By Raymond Pompon, Director of F5 Labs
F5 Labs’ 2021 Application Protection report shows that ransomware was a factor in about 30% percent of U.S. breaches in 2020. This trend is also playing out to varying degrees globally. When we look at the breach analyses, some of the most important controls were user account management, network segmentation, and data backup. The challenge is how to best implement them.
A significant percentage of attackers log into systems to hack them. They guess, steal and phish passwords. Indeed, historically speaking, passwords provide poor protection. Here’s how we can do better:
Best practices, and some compliance regulations, indicate the use of multifactor authentication (MFA) on all systems holding critical data. If you can’t apply MFA to everything, then prioritize. First, all administrative accounts should use MFA. As a major attack vector for ransomware, remote access is the next priority. Given all the critical data people leave in email and that most major email platforms support MFA, adding it to end-user email is the next priority.
Until you can get to 100% MFA for all access (hint: look for single sign-on tools to help here), we advise looking into the following measures (based on the NIST Digital Identity Guidelines):
Strong account management means applying the principle of least privilege. The key priority is to limit administrative access. Unless you’re an IT shop of one person that works 24/7, divide the responsibilities by region, time zone, or system function. Another powerful technique is to separate the system administrator accounts from their day-to-day user accounts. Admins should use a nonprivileged account for things like reading email, surfing the web, and accessing applications. Then, when they need to perform IT administration, they switch accounts or elevate their privileges. This way, if an admin accidently clicks on a phishing email with ransomware, it won’t wipe out the entire network. Many of these restriction capabilities are configurable within most operating systems.
The same approach applies to service accounts. These are the often invisible accounts that are tied to running applications. These services are ripe for attacker takeover. Associated accounts should restrict rights to only those necessary to run the service. Web servers need rights to their own service and the file directories, not an entire box or the entire network. Using a generic full admin account as a service account is a disaster waiting to happen. Operating systems have some built-in functions to restrict these service accounts, disallowing human interactive logins and tying them only to the servers and services they are supposed to function on.
In some systems, you can restrict service account privilege domains as well. For example, you can set up a backup server to have read-only access to the main domain, so it can copy files for backup. Restores can be done under a different account or manually with a system administrator.
All user accounts should be logged for audit purposes in a way that prevents tampering. Attackers will try to erase their tracks, so your monitoring system should sound the alarm if it detects logs being deleted or they stop coming in. It’s also prudent to have the system automatically raise an alert when a system administrator account is created. This should be a rare enough event that false positives are manageable. It is also important to review general user accounts against personnel records to ensure only the right people continue to have access. Lastly, because of the prevalence of brute force and credential stuffing attacks, create alerts for large numbers of login failures.
Firewalls can limit infections to specific segments of users, systems, or levels of trust. Virtual LANs, which run on managed switches, can also be a useful fallback if internal firewalls are unfeasible. This is essentially least privilege at a network level.
Worried about supply chain compromise of your management tools? Set up default deny policies with firewall rules controlling the management servers. Then configure only the specific connections and ports necessary for remote management capabilities to the specific managed system addresses. Note that a remote management system can have Internet access or internal network access but not both simultaneously. Make it harder for an Internet attacker to remote control a server in your environment. The same rule applies for administrative interfaces: limit their access with network rules.
Network traffic can be filtered wherever subnets of different trustworthiness connect to each other, such as wireless networks, remote access gateways, third-party connections, storage servers, Internet-of-Things devices, backup servers, developer systems, and user networks. Once again, apply least privilege and only allow the defined communication methods to the defined addresses.
The network devices and firewalls that manage network segmentation also need to be patched in a timely manner. Attackers will exploit those bugs and break through, so make sure to keep those devices up to date.
Once ransomware takes hold of your systems, it’s best to delete everything and reload from scratch. Attackers know this and will corrupt backup systems as part of the ransomware attack. So, have complete, up-to-date backups, and protect them.
Use the 3-2-1 backup strategy. This means having three backups of your data, with two copies on different media, and one offsite. Remember to back up everything, including system images, application software, and configurations. You can then rebuild servers and workstations, preferably using automation for speed and ease.
Restore testing should include tests for completeness and speed. It’s one thing to perform a test restore for a few files but another thing to restore hundreds of terabytes. In many cases, a complete restore process can take days to complete. Also, if you are backing up online – such as saving data to the cloud – check your bandwidth speed requirements and costs. Some cloud providers charge much more in transfer fees to download data from their cloud than to upload to it.
Most major cloud providers now offer immutable storage options, such as placing a software lock on a file when it’s created. The lock can remain in place for weeks or months to ensure stored files cannot be altered. These locks can both protect against ransomware and meet compliance and legal requirements for tamperproof logs.
Ransomware is a growing threat to our critical systems. Fortunately, a defense in depth strategy can prevail.
Ultimately, though, there is no cut-and-dried checklist on what controls and defenses to leverage. It will vary based on your organization’s business, technological infrastructure, culture, and relevant threats. The key is analyzing and understanding the threats you face and the assets you care about, and then applying divergent but overlapping controls to remediate as much risk as you can. The good news is that a coordinated collection of useful but imperfect defenses is not only more effective than a single bulletproof control, it’s a lot more attainable.
