Hack Thyself - Pre-emptive Strikes in Cyber Security
Jonathan Freedman
CCISO | CISSP | CCSP | CISM | CGEIT | CEH | CIPP/E | CIPM | ISO27001 Provisional Implementer | ISO42001 Provisional Implementer | Azure AI Engineer Associate | Head of Technology & Security at Howard Kennedy
Welcome back to my weekly cyber security blog, and I hope you all had a wonderful week. We live in the information age: data drives modern business, and never in our history have we created, stored, and needed to manage so much of it. Up until the last decade, small and medium businesses kept their data on-premises in dedicated server rooms, or sometimes on a server under someone’s desk (I remember in one organisation seeing their server on a table surrounded by clutter and old papers in the basement). Data tended to grow organically, with shared network drives full of files and folders created by different people with different permissions (or no permissions). People knew where their files were, and that was the main thing. As organisations migrate their on-premises data to cloud environments, they tend to keep data and processes largely the same, to avoid disruption and for ease. This is an often-overlooked area: threat actors are aware of cloud environments and the weaknesses of default configurations, and they are constantly enhancing their tactics to take advantage of them. Modern threat actors are financially driven businesses. Threat groups buy services and outsource parts of their operations for efficiency. When a cyber incident occurs, we tend to think about it as a single event by a single person. However, a cyber-attack is a chain of events, from initial compromise through to exploitation, with different stages carried out by different groups (or outsourced vendors). My friends, let’s imagine this from an attacker’s mindset, beginning with the deceptive simplicity of Business Email Compromise (BEC) before moving on to Ransomware-as-a-Service (RaaS) and how it can impact our cloud environments.
Hello Me
Statistics show that email remains the initial entry point in over 90% of cyber-attacks. Attackers will often start compromising our systems by gaining access to a mailbox. It gives them any confidential information it contains, a way to communicate from a trusted source, and a foothold from which to move around. Threat actors may use login credentials stolen previously and purchased from the dark web (especially if a victim has re-used a password), or password attacks such as brute force or dictionary attacks. Or they may begin by sending a phishing email (a link to a malicious login page, a password reset, HR information, a LinkedIn message, etc.) to trick the owner into revealing their credentials. If the owner does not have multifactor authentication enabled, then only their password is needed. Once inside, the threat actor has access to every confidential email; maybe the owner has internal passwords or security keys in their sent items or in their notes. They can request a password reset for any account linked to that email, and they can impersonate the victim, communicating with their colleagues and contacts and sending them malicious emails (now from a trusted contact’s real mailbox) to extract more confidential information. If the victim is senior, the attacker might be able to request financial transfers or send fake invoices.
No programming experience required
Once the attacker has breached the victim’s mailbox or gained access to their device (let’s assume for now it’s an Office 365 mailbox), they also have access to the victim’s OneDrive account and SharePoint sites. Now we move on to the next stage of the attack: deploying ransomware to encrypt and/or steal their files.
Taking a step back for a moment, the process of phishing a victim, compromising their system, distributing ransomware, and getting paid takes a variety of skills. Welcome to the world of the ransomware affiliate: a threat actor who attacks victims by buying access to advanced attack platforms. This is now a fully-fledged, multimillion-dollar, professionally run business.
Let’s look at some of the key players. Ransomware developers create ransomware cloud services (ransomware-as-a-service, or RaaS) which handle the encryption, file exfiltration, communication, and payment, and sell access to other cyber criminals: the ransomware affiliates, who use the RaaS platforms to carry out attacks. Affiliates pay for platform access per month, which comes with full technical support and a variety of services, or pay with a percentage of the ransoms they generate. Meanwhile, other specialist threat actors, known as Initial Access Brokers (IABs), are dedicated to compromising accounts in bulk and then selling those compromised accounts to the same affiliates. Finally, the affiliates employ specialist money launderers to launder their ransom funds; this can also be provided by the RaaS service for an additional fee.
My data is safe in the cloud, right?
With most organisations now storing data in the cloud using systems like OneDrive, Dropbox, and SharePoint, there is a reduced focus on backup, and some companies no longer run dedicated backups at all, relying instead on the cloud provider. However, specialist ransomware designed to exploit and attack these platforms is now common. If files are synced locally, encrypting them causes the encrypted copies to be synced up to the cloud store. Some malware deletes the original files in the cloud store before uploading the new encrypted files (to remove the option of recovering previous versions). Attacking data stored in cloud platforms is now a standard part of the attack chain, and we as defenders must consider how we will recover when our cloud platforms are compromised.
Easy for us means easy for them
As the number of cloud-based systems increases, more people use tools like Single Sign-On (SSO) to avoid having separate passwords for every account and to get immediate login to all systems. These tools are best practice and do make things easy for us. But consider them from the attacker’s perspective: if they compromise a device or account, they can use our SSO to gain access to everything, without needing to break into each system individually. If IT staff accounts are compromised, this can include SSO access to administrative consoles.
Making our systems more resilient against attackers is vital to our protection. To make it easy (and fun) to remember the six key controls, think COMICS.
Credential Control – The easiest way for a threat actor to compromise our systems is by stealing valid credentials. This means not only having complex passwords and access keys but also storing and using them securely.
Outside help – Being an attacker (and thinking like one) is a specific, valuable skill. A regular penetration test or vulnerability assessment is not enough. To understand, we need to run dedicated red team exercises, engaging specialist consultants who will break into our systems, move laterally, and simulate the harm a real attacker could do.
Multifactor authentication – Access to all platforms, and especially to administrative consoles, must be protected by multifactor authentication. No admin console or system containing confidential data should be accessible by SSO alone.
Immutable backup – In cloud environments, backups are often overlooked, with many businesses assuming that the vendor takes care of this. Whilst this may sometimes be true, it is not always the case. For example, in Microsoft 365, data is replicated within the cloud but not backed up. We must implement dedicated data backups. This could mean a backup platform directly with the vendor, such as Azure Backup, or a third-party solution like Barracuda, Rubrik or Veeam. Our backups must also be immutable, meaning that they cannot be destroyed by ransomware.
Constant monitoring – We can’t prevent all cyber-attacks (though we should still try). What we can focus on is quickly identifying an attack. New trends in ransomware, such as only partially encrypting files (or stealing files rather than encrypting them at all), using native cloud tools, or using stolen credentials, mean that we need to identify unusual behaviour. Public cloud platforms such as Azure, AWS, and GCP include detailed logging capability; however, this is not always turned on, or included in base licences. Having this log information, along with dedicated monitoring services, is a vital defence for identifying and stopping attackers.
Secure device – It is convenient to access data from any device. However, we must carefully consider which devices we allow to connect and ensure they are secured. Each device (especially a personal device) synchronising business data increases the risk of a compromised device being used to breach the data.
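The Constant monitoring control above asks us to spot unusual behaviour, and the earlier section on cloud storage describes what that behaviour looks like from the file store's side: a sync client pushing up a flood of modified (encrypted) files, with originals deleted or renamed. The following Python script is an added example that is not part of the original post; it runs two simple detection rules over constructed audit-log lines. The line format (user, ISO timestamp, operation, path), the user names, paths, and the thresholds are all assumptions made for the demonstration and do not correspond to any real vendor's audit schema or tuned values.

```python
"""Burst and extension-append detection over cloud file-store audit events.

Added example: the line format used here (user,ISO timestamp,operation,path)
is constructed for the demonstration; it is not the schema of any real vendor's
audit log, and the thresholds are illustrative, not tuned values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations a sync client produces when files are encrypted in place (the encrypted
# content is uploaded as a modification) or replaced (original deleted or renamed
# with an extra extension, then re-uploaded).
DESTRUCTIVE_OPS = {"FileModified", "FileDeleted", "FileRenamed"}


def parse_event(line):
    """Parse one constructed audit line: user,timestamp,operation,path.
    For FileRenamed the path field is 'old -> new'."""
    user, ts, op, path = line.strip().split(",", 3)
    return {"user": user, "ts": datetime.fromisoformat(ts), "op": op, "path": path}


def detect_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Return {user: time the alert fired} for every user who performs at least
    `threshold` destructive operations inside any sliding `window`."""
    alerts = {}
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] not in DESTRUCTIVE_OPS:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerts:
            alerts[ev["user"]] = ev["ts"]
    return alerts


def detect_extension_appends(events, min_count=5):
    """Return {user: appended_extension} for users who rename at least `min_count`
    files by keeping the original name and appending one new extension
    (report.docx -> report.docx.locked), the pattern many encryptors leave behind."""
    suffixes = defaultdict(list)
    for ev in events:
        if ev["op"] != "FileRenamed" or " -> " not in ev["path"]:
            continue
        old, new = ev["path"].split(" -> ", 1)
        # new name is the old name plus exactly one extra extension
        if new.startswith(old + ".") and "." not in new[len(old) + 1:]:
            suffixes[ev["user"]].append(new[len(old):])
    alerts = {}
    for user, exts in suffixes.items():
        if len(exts) >= min_count and len(set(exts)) == 1:
            alerts[user] = exts[0]
    return alerts


def build_sample_log():
    """Constructed audit lines: normal editing by alice, a burst plus mass rename by bob."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # alice: six edits spread across an hour, well under the burst threshold
    for i in range(6):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"alice,{t.isoformat()},FileModified,/Finance/budget_{i}.xlsx")
    # bob: 25 modifications within two minutes, then 8 renames appending .locked
    for i in range(25):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"bob,{t.isoformat()},FileModified,/Shared/doc_{i}.docx")
    for i in range(8):
        t = base + timedelta(minutes=2, seconds=i)
        lines.append(f"bob,{t.isoformat()},FileRenamed,/Shared/doc_{i}.docx -> /Shared/doc_{i}.docx.locked")
    return lines


def run_detection(lines):
    """Apply both rules to raw audit lines; returns (burst_alerts, rename_alerts)."""
    events = [parse_event(line) for line in lines]
    return detect_bursts(events), detect_extension_appends(events)


if __name__ == "__main__":
    bursts, appends = run_detection(build_sample_log())
    for user, when in bursts.items():
        print(f"ALERT burst: {user} exceeded the modification threshold at {when}")
    for user, ext in appends.items():
        print(f"ALERT rename: {user} appended '{ext}' to many files")
```

Run as-is it flags only bob, at the 20th modification (95 seconds into the burst) and again for the single ".locked" suffix applied to every rename, while alice's ordinary editing stays silent. The two rules are deliberately independent: partial-encryption strains that modify files in place trigger the burst rule without any rename, and a slow-running encryptor that stays under the burst threshold still trips the extension rule.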
Increased use of cloud platforms allows all of us to store, transfer, and access data from more places and on more devices than ever before. Threat actors (who are basically malicious hacking businesses) evolve even faster than legitimate businesses to take advantage of this. Traditional defensive measures like strong passwords and user awareness training remain vital lines of defence. However, as systems become more complex and cross multiple clouds, taking on an attacker mindset becomes the only way we can stay safe. After all, what is the worst that could happen?
I believe in our cyber security community and that by sharing and helping each other we can all be safer. So, everything above is just my opinion; what’s yours? Please share in the comments below and stay safe.