Operation Eligible Receiver 97’s Impact on Ransomware


In 1997, the NSA conducted an organized attack on the Department of Defense’s critical information systems, an exercise named Operation Eligible Receiver 97 (ER 97). Throughout the exercise, the NSA gained super user access to high-priority devices and compromised almost all of their primary targets.

During the exercise, one of the only recorded instances of breach prevention occurred when an anonymous marine noticed suspicious activity on the network and immediately made configuration changes to only allow essential connections. This visibility into anomalous activity, partnered with proper configuration management, proved to be essential and was ultimately implemented into today’s security frameworks.

Operation Eligible Receiver 97 provided the blueprint for a strong cybersecurity posture and preventing breaches; however, many organizations still struggle to comply with these frameworks today, which ultimately leads to Ransomware attacks. Although there are countless unique instances of Ransomware, the attack vectors used today remain the same as those used in ER 97 by the NSA.

Attack Vectors

Ransomware will commonly use emails, downloads, compromised software, or malicious websites in an attempt to gain access to administrative rights. This is done by exploiting misconfigurations, vulnerabilities, or socially engineering users with elevated rights assignments.

The ability to debug programs, seen as “SE_DEBUG”, is one of the rights assignments that Ransomware programs use to hash the Security Account Manager database and capture login credentials. Typically, SE_DEBUG is set either by mistake or as a result of a vendor with broken services on install. This setting requires continuous monitoring, as it often changes unintentionally.

Similarly, Local Admin privileges also change unintentionally. These privileges are designed to only be distributed to users in accordance with organizational missions and business functions. NIST 800-53 defines this principle as “least privilege” seen in control AC-6; however, misconfigurations and configuration drift will cause Local Admin privileges to be granted unnecessarily. These unnecessary Local Admin privileges increase the likelihood of Ransomware entering via social engineering.

Social engineering occurs when individuals hoping to introduce Ransomware into organizations attempt to manipulate a large group of users into revealing confidential information. Though a large body of users is targeted, it only takes one user with unnecessarily elevated privileges and the belief of “why would anyone attack me” to click on a malicious link and introduce a Ransomware attack.[1]

Frameworks as a Guideline

Numerous security frameworks have outlined specific controls to guard against these attack vectors:

NIST 800-53

AT-2 (Awareness Training) – Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.

AT-3 (Role-Based Training) – A well-trained workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy, in which organizations would be protected against incoming malicious code via email or web applications.

IR-6 (Incident Reporting) – Incident reporting addresses both specific incident reporting requirements for an organization and within the organization itself. For instance, suspected security incidents may include the receipt of suspicious email communications that can potentially contain malicious code.

CM-1 (Configuration Management Policy and Procedures) – An additional method of guarding against attack vectors is establishing and distributing a configuration management policy in order to address purpose, scope, roles, responsibility, and coordination among organizational entities and compliance.

CM-3 (Configuration Change Control) – Configuration Change Control determines which types of changes to the system are configuration-controlled and reviews these proposed system changes. In turn, the proposed changes are approved or disapproved with explicit consideration for security impact analysis.

CM-7 (Least Functionality) – The Least Functionality Control configures the system to provide only essential capabilities and to prohibit or restrict the use of the following functions: ports, protocols, and/or services.[2]

CIS Controls™

(4) Controlled Use of Administrative Privileges – Users with administrative account access are required to use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities. Systems must be configured to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

(5) Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers – All authorized systems and software have documented, standard security configuration standards. Additionally, a Security Content Automation Protocol (SCAP) compliant configuration monitoring system is utilized to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

(7) Email and Web Browser Protections – Protections that ensure that only fully supported web browsers and email clients are allowed to execute in the organizations, ideally only using the latest version of the browsers and email clients provided by the vendor. In order to reduce the likelihood of spoofed or modified emails from valid domains, implement Domain-based Message Authentication and Reporting and Conformance (DMARC) policy and verification, beginning with the Sender Policy Framework (SPF) and the Domain Keys Identified Mail (DKIM) standards.

(9) Boundary Defense – Boundary defenses deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization’s network boundaries. These defenses also deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization’s network boundaries.

(17) Implement a Security Awareness and Training Program – A Security Awareness and Training Program first begins with a skills gap analysis to understand the skills and behaviors workforce members are not adhering to. Then, using this information, the program builds a baseline education roadmap and trains the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.

(19) Incident Response and Management – Written incident response plans define roles of personnel and phases of incident handling/management, as well as detail information on third-party contact information. These third-parties include Law Enforcement, relevant government departments, vendors, and ISAC partners.[3]

Ransomware exploiting misconfigurations in order to target user accounts with elevated privileges represents a huge potential risk for organizations and security teams. User privileges are essential for organizations to manage, but when done manually, they are nearly impossible to manage efficiently.
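
CIS Control 4 above calls for a log entry and alert whenever an account is added to or removed from a group with administrative privileges. The following is an added example, not code from the article or from any vendor: it filters Windows Security group-membership events (IDs 4728/4729, 4732/4733, 4756/4757) down to changes affecting Administrators, Domain Admins or Enterprise Admins. The JSON-lines layout, the flattened "Computer" field and all sample values are constructed assumptions.

```python
import json

# Windows Security event IDs for security-group membership changes.
ADDED = {4728, 4732, 4756}    # member added to a global, local, universal group
REMOVED = {4729, 4733, 4757}  # member removed from a global, local, universal group

# Constructed sample events (JSON lines as a log forwarder might emit them).
# Field names follow the EventData of these events; all values are made up.
SAMPLE = """\
{"EventID": 4732, "Computer": "WS-014", "SubjectUserName": "helpdesk1", "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1111-2222-3333-1104"}
{"EventID": 4732, "Computer": "WS-014", "SubjectUserName": "helpdesk1", "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555", "MemberSid": "S-1-5-21-1111-2222-3333-1104"}
{"EventID": 4729, "Computer": "DC-01", "SubjectUserName": "adm-lee", "TargetUserName": "Domain Admins", "TargetSid": "S-1-5-21-1111-2222-3333-512", "MemberSid": "S-1-5-21-1111-2222-3333-1150"}
{"EventID": 4624, "Computer": "WS-014", "TargetUserName": "jdoe"}
"""

def is_privileged_group(sid):
    """True for built-in Administrators or a domain's Domain/Enterprise Admins."""
    if sid == "S-1-5-32-544":
        return True
    # Matching on the SID's final RID survives group renames and localisation.
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in {"512", "519"}

def admin_group_alerts(log_text):
    """Return one alert per membership change on a privileged group."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid not in ADDED | REMOVED:
            continue
        if not is_privileged_group(ev.get("TargetSid", "")):
            continue
        alerts.append({
            "action": "added" if eid in ADDED else "removed",
            "group": ev.get("TargetUserName"),
            "member": ev.get("MemberSid"),
            "changed_by": ev.get("SubjectUserName"),
            "computer": ev.get("Computer"),
        })
    return alerts

if __name__ == "__main__":
    for alert in admin_group_alerts(SAMPLE):
        print(alert)
```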

Overcoming Obstacles

The current practices for managing account privileges are extremely time-consuming and lack the details that a next-generation security solution can offer.

One current method for privileged account management is to use group policy to examine user rights. This requires security teams to spend countless hours individually examining rights assigned to each user on each machine. On top of not being time-effective, using group policy will not show the history of changes made or validate if planned changes were applied properly.

Using a SIEM to analyze logs creates similar problems. For example, the task of finding users with Debug Privileges would require a security team to first write a PowerShell script and then convert the results into a text file. This process shows results for only a static point in time and will not be able to show any changes unless the script is run regularly and the results are compared each time. Tools like SIEMs have great uses for IT, but when repurposed for security, these become overly time-consuming and fail to achieve the same results as a next-generation security solution.
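
The point-in-time problem described above goes away once each export is compared with a stored baseline. The following is an added example, not code from the article or from any product it mentions: it parses two user-rights exports in the INF layout written by `secedit /export /areas USER_RIGHTS`, where the debug right appears as SeDebugPrivilege, and reports what changed. The sample exports, the account name `svc_vendor` and the approved set are constructed assumptions.

```python
# Constructed sample exports in the layout written by
# `secedit /export /cfg rights.inf /areas USER_RIGHTS` (not real data).
BASELINE = """\
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
"""
CURRENT = """\
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,svc_vendor
SeBackupPrivilege = *S-1-5-32-544
"""

def parse_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*', account names without.
            rights[name.strip()] = {p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()}
    return rights

def diff_rights(baseline, current):
    """List (right, change, principal) for each grant added or removed."""
    changes = []
    for right in sorted(set(baseline) | set(current)):
        old, new = baseline.get(right, set()), current.get(right, set())
        changes += [(right, "added", p) for p in sorted(new - old)]
        changes += [(right, "removed", p) for p in sorted(old - new)]
    return changes

def unapproved_debug(current, approved=frozenset({"S-1-5-32-544"})):
    """SeDebugPrivilege holders outside the approved set (assumed policy)."""
    return sorted(current.get("SeDebugPrivilege", set()) - approved)

if __name__ == "__main__":
    base, cur = parse_rights(BASELINE), parse_rights(CURRENT)
    for change in diff_rights(base, cur):
        print(*change)
    print("unapproved SeDebugPrivilege holders:", unapproved_debug(cur))
```

Real `secedit` exports are normally UTF-16 encoded, so a file read from disk needs `encoding="utf-16"` before it is passed to `parse_rights`.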

The Next Generation: Cyber Diagnostics

The current cybersecurity software landscape is filled with bold claims and similar messages, making it difficult for security teams to sort through the “fog of more”[4] and find a true security solution. The award-winning Cyber Diagnostics Platform, AristotleInsight®, is a security solution that contrasts these run-of-the-mill claims and is based on the results of Operation Eligible Receiver 97.

For instance, consider the previous example of accounts with the unnecessary ability to “Debug a program.” Differing from alternative platforms, organizations using AristotleInsight are able to continuously track user privileges and receive alerts of changes immediately.

  • Monitoring User Privileges

Track history of privileges assigned to various users.
View which users have a specified User Assignment Right.

The User Privileges Report in AristotleInsight lists all user privileges across all domains or only specified domains. The report may be filtered by a specific user and/or computer.

AristotleInsight includes the unique and revolutionary ability to track ransomware back to ground zero. The system provides advanced cybersecurity professionals with the metrics to determine exactly when Ransomware first entered the network and what threat vector it entered through.

1.) Tracking the Executable

Enter the name of the executable impacting the network.
View the details to find first activity.

Visiting the L1 Threats by Program page will allow security teams to search for the exact executable used by whatever ransomware is impacting the environment.

2.) Finding the Source

Sort activity by First Active to see when an executable first ran.
Use More Info to view the specific user and device impacted.

Sorting the details by First Active will show the first instance of activity from whatever executable is being used by the Ransomware. Clicking the ‘More Info’ button will show the username and device the executable impacted.

3.) Finding the Cause

View what was clicked on to initiate executable activity.

The L1 Drilldown Report will show timestamped activity that can be matched to the initial executable activity seen in the Threats by Program Report. Finally, the Daily Bandwidth Report is used to validate what connections were made as a result of the activity.


Throughout the duration of Operation Eligible Receiver 97, the ability to spot anomalous activity proved to be one of the only successful defense measures against breaches. Today, based on the results of this exercise, Aristotle Insight brings anomalous activity detection to a new level and gives organizations the ability to immediately identify threats and respond accordingly.

Aristotle Insight

Aristotle Insight continuously identifies risk, directs remediation, and documents results from security functions such as Configurations, Vulnerabilities, Privileged User Management, Asset Inventory, and Threat Analytics.

Utilizing the revolutionary UDAPE® technology, Aristotle Insight collects reliable data from the process level from users, devices, applications, and endpoints. A unique Bayesian Inference Engine sorts through the kernel level data highlighting actionable items to help organizations save time and better manage cybersecurity posture.

Aristotle Insight is based on Operation Eligible Receiver 97 and is the solution for cybersecurity teams attempting to implement their security process. Whether completing an audit or addressing internal policies, mature cybersecurity professionals find that Aristotle Insight is a next-generation Cyber Diagnostics solution.

About the Author

Josh Paape is an Online Marketing Specialist at Sergeant Laboratories, a leader in security and compliance solutions that allow businesses, governments, and healthcare institutions to comply with regulations and stay a step ahead of criminals. As a graduate of the University of Wisconsin – La Crosse, Josh has experience marketing products from a variety of industries. As a contributor to CDM, he hopes to spark new thought and discussion topics in the information security community.

Connect with Sergeant Laboratories: https://www.sgtlabs.com

Sergeant Laboratories Blog: https://www.aristotleinsight.com

LinkedIn: https://www.linkedin.com/company/sergeant-laboratories-inc

Twitter: @Sergeant_Labs

[1] https://www.sans.org/reading-room/whitepapers/riskmanagement/securing-common-vectors-cyber-attacks-37995

[2] https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

[3] https://www.cisecurity.org/controls/

[4] http://www.cyberdefensemagazine.com/cutting-through-the-fog-of-more/