Tales from the Trenches – S01E03
Falling victim to Ransomware
Hello again! In our last episode, we talked about some cybersecurity fundamentals, particularly knowing what is connected to your organization. In these tales, we’re going to continue with this thread which should stress the importance of this topic.
This is the tale of a relatively recent ransomware incident. If you aren’t familiar with ransomware, it is a type of malware that encrypts your data or system and promises the decryption keys once a ransom is paid. The value of the ransom is typically proportional to the amount of data held hostage and is usually paid in bitcoin. Sometimes the keys are not given or don’t work after a ransom has been paid, and sometimes organizations held hostage have been able to negotiate the amount to be paid.
I don’t know all the inside details of this incident but was informed of the issue by another organization, who likely heard of it because the cybersecurity world is quite small; they were probably warned by a conscientious peer. A check of the victim organization’s web site did confirm an issue with their systems and business interruptions. Again I called my peers to learn more and found out that there was indeed a ransomware incident. The victim organization had the basic tools in place but was lacking in a critical area; if you guessed knowing how many computers were running in their organization, you would be right. Somehow the various IT and security teams only ever expected a certain number of computers in the organization, yet the reality was that they had many, many more. And due to the way their security management tools and policies were configured, those extra systems were left unprotected and highly vulnerable. After what was undoubtedly a costly incident response effort, the organization did recover and resume normal operations.
In a perfect world, the HR, IT, security, inventory, license and change management processes are all in sync, with birds singing and unicorns jumping over rainbows. But that’s a perfect world. Life happens. If you can’t rely upon a centralized or coordinated process, there are still ways to address the topic and minimize your risk.
Let’s start with your typical AV security management system. Most modern security management systems can poll or sync with Active Directory (does anyone use Novell NetWare or Banyan Vines anymore?!). Simply polling AD twice a day is a good start. Assuming your AD is kept tidy, this technique probably covers 2/3 of your organization with a reasonably small gap between initial management and security coverage. Still, in CPU cycles, waiting 12 hours to have protection deployed is an eternity! A good way to complement it is with a system that can listen to live network traffic and take automated action. In my favorite security management application, McAfee ePolicy Orchestrator, this is accomplished using the Rogue System Detection (RSD) system. As the name implies, the modules detect rogue systems (those that are unknown or unmanaged) and take appropriate action, i.e., deploy the McAfee Agent.
To illustrate how effective this double-layered approach is, let’s look at one organization that had around 2000 Windows endpoints consisting of laptops, desktops, and servers. Through our diligent monitoring and checking of dashboards (recall the lessons from S01E01 of these tales) we found that AV signatures were not as up to date as they should be across the organization. It turned out that we only had active management of less than 40% of the systems. They were using a daily sync with AD, but because they had over 4000 stale computer objects in AD, the daily sync could never get through more than 40% of the systems in 24 hours! We implemented RSD and within an hour achieved over 80% coverage, and over 90% by the next day.
It turns out that the desktop teams were never deleting the old AD computer accounts when reimaging/redeploying systems, resulting in a gradual stockpile of legacy computer objects.
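To show what the gap above looks like in numbers, here is an added example (my own, not code from this post or from McAfee ePO) that reconciles three constructed inventories: an AD computer export with last-logon dates, the AV console’s managed-host list, and hosts observed live on the network. It reports stale AD objects, management coverage of the live estate, and rogue hosts; all host names, dates and the 90-day staleness threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post). A last logon of None means the
# object has never logged on; WS003 is a reimaged machine whose old object
# was never deleted, the situation described in the story.
NOW = datetime(2024, 1, 15)
AD_COMPUTERS = {
    "WS001": NOW - timedelta(days=2),
    "WS002": NOW - timedelta(days=5),
    "WS003": NOW - timedelta(days=200),  # legacy object, never cleaned up
    "SRV01": NOW - timedelta(days=1),
    "WS004": None,                       # created but never logged on
}
AV_MANAGED = {"WS001", "SRV01"}                      # hosts the AV console manages
NETWORK_SEEN = {"WS001", "WS002", "SRV01", "LAB-PC7"}  # hosts seen on the wire

STALE_AFTER = timedelta(days=90)  # assumed staleness threshold


def stale_objects(ad, now=NOW, threshold=STALE_AFTER):
    """AD computer objects with no logon inside the threshold (or none ever)."""
    return {name for name, last in ad.items()
            if last is None or now - last > threshold}


def live_objects(ad, now=NOW, threshold=STALE_AFTER):
    """AD computer objects that have logged on recently enough to be real."""
    return set(ad) - stale_objects(ad, now, threshold)


def coverage(ad, managed, now=NOW, threshold=STALE_AFTER):
    """Fraction of live AD computers the AV console actually manages."""
    live = live_objects(ad, now, threshold)
    return len(live & managed) / len(live) if live else 0.0


def unmanaged_live(ad, managed, now=NOW, threshold=STALE_AFTER):
    """Live AD computers the directory sync has not yet brought under management."""
    return live_objects(ad, now, threshold) - managed


def rogue_hosts(seen, managed):
    """Hosts observed on the network that the console does not manage at all,
    including machines that never made it into AD (what RSD is for)."""
    return seen - managed


if __name__ == "__main__":
    print("stale AD objects:", sorted(stale_objects(AD_COMPUTERS)))
    print("coverage of live estate: %.0f%%" % (100 * coverage(AD_COMPUTERS, AV_MANAGED)))
    print("live but unmanaged:", sorted(unmanaged_live(AD_COMPUTERS, AV_MANAGED)))
    print("rogue on network:", sorted(rogue_hosts(NETWORK_SEEN, AV_MANAGED)))
```

Pruning the stale set before the sync runs is what keeps the directory-driven layer from spending its daily budget on ghosts, while the rogue set is the list the network-listening layer has to act on.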
There are other options. You could use AD to deploy the necessary agents and apps for you. You could also use a 3rd party tool to monitor and alert you to rogue systems. The Spiceworks app is a great, free tool that has this capability. Your mileage will vary, of course, depending upon your organization’s particulars, but it is well worth the effort.
Until next time, be safe out there!