This article comes from a Digital Forensics and Incident Response (DFIR) thread conversation during SBS CyberSecurity’s CyberRiskNow Virtual Conference event. Two questions were asked during the conference:
- “What is your single biggest suggestion for everyone to better prepare for a cybersecurity issue/incident?”
- "What's your stance on traditional A/V vs. next-gen, behavioral-based A/V like Cylance or Carbon Black?”
Those two questions sparked a conversation about controls that we’ve seen over the last three years of being an active participant in many organizations’ incident response activities to live hacking incidents.
The conversation revolved around how modern ransomware, business email compromise, and network takeover can be stopped before an attack reaches a full compromise condition. To be clear about “modern" ransomware, we’re talking about a full network takeover incident before the attacker launches ransomware to cover their tracks. Attackers are typically inside a network masquerading as users and admins for an average of 40 days. Ransomware scripts are launched as a last kick in the teeth to help clean up their tracks by destroying forensic evidence stores such as logs, registries, and file systems. There’s also the side-benefit of getting some instant monetization for their work in the form of a ransom payment.
These incidents highlight the need for central logging, detection using key risk indicators, and finding indicators of compromise before the attacks get too far. This article is not about those things as we’ve covered those topics in previous articles, including our Indicators of Compromise article and 50+ Incident Response Preparedness Checklist Items download. This article focuses on the controls that will stop the attack at some point during the incident and dramatically reduce cyber risk across the enterprise for the most common and most destructive attacks currently seen today.
1. Implement MFA
The one single control that would have prevented every incident we’ve worked on over the last three years, at some point in the attackers' process, is Multi-factor Authentication (MFA). MFA is the single greatest risk-decreasing control you can implement in your enterprise.
Modern ransomware is all about capturing credentials and using them to create scheduled tasks and to steal data before the ransom encryption ever happens. Business email compromise (BEC) is another example. BEC is a huge issue for companies that put PII and regulated data in email, which you may and not even know it is happening until you suffer this type of attack. MFA stops ransomware and BEC attacks cold at the entry-point.
The rule of thumb is this: if an application can be accessed outside of your network (i.e. VPN, email, or web portal access) get MFA on those things ASAP. Rolling MFA out for all other credentialing applications should be next on your schedule once that is done. Hackers can’t use your employees' stolen credentials without an MFA key once it’s turned on, which only your specific employee will possess via a token application or code sent to their cell phone through text message or call. SBS recommends the most secure implementation of MFA is via a “soft” token in an application, due to SIM Swapping attacks covered in our {Threat Advisory} SIM Swapping post.
Although SIM Swapping is difficult for attackers to perform, it is still possible. Think about all the attacks that are popular right now with hackers: business email compromise, ransomware, RDP brute force, etc. Deploying MFA mitigates the result of all those attacks. Hackers have always been able to trick users into giving up their passwords; that will likely never change. Mandating a third-factor for logon is the only protection that consistently works.
2. Implement Host-based Intrusion Prevention with Scripting Control
Traditional AVs and endpoint protections just don't work on modern Advanced Persistent Threats (APTs). Even second-gen and next-gen providers say they do, but if they don't have scripting control as part of their endpoint control, they fail against modern attacks. Scripting control is a mechanism to detect scripting via Command Shell, PowerShell, WScript, etc.; and shut the script down unless it is whitelisted.
There are only two second-gen providers that perform scripting control properly in our tests. Yes, only two, currently: Cylance and Carbon Black. Our testing has come from deploying these technologies for our clients to contain and eradicate network takeover and modern ransomware.
Deploying scripting control on your endpoints is the second-best control when it comes to stopping a modern cyber attack from taking over your network. If your organization falls victim to network takeover or modern ransomware, scripting control will need to be deployed as part of the containment and eradication process to ensure there isn’t a re-incursion by the attackers into your systems.
3. Implement Whitelisting for Egress Firewall Filtering
The third best control to contain and eradicate an incident is egress filtering on your firewall. First, be sure to whitelist all verified outbound connections leaving your network. Second, deploy a second-gen firewall that has safe-lists available – this will make your deployment of egress firewall filtering much easier and decrease IT overhead surrounding the whitelisting process. Nothing should leave your network that you don't deem safe.
Whitelisting and egress firewall filtering cripples the attackers’ capabilities to have their malware call out to their command and control systems on the Internet and listen for connections. It also keeps your users out of the darker places on the Internet. To implement this control, you will need second-generation firewalls that support these methods. Not all of them do.
4. Implement Email Sandboxing
Email sandboxing is the fourth-best control to protect your network from an incident. Email sandboxing filters all HTML and dynamic content in emails and only delivers messages with content deemed “safe” by the provider. When implemented with DKIM, SPF, and DMARC technologies, email sandboxing eliminates nearly 99% of all attacker phishing capabilities.
We’ve seen recent attack techniques that are able to bypass email sandboxing due to the phishing emails directing users to a document hosted on a legitimate platform like OneDrive, SharePoint ShareFile, or Evernote, which we’ve described in our {Threat Advisory} New Phishing Technique post. In those cases, you will still need to train your employees well and test them with similarly crafted phishing exercises.
5. Implement Country Code Blocking on Firewalls and Cloud Resources
Country code blocking is the fifth-best control to protect your network from an incident. The good news here is that country code blocking is very simple. If you don’t do business with anyone living in a certain foreign country, simply block that country’s IP address range(s) in your firewalls, cloud deployments, and WAFs. Your IT staff can then make specific exceptions to IP addresses where workers are traveling to or are temporarily stationed.
Country code blocking will mitigate most hacking attempts from any countries that have no need to access your Internet-facing applications or systems. While some threat actors are using VPNs to get around country code blocking, it is a simple and easy to implement control that will save you from having to deal with the majority of threat actors.
6. Implement a Framework that Drives Security Culture
The 6th and final best control to protect your network from an incident would be to create a culture of cybersecurity and implement a corresponding cybersecurity framework. Awareness of cybersecurity threats and attacks among all employees is critical, and testing employee’s awareness with phishing campaigns is the key to making training stick.
Additionally, implementing a cybersecurity framework that mandates a top-level cybersecurity security position and drives security processes, such as risk assessment and risk management, auditing and remediation, security awareness, and testing, is essential to the long-term success of your organization in today’s threat environment. Without a cybersecurity framework and a champion leading those efforts, your company will fail. It’s just a matter of time. Your organization needs a security nerd, a CISO, in your C-level cabinet, whether that individual is in-house or outsourced to an organization that focuses on cybersecurity.
This is a WAR, and your employees are the front line! Winning the war should be a primary focus for any organization dealing in intellectual property or providing services to customers. You are a technology company first.
Don’t Wait Until It’s Too Late!
Implementing the controls discussed in this article will push your overall cybersecurity risk mitigation into the stratosphere. Can you really afford not to control unauthorized access to your valuable data? If you can’t take the appropriate steps to secure your organization now, will you be able to take action later as the threat landscape continues to escalate? Now is the time to act by deploying the controls listed in this article. Take it from us and all the companies we have helped with active hacking incidents; it is much cheaper to start implementing these controls today than it will be to wait until you’re experiencing an incident and are faced with the costly decision of implementing these controls in an emergency-situation or closing your doors forever.
