Recently I spoke with Ryan Chapman of the SANS Institute, author of the upcoming SANS course FOR528: Ransomware for Incident Responders, on how to better prepare for ransomware. That preparation comes in two forms: planning how you would respond to a successful ransomware attack and overcoming barriers to hardening your network against them.
Planning for a ransomware attack
Ransomware recovery should be nothing more than restoring a backup, but the reality is that you often have no idea what is needed to restore until faced with the restoration process.
A SANS roundtable recently discussed whether to pay a ransom. In a perfect world we would not pay the attackers. Paying feeds the ransomware industry, but it’s not that cut and dried. Recovery from back-ups takes time.
You may realise in the heat of the moment that you are missing the driver for a key machine, or a product key you thought was stored in a location is not there. The best practice is to perform restoration tests and follow planned processes, but with IT departments stretched thin, these best practices often slip out of focus.
So, firms must decide whether to take the hard line and not pay or to pay the ransom and possibly get back in business faster. Chapman notes that decryption tools are often not coded well and decrypting a network might be just as slow as recovering it from a back-up.
Prioritise assets to bring back first after a ransomware attack
Ransomware victims often bring back just key assets and decide later what digital assets are no longer important. It’s wise to identify ahead of time which digital assets are critical to ensure business continuity. Inventory critical assets and determine what processes you need to fully recover them without your normal recovery processes. Chapman advises preparing yourself mentally for the fact that you won’t get all your data back. You need to prioritise.
Create fall-back plans if normal processes and tools are not available
Too often in Active Directory, we do not back up key systems; we replicate and deploy. Imagine a situation where replication is not an appropriate recovery method. It comes down to understanding what it will take to recover potentially the entire network. You will not have processes or personnel to tackle this. You may not have a healthy Active Directory in place to recover normally. You may not have scripts or Group Policy or any of the tools that you take for granted. You may not have your normal email system to communicate within your organisation.
Plan how to manage and supplement staff
Identify external consultants and resources to bring in to help in the process. Identify alternative communication methods that you may need to have in place and that don’t include personal email accounts. Plan how you will rest IT and security staff during the crisis so they make better decisions.
Harden your Windows network against ransomware
Overcoming internal and external patching blocks
Most of the organisations Chapman interacts with are more hurt by ransom attacks because they are blocked from patching quickly and from updating to supported and more secure platforms. He sees two types of blocks: internal and external.
The internal block is often due to the firm’s reliance on self-coded solutions that have been built over time and may not be externally code reviewed or understood well enough to know the impact when changes are made. Especially with deployments in large-scale environments, you don’t know the impact of a new security setting or an Active Directory forest functionality level until the actual deployment occurs.
Firms can test, but often it’s not until the solution is rolled out across the network that the more realistic impact is seen. Thus, there is a natural and unfortunate tendency towards the status quo, because ensuring that the business has continuity, especially now during the pandemic, is job one for many IT divisions.
The external block arises when the firm’s vendors will not certify their product for a new security setting or platform and so keep you from deploying a setting that may provide you with more security. Often in medical settings, the equipment is purpose built and may not even be on an extended support platform.
You face a choice between deploying a needed update that will help keep attackers at bay and breaking the support provided by the vendor. Often in that situation, there is no decision to make. You must keep the vendor support intact.
What can you do to overcome these blocks? First, identify those key assets you need to recover quickly and ensure that you understand how to recover using alternative means. Fully test this process. Next, narrow down which software inside your organisation is causing the blocks and why.
If the vendor is the block to your deployment needs, review if you can add requirements and contractual adjustments and push your vendors to do better. If internal software deployments are causing the block, review if the paralysis is real. Has the firm had actual software failures due to rolling out new settings and software, or is the paralysis caused by a lack of resources in testing? Urge the various teams in the business to work together.
Raise your Windows Server forest level to 2016
Too many of us are still reliant on older server platforms that make it harder to roll out security solutions through Active Directory. We may have Server 2016 and Server 2019 servers in our network, but we’re not taking advantage of the security features of that domain functional level. Too many of us are still on older forest and domain functional levels because we have older servers or applications and a lack of testing that keep us from rolling out these newer features. Or we have vendors that won’t certify newer platforms and Active Directory features.
Raising your forest level to 2016 provides many features that better protect the network, such as privileged access management and automatic rolling of NTLM secrets on a user account. If your functional level is still 2008 R2, you don’t have a UI for the Active Directory recycle bin, which makes recovery easier. At the 2008 R2 functional level you also can’t get rid of an old security hole: unchanging passwords on your service accounts.
Raising your domain level means you can roll out features such as Windows Defender Credential Guard, which protects NTLM and Kerberos credentials in Active Directory from being harvested by attackers. You will need Windows 10 Enterprise licenses or the appropriate Microsoft 365 to roll out this feature to your workstations.
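Before planning the raise, it helps to know where the forest stands today and which domain controllers hold it back. The read-only check below is an added example, not code from Chapman or from this article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read every domain in the forest.

```powershell
# Added example: read-only readiness check for a 2016 functional level.
# Makes no changes to the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest $($forest.Name) functional level: $($forest.ForestMode)"

$blockers = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName
    Write-Host "Domain $($domain.DNSRoot) functional level: $($domain.DomainMode)"

    # Every domain controller in a domain must run Server 2016 or later
    # before that domain, and then the forest, can be raised to 2016.
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        # OperatingSystemVersion looks like "6.3 (9600)" or "10.0 (14393)".
        # A major version below 10 means the DC is older than Server 2016.
        # A DC with no version recorded is reported too, so it gets reviewed.
        $major = 0
        if ($dc.OperatingSystemVersion -match '^(\d+)\.') {
            $major = [int]$Matches[1]
        }
        if ($major -lt 10) {
            [pscustomobject]@{
                Domain           = $domainName
                DomainController = $dc.HostName
                OperatingSystem  = $dc.OperatingSystem
                Version          = $dc.OperatingSystemVersion
            }
        }
    }
}

if ($blockers) {
    Write-Host "Domain controllers that block a 2016 functional level:"
    $blockers | Format-Table -AutoSize
} else {
    Write-Host "All domain controllers run Server 2016 or later."
}
```

The resulting list is the inventory to take to the application owners and vendors behind the internal and external blocks described earlier.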
The large cost in ransomware is the disruption to the business. We need to get protection and detection higher up on our priority lists along with transparency and sharing of information. We need to do better, because right now the attackers are better than we are.