These attacks thrive on overprovisioned administrator access. Understanding where sensitive data resides and adopting zero standing privilege are key to limiting the damage.
By Jeff Warren, General Manager, Products, Stealthbits Technologies, Inc.
When most people think of a ransomware attack, they probably imagine their company coming to a screeching halt as the infection spreads across the network, encrypting everything in its path and leaving a trail of ransom notes in its wake. This type of devastating event can take an organization down for hours, days, or indefinitely. Regardless of whether the ransom is paid, however, the cost of these attacks can be astronomical.
These days, companies are better prepared for catastrophic events, with detailed incident response and disaster recovery plans in place. Increased cloud adoption also makes rapid recovery more achievable and helps limit ransomware-related downtime. There is a growing community effort to help infected organizations, with initiatives like The No More Ransom Project, which exists to help companies avoid ransom payments and decrypt their data for free. Additionally, law enforcement agencies, including the FBI, advise victims not to pay these ransoms, as the proceeds fund further cybercrime.
Ransomware groups are aware of these trends and are responding with a renewed focus on the added exfiltration of sensitive data, which they can use to extort companies into paying an even more exorbitant ransom.
Ransomware’s New Tricks Are After Your Sensitive Data
The goal of ransomware has never been crypto-locking an organization’s IT network – that’s just a means to an end. Ransomware is about extorting a ransom payment, by any means necessary. As organizations become more prepared to recover from a crypto-ransomware event, attackers are pivoting into new ways of putting the pressure on organizations to pay up.
The threat of a data breach is enough to get any organization’s attention. This has become a weapon of choice for the Maze Ransomware Group, which has been involved in several high-profile ransomware-attacks-turned-data-breach this year. At first, they will crypto-lock your systems, and then if the ransom is not paid, they will leak compromised sensitive data to force their victim’s hand. They have even gone as far as hosting a “Name and Shame” site where they will expose a company’s private data to the world to prove they have it.
This behavior is a logical extension of the more advanced, human-operated tactics that have been used in targeted ransomware attacks. Once an adversary lands within a victim’s network, they perform reconnaissance, learn the lay of the land, and gradually expand their foothold, acquiring more privileges as they go. Commodity malware such as Emotet, leveraged by multiple attack groups, packages initial infection and lateral movement into an evolving toolkit, so the intrusion itself has become a commodity.
This process typically ends with Domain Administrator access within an Active Directory domain, which gives the attacker carte blanche to move within the organization and access any and all data, including sensitive personnel and customer records. It is a simple behavior change for these adversaries to gather and exfiltrate this data before dropping a crypto-ransomware payload.
The Maze Ransomware Group isn’t alone in this approach. We’ve seen other recent attacks that resulted in data breaches affecting students in the Clarke County school district and children and parents involved with Child Protective Services. Each of these attacks leaked information including Social Security Numbers, showing that attackers have no qualms about exposing the identities of innocent bystanders, even children.
This seemingly subtle yet substantial evolution in ransomware is catching companies off guard. The focus has been on recovering from a ransomware attack, not on mitigating a data breach. Whether a ransomware attack constituted a data breach was once debated case by case, but that is quickly becoming a thing of the past: once the attackers have exfiltrated the data, the breach is not in doubt, and in many cases the data is then exposed.
This shift in behavior by ransomware groups should not be taken lightly. The message is loud and clear. Attackers will go to whatever lengths necessary to extort a ransom payment, and the identities of millions of unsuspecting victims are at risk.
An Attack on Data Privacy
This behavioral shift is concerning in more ways than one. It’s hard enough to protect your network from crypto-ransomware. Now, with each ransomware attack equating to a potential data breach, new challenges arise.
Recently, companies have been more focused on data privacy with the rise in regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations place greater responsibility on organizations to protect their customer and employee data and improve data breach notification policies. Failure to comply can result in fines and even class-action lawsuits by affected individuals.
As if ransomware wasn’t costly enough, modern privacy regulations up the ante. As a result, new strategies are needed to shift focus from recovering from a ransomware attack to mitigating the risks associated with credential and data theft and protecting your critical data from the prying hands of attackers.
You Can’t Protect What You Don’t Know
Traditional ransomware strategy would dictate that you only need to be able to wipe compromised devices and restore them from backup. While this is still a costly endeavor, it is becoming more and more reasonable, and it remains worthwhile. But a backup restores availability; it does nothing about the copy of your data that has already left the network. With ransomware focusing on exfiltration before encryption, data security now lands squarely in the middle of ransomware prevention.
The first step to mitigating a data breach is to gain an understanding of where your data resides. This is also typically required for companies undertaking Data Privacy Impact Assessment (DPIA) or a Data Risk Assessment (DRA).
While many organizations can point to where customer and employee data enters their organization, it’s typically difficult to track where it goes from there. Examples of activities that lead to sprawl of sensitive customer data include:
- Extracting information from applications into spreadsheets and saving them to network file shares, collaboration sites, or sending as email attachments
- Pasting or discussing sensitive information within chat applications like Microsoft Teams or Slack
- Creating copies of production data for development or integration testing
- Employees saving local copies of customer data to their laptops to work with, and then leaving them behind
If you don’t take the time to locate this data within your network, you can trust that your attackers will. Once you can identify and corral your sensitive data, you can now focus on protecting it.
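The discovery step above is where a scan of the file shares, collaboration exports and developer copies listed earlier starts. The following is an added example, not code from the original article or from any vendor product: it walks a directory tree, reads text-like files and reports which ones contain U.S. Social Security Numbers or payment card numbers. A bare regex is noisy on real shares, so each SSN candidate is checked against the SSA allocation rules and each card candidate against the Luhn check digit. The file names and contents are constructed sample data (the SSNs are the two well-known SSA demonstration numbers and the cards are standard test numbers); the extension list and size limit are assumptions.

```python
"""Sensitive-data discovery over a file share (added example, constructed data)."""
import os
import re
import tempfile
from collections import Counter

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
TEXT_EXTENSIONS = {".csv", ".txt", ".log", ".json", ".xml", ".sql", ".md"}  # assumed
MAX_BYTES = 50 * 1024 * 1024  # assumed: skip very large files in a first pass


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count validated SSN and card-number hits in one blob of text."""
    hits = Counter()
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            hits["ssn"] += 1
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits["pan"] += 1
    return hits


def scan_tree(root: str) -> dict:
    """Return {relative_path: Counter} for every text-like file with hits."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue  # binaries, images and archives need dedicated parsers
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: a real scan would log this, not skip it
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample share; no real personal data.
SAMPLE_FILES = {
    "hr/export.csv": "name,ssn\nAlice,078-05-1120\nBob,219-09-9999\nBad,000-12-3456\n",
    "finance/refunds.txt": "card 4111 1111 1111 1111 approved\n"
                           "card 5500000000000004 approved\n"
                           "order 4111111111111112 (fails Luhn, not a card)\n",
    "dev/schema.sql": "CREATE TABLE customers (id INT, ssn CHAR(11));\n",
    "notes/readme.md": "Call 555-123-4567 about ticket 9000123456.\n",
    "photos/team.png": "not scanned: extension is not text-like\n",
}


def build_sample_share(root: str) -> None:
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo() -> dict:
    """Build the constructed share in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        return scan_tree(share)


if __name__ == "__main__":
    for rel, hits in sorted(run_demo().items()):
        print(f"{rel}: {dict(hits)}")
```

On the constructed share the scan flags only hr/export.csv (two valid SSNs; the 000-prefixed one is rejected) and finance/refunds.txt (two Luhn-valid card numbers; the third fails the check digit). The phone number and ticket number in the notes file produce nothing. Office documents, archives and images are skipped here; a production scan needs format-specific extractors for those, and should record unreadable paths rather than silently skip them, since an ACL that blocks the scanner rarely blocks a Domain Admin.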
Zero Trust is Not Enough, It’s Time for Zero Standing Privilege
Most ransomware attacks follow similar patterns. After the initial infection, the operators go through a cycle of credential compromise, lateral movement, and privilege escalation. These attacks thrive on overprovisioned administrator access, and in many cases they can compromise an entire Active Directory domain within hours of the initial foothold.
Many cybersecurity initiatives have focused on implementing the tenets of a Zero Trust Model, with the mantra of “never trust, always verify” and a focus on implementing a least privilege model and adopting strong authentication. All of this is a great step towards improved security and mitigation of data breach activity.
However, attackers have proven they can still patiently learn the ins and outs of any network, masquerading as legitimate users and bypassing multi-factor authentication (MFA) and other obstacles put in their way. One of the primary contributors is an overabundance of privileged accounts with persistent access to an organization’s IT infrastructure. Rotating their passwords does not remove them: an attacker who compromises one of these accounts, or who reaches a host where it has logged on, can leverage the artifacts it leaves behind (cached credentials, Kerberos tickets and access tokens) to move laterally on the way to privilege escalation and, ultimately, domain dominance.
A new focus needs to be on evolving the Zero Trust methodology to one of Zero Standing Privilege, where persistent privileged access is removed altogether, specifically for privileged accounts. This doesn’t mean only Domain Administrator and root accounts with full administrative access; this includes any users with highly privileged access to your critical systems and private data.
When these individuals need access, they must go through an approval-gated request to be granted just enough access, only for the window in which they need it, with the privileges removed entirely when the privileged activity is done.
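The request-approve-expire cycle described above is the core mechanic of zero standing privilege, and it is easier to reason about as code than as policy text. The following is an added example, not code from the original article or from the vendor’s product: a small just-in-time elevation ledger in which no privileged role is held permanently, every grant records requester, approver, reason and expiry, and every privileged operation consults the ledger at the moment of use. It also audits a group-membership snapshot for standing (non-expiring) privileged memberships. The account names, roles, policy limits and timestamps are constructed for the demonstration.

```python
"""Zero standing privilege as a just-in-time elevation ledger (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=4)  # assumed policy: no elevation outlives a work session
PRIVILEGED_ROLES = {"Domain Admins", "Backup Operators", "sql-sysadmin"}  # assumed


@dataclass
class Grant:
    user: str
    role: str
    approver: str
    reason: str
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now < self.end


@dataclass
class Ledger:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request(self, user, role, approver, reason, ttl, now) -> Grant:
        """Grant a time-boxed role; refuse self-approval and over-long TTLs."""
        if role not in PRIVILEGED_ROLES:
            raise ValueError(f"unknown privileged role {role!r}")
        if approver == user:
            raise ValueError("self-approval is not allowed")
        if ttl <= timedelta(0) or ttl > MAX_TTL:
            raise ValueError(f"ttl must be within (0, {MAX_TTL}]")
        grant = Grant(user, role, approver, reason, now, now + ttl)
        self.grants.append(grant)
        self.audit.append((now, "grant", user, role, approver, reason))
        return grant

    def has_privilege(self, user, role, now) -> bool:
        """The check every privileged operation performs at time of use."""
        return any(g.user == user and g.role == role and g.active(now)
                   for g in self.grants)

    def release(self, user, role, now) -> None:
        """End a grant early when the work is done; do not rely on the timer alone."""
        for g in self.grants:
            if g.user == user and g.role == role and g.active(now):
                g.end = now
                self.audit.append((now, "release", user, role))


def standing_privilege(memberships: dict) -> list:
    """List permanent privileged memberships.

    memberships maps group -> {member: expiry_or_None}; None means standing.
    """
    return sorted((group, member)
                  for group, members in memberships.items()
                  if group in PRIVILEGED_ROLES
                  for member, expiry in members.items()
                  if expiry is None)


def scenario() -> dict:
    """One elevation, one early release, and a later theft of the same credentials."""
    t0 = datetime(2020, 9, 1, 9, 0, tzinfo=timezone.utc)
    ledger = Ledger()
    ledger.request("alice", "Domain Admins", approver="bob",
                   reason="ticket 4711: replace DC02 certificate",
                   ttl=timedelta(hours=1), now=t0)
    during = ledger.has_privilege("alice", "Domain Admins", t0 + timedelta(minutes=20))
    ledger.release("alice", "Domain Admins", t0 + timedelta(minutes=35))
    after_release = ledger.has_privilege("alice", "Domain Admins", t0 + timedelta(minutes=40))
    # An attacker replaying alice's stolen credentials hours later still
    # authenticates as alice, but finds no privileged role to use.
    stolen_later = ledger.has_privilege("alice", "Domain Admins", t0 + timedelta(hours=6))

    rejected = 0  # policy violations the ledger refuses
    for bad in ({"approver": "alice", "ttl": timedelta(hours=1)},   # self-approval
                {"approver": "bob", "ttl": timedelta(hours=8)}):    # exceeds MAX_TTL
        try:
            ledger.request("alice", "Domain Admins", reason="n/a", now=t0, **bad)
        except ValueError:
            rejected += 1

    # Constructed membership snapshot: two accounts still hold standing privilege.
    snapshot = {
        "Domain Admins": {"svc_backup": None, "alice": t0 + timedelta(hours=1)},
        "Backup Operators": {"carol": None},
        "Help Desk": {"dave": None},  # not a privileged role under this policy
    }
    return {"during": during, "after_release": after_release,
            "stolen_later": stolen_later, "rejected": rejected,
            "standing": standing_privilege(snapshot), "audit_events": len(ledger.audit)}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is the last check: the attacker’s stolen credentials are just as valid as before, but with no standing membership there is nothing for them to unlock outside the approved window. In Active Directory the same mechanic is available natively as time-bound group membership once the Privileged Access Management optional feature is enabled, and the snapshot audit corresponds to listing privileged group members whose membership has no expiry. Whatever enforces the ledger must be what the systems actually consult; a ticketing workflow that leaves the account in Domain Admins afterwards is still standing privilege.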
The removal of the vast majority of privileged accounts is what will ultimately reduce the attack surface every organization is struggling to defend. It raises the drawbridge around your sensitive data, keeping attackers out. This not only helps companies protect themselves from ransomware attacks but keep the data and identities safe for the individuals who they rely on the most – their customers and employees.
About the Author
Jeff Warren is Stealthbits’ General Manager of Products. Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions. He has held multiple roles within the Technical Product Management group since joining the organization a decade ago, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development. Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Jeff can be reached on Twitter at @SbitsJeff and at our company website https://www.stealthbits.com/