Remediation from a Ransomware Attack; deploying Zero Trust from the top down

I was requested to provide guidance regarding a customer network that had recently experienced a Ransomware attack, specifically targeting BOTH Windows Server and VMware Virtual Infrastructure. It is important to note that this incident does not directly involve our organization, but rather pertains to a customer of a former associate from my past professional engagements.

Considering the gravity of the situation, I would like to share a set of general recommendations derived from both public and private agencies. However, I must emphasize that these suggestions should be interpreted as general guidelines, and specific circumstances may require tailored solutions. It is also crucial to consult with an attorney that specializes in cybersecurity and adhere to any legal and regulatory obligations in your jurisdiction.

Before proceeding, please take into account the following disclaimers:

1.     The recommendations provided are intended to serve as a starting point for your organization's response to a Ransomware attack. Each situation may differ, and a comprehensive assessment is essential to develop an appropriate strategy.

2.     The suggestions outlined here do not guarantee complete protection against future attacks, as the threat landscape continues to evolve rapidly. Continuous vigilance, regular assessments, and updates to security measures are imperative.

3.     While these recommendations aim to assist in mitigating risks and strengthening security posture, their implementation may vary based on the specific network infrastructure, organizational needs, and available resources. Professional advice should be sought to tailor the approach to your unique circumstances.

When addressing security concerns, it is important to recognize that achieving a state of Zero Trust cannot be solely accomplished by implementing a single product or solution. Rather, it requires a holistic approach and a dedicated team with the right expertise. Zero Trust demands a fundamental shift in thinking across various aspects, including network architecture, user identity and access management, data storage and backup mechanisms, and, most importantly, the response to potential breaches. It encompasses all areas of an organization's operations.

Core Recommendation: Adopt the principal of least privilege, also known as “Zero Trust Architecture”

In 2021, the National Institute of Standards and Technology (NIST) finalized a zero-trust architecture, which serves as a recommended starting point for enterprises venturing into this domain. This architectural approach emphasizes the importance of deploying four distinct types of security tools within each security domain, encompassing infrastructure, applications, data, and devices. The fundamental principle underlying this framework is the establishment of security boundaries, ensuring that every entity maintains its individual "perimeter of 1" between itself and the desired resource. Additionally, it is crucial to consistently verify the identity and authorization for each action, such as authentication and authorization when requesting or modifying a resource. Moreover, the environment continuously evaluates behavioral patterns to identify potential threats and can remove permissions when deemed necessary.

Key Components of Zero Trust: 

• Policy Engine: Think of it as a rulebook that defines and stores access policies, identity providers, and entitlements for provisioning. It helps determine who can access what. 

• Identity Management for User Accounts: This involves managing user accounts and ensuring their identities through measures like Multi-Factor Authentication (MFA), adding an extra layer of security to user logins. 

• Identity Management for Devices: This component focuses on enforcing policies and confirming the identity of devices. It ensures that only trusted devices can access resources. 

• Contextually Aware Permissions: Access is determined based on the security posture of the user, device, and context. In other words, the system evaluates various factors before granting access to resources. 

• Zero Attack Surface: Devices that provide access are tightly secured or hidden from end users, minimizing the risk of external threats. 

• Real-Time Access Control: This component constantly monitors network traffic, reacts swiftly to potential vulnerabilities, and can revoke access if necessary to maintain a secure environment

Zero Trust principles can be extended beyond the network itself and applied to various aspects of data handling, user account management, and determining end-user training requirements. Here's a breakdown:

1.     Data Handling: Zero Trust emphasizes a comprehensive approach to data security. It encourages organizations to implement measures such as data encryption, data loss prevention (DLP) systems, and data classification to protect sensitive information. By applying the principles of Zero Trust, data can be safeguarded through continuous monitoring, strict access controls, and authentication mechanisms to prevent unauthorized access or data breaches.

2.     User Account Creation and Maintenance: Zero Trust principles also apply to user account management. When creating user accounts, organizations should follow a least privilege approach, granting users only the permissions necessary for their roles. Additionally, strong authentication methods, including multi-factor authentication (MFA), should be enforced to verify the identity of users. Regular audits and reviews of user accounts can help identify and remove any unnecessary privileges, reducing the attack surface.

