Attacks on authentication turn ransomware from disruption to disaster

Garmin reportedly paid cybercriminals millions of dollars following a WastedLocker ransomware attack that shut down its systems for several days. Today’s columnist, Andy Jaquith of QOMPLX, offers security pros insight into how ransomware cases have gone from disruption to disaster – even a recent death in Germany. (Photo Credit: Frederic J. Brown/A...

Ransomware has become an endemic problem in both the public and private sectors globally. And, let’s be honest: it has been for years. Recently, the cybercrime landscape shifted. High-profile incidents have underscored a pattern of ransomware gangs moving steadily up the food chain: from small, unsophisticated organizations such as local governments to some of the largest, wealthiest and most technically sophisticated firms in the world, including Garmin, Konica-Minolta and the mobile operator Orange.

How have they done it? By attacking what we call Critical Controls Infrastructure (CCI). Simply put, CCI are the systems deep inside a company that implement the key controls that underpin the organization’s security program. These include general IT controls, but most especially include authentication infrastructure such as Microsoft Active Directory.

Ransomware has become an important topic for me. Before joining QOMPLX as CISO, I was the global cyber risk officer for JP Morgan Chase. Prior to that, I was a managing director at Goldman Sachs with responsibility for vulnerability management, audit assurance, and technology risk measurement. From experience, I can say that preventing ransomware attacks has become a common topic of conversation among CISOs, with my peers and with QOMPLX’s customers. Ransomware attacks have evolved from disruptive to destructive, and have devastating consequences for companies: interrupting critical services or destroying IT assets across the enterprise. In just one prominent example, the shipping giant Maersk lost tens of thousands of servers in a devastating attack by the NotPetya malware - an incident that cost the company hundreds of millions of dollars to rebuild.

The bad guys have a simple, three-step playbook:

  1. Get In: Find an external weakness, or phish an employee.
  2. Spread: Forge or steal credentials to gain domain administrator privileges, move laterally, and push ransomware out globally.
  3. Profit: Extort a king’s ransom—or else burn the target’s Windows assets to the ground.

Security teams can prevent attacks by disrupting those initial steps and keeping ransomware criminals off the network or, at the very least, stopping them from extending their access beyond the initial victim.

That’s why it’s important to ensure the integrity of CCI. History tells us that ransomware attacks turn catastrophic when crimeware groups target Active Directory, a ubiquitous piece of infrastructure that implements multiple critical controls. Consider this: the company’s Active Directory deployment isn’t just used for authentication. It’s also a lightweight configuration management database (CMDB) that contains all of the company’s Windows assets. It’s a policy enforcement point for passwords and other crucial desktop security policies. It’s also a privileged identity store that lists the company’s domain administrators and an entitlements repository for Windows privileges.

And it’s because Active Directory does so many important tasks that it has become such a valuable target for attackers. It’s a treasure map to the company’s most valuable IT assets. An adversary that can exploit it to obtain domain administrator privileges owns the organization from tip to tail.

CISOs think of authentication as their most important IT control. I call it the “apex control” of the CISO’s program. That’s because to grant privileges, manage incidents, or develop software, security pros must first authenticate. And then, to make changes to systems, trade, modify books and records, or do anything else that has an operational, financial, regulatory, or control impact, security pros must be granted entitlements to run these tasks based on their authenticated identity. Unfortunately, the attack techniques used in ransomware campaigns—including Golden Ticket, Kerberoasting, Pass-the-Hash and related techniques—subvert this process: allowing malicious actors to pose as credentialed users seeking permission to access network resources. Without the bedrock of valid authentication, authorization becomes useless. The attacker who gains an entry point by abusing authentication can quickly move laterally by subverting authorization without being noticed.
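Because these techniques ride on the Kerberos ticketing process itself, the domain controllers’ own audit log is the place a defender can still see them. The following is an added illustration, not code from the column or from QOMPLX: it runs two well-known heuristics over a handful of constructed Windows Security events (Event ID 4768, a TGT request, and Event ID 4769, a service-ticket request). The first flags an account that requests RC4-encrypted service tickets (TicketEncryptionType 0x17) for many distinct service accounts in a short window, the pattern Kerberoasting leaves behind. The second lists accounts that obtained service tickets although no TGT was ever issued to them by this KDC, which is what a forged Golden Ticket looks like from the KDC’s side. The field names follow the Windows event schema; the events, thresholds and window length are assumptions chosen for the example.

```python
"""Illustrative Kerberos-abuse detection over constructed Windows Security
event records. Assumptions: events are pre-parsed dicts using the field
names from Event IDs 4768 (TGT request) and 4769 (TGS request); the
thresholds and window are arbitrary and must be tuned per environment."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). TicketEncryptionType 0x17
# is RC4-HMAC; 0x12 is AES256. Service-ticket hashes encrypted with RC4 are
# the ones that are practical to crack offline, hence the interest in 0x17.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5",
     "TimeCreated": "2020-09-28T08:00:00"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "fileserver01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5",
     "TimeCreated": "2020-09-28T08:00:05"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.77",
     "TimeCreated": "2020-09-28T08:59:00"},
    # One account requesting RC4 tickets for five service accounts in seconds.
    *[{"EventID": 4769, "TargetUserName": "bob", "ServiceName": spn,
       "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77",
       "TimeCreated": f"2020-09-28T09:00:{i:02d}"}
      for i, spn in enumerate(["svc_sql", "svc_backup", "svc_web", "svc_sap", "svc_ci"])],
    # A service ticket for an account that never requested a TGT here.
    {"EventID": 4769, "TargetUserName": "administrator", "ServiceName": "dc01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.99",
     "TimeCreated": "2020-09-28T10:00:00"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=4):
    """Accounts that requested RC4 service tickets for at least `min_spns`
    distinct SPNs inside any `window`. Returns {account: sorted SPN list}.
    Caveat: accounts or services not yet moved to AES legitimately produce
    0x17, so the volume and spread across SPNs is the signal, not RC4 alone."""
    rc4 = sorted((e for e in events
                  if e["EventID"] == 4769 and e.get("TicketEncryptionType") == "0x17"),
                 key=_ts)
    by_user = defaultdict(list)
    for e in rc4:
        by_user[e["TargetUserName"]].append(e)

    hits = {}
    for user, evs in by_user.items():
        best, start = set(), 0
        for end in range(len(evs)):           # sliding window over sorted events
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            spns = {x["ServiceName"] for x in evs[start:end + 1]}
            if len(spns) >= min_spns and len(spns) > len(best):
                best = spns
        if best:
            hits[user] = sorted(best)
    return hits


def tgs_without_tgt(events):
    """Accounts with 4769 service-ticket requests but no 4768 TGT request in
    the same log set. A forged TGT is never issued by the KDC, so it leaves
    no 4768 behind. Caveat: a legitimate TGT may predate the log window, so in
    production compare against the domain's TGT lifetime, not just the window."""
    had_tgt = {e["TargetUserName"] for e in events if e["EventID"] == 4768}
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4769 and e["TargetUserName"] not in had_tgt})


if __name__ == "__main__":
    for user, spns in kerberoast_candidates(EVENTS).items():
        print(f"possible Kerberoasting by {user}: RC4 service tickets for {spns}")
    for user in tgs_without_tgt(EVENTS):
        print(f"service tickets for {user} with no TGT issued by this KDC: check for a forged TGT")
```

Both heuristics depend on the audit policy actually emitting 4768 and 4769 on every domain controller and on the logs being collected off-box; if an attacker already holds domain administrator rights, the logs on the controllers themselves are no longer trustworthy, which is the column’s point about Critical Controls Infrastructure.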

Looked at from the CISO’s perspective, ransomware and similar attacks that target Active Directory fundamentally subvert authentication. When identities are forged or abused, IT can no longer trust authentication as a control.

What about all that network, endpoint and user monitoring technology companies invest in? Well, if the company cannot trust that its authentication or authorization systems work as designed, those are also of little use. Attackers using stolen identities can easily “live off the land,” using approved administrative tools to gain access to sensitive data and IT systems. Even worse: if the CISO can’t trust his user authentication and authorization, he has no idea whether the downstream IT general controls for incident management, change management, software development lifecycle, or business resilience work properly either.

The consequences of this are clear – and they are dire. Publicly-traded companies that must attest to the integrity of their Sarbanes-Oxley Section 404 controls cannot do so with confidence following a ransomware attack. If customers and partners rely on the company’s SOC2 or SSAE-18 external audit reports to assure that the organization has a decent security program, those certifications may also go out the window in the context of a ransomware attack.

The bottom line: Companies must become fanatical about protecting CCI. Consider Active Directory a critical implementation of the company’s most critical controls: authentication and authorization. Organizations must protect both.

Andy Jaquith, CISO and general manager of the Cyber Business Unit, QOMPLX

Andy Jaquith

Andy Jaquith is the Managing Director of Markerbench. His 25-year career as a CISO, executive, and cyber practitioner spans startups (with two successful exits), Fortune 100s, global financial services firms, and AMLAW 50 firms. He has managed a broad spectrum of technology and cyber risk areas and is a trusted advisor to customers, staff, and boards.

Prior to Markerbench, Andy was the global Chief Information Security Officer (CISO) for Covington & Burling LLP, a $1.5B AMLAW 50 firm with 14 offices globally. His prior experience includes serving as the CISO of QOMPLX, Inc, a cyber-security startup focused on critical enterprise infrastructure. He was the global Cyber Security Operational Risk Officer for JP Morgan Chase, and was a Managing Director for Technology Risk Measurement and Analytics at Goldman Sachs. Andy’s earlier roles include Chief Technology Officer (CTO) of the managed security services provider SilverSky. He has held senior security analyst roles at Forrester Research and Yankee Group, and was a co-founder of @stake, a pioneering cyber-security consultancy. Andrew wrote the book on security metrics (“Security Metrics: Replacing Fear, Uncertainty and Doubt”), used by a generation of risk professionals to connect security to the corner office.

Andy graduated from Yale University with a BA in Economics and Political Science. He lives with his family in New York.
