
Following my last post a few clients started asking me about the future of ransomware. I brought up this picture showing a number of predictions I have made over the years and when they were found in the wild.

One prediction is that more failures will happen, intentionally or unintentionally, and that these will start to cost a lot more money, not from the ransom itself but from the longer downtime that follows.

Today many companies have invested in online backups, with online meaning that the backups are accessible from a network share or similar, just to make it easy to restore the files. This will be costly in the future, as ransomware will target those systems to make sure that companies pay the ransom or just to create havoc.

Ransomware makes you wanna cry, and the name of the latest outbreak is fitting. You have most probably read hundreds of posts about how to protect yourself going forward. I will not repeat those tips and tricks but instead focus on some real-life experiences of what actually prevented the ransomware in the first place:

1. Office 365 with ATP
2. SentinelOne
3. Sogeti SOC with QRadar

Following up discussions with our partners and internal delivery we identified three independent ways to contain the outbreak.
Office 365 has an add-on called ATP, Advanced Threat Protection. Already at the beginning of the outbreak the detonation chamber in ATP identified the ransomware behaviour and blocked it, so all mails containing the ransomware were blocked for clients that used ATP.

SentinelOne is a new type of threat protection that identifies ransomware behaviour, blocks it, takes a signature and updates the central server, which sends the signature out to all clients. But most importantly: it rolls back the changes the ransomware made, putting your files back in order as if nothing had happened.

Our SOC reported suspect mails quite early on, and QRadar was very quickly updated to block the malicious traffic, effectively stopping the ransomware dead in its tracks.
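As an added example (not code from this post or from any of the products named above), here is a small detector that does the kind of thing the SOC did for us: it flags an account that rewrites many files on a backup share with unfamiliar extensions inside a short window, the behaviour ransomware shows when it reaches the online backups discussed earlier. The log format, account names, paths, extensions and thresholds are all constructed for the example; a real SIEM would feed its own file-audit events into `detect_mass_rewrite()`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not from any real product or incident):
# "<ISO time> <account> <action> <path on the backup share>".
SAMPLE_LOG = r"""
2017-05-12T09:00:00 CORP\backupsvc WRITE \\fs01\backup\sys\disk01.bak
2017-05-12T09:00:30 CORP\backupsvc WRITE \\fs01\backup\sys\disk02.bak
2017-05-12T09:01:00 CORP\backupsvc WRITE \\fs01\backup\sys\disk03.bak
2017-05-12T09:01:30 CORP\backupsvc WRITE \\fs01\backup\sys\disk04.bak
2017-05-12T09:05:00 CORP\alice WRITE \\fs01\backup\hr\plan.docx
2017-05-12T09:14:00 CORP\bob RENAME \\fs01\backup\sales\forecast.xlsx.locked
2017-05-12T09:14:02 CORP\bob RENAME \\fs01\backup\sales\leads.csv.locked
2017-05-12T09:14:03 CORP\bob RENAME \\fs01\backup\sales\pipeline.pptx.locked
2017-05-12T09:14:05 CORP\bob RENAME \\fs01\backup\sales\contract.pdf.locked
2017-05-12T09:14:06 CORP\bob RENAME \\fs01\backup\sales\notes.docx.locked
2017-05-12T09:14:08 CORP\bob WRITE \\fs01\backup\sales\HOW_TO_DECRYPT.txt
"""

KNOWN_EXTENSIONS = {"bak", "docx", "xlsx", "pptx", "pdf", "csv", "txt"}
WINDOW = timedelta(seconds=60)   # look-back per account
MIN_FILES = 5                    # distinct files changed inside the window
MIN_UNKNOWN_RATIO = 0.5          # share of them with an unfamiliar extension

def extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_mass_rewrite(log_text):
    # One alert per account whose change rate and new-extension ratio look like
    # bulk encryption; a backup job writing a few .bak files per minute stays below.
    changes = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, action, path = line.split(" ", 3)
        if action in ("WRITE", "RENAME", "DELETE"):
            changes[user].append((datetime.fromisoformat(ts), path))
    alerts = []
    for user, evs in changes.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while evs[start][0] < ts - WINDOW:   # slide the window forward
                start += 1
            files = {p for _, p in evs[start:end + 1]}
            unknown = sum(extension(p) not in KNOWN_EXTENSIONS for p in files)
            if len(files) >= MIN_FILES and unknown / len(files) >= MIN_UNKNOWN_RATIO:
                alerts.append({"user": user, "first_seen": evs[start][0],
                               "files": len(files), "unknown_ratio": unknown / len(files)})
                break   # one alert per account is enough to page the SOC
    return alerts
```

Tune the thresholds against your own share's normal write rate before relying on it; the point is that the backup service account and a normal user stay quiet while the rewriting account trips the rule within seconds.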

The lesson from this is the same thing that security experts like me say over and over:
Upgrade and update. The days when security threats were a simple and fun game for 15-year-old kids are long gone. Today it's organised crime and state hacking. By having low security and paying out ransoms you become an involuntary financer of crime and terrorism.

Following on from the administrator is the DBA, a person who is almost mythical as it's a very scarce resource. During my years as a DBA I always had full access to everything within the database, and as many databases were run under domain admin accounts I could do anything I wanted in the environment. That's a lot of trust to put in one person's hands.

During one assignment I was asked to update the structure of a table because a new version of an application was to be installed. I asked for the name of the application so that I could look for expected problems during the upgrade. Strangely enough I was told that this was a secret, because if I knew the name of the application I could find a way to break into it.

As it turned out it was the system that manages our salaries, and when I told them that I had full access to the database, that was not a problem because it was only possible to see any data using the application. I told them that wasn't the case and even offered to show them that I could read the database, but no, I was only the DBA, not the developer, so I could not possibly have access.

This was in the early 2000s, but still to this day the DBA quite often has a lot more access to data than they need. Encrypting the database is still quite seldom used, even if it's a very simple process today. GDPR is coming!

Many years back I was always saying: there are two people who have full control over all the information in your organisation: the CEO and the administrator… and I'm not sure about the CEO.

During my time as an investigator I found numerous instances of Microsoft Office installed on file servers where there was very visible evidence that files containing very sensitive information, like organisational changes, business plans, salary figures etc., had been opened on the server. To make things even worse the administrator often had full access to all information in the databases as well, often with no logging. Sadly this was seldom viewed as a problem, as the administrator was said to be trustworthy. The so-called insider threat was frowned upon as something security consultants used to scare their clients with. Malware at that time was mainly mass-mailing worms or 'fun' viruses, and occasionally somewhat nastier malware that took some time to remove, with a lot of porn ads popping up.

Today we are harvesting the seeds the clients didn't want to grow, with credential attacks using lateral movement to get to the domain admin.
I was recently exposed to a Microsoft concept called PAW (Privileged Access Workstation) that aims to manage that problem. If you have the time, do look into how the PAW concept works.

A client of mine was hit by a simple ransomware this morning and it cost her one workstation and a few hours of reinstallation. She has listened to me and implemented a good way to manage reinstallation of clients and take backups. This specific company has removed file shares and is using SharePoint instead, so they weren't hit that hard this time, but what about the future?

There is way too much money to be made in ransomware, and more people will enter the market. Some will be sloppy and will not be able to decrypt, or will just ignore it altogether. Others will build on the success of others and create more complex ransomware that exploits vulnerabilities etc.

I suspect that standard malware will include a ransomware component going forward. If the credentials of a user cannot be stolen, the ransomware can always be triggered to make at least a small amount of money.

Sometimes I have time to sit down and reflect on the world and try to look a bit further than the coming week's meetings. Having had a number of discussions with my clients it is very obvious that different cloud services are the future, be it IaaS, PaaS or SaaS. During those discussions I'm often asked how security will change.

This is not a simple answer to give, as there is no simple answer. Looking at IaaS there are no large changes; the standard mechanisms are still valid. However… taking GDPR into account, different encryption systems will be important to develop. The same goes for PaaS and possibly SaaS.

But the most important thing will be identity. We must start to use strong identities everywhere. We must start to use 2FA and verify all our users. The attacks we see will focus more and more on identity, and with loose security surrounding the identity my clients will lose the battle.

In my previous posts I wrote a bit about security architecture. Looking at how to implement this in real life, you need to start by looking at your security posture. But what is your security posture exactly?

When you start implementing your security you will have a number of hardware- and software-based protections. You will have processes, guidelines and policies. There will be mandated training and awareness sessions etc. All of this creates your security posture. The security posture is in essence the way your organisation stands ready for an attack. Just imagine you are training judo (as my kids are doing) and you are ready for a match. Look at the judoka's way of standing ready to catch the opponent at their first attack, how they respond, counter and in the end hopefully get the opponent down on the mat. Your security posture is the way you stand ready for an attack, how you keep your balance and change it depending on the different possible attacks.

So what does this give you besides a lot of words? Security is complex, but when you describe it with an image you understand that by putting all your resources into weightlifting heavy hardware you will be off balance, and a simple leg sweep in the form of a social engineering attack will bring you out of balance and make you lose the match. The same goes if you are very agile but lack the stamina to keep moving. The security posture is a way of measuring how well you will withstand an attack.

Now that you understand where a security architecture starts, it is time to look at the full cycle of security architecture.

When you have a risk register with risks for different assets you need to start working on how to mitigate them. The first task is to define the security mechanisms needed to solve your problems. A security mechanism is a description of a security solution to a defined security problem.

For example: encrypted communication solves eavesdropping on network traffic, and it does so by using an encryption technology to transform a payload into a format that is unreadable to anyone except the intended reader.

By mapping your risks to security mechanisms you can start defining your solutions. After you have defined the possible mechanisms you need to check whether they are applicable in a specific implementation scenario. One example is a requirement to encrypt information stored on a file server in such a way that data is encrypted when not in use. At a quick glance, either Microsoft RMS or disk-based encryption could be used. Looking a bit further, we understand that disk-based encryption that encrypts the whole disk does not work, as a file server is online 24/7 and hence the data is always accessible.

When you know the mechanisms you need, you map out the possible patterns that you need to solve the problems. In some cases they will contain more mechanisms, or use mechanisms in another way than you thought of. The patterns are accelerators but not always the correct way to solve a problem. They seldom adhere to your specific business processes.

With all this information readily available you will create a few artefacts: changes to different parts of the architecture and suggestions for how to implement different security mechanisms, technically or using processes.
With this you have run a full circle and can update your risk analysis, and the whole circle starts again.

It's not that easy to start creating a security architecture when it's hard to define in the first place. A security architecture has a few starting points. The first one is the realisation that you have something to protect. That may sound like a simple thing, but without your assets defined you cannot define a security architecture.

Following that you need to start building the list of requirements you need to adhere to.

This list consists of your risk analysis, applicable laws you need to adhere to and compliance schemes you need to follow. Of course, you could have others that are on a voluntary basis, and those should be included in the list as well, as long as you don't regard them as strictly mandatory.

The list you produce will be the risk register that you start working with.

I had a client meeting recently where we started to discuss their view on security architecture and, quite interestingly, I got several views of what security architecture actually is. As a result I created a set of slides that describe how I work with security architecture. Of course, there are many ways to do security architecture, but a common consensus on how you view the topic is quite important to define.

As you can see in the picture above, I use IAF (Integrated Architecture Framework) as the model to build my architecture. IAF has been part of TOGAF since TOGAF 9. An architecture consists of four large parts: Business, Information, Information System and Technical Infrastructure. Security architecture is not a specific architecture within this framework. In some cases you model an IAM system and call it a security architecture, but that is not correct; that's a Technical Infrastructure architecture of a security system. A security architecture is actually something completely different, but it ends up changing the current architecture you have to make sure that it is secure. The red dots show examples of where an architecture could be changed to make it secure.

So basically, security architecture is the process of making an architecture secure.
