Industry Insights with Todd Inskeep

Fraud Management & Cybercrime , Governance & Risk Management , Next-Generation Technologies & Secure Development

Risk Containment Strategies to Avoid the Next Petya


Ransomware has been in the headlines with Petya, like WannaCry before it, spreading rapidly around the globe. If you are not familiar with this week's news, organizations around the globe suffered another ransomware attack on Tuesday including pharmaceutical companies, Chernobyl radiation detection systems, the Kiev metro, as well as airports and banks.


Addressing these advanced attacks as simple malware outbreaks is not enough. Nor can you just replay the ransomware prevention handbook with good backups. Organizations need to fundamentally rethink their approach to advanced threats: develop risk mitigation options from the viewpoint of a dynamic, adaptive adversary, and then evaluate those options within a business context. Current risk management approaches describe technical risks within a business context. Organizations should focus on Risk Containment strategies that preempt common adversary approaches and deliberately slow or limit the spread of the next advanced attack.

Three steps can help prepare your organization to contain and manage these types of advanced attacks:

  1. Review how adversaries maneuver within an environment. Think about your networks and critical systems. Adversaries use the same high-risk ports, protocols, and services (PPS) as privileged users and support systems. High-risk PPSs include RPC, RDP, WinRM, and PowerShell remoting, all of which are used to communicate with other systems. Adversaries also use credential-stealing attacks and leverage stolen credentials to authenticate to, gain access to, or escalate privileges on, additional systems.
  2. Evaluate systems involved in high-risk PPS communications. Many organizations have some part of their network assigned to IT engineers, admins, and technical support personnel who frequently initiate communications broadly across the enterprise using these high-risk PPSs. There are also some infrastructure support servers that initiate and/or receive these types of requests. While these high-risk PPSs are required for portions of the infrastructure, there are large portions where high-risk PPSs are not required. Fortunately, organizations can reduce risk contagion with ACLs, network and/or host firewalls, two-factor authentication, fewer privileges, and purposeful design of their authentication systems.
  3. Establish Risk Containment to protect the critical systems. The first element of a containment strategy is limiting the systems that can initiate or receive high-risk PPS communications to or from critical systems (e.g., Enterprise Resource Planning, Industrial Control Systems, Personal Health Information, other critical business services). Effective monitoring, and eventually blocking, of unnecessary high-risk PPS can be achieved with a combination of network or system firewalls/ACLs. The second element of a containment strategy is to ensure effective account security. Separating privileged from non-privileged accounts, implementing strong passwords, and deploying multi-factor authentication can all inhibit an adversary from getting into critical systems. The last element is to protect the integrity of the authentication systems. Secure architecture for Active Directory forests and domains strongly inhibits an adversary from pivoting into critical systems.

Advanced threats and malware attacks are growing in frequency, ingenuity, and impact. Risk containment strategies that are based on business operations and built into the technical architecture help manage the overall risk, and will help companies respond to and recover from cyberattacks more quickly.
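Steps 2 and 3 above amount to an inventory exercise: find out which systems actually exchange high-risk PPS traffic with critical systems, decide which of those sources are legitimate (admin jump hosts, infrastructure servers), and turn the rest into firewall or ACL denies. The script below is an added example written for this article, not code from the author or from Booz Allen Hamilton. It runs over a handful of constructed flow records (the hosts, subnets, port numbers and the "critical" labels are all invented for illustration; in practice they would come from NetFlow, firewall logs or Windows event logs and from the asset inventory), flags high-risk PPS connections to critical systems from sources that are not on the admin or infrastructure subnets, and derives the minimal allow-list that a containment rule set would encode.

```python
"""Audit flow records for high-risk PPS reaching critical systems.

Constructed example: every address, subnet and role below is invented
for illustration. Real input would come from NetFlow, firewall logs or
Windows event logs, and the critical-system list from the asset inventory.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# High-risk PPS named in the article, mapped to the TCP ports they use
# by default (assumed defaults; adjust to your environment).
HIGH_RISK_PPS = {
    135: "RPC endpoint mapper",
    445: "SMB (RPC over named pipes)",
    3389: "RDP",
    5985: "WinRM / PowerShell remoting (HTTP)",
    5986: "WinRM / PowerShell remoting (HTTPS)",
}

# Hypothetical critical systems (step 3) and the only subnets that should
# initiate high-risk PPS toward them (step 2): admin jump hosts and
# infrastructure support servers.
CRITICAL_SYSTEMS = {
    "10.20.0.10": "ERP database",
    "10.20.0.11": "ERP application server",
    "10.30.0.5": "ICS historian",
}
ADMIN_SUBNETS = [ip_network("10.99.0.0/24")]   # jump hosts / admin workstations
INFRA_SUBNETS = [ip_network("10.10.0.0/24")]   # domain controllers, patch servers

# Constructed flow records: (source, destination, destination port, protocol)
FLOWS = [
    ("10.99.0.12", "10.20.0.10", 3389, "tcp"),  # jump host -> ERP DB: expected
    ("10.10.0.4", "10.20.0.11", 135, "tcp"),    # infra server -> ERP app: expected
    ("10.50.3.77", "10.20.0.10", 445, "tcp"),   # user workstation -> ERP DB: contain
    ("10.50.3.77", "10.30.0.5", 5985, "tcp"),   # user workstation -> ICS: contain
    ("10.50.3.78", "10.20.0.11", 443, "tcp"),   # user workstation -> ERP web: not high-risk
    ("10.20.0.10", "10.30.0.5", 3389, "tcp"),   # critical -> critical lateral RDP: contain
]


def is_authorized_source(src: str) -> bool:
    """Only admin and infrastructure subnets may initiate high-risk PPS."""
    addr = ip_address(src)
    return any(addr in net for net in ADMIN_SUBNETS + INFRA_SUBNETS)


def find_containment_violations(flows):
    """Return flows where an unauthorized source reaches a critical
    system over a high-risk PPS; these are the candidates for blocking."""
    violations = []
    for src, dst, port, proto in flows:
        if proto != "tcp" or port not in HIGH_RISK_PPS:
            continue
        if dst not in CRITICAL_SYSTEMS:
            continue
        if is_authorized_source(src):
            continue
        violations.append({
            "src": src,
            "dst": dst,
            "port": port,
            "service": HIGH_RISK_PPS[port],
            "asset": CRITICAL_SYSTEMS[dst],
        })
    return violations


def build_allow_rules(flows):
    """Derive the minimal allow-list: for each (critical system, high-risk
    port) pair, the authorized sources actually observed using it. Anything
    not in this map is what the containment ACL should deny."""
    rules = defaultdict(set)
    for src, dst, port, proto in flows:
        if (proto == "tcp" and port in HIGH_RISK_PPS
                and dst in CRITICAL_SYSTEMS and is_authorized_source(src)):
            rules[(dst, port)].add(src)
    return {key: sorted(srcs) for key, srcs in rules.items()}


if __name__ == "__main__":
    for v in find_containment_violations(FLOWS):
        print(f"CONTAIN {v['src']} -> {v['dst']}:{v['port']}/tcp "
              f"({v['service']} to {v['asset']})")
    for (dst, port), srcs in build_allow_rules(FLOWS).items():
        print(f"ALLOW {port}/tcp to {dst} from {', '.join(srcs)}; "
              f"deny all other sources")
```

Run it as-is and it reports three flows to contain (two from a user workstation and one critical-to-critical RDP session) and two allow rules. The critical-to-critical case is deliberate: a compromised ERP host should not be able to reach the ICS historian over RDP just because both are "critical", so the allow-list is keyed on observed authorized sources rather than on asset tier. Start in monitor-only mode with the violation list, as the article suggests, and convert the allow rules into firewall or ACL entries once the list has stabilized.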

About the Author

Todd Inskeep


RSA Conference Advisory Board and Principal, Commercial Consulting, Booz Allen Hamilton

Todd Inskeep has spent more than 25 years bringing innovative, strategic thinking to Information Security problems across a range of industries and organizations. He currently leads Booz Allen Hamilton's commercial product and manufacturing practice. Starting from secure radio systems he has worked in virtually every aspect of cybersecurity, including such diverse areas as early PKI and VPN systems, desktop systems, mobile, policy, security architecture and eCommerce - including fraud management. Most recently he's worked on cyber security assessments including overall security programs and specific assessments of supply chain security and product security. He has filed multiple patent applications, and spent time as an Executive-in-Residence at the MIT Media Lab's Center for Future Banking. Todd started in the Information Security group of the National Security Agency (NSA), later joining Bank of America before spending time with Samsung Business Services.