3.     End User Training Requirements: Zero Trust extends to end-user training by emphasizing the importance of cybersecurity awareness and best practices. Users should receive training on topics such as phishing attacks, secure password practices, social engineering awareness, and the risks associated with sharing sensitive information. By integrating Zero Trust principles into training programs, organizations can educate users about their role in maintaining a secure environment and help mitigate potential security risks caused by user behavior.

Recommendations for the <CUSTOMER> computer network:

1.      Implement a Next Generation Firewall (NGFW) at the perimeter of the network. This helps protect against external threats and provides advanced security features.

2.      Deploy either a Next Generation Firewall or a Zero Trust Network Access (ZTNA) Gateway in the middle of the network. This adds an additional layer of security and helps control access to internal resources.

3.      Restrict inbound traffic to only allow encrypted communication or explicitly authorized protocols and services. This helps prevent unauthorized access and enhances data privacy.

4.      Minimize the attack surface by implementing robust security measures on the external/ISP connection. Remove all outside attack vectors, including VPN and inbound services.

5.      Segment internal networks to separate different types of workstations, such as <CUSTOMER> and OT onto separate networks. This improves security and prevents lateral movement in case of a breach.

6.      Segment resource networks, such as security, operational technology, and access control, to ensure proper isolation and prevent unauthorized access or interference.

7.      Separate the server VLAN to create a dedicated network for servers and service-based appliances. This enhances security, performance, and management of server resources.

8.      Create a secure network specifically for VMware infrastructure, isolating all consoles and management interfaces. This helps protect critical virtualization infrastructure and minimizes potential attack vectors.

9.      Configure all network connections to allow only the necessary access required for individuals to perform their job functions. Deny all other unnecessary connections to minimize potential vulnerabilities.

Recommendations for Microsoft 365 (formally known as Office 365)

1.      Implement Role-Based Access Control (RBAC): Define and enforce granular access control policies based on user roles and responsibilities. This ensures that only authorized individuals have appropriate access to mailboxes and related resources.

2.      Enable Conditional Access: Implement conditional access policies that assess various factors (e.g., user location, device health, and authentication strength) to determine access to mailboxes. This helps prevent unauthorized access and strengthens security.

3.      Implement Data Loss Prevention (DLP): Utilize DLP policies to identify and protect sensitive information within emails, such as personal identifiable information (PII) or confidential data. Apply rules and actions to prevent accidental or intentional data leakage.

4.      Enable Threat Intelligence and Advanced Threat Protection (ATP): Leverage the security capabilities of Microsoft 365, such as ATP, to detect and mitigate advanced email threats like phishing, malware, or suspicious attachments. This provides enhanced protection against evolving threats.

5.      Enable Email Encryption: Utilize email encryption technologies to secure sensitive or confidential communications. Implement solutions like Office 365 Message Encryption or S/MIME to protect email content from unauthorized access.

6.      Continuous Monitoring and Logging: Implement logging and monitoring mechanisms to detect and respond to suspicious activities or potential security incidents within mailboxes. Analyze logs and generate alerts to identify and mitigate potential threats promptly.

7.      Regular Security Assessments and Audits: Conduct periodic security assessments to identify vulnerabilities and assess the overall security posture of mailbox environments. Perform audits to ensure compliance with security policies and industry standards.

8.      User Awareness and Training: Educate users about email security best practices, including identifying phishing attempts, avoiding suspicious links or attachments, and practicing good email hygiene. Regular training helps foster a security-conscious culture.

Apply Zero Trust principles to secure Active Directory & Azure AD:

1.      Multi-Factor Authentication (MFA): Implement MFA for all user accounts accessing Azure AD. Require additional verification factors, such as SMS codes, authenticator apps, or hardware tokens, to enhance the security of user authentication.

2.      Conditional Access Policies: Define and enforce conditional access policies based on various factors like user location, device health, or risk level. Grant access only after evaluating contextual information and ensuring compliance with security requirements.

3.      Privileged Identity Management (PIM): Utilize Azure AD PIM to manage and control privileged access. Assign just-in-time (JIT) privileges, enforce time-limited access, and monitor and audit privileged activities to minimize the attack surface and prevent unauthorized access.

4.      Least Privilege Access: Follow the principle of least privilege by granting users only the permissions required to perform their specific tasks. Regularly review and revoke excessive privileges to reduce the risk of privilege misuse.

5.      Identity Protection: Enable Azure AD Identity Protection to detect and respond to potential identity-based risks. Utilize risk-based policies, anomaly detection, and automated remediation to protect against account compromises and suspicious activities.

