As the ransomware marketplace matures, certain specialized skills have grown in demand, such as those that allow criminals to compromise systems and gain a foothold within the network. With that in mind, this article dives into effective ways to prevent threat actors from gaining initial access and minimize the destruction carried out in later stages of a ransomware attack.
Common methods for initial access
There are several tactics, techniques and procedures (TTPs) often used by threat actors to gain initial access to a victim’s network. These TTPs include:
- Identifying networks with vulnerable applications or devices, including virtual private network (VPN) appliances, perimeter devices (e.g., firewall devices) or other internet-facing devices (e.g., web servers, mail servers). During the last year, several critical vulnerabilities, including zero-day vulnerabilities, have been exploited by attackers to access sensitive data and/or execute code remotely.
- Locating systems or applications with remote-facing services, such as open Remote Desktop Protocol (RDP) or Outlook on the Web (OWA), which can potentially be leveraged for access by threat actors. We have seen threat actors access such services by testing credentials via brute-force attacks (e.g., password spraying), as well as by testing credentials related to the target network that were publicly exposed in credential dumps on the dark web.
- Sending phishing messages, typically via email but sometimes via live chat, to obtain access to victim systems. We have identified cases where threat actors sent one or more emails to victims containing malicious attachments or links that, when clicked upon or opened by the victim, allowed threat actors to obtain credentials and/or deploy malware that established access to the victim system.
Mitigation strategies to address common methods of initial access
To help mitigate the risk of threat actors leveraging these initial access methods, a layered approach can minimize an organization’s attack surface and subsequently enhance its protection by managing vulnerabilities.
Attack surface management
One of the first steps in effectively managing attack surface is identifying an organization’s IT assets and diagraming its network. Once assets are inventoried and the network is understood, an organization can understand its attack surface more accurately. Systems located on the network perimeter should be secured behind a firewall and/or VPN where possible. Hosts and applications that must remain web-facing — often email, cloud environments or hosts requiring external remote services — should be secured with two- or multi-factor authentication (2FA/MFA). MFA pairs a username and password with a unique additional factor, such as a PIN, and limits the ability of an attacker who has obtained a user’s username and password to successfully log in as the compromised user. MFA should be required for all remote access, cloud services and privileged access accounts.
Overall, understanding an organization’s attack surface, reducing this surface where possible and properly securing the remaining systems and services greatly reduces the risk of initial access. For example, attackers routinely target systems with open RDP services. By moving such remote access services behind a corporate remote access VPN connection and requiring MFA, an organization can defend against unauthorized access.
Vulnerability management
Once an organization has developed an IT asset inventory as discussed above, this also allows the organization to increase the comprehensiveness with which it can manage and secure its full scope of assets, not just those on the perimeter. Vulnerability management is critical to securing an organization’s IT assets. A mature vulnerability management program should include regular patching to mitigate the risk of vulnerabilities being exploited, as well as routine scanning of all external and internal systems, devices and applications for vulnerable software. Many perimeter and internet-connected devices (e.g., firewalls, VPNs and mail servers) currently in use by companies have critical published vulnerabilities that, if unpatched, open an organization to exploitation.
It is important to understand the assets used within your organization so applicable vendors can be monitored for security releases and patches can be performed in a timely manner. Additionally, there may be instances where patches are not yet available and/or additional actions must be performed to secure an asset from a new vulnerability.
For example, the recent vulnerabilities impacting Microsoft Exchange servers collectively referred to as ProxyShell and ProxyLogon organizations to the risk of malicious webshells being deployed to their Exchange servers. In some cases, even if the organization patched the Exchange server, any webshells successfully deployed to the server before the patch was applied had to be manually remediated to close the security gap. Understanding the required supplementary actions by performing activities such as monitoring threat intelligence sources, researching applicable vulnerabilities, or engaging a knowledgeable third party to assist in recovery is important to fully secure assets.
While the above recommendations may not address every method of initial access, nor mitigate certain activities that typically occur after initial access, implementing these practices will likely provide significant protection against common threats that companies face and allow an organization to limit an actor’s ability to gain initial access to its network. In addition to the vulnerability and attack surface management, we strongly recommend 10 cybersecurity controls essential for increased resilience.
If your organization does not have the internal capabilities to perform these strategies in-house, consider reaching out to a reputable third party to help provide any or all of the above services and improve your organization’s security posture.