penetrate systems and compromise data. Among the recent campaigns built on those leaks are Petya, WannaCry, the Adylkuzz botnet and EternalRocks.
These attacks all highlight a dirty little secret. It’s something many IT administrators are aware of – and it’s not pretty. There are a ton of unsupported, past end-of-life, or unpatchable servers running in many organizations’ environments.
With The Shadow Brokers promising further leaks, it is likely that opportunistic attacks of this kind will continue. Microsoft has released a slew of critical updates in recent weeks in anticipation of recurrences. Automatic updates were made available for Windows 7, 8.1 and 10 and for Windows Server 2008 through 2016. Microsoft even took the extra step of issuing patches for out-of-support versions such as Windows XP, Vista, 8 and Server 2003, which have to be downloaded and installed manually.
While it’s understood that keeping software up to date and patched is unquestionably a best security practice, there are times when the resources to buy new software or perform patch integration testing may not be available or feasible. In these cases, the use of “defense in depth” principles can at least decrease the likelihood that these insecure systems will fall prey to looming dangers.
To maintain the integrity of a network despite these limitations, consider a layered defensive approach that helps minimize the effects of WannaCry-like attacks on systems that cannot be patched.
Firewall rules can restrict access from the internet to internal resources by allowing inbound traffic only to a minimum number of servers and services, which shrinks the organization's attack surface. WannaCry's primary infection vector was remote exploitation of SMBv1 (the EternalBlue exploit) over TCP port 445, so an edge firewall rule blocking inbound traffic to port 445 (and to 139, where SMB over NetBIOS is still in use) would have prevented infection from the outside. A matching rule prohibiting outbound connections to arbitrary internet hosts on those ports would also have stopped an internal compromise from spreading beyond the organization. An edge rule does nothing about an infected laptop carried in through the front door, which is why the internal measures that follow matter just as much.
Dividing network resources into segments (with additional firewalls or with virtual local area networks (VLANs)) and restricting communication between those segments could have mitigated or prevented the spread of worms such as WannaCry. Segmentation also limits an adversary's movement within an organization should a compromise occur, and the resulting network choke points make monitoring of the internal environment easier and internal threats easier to identify.
Even if you can't apply the latest patch, you can disable unneeded services. Doing so reduces the number of potential attack points and limits an adversary's options for movement should a compromise occur. In the case of WannaCry, a single command lets a system administrator disable the SMBv1 server component, so the machine can no longer be exploited through it.
To do this, run the following from an elevated PowerShell prompt (the change takes effect after a reboot):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force
This registry value is the documented method for Windows 7 and Server 2008 R2; Windows 8/Server 2012 and later expose an SMB server configuration cmdlet for the same purpose. Note that it turns off only the SMBv1 server side, which is what EternalBlue targets; the SMBv1 client driver is a separate setting, and it is worth disabling too so the host cannot initiate SMBv1 sessions.
For large enterprises, the same registry value can be pushed to every domain-joined system with Windows Group Policy (a Group Policy Preferences registry item), which disables SMBv1 across the domain in one step.
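The procedure above, as one script that picks the right mechanism for the host, disables the client driver as well, and reports the result. This is an added example, not code from the original article; the individual commands are Microsoft's documented ones, while the version selection and the status function are this example's own logic. It assumes an elevated PowerShell prompt on a domain or standalone Windows host.

```powershell
# Added example (not from the original article): disable SMBv1 server and
# client on the local machine and report the result. Run elevated. The
# registry path needs a reboot to take effect; the SmbShare cmdlet does not.

$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Mrxsmb10Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later ship the SmbShare module.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    else {
        # Windows 7 / Server 2008 R2 have no SMB cmdlets: write the registry
        # value the article shows (SMB1 = 0 under LanmanServer\Parameters).
        Set-ItemProperty -Path $LanmanKey -Name 'SMB1' -Type DWord -Value 0 -Force
    }

    # Both settings above only stop the host from *serving* SMBv1, which is
    # what EternalBlue attacks. Also disable the SMBv1 client driver (mrxsmb10)
    # so the host cannot initiate SMBv1 sessions, and drop it from the
    # workstation service's dependency list so that service still starts.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Get-Smb1Status {
    # Server side: the registry value (0 = disabled; absent means enabled on
    # Windows 7) and, where available, the live SMB server setting.
    $reg = Get-ItemProperty -Path $LanmanKey -Name 'SMB1' -ErrorAction SilentlyContinue
    $regValue = if ($null -ne $reg) { $reg.SMB1 } else { 'absent (enabled)' }

    $serverEnabled = 'n/a'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Client side: the driver's Start value (4 = disabled). Get-Service does not
    # list kernel drivers, so read the service key directly.
    $drv = Get-ItemProperty -Path $Mrxsmb10Key -Name 'Start' -ErrorAction SilentlyContinue
    $clientStart = if ($null -ne $drv) { $drv.Start } else { 'driver not present' }

    [pscustomobject]@{
        ServerRegistryValue = $regValue
        ServerSmb1Enabled   = $serverEnabled
        ClientDriverStart   = $clientStart
    }
}

Disable-Smb1
Get-Smb1Status
```

Run Get-Smb1Status again after the reboot: the registry value should read 0 (or the server setting False) and the client driver's Start value 4. The same registry entries can be delivered to every domain member with a Group Policy Preferences registry item rather than by running the script per host.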
Firewalls on endpoints can also reduce the number of exploitable services within an organization. If you can't segment the network with VLANs or internal firewalls, host-based firewalls provide a way to keep compromised systems from being used to spread laterally, for example by blocking port 445 between workstations while still allowing it to the file servers and domain controllers they legitimately need.
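A host-based version of the port 445 rules described above, applied with the Windows Defender Firewall cmdlets and followed by a reachability check. This is an added example, not code from the original article. It assumes Windows 8.1/Server 2012 R2 or later (for the NetSecurity module and Test-NetConnection), an elevated prompt, and placeholder address ranges for an imaginary network.

```powershell
# Added example (not from the original article): host firewall rules that cut
# SMB (TCP 445) off at each workstation, plus a check. Run elevated.
# All addresses are assumed placeholders.

# Assumption: workstations live in these ranges and never need to talk SMB to
# each other. Servers the workstations must reach (file servers, and domain
# controllers for SYSVOL/Group Policy) are deliberately NOT listed here.
$WorkstationRanges = @('10.0.30.0/24', '10.0.31.0/24')

function Set-SmbLockdown {
    # Firewall on in every profile; inbound dropped unless a rule allows it.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

    # Inbound: a workstation should never serve SMB, so block it from everywhere.
    # (On a file server, scope this with -RemoteAddress to the ranges that are
    # allowed in rather than blocking outright.)
    New-NetFirewallRule -DisplayName 'DiD - Block inbound SMB 445' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress Any -Action Block -Profile Any

    # Outbound, the host-level equivalent of the edge rule: no SMB to the
    # internet and none to peer workstations. Servers stay reachable because
    # their ranges are not matched. Windows evaluates Block rules ahead of
    # Allow rules, so "block all 445, then allow the servers" would NOT work;
    # the block rules themselves have to be scoped.
    New-NetFirewallRule -DisplayName 'DiD - Block outbound SMB to Internet' -Direction Outbound `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any
    New-NetFirewallRule -DisplayName 'DiD - Block outbound SMB to workstations' -Direction Outbound `
        -Protocol TCP -RemotePort 445 -RemoteAddress $WorkstationRanges -Action Block -Profile Any
}

function Test-SmbReachable {
    # $true if a TCP connection to port 445 on $Target completes. After the
    # lockdown this should fail toward another workstation and toward the
    # internet, and still succeed toward an approved file server.
    param([Parameter(Mandatory)][string]$Target)
    (Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
}

Set-SmbLockdown
Get-NetFirewallRule -DisplayName 'DiD - *' | Select-Object DisplayName, Direction, Action, Enabled
# Test-SmbReachable -Target 'ws02.example.local'   # hypothetical peer workstation
```

Deploy the same rules domain-wide through Group Policy (Computer Configuration, Windows Defender Firewall with Advanced Security) rather than per host, and test against a real file server before rolling out, since an over-broad outbound block on 445 to the domain controllers will stop Group Policy processing itself.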
No anti-virus product catches everything; still, running one on every system that can support it adds another hurdle for an attacker to clear. Even when a system is successfully exploited, the A/V can act as a last line of defense by detecting the known payloads that are dropped afterwards.
While diligent patching and system upgrades are the best way to keep networks up to date and secure, there can be internal and external limitations beyond the control of those in the IT trenches. Following these steps can at least lower the risk in lieu of a full court press. Each is relatively easy to carry out with little effort, and any responsible organization should do so when the most favorable options are not realistic.