6.      Continuous Monitoring and Logging: Implement logging and monitoring solutions in Azure AD to detect and respond to security events and suspicious activities. Leverage Azure Monitor and Azure Sentinel to collect and analyze logs for proactive threat detection.

7.      Regular Auditing and Compliance: Conduct regular audits and reviews of Azure AD configurations, user accounts, and permissions. Monitor compliance with industry standards and regulations like GDPR or HIPAA, and promptly address any deviations.

Move websites to Microsoft Azure:

1.      Hybrid Cloud Strategy: Hosting the website servers in Azure allows <CUSTOMER> to adopt a hybrid cloud strategy. It provides the flexibility to leverage the benefits of both on-premises and cloud environments. You can keep critical databases on-premises while utilizing Azure for specific web server needs, such as scalability, global reach, or disaster recovery.

2.      Regulatory Compliance: By leveraging Azure, you can extend your on-premises infrastructure while meeting compliance requirements. Azure offers compliance certifications and robust security controls, enabling <CUSTOMER> to maintain regulatory compliance.

3.      Legacy System Integration: <CUSTOMER> has legacy systems like older Webservers that are not easily migrated to the cloud due to dependencies, complexities, or specific requirements. Moving the on-premises web servers to Azure allows seamless integration with these legacy systems, enabling modernization initiatives without disrupting critical operations.  Note This would be the last component of a Zero Attack Surface strategy for <Customer Location>.

4.      Latency and Data Sovereignty: By collocating the Web Watch web servers in an Azure data center, <CUSTOMER> can minimize latency for local users or applications that require data residency within a specific geographic location.

WorkStation and devices following Zero Trust Network Architecture

1.      Zero Trust Authentication: Implement strong authentication measures such as multi-factor authentication (MFA) for all desktop logins. 

2.      Least Privilege Access: Enforce the principle of least privilege by granting users the minimum permissions required to perform their specific tasks. 

3.      Device Trust and Identity Verification: Implement device trust policies to ensure that only trusted devices are allowed to access desktop resources. 

4.      Continuous Monitoring and Threat Detection: Deploy endpoint protection and detection solutions to monitor desktops for suspicious activities and potential threats. 

5.      Data Encryption and Protection: Enable full disk encryption on desktops to protect data at rest. 

6.      Application Control and Whitelisting: Implement application control policies to restrict the execution of unauthorized applications on desktops.

7.      Patch Management and Vulnerability Remediation: Establish a robust patch management process to ensure that desktops are regularly updated with the latest security patches and software updates. 

8.      User Awareness and Training: Educate users about desktop security best practices, the importance of strong passwords, social engineering awareness, and phishing prevention. Conduct regular security awareness training to empower users to make informed security decisions and report suspicious activities.

9.      Remote Desktop Security: Implement secure remote desktop protocols, such as Remote Desktop Gateway (RD Gateway), and enforce strong authentication for remote access to desktops.

10.   Logging and Auditing: Enable desktop logging and audit trails to capture and analyze security-related events. Implement centralized log management and SIEM solutions to detect anomalies, track user activities, and investigate security incidents.

Implement an Air-Gapped Backup Feature

1.      Physical Isolation: Air-gapped backups physically separate the backup storage from the primary network, creating an offline or disconnected environment. This isolation ensures that ransomware cannot spread to the backup data, providing a secure and reliable copy of critical information.

2.      Immunity to Online Threats: By keeping the backup storage offline, air-gapped backups remain immune to online threats like ransomware. Even if the primary network is compromised, the isolated backups remain unaffected, preserving data integrity and availability.

3.      Data Recovery: In the event of a ransomware attack, organizations can rely on air-gapped backups for data recovery. Since the backups are stored separately, unaffected by ransomware encryption, they serve as a clean and reliable source for restoring compromised data without paying ransom demands.

4.      Protection against Data Loss: Air-gapped backups act as a safeguard against data loss caused by ransomware attacks. If the primary network's data is encrypted or deleted by ransomware, the offline backups serve as a secure repository, allowing organizations to recover and restore their data without succumbing to the attacker's demands.

5.      Compliance and Regulatory Requirements: Air-gapped backup solutions often align with compliance and regulatory requirements for data protection. Many industry standards and regulations recommend or mandate the use of air-gapped backups as an effective measure against ransomware attacks, ensuring the safety and security of critical information.