Microsoft Offers Tips for Addressing Human-Operated Ransomware Threats

Microsoft experts recently outlined what's needed to protect networks against human-operated ransomware.

Microsoft last month offered some general insights on how to secure networks against human-operated ransomware.

Ken Malcolmson and Jim Eckart, who are chief security advisors at Microsoft, described views largely based on Microsoft's Detection and Response Team's (DART's) experiences, and gave their thoughts on the growing ransomware issue. They spoke during a Dec. 14 Web presentation, "Microsoft's playbook on human-operated ransomware -- how to be prepared for attacks," which is available on demand (with sign-up) here.

Human-operated ransomware basically involves having "a human at the keyboard moving around inside of your network, ultimately seeking to lock up your systems of operation and systems of revenue until you actually pay a ransom," Eckart explained.

Cybercrime Is Cheap
The costs for criminals to get involved in cybercrime, such as ransomware, are pretty low, Eckart noted. He offered the following numbers, based on Microsoft's "Digital Defense Report" research:

  • Attackers for hire can cost as low as $250 per job.
  • Spearphishers for hire range from $100 to $1,000.
  • Ransomware kits can cost as little as $66, plus continuing royalties.
  • Access to compromised devices gets priced at under $1 per device.
  • Stolen user names and passwords can cost as little as $1 for 1,000 high-quality pairs, but it can cost just $150 for 450 million users IDs and passwords in bulk.

Enterprises encountered more than 100 million ransomware attempts over a one-year period, per the "Digital Defense Report." Consumers faced around 400 million ransomware attempts in that same time period. Human-operated ransomware actors, though, appear to be "relatively indiscriminate" about whom they attack, Eckart noted.

Attack Kill Chain
Attackers follow a pattern of first gaining initial access, typically through phishing campaigns or identity-based attacks. Another access method is to exploit RDP [Remote Desktop Protocol] misconfigurations or poorly maintained virtual private network (VPN) implementations.

To move around in a network, attackers use privilege escalation or credential theft, which is done to install malware on the network. They typically lay low before launching ransomware to encrypt the network's data. In particular, attackers look to disrupt backup systems, Eckart noted:

We have seen over and over again, the cyberattackers go after your backups as well as your systems of operation and revenue. It's really important that your backups are of an immutable nature so that you can't get to the backups the same way using the same credentials that were used to actually get your systems ransomed in the first place.

Eckart offered a few approaches to address this kill chain:

  • For e-mail and collaboration apps, use a solution that sandboxes URLs and attachments across all channels.
  • Use an industry-leading EDR [endpoint detection and response] solution that has attack-surface reduction capabilities, including macro scanning.
  • Protect endpoints better for remote access by reexamining RDP or port configurations, and keep VPNs properly patched to reduce man-in-the middle attack scenarios.

Implementing multifactor authentication was also a recommended approach, but organizations have struggled to implement it.

"And when we think about accounts, sadly, we see a high number of organizations that still have struggled to pervasively implement multifactor authentication, which we know is extremely effective at helping to stop identity-based attacks," Eckart acknowledged.

Microsoft also recommends a passwordless approach as a way to protect against initial access by attackers. Other recommended protections are the use of privileged identity management and just-in-time access solutions.

Zero-Trust Model
Microsoft recommended following a zero-trust model to prevent initial access by attackers.

The most important aspect of the zero-trust model is to assume compromise, Malcolmson explained. It means being able to detect attackers as they move in the network and protect inner systems from data theft. He suggested that there needs to be some sort of decision engine in the middle to monitor network resource access requests because the monitoring needs to be constant process.

"And that's really hard to do unless you're using some sort of automation-, machine learning-, artificial intelligence-informed systems," Malcolmson added.

People are asked to trust things all of the time when using software, Malcolmson noted. "What we do is we give you the controls you need to be able to verify that those decisions are correct."

Just trusting things within the corporate firewall is the wrong approach, as exemplified by the SolarWinds Orion software supply-chain compromise. Malcolmson said that Microsoft didn't fall victim to that attack because of the controls it had in place:

What attackers tried to do was elevate privilege and get access to sensitive information that they wanted to exfiltrate, but, because we have hardware controls on the ability to request elevated privileges, they didn't have any access to them. We stopped that, so it was a complete success for central defending of the core business.

Microsoft Solutions
Malcolmson recommended using conditional access policies and depending on Azure Active Directory as "your single source of truth for identity provisioning."

There should be strong authentication procedures in place.

"That means having some form of multifactor authentication, and ideally moving towards a passwordless solution, like Windows Hello for Business or now FIDO2 USB keys and so on," Malcolmson said.

He recommended using the Microsoft Defender for Identity service to ensure that identities haven't been compromised. It'll check for evidence of credential theft. He emphasized using managed devices, which gives organizations better control over identity than unmanaged devices.

Organizations can also use Microsoft Information Protection solutions to protect data on devices. Malcolmson also touted the Microsoft Defender for Cloud Apps service, which can be used for "securely providing access to cloud applications."

Microsoft Sentinel was recommended by Eckart as having the "machine learning capabilities that turn low-fidelity signals into high-fidelity alerts."

Microsoft Premier subscriptions were touted. Those customers get access to the expertise of the Microsoft Detection and Response teams, Eckart added.

Have a Backup Plan
Human-operated ransomware aims to lock up systems of operation and revenue, and so it's important to not only have the ability to recover databases, but also "the ability to recover front-end servers and all of the different infrastructure that's in place," Eckart noted. He outlined the scope of a proper backup plan.

And so when we think about a backup plan, it's really a complete restore plan for an entire application or set of applications that needs to be well practiced in the organization. And as I discussed earlier, the need to have immutable backups that … [are] either offline or have offline qualities to them that are not accessible using the same credentials that got escalated to actually ransom these systems.

In addition to the talk, the Microsoft DART team has published Part 1 and Part 2 of its "guide to combating human-operated ransomware." There's also a "best practices" document, which specifically outlines the protections afforded by Microsoft's various software security products.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


comments powered by Disqus

Subscribe on YouTube