Applying Security in-Depth and Best practices against Ransomware attacks (2/2)

Expleo
15 min read · Oct 25, 2021

Yassine Zeroual — Cybersecurity Architect, Expleo Group

8- Ransomware Defense №7: Securing DNS

The Domain Name System (DNS) is a key component of the internet’s resilience. It makes navigating a website, sending an email, or making a secure shell connection easier by translating domain names into Internet Protocol addresses.

One of the key defenses is protecting users’ DNS queries, because cyber threat actors use domain names across the whole network exploitation lifecycle: users frequently mistype domain names while attempting to navigate to a known-good website and unintentionally land on a malicious one instead (T1583.001); threat actors lace phishing emails with malicious links (T1566.002); a compromised device may seek commands from a remote command-and-control server (TA0011); and a threat actor may exfiltrate data from a compromised device to a remote host (TA0010). Preventing the resolution of malicious domain names is one of the best practices for protecting both individual users and enterprises. [30]

8–1 Selecting a Protective DNS Service

Like many Internet protocols, DNS was built to withstand abuse from bad actors intent on causing harm. “Protective DNS” (PDNS) differs from earlier security-related changes to DNS in that it is envisioned as a security service, not a protocol, that analyses DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture. [30]

Widely implemented DNS security enhancements — that address the integrity and authenticity of DNS records (e.g., DNS Security Extensions, or DNSSEC) or that support the privacy and integrity of client DNS queries and responses (e.g., DNS over Transport Layer Security [DoT], and DNS over HTTPS [DoH]) — do not address the trustworthiness of upstream DNS infrastructure that may be compromised or DNS registrations that may be maliciously provisioned.

To address this shortcoming, PDNS uses a policy-implementing DNS resolver that returns answers based on policy criteria. This is often called Response Policy Zone (RPZ) functionality in DNS documentation. The resolver usually checks both the domain name queries and the returned IP addresses against threat intelligence, and then prevents connections to known or suspected malicious sites. PDNS can also protect a user by redirecting the requesting application to a non-malicious site or returning a response that indicates no IP address was found for the domain queried. In addition, many enterprise DNS resolvers still do not validate DNSSEC or support DoH/DoT, but many PDNS providers add these DNS security enhancements as well. [30]

It should be noted that one inherent constraint of PDNS is that it is bypassed by any traffic using IP addresses directly without doing DNS lookups. For this reason, customers should not rely on it alone to detect and prevent malicious traffic. Some PDNS services may provide additional non-DNS related capabilities or integration with other security capabilities. Some network device equipment, such as firewalls, may have DNS protection capabilities as well. These devices and their functions or integrations with other capabilities are not covered in this guidance. [30]

8–1–1 Service setup

The setup costs for a new security service are an important decision point for many organizations. A key benefit of PDNS is that it can be set up in a simple deployment just by changing an organization’s recursive resolver to use the PDNS provider’s DNS server. More complex and more secure deployments of PDNS may involve software changes on hosts, such as lightweight DNS clients or virtualized applications that keep the protections working in a variety of environments and enable a faster response to incidents. Additionally, enterprises should take measures to limit the use of alternative DNS resolvers, e.g., by configuring firewalls to block unauthorized DNS ports or DoH servers. PDNS systems may also support multiple policies for different groups, users, and/or devices. [30]

8–1–2 Domain classification

A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following: [30]

· Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typosquats — or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.

· Malware distribution and command-and-control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.

· Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware, including some botnets, depends on the ability to communicate with command-and-control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) so that malware can circumvent static blocking, whether by domain name or by IP, by programmatically generating domain names from a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attributes and tagging those associated with known DGA attributes, such as high entropy.

· Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., “gambling”) and warn or block on those that are deemed a risk for a given environment.
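As an added illustration of the textual-attribute analysis described in the DGA item above (example code written for this article, not from the NSA guidance or any PDNS product), the following Python scores a label’s Shannon entropy, vowel ratio, digit ratio and longest consonant run over constructed sample names. The thresholds, the two-signal rule and the simplified handling of the public suffix are assumptions.

```python
import math
from collections import Counter
from typing import Dict, List

# Constructed sample names (not from any feed): the first three are
# human-chosen, the last three imitate algorithmically generated labels.
SAMPLE_DOMAINS = [
    "www.example.com",
    "mail.corp-intranet.example",
    "cdn.images.example.net",
    "xk3j9qzw7fhd2b.com",
    "qwpvjzxbtkmnrlsd.net",
    "a8f3k2p9x1m7c4v6.org",
]

VOWELS = set("aeiou")


def registrable_label(domain: str) -> str:
    """Label left of the suffix. Assumption: the second-to-last label is the
    registrable part; a real PDNS would consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (at most log2 of distinct chars)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def textual_attributes(domain: str) -> Dict[str, object]:
    """The per-label attributes a PDNS might score, computed for one name."""
    label = registrable_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    longest_run = run = 0  # longest run of consecutive consonants
    for ch in label:
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        longest_run = max(longest_run, run)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
        "longest_consonant_run": longest_run,
    }


def looks_like_dga(domain: str) -> bool:
    """Tag a name when at least two independent attributes point the same way.
    Thresholds are illustrative assumptions, not values from any product."""
    a = textual_attributes(domain)
    signals = [
        a["entropy"] >= 3.5 and a["length"] >= 12,  # high entropy on a long label
        a["vowel_ratio"] < 0.25,                     # unpronounceable letter mix
        a["digit_ratio"] >= 0.3,                     # digits sprinkled through the label
        a["longest_consonant_run"] >= 5,             # runs humans rarely type
    ]
    return sum(signals) >= 2


def flagged_domains(domains: List[str]) -> List[str]:
    """Names a PDNS would tag for DGA-like attributes, in input order."""
    return [d for d in domains if looks_like_dga(d)]
```

Legitimate content-delivery and cloud hostnames also score high on these attributes, which is why PDNS products combine them with feed data and alerting rather than blocking on entropy alone.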

8–1–3 Response to identified domain names

A PDNS service may take several actions to respond to a malicious or suspicious domain name query. Of the protective actions, PDNS may restrict communication with a domain by returning an NXDOMAIN response, which means that there is no IP address answer for the domain name query. PDNS may also prevent the connection by redirecting to a block page, possibly offering a reason for the block to the user. It may also “sinkhole” the domain and provide a custom response. These responses delay or prevent further malicious actions — such as cryptolocking by ransomware or the use of command-and-control protocols — enabling an organization to conduct an investigation into a domain’s provenance or initiate follow-on infection hunting. [30]
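The three protective responses above, as an added example that is not part of the original article or the NSA guidance: a minimal RPZ-style policy resolver in Python that returns NXDOMAIN, a block page, or a sinkhole address, and that also checks the upstream answer against an address policy. The policy entries, the upstream answers and the TEST-NET addresses used for the block page and sinkhole are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed policy data: every name and address below is a placeholder
# (documentation/TEST-NET ranges), not an indicator from any real feed.
BLOCK_PAGE_IP = "192.0.2.10"   # web server that explains the block to the user
SINKHOLE_IP = "192.0.2.20"     # internal host that accepts and logs the connection

# RPZ-style name policy. An entry covers the name and all of its subdomains;
# the most specific entry wins, so a passthru can carve out an exception.
DOMAIN_POLICY = {
    "phish-login.example": ("nxdomain", None),
    "c2-beacon.example": ("sinkhole", SINKHOLE_IP),
    "allowed.c2-beacon.example": ("passthru", None),
    "gambling-site.example": ("blockpage", BLOCK_PAGE_IP),
}

# Answer policy: an upstream answer inside these networks is refused even when
# the queried name itself is not listed.
BAD_NETWORKS = [ip_network("203.0.113.0/24")]

# Stand-in for the upstream recursive resolver's answers.
UPSTREAM = {
    "www.example.com": "198.51.100.5",
    "fresh-domain.example": "203.0.113.77",   # unlisted name on known-bad hosting
    "c2-beacon.example": "198.51.100.66",
    "allowed.c2-beacon.example": "198.51.100.67",
}


@dataclass
class Response:
    rcode: str                  # "NOERROR" or "NXDOMAIN"
    address: Optional[str]      # answer handed to the client, if any
    policy_hit: Optional[str]   # policy entry that fired, for alerting/logging


def _policy_entry(qname: str) -> Tuple[Optional[str], Optional[tuple]]:
    """Most specific policy entry covering qname, walking from the full name up."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_POLICY:
            return candidate, DOMAIN_POLICY[candidate]
    return None, None


def _forward(qname: str, policy_hit: Optional[str], check_answer: bool) -> Response:
    """Resolve upstream and, unless exempted, apply the answer policy."""
    address = UPSTREAM.get(qname.lower().rstrip("."))
    if address is None:
        return Response("NXDOMAIN", None, policy_hit)
    if check_answer:
        for net in BAD_NETWORKS:
            if ip_address(address) in net:
                return Response("NXDOMAIN", None, f"ip:{net}")
    return Response("NOERROR", address, policy_hit)


def resolve(qname: str) -> Response:
    """Answer a client query the way a policy-implementing resolver would."""
    entry, policy = _policy_entry(qname)
    if policy is None:
        return _forward(qname, None, check_answer=True)
    action, target = policy
    if action == "nxdomain":
        return Response("NXDOMAIN", None, entry)
    if action in ("blockpage", "sinkhole"):
        return Response("NOERROR", target, entry)
    # passthru: exempt from every policy, name and answer alike
    return _forward(qname, entry, check_answer=False)
```

A client that connects to 203.0.113.77 by address never calls resolve() at all, which is the bypass the constraint paragraph above warns about.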

8–1–4 Interactions with the PDNS platform

Typical administrative interactions with PDNS systems are through a web interface, an application programming interface (API), or a Security Information and Event Management (SIEM) integration. Cybersecurity leaders and administrators will need to consider the increased workload of responding to PDNS alerts and integrating evolving network knowledge into their PDNS deployment plans. Additionally, PDNS providers should collect and store the logs of DNS queries or provide them to the organization for it to keep. In either scenario, historical DNS logs can prove useful for retroactively searching for indications of earlier intrusions using indicators that only become known later on. [30]
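An added example (not from the original article) of the retroactive search described above: a Python hunt over a constructed historical DNS query log for indicators that only became known later. The log format is an assumed key=value export; the clients, names and addresses are placeholders.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Constructed historical query log in an assumed key=value export format;
# clients, names and addresses are placeholders, not real indicators.
DNS_LOG = """\
2021-09-14T08:12:03Z client=10.0.0.15 qname=www.example.com qtype=A rcode=NOERROR answer=198.51.100.5
2021-09-14T08:13:41Z client=10.0.0.15 qname=cdn.updates-mirror.example qtype=A rcode=NOERROR answer=203.0.113.77
2021-09-14T09:02:17Z client=10.0.0.23 qname=example.com qtype=MX rcode=NOERROR answer=mx1.example.com
2021-09-15T22:40:05Z client=10.0.0.23 qname=api.updates-mirror.example qtype=A rcode=NOERROR answer=203.0.113.78
2021-09-16T03:15:59Z client=10.0.0.15 qname=ns1.beacon-host.example qtype=A rcode=NXDOMAIN answer=-
2021-09-16T03:16:02Z client=10.0.0.40 qname=intranet.example.com qtype=A rcode=NOERROR answer=10.0.0.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+) answer=(?P<answer>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse the export into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def _name_matches(qname: str, indicator_domains: set) -> bool:
    """True when qname is an indicator domain or lies under one."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicator_domains for i in range(len(labels)))


def _answer_matches(answer: str, indicator_networks: list) -> bool:
    """True when the returned address falls in an indicator network."""
    try:
        addr = ip_address(answer)
    except ValueError:
        return False  # "-" for NXDOMAIN, or a name answer such as an MX target
    return any(addr in net for net in indicator_networks)


def retro_hunt(records: List[dict], indicator_domains: Iterable[str],
               indicator_networks: Iterable[str]) -> Dict[str, Tuple[datetime, List[str]]]:
    """Map each client that touched a later-known indicator to its first sighting
    and every matched value. An NXDOMAIN lookup still counts: the attempt itself
    shows the client held the indicator."""
    domains = {d.lower() for d in indicator_domains}
    nets = [ip_network(n) for n in indicator_networks]
    hits: Dict[str, Tuple[datetime, List[str]]] = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        matched = []
        if _name_matches(rec["qname"], domains):
            matched.append(rec["qname"])
        if _answer_matches(rec["answer"], nets):
            matched.append(rec["answer"])
        if not matched:
            continue
        first_seen, values = hits.get(rec["client"], (rec["ts"], []))
        hits[rec["client"]] = (first_seen, values + matched)
    return hits
```

The first-seen timestamp per client is what bounds the investigation window for follow-on infection hunting, so it is worth keeping these logs well past the retention period most SIEMs default to.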

8–2 Cybersecurity best practices and PDNS

The following best practices address only the use of DNS resolver services. They do not address the management of an organization’s own authoritative DNS zone(s) and related attributes — including availability, reliability, security, and performance. [30]

8–2–1 Use a PDNS provider

Select and use a PDNS system as part of a layered defense-in-depth strategy. See below for some options for enterprise PDNS services. Other reputable PDNS services that are available and free for public use may be appropriate for personal use cases, but enterprise PDNS services that provide malicious activity alerts, enterprise dashboard views, historical logging and analysis, and other enterprise-focused features are recommended for enterprise networks. Additionally, due to DNS being foundational to most online activity, ensure that PDNS is provided as a high availability service.

Because an organization’s PDNS provider can view their DNS queries, selecting a provider has privacy and security impacts. Obtain an understanding of how the service provider may use the organization’s generated PDNS data — especially whether the provider will use the data for any non-security purposes. [30]

8–2–2 Block unauthorized DNS queries

Unless required for operations, take measures to harden internal DNS resolution to prevent bypass. These measures should include blocking outbound port 53 (DNS) and port 853 (DoT) to thwart malware’s potential use of DNS services, circumventing PDNS. In addition, block traffic to unauthorized DoH servers. Also, configure client applications — especially web browsers — with enterprise policies that configure DoH solely for designated resolvers, or disable DoH entirely. [30]

8–2–3 Account for hybrid enterprise architectures

Classes of users may require different PDNS policies depending on their environments, and the prevalence of mobile and home network use can create additional challenges for PDNS implementations. A single PDNS policy will often not fit the entire enterprise. Ensure that the chosen PDNS solution is flexible enough to adapt to your architectural and mission requirements. Deployment flexibility is typically achieved through the provider’s implementation of a lightweight or “roaming” DNS client. [30]

9- Ransomware Defense №8: Sandbox

Turn the unknown into the known for prevention:

A sandbox is designed to detect and analyze advanced attacks that are built to bypass traditional security defenses, such as zero-day attacks. It is an environment created to deceive malware into believing it is talking to external servers even though it is only communicating with a group of fake sandbox IP addresses. All content is scrupulously scanned, including files in network file share locations, files submitted on demand, and attached URLs. Since testing of these attachments and URLs is done in an environment completely separate from the real network, no harm is done to the real network and only clean data is transferred from the sandbox onto the actual network.

Sandboxing technology protects our network against advanced email threats (email phishing, the leading source of malware infiltration), Windows threats, Office threats, zip threats, PDF threats, mobile threats and more. It inspects across all operating environments: code emulation examines and runs instruction sets to assess intended activity independently of the operating environment, for broader security coverage.

10- Ransomware Defense №9: Data Backup

Once ransomware takes hold of your systems, the best course of action is to delete everything and reload from scratch. Attackers know this and will corrupt backup systems as part of the ransomware attack. This means you not only need to have complete and up-to-date backups, but you also need to protect them. Let’s look at how. [2]

10–1 Use the 3–2–1 Backup Method

Any veteran system administrator knows the 3–2–1 backup strategy, which means having three copies of your data, two of them on different media and one offsite. Basically, you assume breach on your backups and have a backup of your backup.

Figure: The 1–2–3 rule helps you get the most out of a backup solution (source: CISCO)

Remember, you need to back up everything, not just the data. This means also backing up system images, application software, and configurations. This way you can rebuild servers and workstations, preferably using automation for speed and ease. [2]

10–2 Test Your Complete Restore Process

The director of IT at one of my early tech jobs used to say that a backup wasn’t complete until you did a test restore. Restore testing should include tests for completeness and speed. It’s one thing to perform a test restore for a few files but another thing to restore hundreds of terabytes. In many cases, a complete restore process can take days to complete. Also, if you are backing up online, such as saving data to the cloud, check your bandwidth speed requirements and costs. Some cloud providers charge much more in transfer fees to download data from their cloud than to upload to it. [2]

10–3 Use Immutable Backups

A useful thought experiment is to assume that ransomware attackers have access to your administrative credentials as well as your backup server. Can they delete or alter your files? Look into “immutable backups”, which can’t be altered or deleted. The manual version of this is “air-gapped” tapes, which you take offline and lock in a cabinet. But virtual air gaps exist as well. Most major cloud providers now offer immutable storage options, such as placing a software lock on a file when it’s created. The lock can remain in place for a few weeks or months to ensure stored files cannot be altered. These locks can both protect against ransomware and meet compliance and legal requirements. [2]

11- INTERNET OF THINGS SECURITY

The IoT has almost infinite capacity to enrich our lives and add value. In an IoT infrastructure, physical devices gain the ability to organize and manage themselves, which makes them smart devices, and these smart devices are becoming a vital part of human life, from the home to large industrial and institutional sectors.

· The economic impact of the Internet of Things will be measured in $trillions.

· The number of connected devices will be measured in billions.

· The resultant benefits of a connected society are significant, disruptive, and transforming. [31]

At the recent Def Con hacking conference in Las Vegas, two researchers from cybersecurity firm Pen Test Partners showed that they could infect your smart thermostat with ransomware from hundreds of miles away, and force you to fork over cash (usually bitcoins) before you could regain control of the appliance. [32]

Many IoT devices require the collection, analysis, and transmission of potentially sensitive data. It is essential that this data is adequately protected at all times, by offering appropriate protection for every potential attack surface (e.g. device, network, server, cloud, etc.).

11–1 Consumer IoT Security Guidance

To better understand and comply with new international standards, regulations, and national guidance on consumer IoT security, organizations should apply the three Consumer IoT Security Quick Guides from iotsecurityfoundation.org:

· NO UNIVERSAL DEFAULT PASSWORDS: [34]

Standard ETSI EN 303 645 requires that products do not use “universal default passwords”, because default passwords that are easily guessable or derivable weaken security. If a universal default password is used (i.e. one password used across multiple devices), then once one device is compromised, all devices using the same default password can be compromised. Poor password practices have the potential to put users’ and businesses’ personal data, devices, and networks at risk.

· Keeping Software Updated: [35]

Since IoT devices contain their own OS (operating system) and applications, implementing security patches both at the OS/firmware and application levels is extremely important.

Software security updates are important because every IoT product is susceptible to vulnerabilities and will need to adapt to new security threats, vulnerabilities, or best practices. If security updates are not provided, the security of the product will diminish over time. The ability to update software is the major mechanism to resolve vulnerabilities or fix bugs in the product.

· Manage Vulnerability Reports: [36]

87% of consumer IoT companies do not have a vulnerability disclosure policy. However, new standards and regulations require IoT manufacturers, and some importers, to publish a vulnerability disclosure policy, to act on disclosures in a timely manner and promote coordinated vulnerability disclosure. Standard ETSI EN 303 645 promotes management of vulnerabilities and requires publication of a vulnerability disclosure policy.

11–2 The issue of trust in IoT devices and systems

Data may need to be protected from tampering and modification in transit. The threat may be a malicious attacker, or simply poorly configured devices mishandling data. Appropriate security considerations may include: [37]

· Integrity of software is verified (e.g. secure boot)

o This helps to ensure that only known software is allowed to run on the device.

· The device or system uses a hardware-rooted trust chain

o This allows the user to protect against sophisticated low-level software attacks and ensure that all software allowed to run on the device is appropriately authorized.

· Authentication and integrity protection are applied to data

o Such protections allow users to be confident that received data is correct and from the claimed source.

· Compromised or malfunctioning devices can be identified and revoked

o Erroneous data from such devices may affect other functionality of the system. Providing a way to identify these devices and then block, filter, and revoke them in a secure fashion provides mitigation in this scenario.

· Data is isolated from other systems or services where applicable

o IoT networks may handle many different types of data. To minimize the risk of data leakage, it should be clear which systems and services have access to which types of data.

· System testing and calibration ensures data is handled correctly

o Ensuring that the system handles data as designed is crucial in providing security assurance.

· Device metadata is trusted and verifiable

o Trusted metadata will allow users and devices to have confidence that the device is functioning as intended and help to identify malfunctioning or compromised devices.

11–3 IoT Security Best practice

The following are the best-practice mitigation strategies against ransomware attacks on IoT devices:

· Implement security patches at both the OS/firmware and application levels.

· Use a strong, unique password on each IoT device (do not use universal default passwords).

· Use MFA when possible.

· Restrict administrative privileges (least privilege).

· Restrict access to, or control of, the IoT device.

· Conduct a mini risk assessment.

· Read the privacy statement.

· Introduce the IoT device and have a recovery plan.

· Encrypt your connection when you have to go online.

· Secure the Internet connection.

12- Conclusion

Ransomware doesn’t require an executable file to run. Infected software or a phishing email simply needs to be opened, and the ransomware can directly access the computer’s memory. What’s important is that we remain vigilant and do not download malicious software or open phishing emails.

The most effective strategy for stopping a ransomware attack relies on preventing the attack from ever entering your organization. With the nine ransomware defenses described in this article in place, together with the best practices covered, we can guarantee security in depth against all known and unknown ransomware attacks.

REFERENCES

[1] Ransomware top 5 vulnerabilities

Available: https://techmonitor.ai/techonology/cybersecurity/ransomware-top-5-vulnerabilities

[Accessed 15 September, 2021]

[2] Cybersecurity controls to stop ransomware

Available: https://www.f5.com/labs/articles/cisotociso/cybersecurity-controls-to-stop-ransomware

[Accessed 15 September, 2021]

[3] SS7 hack: dark web tap phone texts cyber crime

Available: https://www.theverge.com/2017/6/13/15794292/ss7-hack-dark-web-tap-phone-texts-cyber-crime

[Accessed 15 September, 2021]

[4] New tool automates phishing attacks that bypass 2FA

Available: https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/

[Accessed 15 September, 2021]

[5] FIDO based

Available: https://fidoalliance.org/what-is-fido/

[Accessed 15 September, 2021]

[6] Security keys

Available: https://guide.duo.com/security-keys/

[Accessed 15 September, 2021]

[7] Segment Networks and Deploy Application Aware Defenses — Copy

Available: https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf

[Accessed 15 September, 2021]

[8] McAfee “XDR Is Your Organization Ready Webinar FR” (Etes-vous prêts pour le XDR ?)

Available: https://www.mcafee.com/enterprise/en-us/about/events/webinars/xdr-is-your-organization-ready.html

[Accessed 15 September, 2021]

[9] SIEM Tools

Available: https://www.softwaretestinghelp.com/siem-tools/

[Accessed 15 September, 2021]

[10] HARDENING SIEM SOLUTIONS

Available: https://media.defense.gov/2019/Oct/30/2002203425/-1/-1/0/HARDENING%20SIEM%20SOLUTIONS_20191008-NSAGOV.PDF

[Accessed 15 September, 2021]

[11] Ransomware Top 5 Vulnerabilities

Available: https://techmonitor.ai/techonology/cybersecurity/ransomware-top-5-vulnerabilities

[Accessed 15 September, 2021]

[12] CISAS top vulnerabilities in 2020 and 2021

Available: https://www.business2community.com/cybersecurity/cisas-top-vulnerabilities-in-2020-and-2021-02423721

[Accessed 15 September, 2021]

[13] Ransomware makes use of common vulnerabilities

Available: https://blog.reasonsecurity.com/2021/01/03/ransomware-makes-use-of-common-vulnerabilities/

[Accessed 15 September, 2021]

[14] New Usecase: Detecting suspicious activities in vulnerable systems to ransomware attacks

Available: https://community.mcafee.com/t5/Security-Information-and-Event/New-Usecase-Detecting-suspicious-activities-in-vulnerable/m-p/683956#M10627

[Accessed 15 September, 2021]

[15] This Notpetya ransomware vaccination will stop latest ransomware in its tracks

Available: https://fr.joecomp.com/this-notpetya-ransomware-vaccination-will-stop-latest-ransomware-in-its-tracks

[Accessed 15 September, 2021]

[16] Ransomware Encrypted Files

Available: https://www.file-extensions.org/filetype/extension/name/ransomware-encrypted-files

[Accessed 15 September, 2021]

[17] Deploying a whitelist Software Restriction Policy to prevent Cryptolocker and more

Available: https://community.spiceworks.com/how_to/57422-deploying-a-whitelist-software-restriction-policy-to-prevent-cryptolocker-and-more

[Accessed 15 September, 2021]

[18] CIS Microsoft Windows Server 2019 STIG Benchmark v1.0.1

Available: https://learn.cisecurity.org/l/799323/2021-05-18/47t32

[Accessed 15 September, 2021]

[19] Use Attack surface reduction rules to prevent malware infection | Microsoft Docs

Available: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard

[Accessed 15 September, 2021]

[20] Customize Attack Surface Reduction

Available: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction?view=o365-worldwide

[Accessed 15 September, 2021]

[21] Attack Surface Reduction Rules

Available: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules?view=o365-worldwide

[Accessed 15 September, 2021]

[22] Enable Cloud Protection Microsoft Defender Antivirus

Available: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus

[Accessed 15 September, 2021]

[23] Oem Secure Boot

Available: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot

[Accessed 15 September, 2021]

[24] Application Whitelisting using Microsoft Applocker

Available: https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

[Accessed 15 September, 2021]

[25] Cisecurity.org

Available: https://downloads.cisecurity.org/#/

[Accessed 15 September, 2021]

[26] Top 3 Attack Vectors Ransomware Loves to Exploit

Available: https://www.digitaldefense.com/blog/top-3-attack-vectors-ransomware-loves-to-exploit/

[Accessed 15 September, 2021]

[27] How to Install and Configure File Server Resource Manager (FSRM)

Available: https://nedimmehic.org/2017/04/10/how-to-install-and-configure-file-server-resource-manager-fsrm-part1/

[Accessed 15 September, 2021]

[28] August 2019 Web Server Survey

Available: https://news.netcraft.com/archives/2019/08/15/august-2019-web-server-survey.html

[Accessed 15 September, 2021]

[29] 40 Linux Server Hardening Security Tips [2021 edition]

Available: https://www.cyberciti.biz/tips/linux-security.html

[Accessed 15 September, 2021]

[30] CSI Selecting Protective DNS

Available: https://media.defense.gov/2021/Mar/03/2002593055/-1/-1/0/CSI_Selecting-Protective-DNS_UOO11765221.PDF

[Accessed 15 September, 2021]

[31] Welcome to the IoT Security Foundation -THE HOME OF IOT SECURITY

Available: https://www.iotsecurityfoundation.org/

[Accessed 15 September, 2021]

[32] The IoT ransomware threat is more serious than you think

Available: https://www.iotsecurityfoundation.org/the-iot-ransomware-threat-is-more-serious-than-you-think/

[Accessed 15 September, 2021]

[33] Defcon.org

Available: https://www.defcon.org/

[Accessed 15 September, 2021]

[34] Consumer IoT Security Quick Guide: NO UNIVERSAL DEFAULT PASSWORDS

Available: https://www.iotsecurityfoundation.org/wp-content/uploads/2020/08/IoTSF-Passwords-QG_FINAL.pdf

[Accessed 15 September, 2021]

[35] Consumer IoT Security Quick Guide: SOFTWARE UPDATES

Available: https://www.iotsecurityfoundation.org/wp-content/uploads/2020/08/IoTSF-Updates-QG_FINAL.pdf

[Accessed 15 September, 2021]

[36] Consumer IoT Security Quick Guide: MANAGE VULNERABILITY REPORTS

Available: https://www.iotsecurityfoundation.org/wp-content/uploads/2020/08/IoTSF-Vulnerability-QG_FINAL.pdf

[Accessed 15 September, 2021]

[37] IoT Security Foundation — Establishing Principles for Internet of Things Security

Available: https://www.iotsecurityfoundation.org/wp-content/uploads/2015/09/IoTSF-Establishing-Principles-for-IoT-Security-Download.pdf

[Accessed 15 September, 2021]

[38] List of Ransomware file extensions

Available: https://www.file-extensions.org/filetype/extension/name/ransomware-encrypted-files

[Accessed 15 September, 2021]
