Before the Payload: Why Focusing on the Staging of Ransomware Will Help Prevent Widespread Damage or Prevent It Completely

We read in the news every day of different ransomware attacks against many different verticals and companies of all sizes. Unfortunately, attackers are targeting even the hardest-hit industries, like healthcare and hospitals, at the worst possible time. In the news articles about the different ransomware campaigns, you mostly hear about the payload and which ransomware was used, along with the other malware used to infect systems or get a foothold in the environment, but you don't always learn the details. In many cases, you will probably read that RDP, credentials, or a missed vulnerability played a big role in allowing the attacker to get in and also to move around the environment silently while staging the entire attack before pushing enter on the payload. In this article, we will review what companies can do as prevention measures instead of waiting for detection events and chasing an attacker who is already in their network.
Prevention is not only being able to detect and block the behaviors and signatures of attackers and payloads but also focusing on what can be done before they are in your network. IT hygiene, vulnerabilities, network configurations, user behaviors, and credentials play a big part in what attackers can do in your network, and attackers search for exactly those issues in environments. When attention is focused only on detection controls and IT hygiene is neglected, attackers capitalize on it and know they have an easy target on their hands. Among the first mitigations recommended for ransomware, for example, are vulnerability scanning and a least-privilege model.

But there are challenges in understanding what permissions you have put in place across thousands of systems, which vulnerability on which device can be used, where changes have been made to circumvent security policies for convenience, and what role each of those would play in an attack. At any given moment, changes in your environment can have a domino effect that puts your critical business assets, if not your entire network, at risk of a ransomware attack.

Even as you rely on your backups on separate systems or in your separated or segmented cloud or datacenter, are you certain there is no path for the attacker to get there?

Ransomware Staging: How Did They Get In and How Are They Moving Around?

An example from a Microsoft article shows how an attacker gets in and eventually pushes out the payload of their choosing. Many ransomware attacks are carried out in the same way, and understanding what attackers can obtain or use to move through your network and devices is crucial in stopping them.

In that example you have RDP, misconfigurations, and vulnerabilities as initial access, which allow for the next step of credential theft. Focusing on how the credentials can be harvested is only one part of the equation, though; more importantly, you should also look at which credentials can be harvested, and from where, in order to protect them. After all, the attacker is not out to test your security controls but to obtain the credential that gives them access; that is the root cause that makes the next steps possible.

Let us also look at the Verizon Breach Report for 2020; one of the metrics it tracked was how short the attack path is today.

As the document explains, attackers are after easy wins that take 5 steps or less, and if you can make it more difficult for them to get to what allows them to move with ease in your network, you will have a better chance of deterring them. So, the question is, how do you find those attack paths? How can you measure and see how an attacker could get from your HR device to your critical backups? How do you find how an attacker in your network can stage a ransomware attack before pushing the payload out?

Are you able to prioritize which vulnerabilities to fix and where? Do you have visibility into where your administrators are using their credentials and where those credentials can be harvested? How about the service accounts that were set up years ago without a password expiration and with interactive logon enabled? Is your network segmentation intact, and is there a way it can be circumvented? And the biggest question is: how are you monitoring this daily, as your network and cloud are constantly changing?

XM Cyber – Prevent ransomware attacks through continuous security posture improvement

XM Cyber has helped many customers across industries to find answers to those questions and, specifically for this article, to the question: how would an attacker stage a ransomware attack in my environment, and how far would they get?

In a few recent examples, customers had automated assessments performed by XM Cyber and its partners during times of distress, when they were extremely concerned about the news and did not know how vulnerable they were. In other cases, customers had already been breached but did not know where their problems were or whether they were still vulnerable. And for existing customers, keeping an eye on their security posture gave them peace of mind as attackers launched millions of attacks against companies around the world.

So how does XM Cyber help companies? By showing them what the attacker can do and how to prioritize remediations.

In this example, recreated from a customer environment with fake data, we helped a customer identify how a missed vulnerability could create a two-step attack to compromise all the files on a file server.

The customer was also concerned about the data in their AWS S3 bucket, and one of the questions they had was: are we safe there? The challenge was that they were not looking in the right place and missed how a hybrid attack starting from their on-premises devices could lead to an attacker accessing their S3 finance data.

During the investigation in this example, issues were found where service accounts, built-in local accounts, vulnerabilities, and access keys were allowing lateral movement and exploitation. Although the customer had many devices patched, there were issues that had gone unnoticed, such as a backup software service account with domain admin rights that was configured for interactive logon. Further, local accounts shared the same passwords with UAC disabled, which would allow an attacker to easily traverse the network.

How the customer should prioritize what their teams needed to do next was also provided automatically, by finding the key remediations and chokepoints in their environment.

The findings provided exact remediations

Within each of the findings, the exact parameters to help close the gaps in the quickest way possible are provided.

Along with the remediations, they also quickly identified which devices were causing the biggest risk in their environment. When looking at an environment holistically, finding the pivot points from which attackers would be able to execute many of their attacks is crucial, as it reduces the overall risk in the environment with the quickest wins for security teams.

We can quickly identify which devices those are by looking at all devices and identifying how each is attacked and what it can affect thereafter.

When they put the focus on those 7 devices across the 2,000 plus devices they had, they were able to accomplish a very large risk reduction to their environment by patching those systems as well as disabling interactive logon for a service account that was sitting on them.
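The questions raised earlier (how an attacker could get from an HR device to the critical backups in five steps or fewer), the findings listed above (an unpatched file server, a domain-admin backup service account logged on interactively, workstations sharing a local admin password with UAC disabled, an AWS access key on a workstation), and the chokepoint ranking just described can all be expressed as one small attack-graph model. The following is an added example, not XM Cyber's code or method: it builds an attack graph from a constructed inventory, enumerates the simple attack paths within the step limit, ranks the devices most paths pass through, and re-runs the assessment after a candidate remediation. All host, account and key names are invented and the CVE id is a placeholder.

```python
"""Attack-path model of ransomware staging (added example with constructed data)."""
import copy
from collections import Counter, defaultdict

MAX_STEPS = 5  # "easy wins that take 5 steps or less"


def host(vulns=(), pw_group=None, uac_disabled=False, sessions=(), aws_keys=()):
    """Inventory record for one device (fields are this example's own assumptions)."""
    return {"vulns": list(vulns), "pw_group": pw_group, "uac_disabled": uac_disabled,
            "sessions": list(sessions), "aws_keys": list(aws_keys)}


# Constructed inventory mirroring the article's findings (names invented).
HOSTS = {
    "hr-ws01":    host(pw_group="A", uac_disabled=True),
    "hr-ws02":    host(pw_group="A", uac_disabled=True),
    "fin-ws01":   host(pw_group="D", aws_keys=["finance-s3-key"]),
    "file-srv":   host(vulns=["CVE-PLACEHOLDER-1"], pw_group="B", sessions=["svc_backup"]),
    "backup-srv": host(pw_group="C"),
}
ACCOUNTS = {"svc_backup": {"domain_admin": True, "interactive_logon": True}}
AWS_KEYS = {"finance-s3-key": "s3:finance-data"}  # key -> cloud asset it unlocks
CRITICAL_ASSETS = {"backup-srv", "s3:finance-data"}


def build_attack_graph(hosts, accounts, aws_keys):
    """Derive attack edges from the inventory: node -> {next_node: technique}."""
    g = defaultdict(dict)
    for h, info in hosts.items():
        for other, oinfo in hosts.items():
            if other == h:
                continue
            # 1. an unpatched host is reachable from any foothold on the network
            if oinfo["vulns"]:
                g[h][other] = f"exploit {oinfo['vulns'][0]}"
            # 2. same local admin password and UAC disabled on the target: reuse it
            elif oinfo["pw_group"] == info["pw_group"] and oinfo["uac_disabled"]:
                g[h][other] = "reuse shared local admin password"
        # 3. an interactively logged-on account leaves a credential to harvest
        for acct in info["sessions"]:
            if accounts[acct]["interactive_logon"]:
                g[h][f"cred:{acct}"] = "harvest interactive logon credential"
        # 4. a cloud access key on disk is the hybrid hop to the bucket it unlocks
        for key in info["aws_keys"]:
            g[h][aws_keys[key]] = f"use access key {key}"
    # 5. a harvested domain admin credential logs on to every domain host
    for acct, ainfo in accounts.items():
        if ainfo["domain_admin"]:
            for h in hosts:
                g[f"cred:{acct}"][h] = "domain admin logon"
    return g


def find_attack_paths(graph, entry, targets, max_steps=MAX_STEPS):
    """Enumerate simple paths of at most max_steps edges from entry to any target."""
    paths = []

    def dfs(node, path):
        if node in targets and len(path) > 1:
            paths.append(list(path))  # reaching an asset ends the path
            return
        if len(path) - 1 >= max_steps:
            return
        for nxt in graph.get(node, {}):
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(entry, [entry])
    return paths


def rank_chokepoints(paths):
    """Devices that the most attack paths pass through (credential nodes excluded)."""
    counts = Counter(n for p in paths for n in p[1:-1] if not n.startswith("cred:"))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def assess(hosts, accounts, aws_keys, entry, targets):
    """Return (attack paths, chokepoint ranking) for one entry point."""
    paths = find_attack_paths(build_attack_graph(hosts, accounts, aws_keys), entry, targets)
    return paths, rank_chokepoints(paths)


def simulate_remediation(hosts, accounts, aws_keys, entry, targets,
                         patch=(), disable_interactive=()):
    """Re-run the assessment after patching hosts and/or removing interactive logon."""
    hosts2, accounts2 = copy.deepcopy(hosts), copy.deepcopy(accounts)
    for h in patch:
        hosts2[h]["vulns"] = []
    for acct in disable_interactive:
        accounts2[acct]["interactive_logon"] = False
    return assess(hosts2, accounts2, aws_keys, entry, targets)[0]


if __name__ == "__main__":
    paths, ranking = assess(HOSTS, ACCOUNTS, AWS_KEYS, "hr-ws01", CRITICAL_ASSETS)
    for p in paths:
        print(f"{len(p) - 1} steps: " + " -> ".join(p))
    print("chokepoints:", ranking)
    print("paths left after patching file-srv:",
          len(simulate_remediation(HOSTS, ACCOUNTS, AWS_KEYS, "hr-ws01",
                                   CRITICAL_ASSETS, patch=["file-srv"])))
```

In this constructed inventory the backups are three steps from the HR workstation and the S3 finance data four, both inside the five-step window, and every path runs through the file server, so either patching it or taking the backup account off interactive logon removes all of them. The same structure scales to a real inventory exported from AD, a vulnerability scanner and a cloud key audit; the edge rules are the part to extend.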

In summary, it is important to periodically review your environment and identify service accounts, domain accounts, exploitable vulnerabilities, local configurations, and other key configurations that would allow attackers to move with ease. The challenge many have is how to put these pieces together, and this is the core of XM Cyber's solution: helping security teams continuously find changes that can impact their environments and correct them before they can be exploited.

Gus Evangelakos is Director of North American Field Engineering at XM Cyber
