
Wiperware

And ransomware has been weaponised.

If you remember my post a few months back regarding the future of ransomware, we now see the emerging Wiperware: malware whose sole purpose is to create mass destruction rather than to hold files for ransom. The article mentions Maersk's loss of more than $200 million to NotPetya and that ransomware costs will land somewhere around $5 billion this year. That's a lot of money that could be better invested in simple security functions instead. We are still looking at far too many companies with a very insecure setup.

One of the best things about working at Microsoft is all the things you get to know, and one of the worst is all the things you are not allowed to tell (yet).

Still, I took a look at Credential Guard today to understand how it works, and I found this document, which describes it on a somewhat more technical level.

Looking at it from a more architectural point of view, it lets us put a bit more trust in the clients. The viewpoint until now has been that client devices are insecure by default and that sensitive information should not be stored on them, not even with encryption software installed. Now there is a possibility that we can revisit that, as Credential Guard protects the user credentials from being accessed by malware and hence blocks possible lateral movement.

Today I start my first day at Microsoft! Wish me luck!

An architect asked me yesterday how you use a reference architecture when it comes to security architecture. 'How can I be sure that it is applicable to me?' was the simple and yet interesting question.

The answer is not that obvious. First of all, we need to position your own security against the reference architecture. We do this with a risk analysis. Without the risk analysis you cannot know what risks you actually have. A risk analysis needs both an administrative part and a technical part to be valid. When you know your first batch of risks you start to map them against the risks that the reference architecture mitigates. A skilled security architect does that in a few minutes.

When you have done that you know whether the reference architecture is applicable to you. In some cases (like Microsoft's SPA concept) the risks are valid for everyone running an Active Directory, making it very easy to tell if it fits you.

This is sadly not the end of your peril. Once you know which reference architecture to use, you have to weigh the cost of implementing it against the value of what you are trying to protect. Only when that is done do you know whether the reference architecture is the right thing for you.

I don't know how many of you spend your vacation reading about security issues, but you have probably heard about the struggles at the Swedish Transport Agency.

There are quite a few things not right in the current round of news, but that will be sorted out eventually. All in all, the problem is that the people responsible decided that a few laws governing information security could be opted out of (they can't) and allowed a number of systems to be outsourced to IBM, giving a few foreign administrators who were not approved by SÄPO (Swedish Security Police) full access to all the information.

The news currently says that information has leaked, but that is to mistrust IBM quite a bit; the real problem is that information security is not regarded as an important topic when outsourcing. Using a cloud service is not the problem; not managing your security is.

If you are a pentester you are perfectly aware of lateral movement, but if you are a bit further away from technology you probably won't read any further right now. I would advise you to keep reading.

What is lateral movement? It's the process of getting access to a computer, capturing its credentials and using them to move to the next computer in the network, getting the next set of credentials and continuing until you find a workstation that a domain admin has logged into.
And that's where the attacker strikes gold, for with those credentials it is possible to take control of the Active Directory and with that take full control of everything in the organization.

So, is lateral movement a problem? Yes, it is a problem if you have not implemented a Tier model, because sooner or later (often sooner) they will find the workstation where the domain administrator logs in. It is still a problem if you have implemented the Tier model and PAWs, but at least the keys to the kingdom are safe (for now). If you have followed best practice for how clients access applications and use domain accounts, lateral movement becomes a lesser problem, and it can be blocked rather easily by implementing a few group policies that deny 'Local account and member of Administrators group' the right to log on to the computer from the network.

Read more here.

I'm not too fond of not managing to help my clients recover, but sometimes shit happens and you'll have to just stand there looking at a disaster evolving in front of your eyes.

This particular case was in April. I was recovering from surgery so I wasn't working. My phone rang and a friend of mine told me that he had a friend who had been hit by ransomware. It's not a big company, so they can't afford a specialist to help them, but he promised me a good discount if I managed to do something. Being bored in bed I decided to give them a call and was quickly informed that they didn't have time for my advice as they had some production problems.

About two hours later they called me back and told me that they could use my help as they had no access to their files. They bluntly asked me if I could crack the password and I said no. "Aren't you supposed to be a security expert?" I decided that they were most probably under a lot of stress, so I swallowed the insult and continued by saying that the tools they use are standard encryption modules with very long, complex passwords, so cracking those is possible but would take a number of years and cost millions, so it is not the way you attack this problem.

I asked what had happened and they told me that several users had clicked on a link and activated a ransomware that had encrypted their file server several times. The cost of the key was about 0.5 Bitcoin. I was sent a file and saw that it was encrypted four times, hence impossible to decrypt. This ransomware apparently encrypted everything and appended .CRY, so the file I was sent was named Financial 2017.xlsx.CRY.CRY.CRY.CRY.

I told them that it was virtually impossible to decrypt and that the only way to recover the files was to pay for the decryption key and have the files decrypted in the right order. The other way was to restore from a backup and lose a few days' worth of work. That's when they told me that they had never taken a backup.

I told them to take an immediate backup of the encrypted files so that they could restore them to their encrypted state in case they ran the decryption in the wrong order.
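As an added example (not the author's script), this PowerShell does the pre-decryption step described above: it inventories the encrypted files, counts how many times each was encrypted (one .CRY suffix per pass), and copies them with SHA-256 hashes to a separate location before anyone runs a decryptor. The share, vault path and marker extension are assumed values for the illustration.

```powershell
# Added example: preserve the encrypted state and record the nesting depth per file.
# $Share, $Vault and $Marker are hypothetical values; adjust for the real environment.
param(
    [string]$Share  = '\\fileserver\data',        # hypothetical encrypted file share
    [string]$Vault  = 'E:\pre-decrypt-snapshot',  # hypothetical offline copy target
    [string]$Marker = '.CRY'                      # extension appended by the ransomware
)

$files = Get-ChildItem -Path $Share -Recurse -File -Filter "*$Marker" -ErrorAction SilentlyContinue
if (-not $files) { Write-Warning "No *$Marker files found under $Share"; return }

$manifest = foreach ($f in $files) {
    # Count trailing markers: 'Financial 2017.xlsx.CRY.CRY.CRY.CRY' -> depth 4
    $depth = 0; $name = $f.Name
    while ($name.EndsWith($Marker, [StringComparison]::OrdinalIgnoreCase)) {
        $name = $name.Substring(0, $name.Length - $Marker.Length); $depth++
    }
    $rel  = $f.FullName.Substring($Share.Length).TrimStart('\')
    $dest = Join-Path $Vault $rel
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
    [pscustomobject]@{
        Path         = $rel
        OriginalName = $name
        Depth        = $depth   # number of decryption passes needed, in reverse order of encryption
        Sha256       = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        Bytes        = $f.Length
    }
}

# The manifest lets you verify later that the copy is still the untouched encrypted state
$manifest | Export-Csv -Path (Join-Path $Vault 'manifest.csv') -NoTypeInformation

# Mark the snapshot read-only so a wrongly ordered decryption run cannot overwrite it in place
Get-ChildItem -Path $Vault -Recurse -File | ForEach-Object { $_.IsReadOnly = $true }

# Summary: how many files need how many passes
$manifest | Group-Object Depth | Sort-Object { [int]$_.Name } |
    ForEach-Object { "{0} file(s) encrypted {1} time(s)" -f $_.Count, $_.Name }
```

Run it from an account with read access to the share and write access to the vault; the vault should be a disk or share the infected machines cannot reach.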

They didn't take my advice, and I later found out that they lost 100% of the data on their file servers, including designs that had taken them years to finalise.

Cybersecurity has been a thing for quite some time now, but the real change here in the Nordics came this year with a lot of ransomware attacks, with WannaCry as the current leader of the pack, closely followed by GDPR, which is every security consultant's wet dream. Almost every company has put cybersecurity among the top three things they need to do in the following years.

The saddest thing is that most of them could have done it a lot more easily a few years back. Today they have very complex environments and are integrating everything, creating a security disaster waiting to happen. The chances of a company not being hit by ransomware or an attack are slim to nil. The only hope is that the users don't click on links or that the antivirus was updated.

I think that we will see a number of devastating attacks this year, and also a few companies that will fail due to policy problems or administrative routines that are not followed.

PAW in depth

As you read in my previous message, I'm joining Microsoft. One thing you have to do at MS is return to the school bench, as there is so much to learn. For now I'm only allowed access to external material, so let me share with you a few views on the PAW concept.

One of the core principles of the PAW concept is the Tier model. The Tier model in itself is quite simple, as it builds on the zone concept that we are quite used to today. The big difference is that the zones are enforced using group policies instead, but network zoning could be used as well for added security.

The PAWs are restricted to their own Tier, making it impossible for a Domain Administrator to log on to a normal workstation or anywhere else, so that the only way to access a Domain Controller is through a Tier 0 PAW.
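Both the group policies from the lateral movement post and the Tier enforcement described here come down to the "Deny ... log on" user rights on each host. As an added example (not the author's or Microsoft's code), this PowerShell exports the local policy, resolves which principals are denied each logon type, and checks that 'Local account and member of Administrators group' (well-known SID S-1-5-114) is denied network logon. It assumes an elevated session on the host being audited.

```powershell
# Added example: audit the deny-logon user rights that enforce the Tier model on this host.
# Requires an elevated session; the export file path is an arbitrary temporary location.
$exportPath = Join-Path $env:TEMP 'secpol-audit.inf'
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# The export is INI-style; [Privilege Rights] holds lines such as
#   SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-113
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $exportPath) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Entries are '*SID' or plain account names; strip the leading '*'
        $rights[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    }
}

function Resolve-Principal([string]$sidOrName) {
    # Translate a SID to DOMAIN\Name where possible; otherwise return the entry as written
    try { (New-Object System.Security.Principal.SecurityIdentifier $sidOrName).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { $sidOrName }
}

# The deny rights a Tier model uses to keep higher-tier credentials off lower-tier hosts
$denyRights = 'SeDenyNetworkLogonRight', 'SeDenyInteractiveLogonRight',
              'SeDenyRemoteInteractiveLogonRight', 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'
foreach ($r in $denyRights) {
    $who = @($rights[$r] | ForEach-Object { Resolve-Principal $_ })
    "{0,-36} {1}" -f $r, $(if ($who) { $who -join '; ' } else { '<nobody>' })
}

# The specific control from the lateral movement post: local admins must not log on over the network
$localAdminsSid = 'S-1-5-114'   # NT AUTHORITY\Local account and member of Administrators group
if (@($rights['SeDenyNetworkLogonRight']) -contains $localAdminsSid) {
    Write-Host 'OK: local administrator accounts are denied network logon.' -ForegroundColor Green
} else {
    Write-Warning "Missing: add $localAdminsSid to 'Deny access to this computer from the network' via GPO."
}
Remove-Item $exportPath -ErrorAction SilentlyContinue
```

Running it on a Tier 1 or Tier 2 machine should also list the Tier 0 admin groups under the interactive and remote interactive deny rights; an empty line there means the Tier model is not yet enforced on that host.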

I just want to inform you all that I have resigned from Sogeti to join Microsoft as a Cybersecurity Architect. This blog will continue to operate independently and still just reflect my views on different topics, assignments that I can share and so forth. Just keep the mails coming and I'll try to answer as soon as I can. 🙂
