Wednesday, July 14, 2021

Ransomware: Quis custodiet ipsos custodes

Many claim that "ransomware" is due to cybersecurity failures. It's not really true. We are adequately protecting users and computers. The failure is in the inability of cybersecurity guardians to protect themselves. Ransomware doesn't make the news when it only accesses the files normal users have access to. The big ransomware news events happened because the ransomware elevated itself to "administrator" over the network, giving it access to all files, including online backups.

Generic improvements in cybersecurity will help only a little, because they don't specifically address this problem. Likewise, blaming ransomware on how it breached perimeter defenses (phishing, patches, password reuse) will only produce marginal improvements. Ransomware solutions need instead to look at the typical human-operated ransomware killchain, identify how the attackers typically obtain "administrator" credentials, and fix those problems. In particular, large organizations need to redesign how they handle Windows "domains" and "segment" networks.

I read a lot of lazy op-eds on ransomware. Most of them claim that the problem is due to some sort of moral weakness (laziness, stupidity, greed, slovenliness, lust). They suggest things like "taking cybersecurity more seriously" or "do better at basic cyber hygiene". These are "unfalsifiable" -- things that nobody would disagree with, meaning they are things the speaker doesn't really have to defend. They don't rest upon technical authority but moral authority: anybody, regardless of technical qualifications, can have an opinion on ransomware as long as they phrase it in such terms.

Another flaw of these "unfalsifiable" solutions is that they are not measurable. There's no standard definition for "best practices" or "basic cyber hygiene", so there is no way to tell if you aren't already doing such things, or the gap you need to overcome to reach this standard. Worse, some people point to the "NIST Cybersecurity Framework" as the "basics" -- but that's a framework for all cybersecurity practices. In other words, anything short of doing everything possible is considered a failure to follow the basics.

In this post, I try to focus on specifics, while at the same time, making sure things are broadly applicable. It's detailed enough that people will disagree with my solutions.


The thesis of this blogpost is that we are failing to protect "administrative" accounts. The big ransomware attacks happen because the hackers got administrative control over the network, usually the Windows domain admin. It's with administrative control that they are able to cause such devastation, able to reach all the files in the network, while also being able to delete backups.

The Kaseya attacks highlight this particularly well. The company produces a product that is in turn used by "Managed Security Providers" (MSPs) to administer the security of small and medium sized businesses. Hackers found and exploited a vulnerability in the product, which gave them administrative control of over 1000 small and medium sized businesses around the world.

The underlying problems start with the way their software gives indiscriminate administrative access over computers. Then, this software was written using standard software techniques, meaning, with the standard vulnerabilities that most software has (such as "SQL injection"). It wasn't written in a paranoid, careful way that you'd hope for software that poses this much danger.

A good analogy is airplanes. A common joke refers to the "black box" flight-recorders that survive airplane crashes, that maybe we should make the entire airplane out of that material. The reason we can't do this is that airplanes would be too heavy to fly. The same is true of software: airplane software is written with extreme paranoia knowing that bugs can lead to airplanes falling out of the sky. You wouldn't want to write all software to that standard, because it'd be too costly.

This analogy tells us we can't write all software to the highest possible standard. However, we should write administrative software (like Kaseya) to this sort of standard. Anything less invites something like the massive attack we saw in the last couple weeks.


Another illustrative example is the "PrintNightmare" bug. The federal government issued a directive telling everyone under its authority (executive branch, military) to disable the Print Spooler on "domain controllers". The issue here is that this service should never have been enabled on "domain controllers" in the first place.

Windows security works by putting all the security eggs into a single basket known as "Active Directory", which is managed by several "Domain Controller" (AD DC) servers. Hacking a key DC gives the ransomware hacker full control over the network. Thus, we should be paranoid about protecting DCs. They should not be running any service other than those needed to fulfill their mission. The more additional services they provide, like "printing", the larger the attack surface, the more likely they can get hacked, allowing hackers full control over the network. 

Yet, I rarely see Domain Controllers with this level of paranoid security. Instead, when an organization has a server, they load it up with lots of services, including those for managing domains. Microsoft's advice on securing domain controllers "recommends" a more paranoid attitude, but only as one of the many other things it "recommends".
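One way to measure the point above is to audit every domain controller for services that have no business running there, the Print Spooler being the one the directive targets. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that the caller can query service state on the DCs over WinRM/CIM, and that the list of unwanted services is adjusted to your own DC baseline.

```powershell
# Added example (not from the original post): report the state of services a
# domain controller should not be running, across every DC in the domain.
# Assumes: RSAT ActiveDirectory module, and rights to query Win32_Service on the
# DCs via CIM (WinRM). Extend $UnwantedServices to match your own DC baseline.

# Spooler is the PrintNightmare case; the others are common leftovers on
# "do-everything" servers that were later promoted to DC.
$UnwantedServices = @('Spooler', 'WebClient', 'Browser')

$DomainControllers = Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty HostName

$Findings = foreach ($DC in $DomainControllers) {
    try {
        $Services = Get-CimInstance -ClassName Win32_Service -ComputerName $DC -ErrorAction Stop |
            Where-Object { $UnwantedServices -contains $_.Name }
    } catch {
        Write-Warning "Could not query $($DC): $($_.Exception.Message)"
        continue
    }
    foreach ($Svc in $Services) {
        [PSCustomObject]@{
            DomainController = $DC
            Service          = $Svc.Name
            State            = $Svc.State       # Running / Stopped
            StartMode        = $Svc.StartMode   # Auto / Manual / Disabled
            # Only "stopped and disabled" counts as removed attack surface;
            # a stopped service set to Auto/Manual comes back on reboot or on demand.
            Compliant        = ($Svc.State -eq 'Stopped' -and $Svc.StartMode -eq 'Disabled')
        }
    }
}

# Non-compliant DCs sort to the top.
$Findings | Sort-Object Compliant, DomainController | Format-Table -AutoSize

# Remediation for a DC that does not need to print (run on the DC itself):
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
```

The same pattern works for any service in the baseline; the point is that the check is concrete and repeatable, unlike "follow best practices".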


When you look at detailed analysis of ransomware killchains, you'll find the most frequently used technique is "domain admin account hijacking". Once a hacker controls a desktop computer, they wait for an administrator to log in, then steal the administrator's credentials. There are various ways this happens, the most famous being "pass-the-hash" (which itself is outdated, but a good analogy for still-current techniques). Hijacking even restricted administrator accounts can lead to elevation to unrestricted administrator privileges over the entire network.

If you had to fix only one thing in your network, it would be this specific problem.

Unfortunately, I only know how to attack this problem as a pentester, I don't know how to defend against it. I feel that separating desktop admins and server/domain admins into separate, non-overlapping groups is the answer, but I don't know how to achieve this in practice. I don't have enough experience as a defender to know how to make reasonable tradeoffs.
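A defender can at least make the problem visible: the separation the paragraph above asks for is violated every time a member of a top-tier admin group logs on interactively to a machine that is not a domain controller, because that logon leaves reusable credential material where a compromised user account can reach it. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, rights to read the remote Security event logs, and that every enabled non-DC computer is in scope (narrow the host list for a large domain).

```powershell
# Added example (not from the original post): find interactive logons (event 4624)
# by members of the most privileged AD groups onto hosts that are not DCs, over the
# last 7 days. Assumes: RSAT ActiveDirectory module and read access to the remote
# Security logs. Each hit is a place where "domain admin account hijacking" could occur.

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
$Privileged = $PrivilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName -Unique

$DCs   = Get-ADDomainController -Filter * | ForEach-Object { $_.Name.ToUpper() }
$Hosts = Get-ADComputer -Filter 'Enabled -eq $true' |
    Where-Object { $DCs -notcontains $_.Name.ToUpper() } |
    Select-Object -ExpandProperty DNSHostName

# Logon types that leave credentials on the box: 2 interactive, 10 RDP, 11 cached interactive.
# Network logons (type 3) are excluded: they do not cache reusable credentials.
$CredentialCachingLogonTypes = @('2', '10', '11')

$Violations = foreach ($Computer in $Hosts) {
    try {
        $Events = Get-WinEvent -ComputerName $Computer -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7)
        }
    } catch {
        # "No events were found" is a clean result, anything else is a collection failure.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not read Security log on $($Computer): $($_.Exception.Message)"
        }
        continue
    }
    foreach ($Event in $Events) {
        $Data      = ([xml]$Event.ToXml()).Event.EventData.Data
        $User      = ($Data | Where-Object Name -eq 'TargetUserName').'#text'
        $LogonType = ($Data | Where-Object Name -eq 'LogonType').'#text'
        if ($Privileged -contains $User -and $CredentialCachingLogonTypes -contains $LogonType) {
            [PSCustomObject]@{
                Computer  = $Computer
                Account   = $User
                LogonType = $LogonType
                When      = $Event.TimeCreated
            }
        }
    }
}

$Violations | Sort-Object Account, Computer | Format-Table -AutoSize
```

An empty result is the goal state: privileged accounts that only ever log on to DCs and dedicated admin hosts have nothing for a compromised desktop to steal.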


In addition to attacking servers and accounts, ransomware attackers also target networks. Organizations focus on "perimeter security", where the major security controls are between the public Internet and the internal organization. They also need an internal perimeter, between the organization's network and the core servers.

There are lots of tools for doing this: VLANs, port-isolation, network segmentation, read-only Domain Controllers, and the like.

As an attacker, I see the lack of these techniques. I don't know why defenders don't use them more. There might be good reasons. I suspect the biggest problem is inertia: networks were designed back when these solutions were hard, and change would break things.


In summary, I see that the major problem exploited by ransomware is that we don't protect "administrators" enough. We don't do enough to protect administrative software, servers, accounts, or network segments. When we look at ransomware, the big cases that get splashed across the news, it's not because they compromised a single desktop, but because they got administrative control over the entire network and thus were able to encrypt everything.

Sadly, as a person experienced in attack (red-team) and exploiting these problems, I can see the problem. However, I have little experience as a defender (blue-team), and while solutions look easy in theory, I'm not sure what can be done in practice to mitigate these threats.

I do know that general hand-waving, exhorting people to "take security seriously" and perform "cyber hygiene" is the least helpful answer to the problem.


8 comments:

Stéphane Bortzmeyer said...

"The reason we can't do this is that airplanes would be too heavy to fly" Isn't it rather because we don't want to protect the plane (although it's expensive), we want to protect the people inside? A very sturdy plane would be useless: all the passengers would be killed by the sudden deceleration, even if the plane itself would be intact. (A problem that the black box does not have.)

Guillaume said...

On the blue team side, many factors impair IT Sec team’s efforts.

The security team is often heavily understaffed, because they don't produce anything and are seen to be a blocker, even when they are completely lax and actually never block anything (except for the worst, like the front dev encoding the complete contract database in json to publish it online for use by his client-side app). They won't have adequate time to spend on the early phases of projects. They won't be able to keep pace with new services, new providers, etc. They won't have enough time to train on incident response for rare major incident scenarios. Providing training and awareness is too time-consuming for them, they'll only procure some online course, for a mandatory 45mins yearly. Also, statutory auditors will consume a lot of IT Sec resources by forcing the focus on remediation for existing legacy apps, while IT Sec team's rare resources should be fully focused on advising the design of the new systems that will replace this abandonware.

The IT team has many people who absolutely don't care about security.
"We aren't a target: we are too small/we don't handle state secrets/etc."
"What we already do is good enough"
"If I have to use different accounts for email/proxy and for admin stuff, my productivity will suffer and there is no point in securing if business disappears"
"This system will be decommissioned in 2 years, there is no BUSINESS VALUE in spending money to move it off SMBv1, we tried and it broke the application so we obtained a risk-acceptance from our CxO instead". Of course, the target date isn't a hard deadline… "We didn't get funding", "there were other unexpected priorities".

The IT team also has many people who care about security to some degree, overall more than the other category of IT people, but when a business task is in competition with a security task, guess who can pressure them more? Hint: those who make money.

Business teams and Board of Management will say that they care about IT Sec, but then will disagree with anything that slows down the release of a new feature. "What? You couldn't ship in time because you were busy upgrading your code dependencies !?!". Then, your main competitor will suffer a massive cryptolocker attack, your BoM is extremely anxious, you'll be asked to produce status reports/slides. Most of its conclusions will nonetheless be ignored. Only a few of your recommendations will be put in motion. Business has more pressing matters, money is tight.

Business will always want wider access to data. Then an employee leaves to the competition, they'll suspect that they stole data, they'll deploy huge efforts to assess whether this is the case or not, sucking much time from IT and IT Sec teams. No matter how much you explain, they'll refuse to see any link between the two, and still ask for wider access.

All of this gets adequately summed up as "people don’t take security seriously".

Guillaume said...

Then within the IT Sec field itself, the red team takes all the light. Look at conferences' agendas. The blue team can't have the same striking successes as the red team: you usually never know when your security controls avoided a complete disaster: those failed phishing attempts, this first-stage which has been blocked, you never know that they were the initial steps of a ransomware attack and that the criminals moved to easier targets. Blue teamers structurally can't get credit for their successful efforts. Red teams get all the fame with an RCE, a logo and a catchy name.

Ethical red teams spend so much time polishing their open source attack tools that criminals don't bother writing their own. Compare that to the blue team side. You are told to shift left, to include SAST, DAST, IAST, SCA, etc, in your pipeline. Many open source tools for that, fine. But how do you manage the results of these tools? How do you aggregate identical SAST and DAST findings or other duplicates? How do you automatically triage all this? All these tools have different output formats and standards. Not a single open source tool on the market exists to deduplicate, and make automated decisions based on severity, age, or other factors. Where are the workflows for exception management, emergency approvals, etc? You might get some of that by buying the full suite of tools from a single provider. But as soon as you mix and match tools, as soon as your tech stack gets out of that provider's support, everything breaks apart.

Today, there is way too much effort and communication on the offensive side, and way too little on defense.
