The Russian cyberattacks on Ukrainian organizations reminds us that the attacker isn’t always looking to steal data or extort money. Sometimes they just want to cause as much damage as possible. Both Microsoft and Mandiant recently released information about these destructive attacks and how to better protect against them.
Regardless of geographic location, all of us can learn from how these attacks occur and are mitigated. The attacks were extreme in their destruction. As Microsoft noted in its blog, “The malware in this case overwrites the MBR [master boot record] with no mechanism for recovery.” This leads the system to be unbootable and unrepairable without a full reinstall or recovery from a full backup of the system. Thus, the first lesson is to ensure that you have the tools and resources to either fully redeploy your workstation images or have a full ability to recover your platforms.
The Mandiant document provides actionable information about the best ways to protect yourself from harm and destruction from similar attacks. As you go through the document, consider if you have these protections in place.
Protect external-facing devices and systems with multi-factor authentication
Mandiant recommends starting with the externals. We have long had a squishy internal network and a hardened shell. Once the outside is penetrated, it’s relatively easy to launch lateral attacks inside your office resources. So, first review whether your external facing devices and anything else that allows remote access requires multi-factor authentication.
No one or no thing should be able to log in with a mere username and password. Review every edge device to determine if natively the device supports the use of an authenticator application rather than a mere password. It’s not always necessary to be absolutely secure, just a bit more secure than the network next to yours.
Identify high-value targets on your network
Review your network for high-value targets that may be targeted for destructive attacks. The key resource you have is not sexy or revolutionary. It’s been with us for years: backup. You want to have a rotation of backups to ensure that you have offsite and off-domain backup media. If all your backup locations are domain joined and the attacker can access that location, your backups themselves can be impacted. Access to virtualization infrastructure should be through limited accounts that are designed and protected to have such access. Again, consider two factor authentication and other privilege access processes when it comes to protecting HyperV and other virtualization platforms.
Protect against lateral movement
Review what protections you have for lateral movement. In my office, I have deployed Local Administrator Password Solution (LAPS) to ensure that lateral movement can’t occur due to a shared local administrative password. Review your use of the typical firewall ports that attackers will target for lateral access, ports 445, 135 and 139. Determine which workstations and servers are listening on these ports and the best way to isolate and limit the firewall ports in your network.
Review the use and exposure of remote protocols
Ensure that you do not have Remote Desktop Protocol (RDP) exposed to the outside first and foremost. If you do have it exposed, limit RDP to just those devices that require it.
As Mandiant points out, remote protocols that you should block on your sensitive devices includes File and Print Sharing, Remote Desktop, Windows Management Instrumentation (WMI), and Windows Remote Management. This means that you’ll need to review how your IT staff manages and maintains systems. The old way of merely remoting into servers and desktop no longer is secure. Ensure that your own management processes aren’t introducing insecurity in the process.
Check for exposed or legacy passwords
Usernames and passwords are a key access point and thus a key attack point. Humans often reuse passwords, and applications often place credentials onto systems and introduce weaknesses as a result. Mandiant points out that we often have hidden passwords left behind in our networks and that we are not aware of the risk.
Many of us have Active Directory (AD) networks that have been upgraded over time from older, less secure AD infrastructure. We may still have many of these legacy settings still in place on our network. Case in point is the setting WDigest. While WDigest authentication is now disabled by default in Windows 8.1 and Windows Server 2012 R2 and later, you may still have clear-text passwords stored in LSASS memory to support authentication. Mandiant recommends that you push out the registry key below to block the saving of passwords:
HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigestUseLogonCredential
REG_DWORD = “0”
I’ve also seen where legacy systems have the WDigest password saved and left behind, making it easy for attackers to harvest this information.
Implement Windows Defender Credential Guard
As Steve on Security noted, Credential Guard is “a Windows service that protects credentials from being lifted from a machine. It protects the secrets used by Windows for single sign-on from being stolen and used on other machines.” Windows has documented APIs that allow software to access to credentials and secrets that are running in memory. Microsoft can’t disable these APIs because we all have built line-of-business software to rely on them. Running Credential guard makes it harder for attackers to access these credentials.
Most of Mandiant’s recommendations can be done on the networks we currently have. We don’t need a new server operating system deployment or workstations on Windows 11 to implement many of these recommendations. All we need is testing and time to make the necessary adjustments in how our networks are implemented. Take the time now to make your network harder to attacks. Ensure that the attackers move to the less secure network down the road rather than attacking you.
Copyright © 2022 IDG Communications, Inc.
