Tag Archives: Australien Cyber Security Centre

Your Ransomware Strategy 2021: Prevention or Bow to the Inevitable?

1 January 2021

This morning I read the transcript of the Threatpost webinar ” What’s Next for Ransomware”.[1] Becky Bracken hosted the webinar some weeks ago, panelists were Limor Kessem (IBM Security), Allie Mellen (Cyberreason) and Austin Merritt (Digital Shadows). The discussion focused on incident response:

“While IT departments will undoubtedly lead efforts to shore up defenses against attacks, including backups, patching, updating and employee-awareness training, our panel of experts agree that preparing a critical-response plan which includes the entire organization — from the executives on down the org chart — is the best way to minimize cost, damage and downtime.”

Having a well-crafted and trained incident response plan in place is, from my point of view, an indispensable means to recover from all kind of cyber-attacks. But is it “the best way to minimize cost, damage and downtime” in the case of Ransomware?

Response plans come into play when a ransomware attack is detected. But during the time until detection, the ransomware may cause damage to the network and the data. Once detected, incident response kicks in by taking appropriate actions to

  • containing the attack,
  • investigating the network for yet undetected instances of the ransomware,
  • repairing the already done damage, etc.

This is close to Gartner’s[2] approach to defend ransomware, so industry standard. But is this reactive approach the best way to minimize the economic impact of an attack?

The Cyber Security and Infrastructure Security Agency (CISA) describes in its Ransomware Guide[3] a more preventive approach. Backup, patching, cyber-hygiene, awareness training and cyber incident response plan are the building blocks. In addition, CISA recommends to “Use application directory allowlisting on all assets to ensure that only authorized software can run, and all unauthorized software is blocked from executing”.[3] This is a clear step towards prevention of attacks. Since ransomware comes from external sources e.g., through internet, e-mail, usb-devices, it commonly is not part of the allow-list, thus blocked.

The Department of Homeland Security (DHS) goes one step further in its 2016 published paper “Seven Strategies to Defende ICS”.[4] The first strategy is “Implement Application Whitelisting” because it “can detect and prevent attempted execution of malware uploaded by adversaries”.

Finally, the Australian Cyber Security Centre (ACSC) recommends Application Whitelisting as Number One of Essential Eight[5][6] strategies to prevent malware delivery and execution.

Neither Gartner nor the experts in the Threatpost webinar mentioned preventive controls to deal with ransomware. DHS and ACSC recommend them as central part of a cyber-security strategy.

From my point of view, application whitelisting is a must have to minimize the economic impact of an attack. If execution of malware is prevented, the costs to cleanup and recover from a ransomware attack are minimized.

The baseline security costs are for certain increased because application whitelisting solutions must be managed like any other application. This holds even if the Windows built-in tools AppLocker or Software Restriction Policies are used. But this will be balanced by the fact that application whitelisting will prevent also zero-day malware or PUA from execution.

CISA and ACSC provide useful hints on dealing with ransomware without big invest in new tools. It makes sense to take them into account when revising your security roadmap for 2021.

Happy New Year!

And have a great weekend.


[1] Bracken B. What’s Next for Ransomware in 2021? [Internet]. threatpost. 2020 [zitiert 1. Januar 2021]. Verfügbar unter: https://threatpost.com/ransomware-getting-ahead-inevitable-attack/162655/

[2] Sakpal M, Webber P. 6 Ways to Defend Against a Ransomware Attack [Internet]. Smarter with Gartner. 2020 [zitiert 1. Januar 2021]. Verfügbar unter: https://www.gartner.com/smarterwithgartner/6-ways-to-defend-against-a-ransomware-attack/

[3] Cyber Security and Infrastructure Security Agency. Ransomware Guide [Internet]. CISA Publications Library. 2020 [zitiert 8. Oktober 2020]. Verfügbar unter: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

[4] U.S. Department of Homeland Security. Seven Strategies to Defend ICSs [Internet]. DoD’s Environmental Research Programs. 2016 [zitiert 13. Oktober 2020]. Verfügbar unter: https://www.serdp-estcp.org/serdp-estcp/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Resources-Tools-and-Publications/Resources-and-Tools-Files/DHS-ICS-CERT-FBI-and-NSA-Seven-Steps-to-Effectively-Defend-Industrial-Control-Systems

[5] Australian Cyber Security Center. Strategies to Mitigate Cyber Security Incidents [Internet]. 2017 [zitiert 1. Dezember 2020]. Verfügbar unter: https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents

[6] Australian Cyber Security Center. Essential Eight Explained [Internet]. [zitiert 1. Dezember 2020]. Verfügbar unter: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained

Australia Fights Sophisticated State-Backed Copy-Paste Attack with The Essential Eight!

20 June 2020

Reports on a wave of sophisticated nation state sponsored cyber-attacks against Australian government agencies and critical infrastructure operators spread like wild-fire through international media the day before yesterday.

From an IT security point of view, the access vector is really interesting. In Advisory 2020-008 (1) , the Australian Cyber Security Centre (ACSC) states that the actor leverages mainly a remote code execution vulnerability in unpatched versions of Telerik UI, a deserialization vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability, and the 2019 Citrix vulnerability.

The name Copy-Paste for the attacks comes from the actor’s “capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations.” (1)

The Essential Eight

The Essential Eight (Click to enlarge)

In the advisory the ACSC recommends some really basic preventive measures like patching or multi-factor authentication. These are two controls of “The Essential Eight”(2). I like the name “The Essential Eight”. It reminds me on the 1960 Western-film “The Magnificent Seven”, reinforced by Chuck Norris 😉

The Essential Eight focus on very basic strategies to reduce the likelihood and the impact of an attack. Without them, UEBA, SIEM, Threat Intelligence, Deep Packet Inspection, PAM, etc. make few sense.

Except of multi-factor authentication, The Essential Eight are part of the feature-rich Windows and Linux OS or already (backup solution) in place. So, only some internal effort and leadership is required to dramatically increase the resilience against cyber-attacks.

The Essential Eight are a prefect weekend reading. Have fun.


References

  1. Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks | Cyber.gov.au [Internet]. [cited 2020 Jun 19]. Available from: https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
  2. Australian Cyber Security Center. Essential Eight Explained | Cyber.gov.au [Internet]. Australian Signals Directorate. 2020 [cited 2020 Jun 19]. Available from: https://www.cyber.gov.au/publications/essential-eight-explained