Editor's note: This article is by Sudarshan Pisupati, Principal Security Research Engineer, Zscaler
Some of the decisions that CXOs face during a ransomware event are rooted in a high-level technical understanding of how ransomware operates. By understanding the basic technical principles of how ransomware spreads, those responsible can make faster and better decisions that contain the fallout of such incidents. At the root of this tutorial is Active Directory, which is present in virtually all enterprises.
Understand Active Directory accounts, rights, and privileges
If you run Active Directory, here’s what you need to know.
- A set of accounts are all-powerful. Attackers can log in to your system and you wouldn’t even know it. These are called “Domain Admin” accounts. The compromise of the domain administrator account means attackers can log in anywhere as an administrator and deploy ransomware.
- A set of accounts aren’t all-powerful but they have significant access. As an example, think about an account whose sole purpose is to log in and back up all data from all servers in one of your data centers. The compromise of this account would likely mean all servers in that data center could be impacted by ransomware.
- Some accounts have the right to distribute software. Typically, these are Microsoft Endpoint Configuration Manager, formerly known as System Center Configuration Manager (SCCM), or accounts with rights to create Active Directory Group Policy. The compromise of these accounts will allow an attacker to carry out large-scale distribution of ransomware.
- The KRBTGT account holds the skeleton key. This account is integral to authentication in an Active Directory environment. If this account is compromised, an adversary can forge accounts, give existing accounts “Domain Admin” access and you wouldn’t even know it happened. And it’s a right an adversary can hold for years because the password to this account rarely ever changes.
- Credential theft is a tactic used to gather credentials from compromised systems. Windows keeps a copy of the credentials of every logged-on account in memory. It’s likely people store passwords in other locations as well, such as files, browsers, and software. An attacker’s MO is to steal as many credentials as possible. You may hear the word “Mimikatz” used in an investigation. This is a tool designed to steal passwords from Windows machines.
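As an added example (not part of the original article), the following PowerShell inventories the powerful accounts described above: recursive membership of the Domain Admins and Enterprise Admins groups, the age of the KRBTGT password, and who can create Group Policy Objects. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the directory.

```powershell
# Added example: inventory of the high-value Active Directory accounts the article describes.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host with read access to AD.
Import-Module ActiveDirectory

# 1. The "all-powerful" accounts: recursive membership of the built-in admin groups.
foreach ($group in 'Domain Admins', 'Enterprise Admins') {
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    "{0}: {1} user(s)" -f $group, @($members).Count
    $members | Select-Object SamAccountName | Format-Table -AutoSize
}

# 2. The "skeleton key": how long since the KRBTGT password was last changed?
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
"KRBTGT password last set {0:yyyy-MM-dd} ({1} days ago)" -f $krbtgt.PasswordLastSet, $ageDays

# 3. Accounts with the right to create Group Policy: the built-in creator group plus any
#    explicit CreateChild grant on the domain's Policies container.
Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
    Select-Object SamAccountName

$policiesDn = "CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
(Get-Acl -Path "AD:\$policiesDn").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Review the output against the list of accounts the business actually expects to hold these rights; every unexpected entry is a ransomware deployment path.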
Understand how ransomware spreads
Ransomware spreads in two ways: compromised power accounts and the domino effect of stolen credentials.
Spread via compromised powerful accounts
- If the all-powerful “Domain Administrator” is compromised, attackers can target machines individually to log in and deploy ransomware.
- If accounts that control distribution software are compromised, they can be leveraged to distribute ransomware using tools like Microsoft Endpoint Configuration Manager, Group Policy, or other similar software distribution tools.
The domino effect of credential theft
The domino effect allows ransomware operators to gather more credentials with each system they infect, thus increasing the footprint of systems on which they can deploy ransomware.
Let’s say a server in your Houston data center was compromised. Through credential theft, the attacker gets access to an account that is used to back up all servers. This account is an administrator on all Houston servers. The attacker can use this account to expand credential theft to all Houston servers. On one other Houston server, an account that is an administrator on all New York data center servers is compromised via credential theft. Now the ransomware can spread to all servers in New York. This rinse-and-repeat process continues until all servers are compromised or the desired access level is obtained.
Understanding the KRBTGT reset and its impact
If Active Directory is compromised, you will likely be faced with the decision of green-lighting the KRBTGT account password reset process.
We already know that the KRBTGT is the skeleton key. So what should you expect?
- This password has to be reset twice.
- All accounts will have to re-authenticate. Usually, this should be handled seamlessly.
- Depending on how they are configured, some special accounts called “Service Accounts” might need additional intervention to get them working again.
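The two-step reset described above, as an added example that is not part of the original article. It assumes the ActiveDirectory module, Domain Admin rights, an approved change, and the default maximum Kerberos ticket lifetime of 10 hours; the wait between the two resets is what keeps legitimate sessions working while the old key is retired.

```powershell
# Added example: reset KRBTGT twice, waiting for replication and for one full ticket
# lifetime in between. Assumes ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

function Reset-KrbtgtPassword {
    # A random value is fine: nothing ever logs in with the KRBTGT password directly.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure
    return (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
}

function Get-LaggingDomainControllers([datetime]$ExpectedTime) {
    # The reset only takes effect once every DC holds the new key; list the ones that don't.
    $dcs = (Get-ADDomainController -Filter *).HostName
    $lagging = foreach ($dc in $dcs) {
        $seen = (Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet).PasswordLastSet
        if ($seen -lt $ExpectedTime) { $dc }
    }
    return @($lagging)
}

$maxTicketLifetime = New-TimeSpan -Hours 10   # assumption: default Kerberos policy value

# First reset. AD still honours the previous key, so existing tickets (legitimate or
# forged with the old key) keep working until the second reset pushes it out of history.
$first = Reset-KrbtgtPassword
do { Start-Sleep -Seconds 60 } while ((Get-LaggingDomainControllers $first).Count -gt 0)

# Wait one full ticket lifetime so every account has renewed against the new key;
# resetting sooner invalidates outstanding tickets and causes the mass re-authentication
# the article warns about.
Start-Sleep -Seconds $maxTicketLifetime.TotalSeconds

# Second reset: the compromised key is now gone from history.
$second = Reset-KrbtgtPassword
do { Start-Sleep -Seconds 60 } while ((Get-LaggingDomainControllers $second).Count -gt 0)
"KRBTGT reset completed at $second; check service accounts that cache tickets."
```

In practice the two resets are run as separate scheduled stages rather than one long-running script; the replication check is the part worth keeping in either form.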
The expectation vs. reality problem with network segmentation
Network segmentation using firewalls has been the common approach for enforcing access controls to the infrastructure. Yet, ransomware spreads. Why does this happen?
The reality is that even with network segmentation, some access is always allowed. And ransomware leverages this access to spread.
Let's take the example of remote desktop. This is required for certain users to be able to remotely access servers even in segmented networks. Ransomware operators will then leverage remote desktop to hop network segmentation controls and achieve their objectives.
What you can do to prepare today
To defend against ransomware consider the following.
Transform your network with zero trust
The unfortunate reality is that legacy networks are architected in a manner that is increasingly difficult and operationally cumbersome to secure. The zero trust approach to security essentially removes the biggest tool in the arsenal of a motivated ransomware operator: unfettered network access.
Adopt cloud-native security operations
A ransomware outbreak in your on-premises network will result in the loss of access to some or all on-premises infrastructure and applications, depending on the scale of impact. The loss of access to security infrastructure materially affects the ability to recover from an attack. A cloud-native security stack does not just simplify management and operational overhead for security teams, it also enables:
- Access to your data when you need it the most.
- Vendors to analyze and share data amid ransomware response activities.
Implement tactical controls like deception against ransomware
One reason why ransomware is so successful is that security controls are predictable. A motivated adversary has access to tooling and capabilities to bypass predictable controls like AVs and firewalls. Active defense disrupts the tactics of the human operating the ransomware. By placing traps on your network, you can transform your threat detection program to enable your security team to outsmart the adversary tactically, not just technically.
Make Active Directory security a top business priority
Even today, businesses are reluctant to allow the deployment of security controls that directly affect Active Directory. Operational difficulties in coordinating between Security and Active Directory teams result in the Active Directory being exposed and vulnerable. This must change. Active Directory security should be a top priority and your security team, vendors and partners should be empowered to influence Active Directory security posture.
Budget fire drill hours for all IT and operations and security folks
While you may have done everything right in terms of enabling the right security tools and controls for your organization, the pitfall is usually the lack of testing security protocols end-to-end. Many organizations test their network to the extent of finding new issues or testing the efficacy of their detection capabilities but do not engage in a full-scale fire drill to respond to a security threat. A fire drill is often seen as a burden or a waste of productive time. Budget fire drill hours for all key personnel in the yearly calendar.