Checking the box for your organization’s cybersecurity training annually doesn’t quite cut it anymore. Cyberattacks are rising yearly, and one of the top reasons is human error. Taft dives into the best approach to managing privacy and cybersecurity and how to create a more innovative, more attentive security culture.
You might think your run-of-the-mill privacy and cybersecurity training is sufficient, that “checking the box” on generic training fulfills your duty to mitigate data privacy and cybersecurity risk, and that general malware protection adequately secures your company’s data so you can get on with everyday business. Think again. Human error continues to be the number one driver of data breaches: over 85% of all data breaches are caused by an employee mistake (source: Psychology of Human Error, by Stanford University Professor Jeff Hancock and the cybersecurity firm Tessian). “Human error” takes many forms, from falling for stolen-credential attacks and misusing company information to clicking phishing or malware links. Cybercriminals have developed advanced and creative tactics to access and steal confidential information. Malware attacks, for example, are attempts to infiltrate networks, individual computers, and mobile devices with malicious software; a single unthinking click to open a link or download software is all it takes. Social engineering is used to get employees to hand over bank account details, usernames and passwords, and other confidential information. Psychological manipulation is the bread and butter of social engineering: such efforts target human interaction by tricking people into believing an email comes from a trusted source, perhaps a friend or a business partner. The email may carry an urgent request, legitimate-looking branding to appear trustworthy, a request to “verify” information, or a sender posing as a boss or coworker. Employees need to be trained and continuously reminded to be mindful when conducting business.
Technology can only take us so far in protecting businesses and securing information from cybersecurity attacks, especially where social engineering is concerned. In the hustle and bustle of everyday business, it is easy to flit from email to email, shooting off quick responses without glancing at the subject line or the name and address of the sender. Some of the simplest requests in a seemingly innocuous email can lead to the leak of very valuable information. Do you recognize the sender’s email address? Are there spelling mistakes in the body of the email? Is the company or individual name familiar to you? Cybersecurity attacks can be incredibly costly, causing financial, mental, and emotional heartache from the click of a button. Beyond the financial ramifications, data breaches and cybersecurity attacks may damage your business’s reputation, cost you clients or customers, and even lead to significant litigation and hefty government fines for regulatory violations. The best approach to managing privacy and cybersecurity training is a proactive one. A primary goal should be to create a smarter, more attentive security culture within your business.
Adlumin Inc. is a patented, managed security services platform built for corporate organizations that demand innovative cybersecurity solutions and easy-to-use, comprehensive reporting tools.
Targets for cybercriminals are chosen on two criteria: impact and profit. Financial institutions meet both while offering several profit paths: theft, fraud, multi-channel extortion, and ideological impact. Malware and data breaches lead the charge, and incident costs continue to rise. Security Magazine reports that 75% of data breaches in 2019 were within the financial services industry. While other industries are in the criminal crosshairs, Willie Sutton’s line holds firm: people rob banks because that’s where the money is. Security Magazine also highlighted how poorly equipped many financial institutions are to protect their changing IT environments: migration to cloud-based services, mobile and bring your own device (BYOD), and remote workers. For example, Capital One and Discover each experienced their fourth significant data breach in 2019.
To avoid becoming another victimized financial institution, below are a few suggested cybersecurity best practices to safeguard your business:
Mitigate Risk Associated with Third-Party Vendors
Financial institutions rely heavily on third-party vendors to facilitate operations and extend new service offerings and ways of engaging new customers. While customer-facing services appear seamless under a united banking brand, operations are comprised of multiple organizations of varying security capabilities. A failure or compromise in one of the links of the vendor chain leads to reputational damage to the bank’s brand rather than the invisible vendor behind the curtain. In other words, the cyber risk resides with the bank.
Cashless and frictionless financial services are in high demand. Consumers access funds and payments through mobile apps they assume are secure. The organization that owns the consumer relationship must audit its vendors, mitigate associated exposure and build a plan to respond to incidents before they affect consumers.
The ever-evolving threat landscape, daily publication of vendor vulnerabilities, and growing compliance demands make vendor management challenging. Here are a few key guidelines:
Minimize third-party risk by:
Conducting a risk assessment and establishing minimum security requirements with each partner.
Limiting vendor access to what the engagement actually needs. For example, a marketing service should be able to reach customer contact information, not core banking data.
Communicating your compliance requirements and aligning security programs to protect your customers.
Establishing security event and incident protocols and notification requirements, including how quickly a vendor must tell you about a compromise.
Monitoring your network with threat detection and automated solutions.
The New York Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR Part 500, includes practical requirements for managing third-party service provider risk (Section 500.11).
Stay Up to Date with Compliance Regulations
As we have touched on in a previous blog post, compliance is constantly evolving in response to emerging threats. The financial sector is not immune to this change. Keeping up with the latest regulations is essential to ensure credibility and avoid costly investigations and penalties. The goal is to be compliant, regardless of the industry’s ever-changing landscape. Shifting this burden from your internal team to a third-party vendor can help ensure your financial institution achieves compliance.
In addition to existing regulations, the financial sector has taken on several new ones in the last two years. Any financial institution is at risk of a cyberattack, and regardless of company size, data breaches snowball into complicated situations that can cripple an organization and end in legal proceedings or disputes that take years to resolve. Meeting cybersecurity compliance standards mitigates that risk and the havoc that comes with it.
Make Your Employees Part of Your Defenses
The majority of data breaches and large ransomware outages start with social engineering and clever phishing campaigns. Frequent security awareness training, reinforced with phishing tests, gives employees the context and skills to identify suspicious communications before they become unwitting accomplices by clicking a dangerous link or downloading an infected document.
Like cyber threats, awareness training must evolve. Training is about empowering, not punishing. Its purpose is not to hand down the “Ten Commandments of IT” but to help employees understand how criminals target them and how to recognize their calling cards. Covering other campaign types, such as smishing texts and fake IT support calls, is important, but phishing remains the primary vector.
“In 2021, 83% of organizations reported experiencing phishing attacks. In 2022, an additional six billion attacks are expected to occur,” according to Cyber Talk. Phishing attacks are a top concern for IT decision-makers, so training employees should be at the top of the priority list.
Your employees are the first line of defense against most threats, including phishing scams. Employees across all departments within your company need to be equipped with the proper knowledge of spotting a phishing scam and reporting it.
Implement Continuous Threat Monitoring
In February 2016, attackers used fraudulent SWIFT messages to move $81 million out of Bangladesh Bank’s account at the Federal Reserve Bank of New York in a matter of hours. It is a perfect example of why 24/7 visibility across your entire IT landscape is imperative: the quicker you identify and eliminate a threat, the better off you will be in the long run. Early detection is essential.
Financial institutions typically use a 24/7 Security Operations Center (SOC) service to improve threat detection and response times by continuously monitoring network and host telemetry for signs of compromise, alongside regular vulnerability scanning. For many institutions, hiring third-party experts is the most cost-effective way to secure customers and their transactions. Given the heavy burden of protecting clients, it is best to work proactively with managed security services built to discover threats and direct action.
The Center for Internet Security (CIS) describes Continuous Vulnerability Management (Control 7 of the CIS Critical Security Controls v8) as “a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.”
Cyber defenders must have timely threat information about software updates, patches, security advisories, threat bulletins, etc. They should consistently review their IT environment to look for these vulnerabilities before cybercriminals do.
Managing and understanding vulnerabilities is a continuous activity, requiring the focus of time, attention, and dedicated resources.
Organizations face challenges in scaling remediation across an entire enterprise, and prioritizing actions with conflicting priorities, while not impacting the enterprise’s business or mission.
Often, remediating vulnerabilities requires expertise beyond the deployment of a simple patch.
For example, remediating the Spectre/Meltdown vulnerabilities on Windows servers required both deploying the patch and making a configuration change (registry keys that enable the mitigations). Vulnerabilities also need different types of fixes: some need an update to custom software, others a registry key change with no patch at all.
Researching, understanding, and mapping the vulnerabilities to the remediation actions are complex and time-consuming tasks. Many organizations fail to complete this process quickly and efficiently because they don’t have an expert and dedicated team that can map the vulnerabilities to the proper remediation and, at the same time, evaluate the potential operational risk introduced by changes to the environment.
Organizations can minimize operational risk by moving towards a proactive remediation approach. This approach demands selecting the right vulnerability management solution that will deliver the capability to streamline the remediation process by automatically mapping the vulnerability to the correct patch(es) required in your specific environment.
Additionally, the solution should also streamline the application of patches for compliance by creating a zero-touch patch job to automate vulnerability remediation based on criteria that apply uniquely to your organization. This should reduce operational risk and remediation time, helping security teams align with regulatory and internal security policies.
Finally, the solution must make sure that endpoints are quickly and consistently patched, via the cloud, regardless of their location or connection to an organization’s network, which reduces the cost of securing a primary vector of attack. Eliminating the need to go over VPN for patching can save time and significantly reduce costs.
In today’s cyber world, full of uncertainty and constantly evolving threats and data obligations, have you ever wondered, “how can my organization protect itself against the unknown?” The quick answer to that question is threat intelligence, the human element that leverages cyber intuition and honed investigation skills to pre-empt attacks. Threat intelligence is actionable, timely, and provides context to threats. Let’s delve into the details and better understand all that threat intelligence has to offer the industry.
What is Threat Intelligence?
Threat intelligence gathers multi-source, raw, and curated data about existing threat actors and their tactics, techniques, and procedures (TTPs). Knowing the adversary’s modus operandi helps analysts understand the tactics in use and identify the signs of an unauthorized presence in a target environment. It also helps analysts anticipate likely future targets by understanding attacker motivation, transferable phishing campaigns, and other tooling that could be reapplied from one target to another. For example, a campaign that uses stolen lawsuit information to target law firms could be modified to target healthcare organizations using stolen malpractice litigation documents.
This knowledge and understanding of the adversary can prevent future attacks by helping organizations develop defenses based on likely attack scenarios. In essence, threat intelligence is a way to proactively defend your organization and remain a few steps ahead of cybercriminals. It’s not a crystal ball, but it can be a Moneyball approach to cybersecurity.
Threat intelligence professionals threat hunt by proactively searching for suspicious activity that indicates malicious behavior or network compromise. It is often a manual process backed by automated searches and correlation of already-collected network data. Other prevention and detection methods can only detect known and categorized threats. Below are some requirements for a threat hunting tool:
Practical Threat Hunting Tool Requirements:
Proactive threat hunting quickly establishes itself as a critical pillar in security strategies and ensures situational awareness that other methods do not offer. This approach requires the expertise of cybersecurity professionals who can draw from the knowledge of a system’s specific functionality and connectivity. In addition, they understand the attacker’s tactics, techniques, and procedures (TTPs) and capabilities to expose potential attacks and compromises. For additional context, below are a few threat intelligence challenges and benefits:
Threat Intelligence Challenges
Threat Intelligence Benefits
Who Should Invest in Threat Intelligence?
Threat intelligence adds value across security functions for companies of all sizes. Integrated into an organization’s IT team, it helps triage incoming threats and provides external insight and context for prioritizing the vulnerabilities that matter. It also provides context around threat actors’ TTPs. Fraud protection, risk analysis, and high-level security processes are all enriched by it.
Proactive threat intelligence and hunting require 24/7 continuous monitoring, which is a challenge for organizations that struggle to source the right talent or have a limited budget. A common, cost-effective answer is to outsource the skill and expertise needed.
Move Beyond Automation: Take Charge
In today’s world, adding threat intelligence to your cybersecurity strategy is no longer a luxury; it is a necessity. It is widely described as the way forward for detecting and responding to advanced threats, and it helps lower cybercrime and data breach costs. Cybersecurity is undergoing a significant transformation, and organizations can no longer wait around to be attacked. The key is adding the elements that strengthen your organization for battle, above all the human element within threat intelligence. Taking charge is more than a suggestion; it is a critical move that, if not made correctly, can result in irreversible damage.
At Adlumin, we are constantly monitoring trends in malware and the capabilities used by threat actors to attack customer networks. Ransomware poses a unique threat to customer environments and businesses as attackers’ use of the technique continually evolves and spreads while payouts increase.
The Threat
Ransomware is a popular method of computer network exploitation and extortion, and a potentially big payday for cybercriminals. In a ransomware attack, the malware locates user files on local disks and network shares and encrypts them in place. Once encrypted, unless there are unaffected backups, the documents and data are unreadable until the victim pays. Attackers run payment portals on the clear web, on the dark web, and on the bridges between them, so victims can “conveniently” pay online to receive a decryptor for their files.
Foundations
Widespread use of ransomware against businesses for financial gain is relatively new: modern examples began trending in the mid-2000s and took off in 2013. The first examples, however, date from the 1980s, decades before payment methods like cryptocurrencies existed. In 1989 Joseph Popp authored and distributed the “AIDS Trojan”. This first-of-its-kind malware hid the user’s files, encrypted their names, and displayed a message demanding a $189 payment to “PC Cyborg Corporation” for a repair tool, under the pretext of an expired software license. Notably, this early sample used symmetric encryption: the same key encrypts and decrypts, and the malware had to carry that key to do the encrypting, so the key could be extracted from the sample itself.
By the mid-90s, researchers had introduced the idea of using public-key cryptography so that ransomware could encrypt data without carrying the decryption key, which would otherwise be exposed to reverse engineering and key-recovery-based remediation. This was the critical step in ensuring decryption keys could not be recovered reliably, and that ransomware remained a profitable problem.
In 2006, multiple public-key enabled ransomware families caused trouble in networks worldwide. These attacks weren’t typically pointed at individual targets and often spread through file-sharing platforms. By 2009 ransomware variants had shifted to using secure 1024-bit RSA-driven encryption implementations, which essentially prevented the ability to recover decryption keys through static analysis.
In 2013 ransomware began its modern popularity with the explosion of the CryptoLocker malware. CryptoLocker spread through the Gameover ZeuS botnet and as an email attachment appearing to come from a legitimate company. The ZIP attached to the message contained a Windows executable disguised as a PDF by changing its icon. CryptoLocker used public-key encryption so that the decryption key existed only on the malware’s command-and-control server; with strong keys and algorithms, decryption by any means other than payment is infeasible unless that server is seized (as happened in 2014, when Operation Tovar took down the infrastructure and the recovered keys were released to victims). The malware encrypted files across local and mapped network drives, targeting only specific extensions such as Microsoft Office documents and images.
Since CryptoLocker, hundreds of ransomware families and variants have appeared on networks worldwide. Locky followed as a spiritual successor to CryptoLocker; WannaCry spread globally in 2017 using the EternalBlue SMBv1 exploit (for a flaw Microsoft had patched two months earlier in MS17-010), bringing organizations like the British NHS to their knees. Ryuk appeared in 2018 and targeted specific organizations and industries for their deep pockets and ability to pay. Ryuk led to Conti, which recently announced its support of Russia and threatened “retaliatory measures” if cyberattacks were launched against the country in response to the 2022 invasion of Ukraine. As these attacks grow, we have seen considerable impact on business and industry, such as the 2021 Colonial Pipeline attack, which led the company to shut down its fuel pipeline and control systems, causing price increases, limited availability, and panic buying.
Trends
Adlumin’s Threat Research group has identified two primary trends that increase the risk associated with ransomware attacks: the continued shift to ransomware-as-a-service (RaaS) and the growth of data-exposure-driven double-extortion models. Together they widen ransomware’s capabilities and prevalence and reduce an organization’s ability to contain a breach.
Ransomware-as-a-Service (RaaS)
Ransomware as an attacker methodology has grown from initial custom development of tools for individual exploitation campaigns to large-scale availability as a commodity product with the sale of ransomware capabilities taking place on clear and darknet markets. Ransomware capabilities are now available for sale or lease, decreasing the technical capability required to conduct these attacks and lowering the barrier to entry for would-be attackers.
These capabilities can cost as little as $20 or as much as thousands of dollars, depending on the ransomware’s capabilities, the scope of allowed usage, detection evasion, automation, exclusivity rights, and whether management or victim portals are included.
Ransomware has moved from a tailored and unique exploitation method to a pay-for-play access model.
Data Breach & Double-Extortion
Globally, ransomware groups and attacks have started to incorporate more direct extortion methods, shifting from pay-for-decryption to a combined model that adds the threatened release of stolen, often sensitive, data. To keep victims paying, attackers have had to offset the effect that improved defenses and updated best practices have had on ransomware.
A defensive shift in segmenting devices and services to prevent lateral infection and the ability to restore from otherwise unaffected backups on non-critical systems have lessened businesses’ potential need to pay ransom to recover from an attack. To ensure their operations remain profitable, attackers have begun stealing data from companies and ransoming the possible public release of the stolen data. Such data might include customer PII, payment information, or business secrets – and public release of that data may have severe reputational, business, financial, and regulatory impacts on the affected business, further increasing the cost of a single breach.
This data-exposure or “double extortion” tactic means attackers can demand two ransoms: one to decrypt the data and another to delete the data stolen before encryption. The threat of publication is intense pressure to pay for victims who may not even know what information was taken.
Explosive Growth
Ransomware as an attacker capability has grown explosively since cryptocurrency payments made ransoms easy to collect and attacks stayed profitable. The FBI’s Internet Crime Complaint Center (IC3), as cited by CISA, recorded 2,474 ransomware complaints for all of 2020 and 2,084 between January and July of 2021 alone, a pace that would comfortably exceed the 2020 total over a full year. Ransom demands have grown too, with a reported 225% increase, and victims are on track to exceed $40M in losses.
What You Can Do
Your business or organization isn’t helpless in preventing ransomware attacks and limiting their impact when they get past defenses. In a joint 2022 advisory by cybersecurity authorities in the United States, Australia, and the United Kingdom, including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), the authorities recommended the following best practices for protecting your network:
Keep all operating systems and software up to date.
If you use RDP or other potentially risky services, secure and monitor them closely.
Implement a user training program and phishing exercises.
Require MFA.
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords.
If using Linux, use a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth.
Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.
Segment networks to help prevent the spread of ransomware by controlling traffic flows between, and access to, subnetworks, restricting adversary lateral movement.
Implement end-to-end encryption, which can prevent eavesdropping on communications and so deny threat actors the insight they need to advance a ransomware attack.
Use a network-monitoring tool to identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware.
Document external remote connections.
Enforce the principle of least privilege through authorization policies.
Reduce credential exposure.
Disable unneeded command-line utilities; constrain scripting activities and permissions, and monitor their usage.
Maintain offline (i.e., physically disconnected) backups of data and regularly test backup and restoration.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Collect telemetry from cloud environments.
On Friday, May 27, 2022, a new zero-day remote code execution vulnerability was reported by security researcher “nao_sec” on Twitter. Validated by the community and given the Common Vulnerabilities and Exposure (CVE) designation CVE-2022-30190, the vulnerability dubbed Follina, takes advantage of a flaw in Microsoft Office. It allows attackers to call the Microsoft Support Diagnostics Tool (msdt.exe) to launch malicious executions, including PowerShell commands.
The vulnerability has been confirmed present and exploitable in Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 on Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. That leaves most combinations of Office and Windows exposed, and it should be assumed that all versions of Office are vulnerable until patched.
Technical Details
Follina was first observed as active in the wild and took advantage of a flaw in Microsoft Office and Windows, which allows for arbitrary remote code execution giving attackers potential control of the victim’s machine. Unlike traditional Microsoft Office-based attacks, which typically leverage document macro functionality to gain execution—a generally mitigated strategy—Follina takes advantage of Office’s remote template feature to gain initial execution.
The remote template feature lets the weaponized document fetch an HTML file from an attacker-controlled server. Script in that HTML invokes the ms-msdt: URL protocol handler, which launches the Microsoft Support Diagnostic Tool (msdt.exe) with attacker-controlled parameters, and a flaw in how MSDT processes those parameters causes embedded commands, typically PowerShell, to run. Because no macro is involved, the usual macro warnings never appear, and the RTF variant of the exploit triggers from the Explorer preview pane without the document being opened. The payload runs at the privilege level of the user who opened the document, allowing the attacker to view, modify, or destroy data and install additional programs and malware.
Detection, Defenses, and Mitigations with Adlumin
Adlumin allows security administrators to collect and query security-relevant logs from multiple sources, including network endpoints and process executions. Using this capability, we can develop a query to look for potential instances of exploitation of this vulnerability.
Exploitation of Follina / CVE-2022-30190 leaves several recorded artifacts that can be searched to see whether the vulnerability has been used in a network. The primary query is for endpoint process executions where the parent process is a Microsoft Office product (WINWORD.EXE, EXCEL.EXE, OUTLOOK.EXE, and so on) and the child is msdt.exe. Two caveats apply. sdiagnhost.exe, the diagnostic host that actually runs the injected command, is started over DCOM, so its parent is normally svchost.exe rather than the Office application, and it is best found by looking for shells or script hosts it spawns. And in the RTF preview-pane variant msdt.exe is launched by explorer.exe, so the msdt.exe command line (the ms-msdt: URL, the PCWDiagnostic troubleshooter pack and the IT_BrowseForFile parameter) is worth matching on regardless of the parent.
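The hunt described above, written out as an added example in Python so it can be run over sample telemetry. This is not Adlumin’s query language or code: events are modelled as plain dicts with the fields most EDR or Sysmon (Event ID 1) pipelines expose (pid, ppid, image basename, command line), the field names are assumptions, and the sample events are constructed for the example. It covers the Office-to-msdt.exe parent/child case, the preview-pane case where only the command line gives the exploit away, and the sdiagnhost.exe-to-shell case that does not chain back to Office in the process tree.

```python
"""Hunt for Follina (CVE-2022-30190) artifacts in process-creation telemetry.

Added example: not Adlumin's query language or code.  Events are modelled as
plain dicts with the fields most EDR / Sysmon (Event ID 1) pipelines expose:
pid, ppid, image (basename) and cmdline.  Field names are assumptions.
"""
from __future__ import annotations

OFFICE_IMAGES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
}
# Shells and LOLBins a payload typically lands in once sdiagnhost.exe runs it.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
# Strings present in the public exploit's msdt command line: the ms-msdt: URL,
# the PCWDiagnostic troubleshooter pack and the IT_BrowseForFile parameter
# whose value is where the command injection happens.
SUSPICIOUS_CMDLINE = ("ms-msdt:", "pcwdiagnostic", "it_browseforfile")


def _ancestors(event, by_pid, max_depth=4):
    """Yield ancestor events of `event`, nearest first, up to max_depth."""
    seen, cur, depth = set(), by_pid.get(event["ppid"]), 0
    while cur is not None and depth < max_depth and cur["pid"] not in seen:
        yield cur
        seen.add(cur["pid"])
        cur, depth = by_pid.get(cur["ppid"]), depth + 1


def hunt_follina(events):
    """Return one finding per suspicious process.  Three rules:
      office->msdt          msdt.exe with an Office app among its ancestors
      msdt-exploit-cmdline  msdt.exe carrying exploit markers, whatever the
                            parent (covers the RTF preview-pane path, where
                            the parent is explorer.exe rather than Office)
      sdiagnhost->shell     a shell/LOLBin spawned by sdiagnhost.exe, which is
                            started over DCOM (parent svchost.exe) and so does
                            not chain back to Office in the process tree
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = e["image"].lower()
        cmd = e.get("cmdline", "").lower()
        parent = by_pid.get(e["ppid"])
        if img == "msdt.exe":
            office = next((a for a in _ancestors(e, by_pid)
                           if a["image"].lower() in OFFICE_IMAGES), None)
            markers = any(m in cmd for m in SUSPICIOUS_CMDLINE)
            if office is not None or markers:
                findings.append({
                    "rule": "office->msdt" if office else "msdt-exploit-cmdline",
                    "pid": e["pid"], "image": e["image"],
                    "ancestor": office["image"] if office else None,
                    "cmdline_markers": markers,
                })
        elif (img in SHELL_IMAGES and parent is not None
              and parent["image"].lower() == "sdiagnhost.exe"):
            findings.append({
                "rule": "sdiagnhost->shell", "pid": e["pid"], "image": e["image"],
                "ancestor": parent["image"], "cmdline_markers": False,
            })
    return findings


# Constructed sample telemetry (not customer data).  100-103: a Follina chain;
# 200-201: benign Word printing; 300: a user-run troubleshooter; 400: the
# preview-pane variant, where msdt.exe is launched by explorer.exe.
SAMPLE_EVENTS = [
    {"pid": 3, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5, "ppid": 1, "image": "svchost.exe", "cmdline": "svchost.exe -k DcomLaunch"},
    {"pid": 100, "ppid": 3, "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice.docx"},
    {"pid": 101, "ppid": 100, "image": "msdt.exe",
     "cmdline": 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=<payload elided>"'},
    {"pid": 102, "ppid": 5, "image": "sdiagnhost.exe", "cmdline": "sdiagnhost.exe -Embedding"},
    {"pid": 103, "ppid": 102, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc <elided>"},
    {"pid": 200, "ppid": 3, "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE /n report.docx"},
    {"pid": 201, "ppid": 200, "image": "splwow64.exe", "cmdline": "splwow64.exe 12288"},
    {"pid": 300, "ppid": 3, "image": "msdt.exe", "cmdline": "msdt.exe -id NetworkDiagnosticsWeb"},
    {"pid": 400, "ppid": 3, "image": "msdt.exe",
     "cmdline": 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=<payload elided>"'},
]

if __name__ == "__main__":
    for finding in hunt_follina(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the hunt returns three findings (pids 101, 103 and 400) and stays silent on the legitimately launched troubleshooter (pid 300) and on Word’s normal child processes. Legitimate msdt.exe launches from Office are rare enough that the office->msdt rule can be alerted on directly; the sdiagnhost->shell rule is the one to tune, since troubleshooting packs do spawn PowerShell, so pair it with the command line or with a preceding msdt.exe event on the same host.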
Adlumin stores historical customer data to identify if this vulnerability was leveraged months before the exploit was publicly released. Searching the data set, Adlumin’s Threat Research team could not find any examples of exploitation among our customers.
Defenses
At the time of public disclosure there was no official patch from Microsoft, and Microsoft recommended disabling the MSDT URL protocol as a mitigation. Microsoft subsequently fixed CVE-2022-30190 in the June 14, 2022 Windows security updates; once those are installed, the patch rather than the workaround is the appropriate control.
Disabling the MSDT URL Protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links from within the operating system; troubleshooters remain reachable through the Get Help application and Settings. The following steps disable the MSDT URL protocol, protecting systems from the Follina vulnerability:
Run Command Prompt as Administrator
Back up the registry key:
reg export HKEY_CLASSES_ROOT\ms-msdt backup
Delete the registry key:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
To undo the workaround once the patch is applied, import the backup: reg import backup
Additionally, Microsoft recommends customers with Microsoft Defender Antivirus turn on cloud-delivered protection and automatic sample submission to help quickly identify and stop new unknown threats. Microsoft Defender for Endpoint customers can enable attack surface reduction by setting the rule for “Block All Office applications from creating child processes” (GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a).
Continuous Monitoring
Adlumin recommends using a Continuous Vulnerability Management product to collect the needed data from endpoints to determine if they are running vulnerable versions of Microsoft Windows and Office. The Continuous Vulnerability Management software can also be used to identify those assets which have or do not have the official Microsoft mitigation in place.
Adlumin also recommends leveraging our managed security services product to continually search and alert for suspicious executions, which may result from the exploitation of the vulnerability.
In the book Charlie and the Chocolate Factory, a young boy receives a “golden ticket” that gives him access to Willy Wonka’s chocolate factory. In a cybersecurity context, a Golden Ticket attack means a cybercriminal has gained access to an organization’s entire Active Directory (AD) domain for up to 10 years (the default lifetime mimikatz assigns to a forged ticket). As the name suggests, these attacks can be devastatingly invasive and leave a network at the attacker’s mercy for long periods of time.
A core concept in the mechanism of these attacks is the Kerberos Key Distribution Center (KDC). The KDC functions as a trusted third-party authentication service as part of every domain controller within an AD. Kerberos grants a Ticket Granting Ticket (TGT) to prove recent authentication, allowing users to access resources without constantly reauthenticating.
Kerberos
1. To access a resource, the client first asks the Authentication Server (AS) for a TGT. The request’s pre-authentication data (a timestamp) is encrypted with a key derived from the user’s password, proving the user knows it.
2. The KDC checks the account and builds a TGT and a session key, including timestamps that bound how long the ticket is valid. The TGT is encrypted with the key of the KRBTGT account (a password hash shared by all domain controllers in the domain), so only a domain controller can read or mint one.
3. The client presents the TGT to the Ticket Granting Service (TGS) and asks for a service ticket.
4. The TGS decrypts the TGT with the KRBTGT key, trusts the identity and group information inside it, and returns a service ticket and session key for the requested Resource Server.
5. The client sends the service ticket and an authenticator to the Resource Server.
6. The Resource Server decrypts the ticket with its own service key, checks that the authenticator matches the session key, and grants access; if mutual authentication was requested, it replies with proof of its own identity.
The Attack
During a Golden Ticket incident, the attacker skips steps 1 and 2 above and forges the TGT. A ticket can be forged by hand, but the usual tool is mimikatz, whose kerberos::golden command needs the following to produce a convincing TGT:
Domain name
Domain Security Identifier (SID)
The KRBTGT password hash (NTLM hash, or the AES key for a ticket that blends in better)
The account name and RID to impersonate (by default Administrator, RID 500, with Domain Admins membership written into the ticket)
Obtaining the KRBTGT hash is the real prerequisite: it requires an account holding the ‘Replicating Directory Changes’ and ‘Replicating Directory Changes All’ rights (Domain Admins by default) or equivalent access to a domain controller.
With such an account, the rest is simple. Running whoami /user shows the current user’s domain name and SID; the domain SID is the user SID with its final relative identifier (RID) removed. A DCSync attack with mimikatz (lsadump::dcsync /user:krbtgt) asks a domain controller to replicate the KRBTGT account’s secrets and returns its password hash. mimikatz then generates the Golden Ticket, and the attacker can reach network resources as a domain administrator, or as any other account in the domain.
Adlumin Defense
Golden Ticket attacks are hard to detect because there are many ways to gather the values above beyond the standard technique. Adlumin Data Science therefore takes a practical approach: instead of tracking the attacker’s journey to the forged credentials, it parses Windows event logs for the end-result signatures of a Golden Ticket. A forged TGT can pair a legitimate SID with any account name the attacker chooses, one that may or may not resemble the real owner’s, so logon events in which a single SID appears under more than one account name, or under a name the directory does not know, are a warning sign.
Adlumin Data Science is developing a suite of alerts based on attack signatures like this one, deployed holistically as a comprehensive defense against Windows authentication exploits. Watch our announcement forums for more on this soon.
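The check described above, over constructed sample data, as an added example that is not Adlumin’s detection code. It compares the TargetUserSid / TargetUserName pair of logon events (modelled on Security event 4624) against an exported directory snapshot and flags the three traces a forged ticket leaves: a known SID under a name that is not its owner, a SID that no directory object owns, and one SID seen under several names. The domain SID, account names and events are all invented for the example.

```python
import re
from collections import defaultdict

# A domain account SID is the domain SID (S-1-5-21-x-y-z) followed by the account's RID.
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed directory snapshot (objectSid -> sAMAccountName), as exported from AD.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DIRECTORY = {
    DOMAIN_SID + "-500": "Administrator",
    DOMAIN_SID + "-1104": "jsmith",
    DOMAIN_SID + "-1105": "svc-backup",
}

# Constructed logon events (TargetUserSid / TargetUserName of 4624). The last two are what a
# forged TGT leaves behind: the RID-500 SID under an invented name, and a SID no object owns.
EVENTS = [
    {"id": 4624, "host": "WS01", "sid": DOMAIN_SID + "-1104", "user": "jsmith"},
    {"id": 4624, "host": "DC01", "sid": DOMAIN_SID + "-1104", "user": "JSMITH"},
    {"id": 4624, "host": "DC01", "sid": DOMAIN_SID + "-500", "user": "Administrator"},
    {"id": 4624, "host": "FS01", "sid": DOMAIN_SID + "-500", "user": "itadmin"},
    {"id": 4624, "host": "FS01", "sid": DOMAIN_SID + "-9999", "user": "jsmith"},
]


def split_sid(sid: str):
    """Return (domain SID, RID); the same derivation as reading the SID from `whoami /user`."""
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def find_sid_anomalies(events, directory):
    """Flag events whose (SID, account name) pairing the directory cannot explain."""
    known_domains = {split_sid(s)[0] for s in directory}
    names_by_sid = defaultdict(set)
    findings = []
    for ev in events:
        sid, name = ev["sid"], ev["user"]
        domain, _rid = split_sid(sid)
        names_by_sid[sid].add(name.lower())  # Windows account names are case-insensitive
        if domain not in known_domains:
            findings.append({"reason": "foreign_domain_sid", "sid": sid, "user": name, "host": ev["host"]})
        elif sid not in directory:
            findings.append({"reason": "unknown_sid", "sid": sid, "user": name, "host": ev["host"]})
        elif directory[sid].lower() != name.lower():
            findings.append({"reason": "name_mismatch", "sid": sid, "user": name,
                             "expected": directory[sid], "host": ev["host"]})
    # Second pass: one SID presented under several distinct names across the log.
    for sid, names in names_by_sid.items():
        if len(names) > 1:
            findings.append({"reason": "sid_reuse", "sid": sid, "users": sorted(names)})
    return findings


if __name__ == "__main__":
    for finding in find_sid_anomalies(EVENTS, DIRECTORY):
        print(finding)
```

A case-only difference (jsmith vs JSMITH) is not an anomaly, so the sample run yields exactly three findings: the name mismatch on the RID-500 SID, the unknown RID-9999 SID, and the reuse of the RID-500 SID under two names. In production the directory snapshot must be refreshed on the same schedule as the logs, or every newly created account becomes a false positive.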
Adlumin provides a Software-as-a-Service SIEM and managed security services. Our SIEM allows ingestion from multiple and diverse data sources from Office 365 events to Windows Critical Events and Linux Syslog and those from your existing security appliances and solutions.
The legal system is, in many ways, the town hall of the economy: it brings investors and businesses together, files IP and trademark applications, assesses compliance for regulatory bodies, interprets statutes for clients, and navigates complex legal proceedings. Law firms therefore hold unparalleled access to confidential and valuable information, a one-stop shop for lucrative data that attracts cybercriminals.
According to the American Bar Association (ABA) Legal Technology Survey, 25% of responding law firms reported having experienced a breach. Beyond the financial losses, the reputational damage can be fatal, and the trust between client and attorney can be irrevocably harmed. This article outlines why law firms are targeted and what types of insider threats to watch for.
Why Are Law Firms Targeted?
Law firms are connected to many facets of the economy and are often softer targets than their clients. While a firm can be small, its clients can be large or manage enormous sums of money. In essence, attackers see an easy target holding an A-list of confidential and potentially damaging data, access to large funds, and a vector into its clients’ operations:
DLA Piper suffered a public ransomware attack (NotPetya, in 2017) that left its IT department logging more than 15,000 hours of overtime on recovery while systems serving thousands of clients were down.
Some law firms handle high-profile cases and names, which makes them a primary target. In 2020, Grubman Shire Meiselas & Sacks, a firm representing Hollywood A-listers and athletes, was breached and its data held for a $21 million ransom. And, of course, there was the breach of Mossack Fonseca at the heart of the Panama Papers, which ultimately brought the firm down.
Law firms have access to large amounts of money: trust funds, escrow accounts, and the like.
Threats Law Firms Should Know About
Law firms must mitigate risk not only from outside intruders but also from insiders. In a previous blog post, we discussed how employees can be the weakest link. Insider threats fall into the following categories:
Employees fall victim to phishing or scams from an external source.
Employees use weak passwords or don’t adequately protect their equipment.
Employees exploit information, leak information to cybercriminals, carry information to a new job, or share data with personal systems.
Finding the perfect balance between protecting your firm’s assets or client information and making your employees feel trusted and valued can be challenging. Therefore, it’s essential to educate employees on cyberthreats to empower them while tightening up your security operations.
Law Firm’s Responsibility to Safeguard
While not directly regulated as such, a law firm’s obligations stem from three sources: ABA rules for attorneys, regulators that treat law firms as vendors of regulated entities, and contractual obligations to clients together with the clients’ own compliance requirements.
The ABA Model Rules of Professional Conduct cover attorneys’ obligations to safeguard client information, honor contractual agreements, and report specific cybersecurity incidents that could affect a client. They make managing partners and attorneys responsible for the conduct of staff and non-licensed employees. When it comes to technology, the Model Rules require attorneys to:
Employ competent and reasonable measures to safeguard the confidentiality of information relating to clients.
Communicate with clients about the attorney’s use of technology and obtain informed consent from clients when appropriate.
Supervise subordinate attorneys, law firm staff, and service providers to make sure that they comply with these duties.
Specifically, Formal Opinion 483 (October 2018) explains that Model Rule 1.4 requires lawyers to keep clients “reasonably informed” about the status of a matter and to explain matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation,” which extends to telling a client about a breach affecting its information. In response to the pandemic, the ABA issued Formal Opinion 498 (March 10, 2021): the Model Rules permit virtual practice, meaning technologically enabled law practice beyond the traditional brick-and-mortar firm, but lawyers practicing virtually must consider their ethical duties of competence, diligence, and communication, especially when using technology.
Beyond the legal community, regulators extend their coverage to law firms as vendors. In healthcare, HIPAA treats a law firm that handles protected health information as a business associate, with its own rules for managing healthcare records, and the New York Department of Financial Services covers third-party service providers such as law firms in Section 500.11 of its 23 NYCRR 500 cybersecurity regulation.
Law firms need to equip their employees with the proper knowledge not to jeopardize their law firm or clients’ reputations.
The ABA has adopted a resolution encouraging law firms to develop, implement, and maintain proper cybersecurity programs to meet their ethical and legal obligations. Many firms, big or small, look for outside help when tightening their security rather than relying on a single resource; the ABA reports, for example, that about 80% of firms rely on some combination of third-party consultants or experts, in-house IT staff, and a chief information officer for their security needs.
Law firms should evaluate their security posture continuously to find gaps before an insider slip-up exposes them. ABA guidance and compliance regulations set a minimum standard for the industry; all parties should do their due diligence and strive for more robust protection as a matter of healthy client service.
Learn about the common types of malware, proactive strategies to fight against cyberattacks, the importance of threat hunting, and how to recognize indicators of concern in this comprehensive guide. Equip your organization with the necessary knowledge and tools to protect your IT environment from malware attacks.
An increasingly remote workforce, spurred by the COVID-19 pandemic, has changed the information security landscape. Users have moved from carefully constructed walled gardens to café hotspots and home networks that offer no security assurances. Adlumin’s Threat Research group outlines some of the new and rising challenges that wider remote work adoption brings.
Increased Attack Surface
Every additional web application or service introduced into an environment increases the business’s risk and attack surface, and the added risk of a service should be judged by its permissions and its role in the network. Many of the applications introduced to support remote work are high-risk additions to a typical network: Virtual Desktop Infrastructure (VDI), Remote Desktop, Virtual Private Networks (VPNs), and other remote access solutions are critical to most remote work architectures, and they are considered high risk precisely because of the access and permissions they carry and where they sit in the data’s lifecycle.
Administrators and security staff must ensure that every internet-facing device is patched promptly and must regularly review its logs, accesses, connections, and behavior. It is also essential to monitor the organization’s web exposure continually so that only documented, secured services are reachable, not forgotten backdoors or outdated products. (Note: Adlumin offers Adlumin Perimeter Defense, which gives you insight into your network from an attacker’s perspective.)
User Origin Tracking
Gone are the days when employees worked out of a single central office, with a sprinkling of branch offices and remote sites diversifying the network’s architecture. Modern remote work means supporting employees spread across a state, a country, or the globe.
User origin tracking is the practice of geolocating access and login requests and comparing them against a baseline or rule set, so that a remote endpoint connecting or acting from outside the business’s pre-defined operating area raises an alert. Expanding the security domain complicates, but does not prevent, this kind of origin tracking and access monitoring.
Manually maintaining alert rules for logins outside a central office or branch does not scale, so machine learning that learns each user’s access behavior over time is required: continually analyzing the user’s current and historical access locations, behavior, and relationships in the network to draw conclusions beyond where an endpoint appears to originate. (Note: Adlumin User & Entity Behavior Analytics (UEBA) uses proprietary data science to identify, detect, analyze, and prioritize anomalous behavior that is likely to present a risk to your network, in real time and without input from your cybersecurity team.)
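The baseline-plus-rule form of origin tracking described above, as an added example that is not Adlumin’s UEBA code. It learns each user’s usual login countries from a window of past logins and then flags two things in new logins: an origin outside that baseline, and “impossible travel,” where two consecutive logins by one user would require moving faster than an airliner. The logins are constructed and already carry a country and coordinates, as a VPN or identity-provider log would after GeoIP enrichment; users, times, and places are made up, and the 900 km/h and 50 km thresholds are assumptions to tune.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed learning window (the previous month) used only to build the baseline.
HISTORY = [
    {"user": "alice", "time": "2022-02-03T09:02:00", "country": "US", "lat": 38.9, "lon": -77.0},
    {"user": "alice", "time": "2022-02-17T08:55:00", "country": "US", "lat": 38.9, "lon": -77.0},
    {"user": "bob",   "time": "2022-02-10T08:10:00", "country": "US", "lat": 40.7, "lon": -74.0},
    {"user": "bob",   "time": "2022-02-21T17:40:00", "country": "US", "lat": 41.9, "lon": -87.6},
]

# Constructed logins to analyse: alice "moves" from Washington to Frankfurt in one hour,
# bob commutes New York -> Chicago over a working day, carol has never been seen before.
NEW_LOGINS = [
    {"user": "alice", "time": "2022-03-01T09:00:00", "country": "US", "lat": 38.9, "lon": -77.0},
    {"user": "alice", "time": "2022-03-01T10:00:00", "country": "DE", "lat": 50.1, "lon": 8.7},
    {"user": "bob",   "time": "2022-03-01T08:00:00", "country": "US", "lat": 40.7, "lon": -74.0},
    {"user": "bob",   "time": "2022-03-01T16:00:00", "country": "US", "lat": 41.9, "lon": -87.6},
    {"user": "carol", "time": "2022-03-01T12:00:00", "country": "GB", "lat": 51.5, "lon": -0.1},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def build_baseline(events):
    """Countries each user logged in from during the learning window."""
    baseline = {}
    for ev in events:
        baseline.setdefault(ev["user"], set()).add(ev["country"])
    return baseline


def analyse(events, baseline, max_kmh=900.0, min_km=50.0):
    """Flag logins from a country outside the user's baseline and physically impossible travel."""
    findings = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: (e["user"], e["time"])):
        user = ev["user"]
        if ev["country"] not in baseline.get(user, set()):  # unknown users have an empty baseline
            findings.append({"reason": "new_origin", "user": user, "time": ev["time"],
                             "country": ev["country"]})
        prev = last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (datetime.fromisoformat(ev["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            # min_km keeps GeoIP jitter between two nearby points from alerting when hours ~ 0.
            if km > min_km and (hours <= 0 or km / hours > max_kmh):
                findings.append({"reason": "impossible_travel", "user": user, "time": ev["time"],
                                 "km": round(km), "hours": round(hours, 2)})
        last_seen[user] = ev
    return findings


if __name__ == "__main__":
    for finding in analyse(NEW_LOGINS, build_baseline(HISTORY)):
        print(finding)
```

Country-level baselines are deliberately coarse; a production system would also learn ASNs, devices and working hours, and would treat a user with no history (carol) differently from a user whose history is contradicted (alice). Carrier-grade NAT, VPN egress points and mobile networks routinely geolocate hundreds of kilometres from the user, which is why the distance floor exists.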
Crossing Security Domains – Split Tunneling and Introduction of Remote Endpoints
Admitting remote endpoints into your business network brings additional risk through added surface area and exposure. Split tunneling in Virtual Private Networks (VPNs), and more generally letting a device live in two security domains or jump between them, is an added risk. With split tunneling, only some traffic is routed securely through the VPN to the business network, while the rest goes to the local network or the internet directly. The device is then bridging a trusted and an untrusted network, potentially linking the two security domains. The same concern applies to any device or user reaching a business application from networks or sources that cannot always be trusted.
Administrators and security staff must ensure that any system matching this pattern, such as a business-owned laptop that reaches the business over the VPN from an employee’s home network, is secured. This means strong log management and analysis, aggressive patching, endpoint protection products, and security-oriented architectures.
Data in Transit
With a partially or fully remote workforce accessing business assets from locations distant from the hosted infrastructure, businesses are forced to send data that once transited dedicated ethernet connections and leased fiber or MPLS circuits over untrusted infrastructure instead. From coffee shops and home wireless networks to cellular access and remote data centers, modern remote access requirements are diverse and may change for a given user regularly.
Nearly all services supporting remote work require sending sensitive data across unmonitored, unmanaged, and potentially hostile networks. Because the applications involved demand high reliability, the routes traffic takes from the remote user to the business are dynamic and difficult or impossible to predict or manage, and they are subject to interception by intermediate service providers and attackers.
In a February 2022 attack suspected to be of Chinese origin, BGP, the routing protocol that directs traffic across the internet, was abused so that traffic was validly routed through transit locations friendly to the attacker for interception and inspection [1]. The technique is not new and has been used by nation-state attackers and e-crime organizations alike since at least 2004 [2]. Beyond APTs and e-crime actors, the ISPs along the transit route, which the business cannot control, can also inspect or inject network traffic [3].
To mitigate the risk of sending business data over untrusted infrastructure, a business should treat at least one layer of encryption as mandatory for all business traffic. This can be provided at the application layer, commonly through TLS (HTTPS), or below it through an IPsec or TLS-based VPN. Businesses should also consider layering encryption to double-wrap sensitive traffic, for example by making remote web applications reachable only over an IPsec VPN, with the HTTPS connection to the resource carried inside the tunnel. Where possible, diversify the encryption algorithms, libraries, and implementations across the layers so that a single vulnerability or compromise does not expose data. (Note: Adlumin supports ingestion of security logs from VPN appliances and firewalls.)
Data At Rest
Even with carefully implemented secure remote access, some critical business data related to IT or other sensitive operations ends up stored locally on the device. Outside the most stringent thin-client implementations, users will typically keep data on their business device and, at a minimum, will have sensitive data in browser, application, and memory caches. That data can include sensitive business information, customer or employee PII, chats, emails, credentials, and account details.
To keep data at rest protected, organizations should adopt Full Disk Encryption (FDE) policies backed by secure implementations and algorithms. Most operating systems now ship native full disk encryption: Windows through BitLocker, macOS through FileVault 2, and Linux through dm-crypt with LUKS. (Note: Adlumin supports ingestion of, and alerting on, logs related to FDE features.)
What happened?
Bob is an employee of Business Bank, which recently shifted many of its onsite staff to working from home on company-owned laptops. Bob also has a home computer with an out-of-date antivirus that is several update cycles behind.
His home computer is infected with malware, and the attacker uses it to stage an attack against the Business Bank laptop on the same home network through an SMB vulnerability. The next time Bob connects the laptop to Business Bank’s internal network over the VPN, ransomware is launched against the domain.
Future Prevention Method
In this case, Business Bank could have saved itself with tighter security controls and monitoring. In addition to changing its host-based firewall policy on the laptop to drop inbound traffic that is not required to establish the VPN connection (no inbound SMB from the home network, for instance), it should have deployed endpoint monitoring and a SIEM capable of identifying the abnormal connection from Bob’s home computer.