CISA IR Training - Defend Against Ransomware Attacks Cyber Range Training (IR209)

Just attended Defend Against Ransomware Attacks Cyber Range Training (IR209) offered by CISA. I talked about these in a previous post and would encourage those eligible to register. As always, the course was full of information with the added benefit of a virtual environment to play around in. I’m always amazed at how much they can pack into so little time. I only wish it was a full day course.

The course focused on preventative measures that could be taken to protect an organization from ransomware attacks. Due to the short amount of time, the instructors definitely could not go over all the possibilties. They talked about some general best practices at a high level and picked a few to cover specifically:

• Firewall rules to block malicious IPs
• Resetting/rotating a KRBTGT Account Password
• Backing up Active Directory
• Application Allowlisting
• Disabling SMBv1 via Group Policy
• DNS Sinkholing

Each of these were accompanied by a lab where we simulated putting these preventative measures in place.

Thoughts

Firewall rules and DNS sinkholing are definitely options that could be automated to some extent. Being a part of an Information Sharing and Analysis Center (ISAC) would help immensely in determining threats before they hit by providing actionable information to create firewall rules. You can read more about them via the National Council of ISACs. This type of preventative measure is a constant cat and mouse game. You can’t just set it and forget since it requires active updating and management.

Resetting the KRBTGT Account Password is an interesting preventative measure. Microsoft does suggest resetting it every 180 days and depending on the size of your Active Directory infrastructure, the maintenance window could stretch to double digit hours due to change propagation to all the Domain Controllers. This isn’t something you should do on a whim; but on the other hand is something pretty easy to implement via policies and procedures. Personally, I’m a little skeptical on how useful it is on preventing ransomware. Once the attacker compromises the “Golden Ticket” they’ll create more accounts to maintain persistence. In other words, I would not see this as a magic bullet but another layer in a defense. You can read more at https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/faqs-from-the-field-on-krbtgt-reset/2367838

Backing up Active Directory should already be a given in important environments. If anything, you should have server backups, Active Directory backups, and some sort of change management process to track authorized changes. There was also discussion of offsite/cold backups which should definitely be part of a comprehensive disaster recovery plan.

Application allowlisting and blocklisting is another measure that can be problematic to put into place depending on your environment. A very restrictive/secure workplace will have no issues putting application allowlisting into place. Coming from Higher Education, allowlisting isn’t really possible on student and faculty facing computers. The lab showed using Windows Defender Application Control to block the usage of 7-Zip. This preventative measure circles back to the same caveats as firewall rules and DNS sinkholing. This is something that must be constantly maintained and monitored to be effective.

Related to application blocklisting, properly securing PowerShell and its usage on systems is something I think should have been talked about in the course. Threat actors are leveraging the ability to use PowerShell for living off the land attacks. There are numerous articles about securing PowerShell including:

-https://www.cisa.gov/news-events/alerts/2022/06/22/keeping-powershell-measures-use-and-embrace -https://learn.microsoft.com/en-us/powershell/scripting/security/security-features?view=powershell-7.4 -https://www.csoonline.com/article/573069/how-to-keep-attackers-from-using-powershell-against-you.html

Disabling SMBv1 is another must do if you are running older operating systems prior to Windows 11 and Server 2019. I’d hope that at this point, anyone still running SMBv1 has hardened those networks/systems in other ways and are only running it due to legacy hardware/software that can’t be updated. Those systems should definitely not be exposed to the intenet.

Looking forward to attending more in the future. I’ll be sure to write about them.