Ransomware has become an endemic problem in both the public and private sectors globally. And, let’s be honest: it has been for years. Recently, the cybercrime landscape shifted. High-profile incidents have underscored a pattern of ransomware gangs moving steadily up the food chain: from small, unsophisticated organizations such as local governments to some of the largest, wealthiest and most technically sophisticated firms in the world, including Garmin, Konica-Minolta and the mobile operator Orange.
How have they done it? By attacking what we call Critical Controls Infrastructure (CCI). Simply put, CCI are the systems deep inside a company that implement the key controls that underpin the organization’s security program. These include general IT controls, but most especially include authentication infrastructure such as Microsoft Active Directory.
Ransomware has become an important topic for me. Before joining QOMPLX as CISO, I was the global cyber risk officer for JP Morgan Chase. Prior to that, I was a managing director at Goldman Sachs with responsibility for vulnerability management, audit assurance, and technology risk measurement. From experience, I can say that preventing ransomware attacks has become a common topic of conversation among CISOs, with my peers and with QOMPLX’s customers. Ransomware attacks have evolved from disruptive to destructive, and have devastating consequences for companies: interrupting critical services or destroying IT assets across the enterprise. In just one prominent example, the shipping giant Maersk lost tens of thousands of servers in a devastating attack by the NotPetya malware - an incident that cost the company hundreds of millions of dollars to rebuild.
The bad guys have a simple, three-step playbook:
- Get In: Find an external weakness, or phish an employee.
- Spread: Forge or steal credentials to gain domain administrator privileges, move laterally, and push ransomware out globally.
- Profit: Extort a king’s ransom—or else burn the target’s Windows assets to the ground.
Security teams can prevent attacks by disrupting those initial steps and keep ransomware criminals off the network or, at the very least, stop them from extending their access to it beyond their initial victim.
That’s why it’s important to ensure the integrity of CCI. History tells us that ransomware attacks turn catastrophic when crimeware groups target Active Directory, a ubiquitous piece of infrastructure that implements multiple critical controls. Consider this: the company’s Active Directory deployment isn’t just used for authentication. It’s also a lightweight configuration management database (CMDB) that contains all of the company’s Windows assets. It’s a policy enforcement point for passwords and other crucial desktop security policies. It’s also a privileged identity store that lists the company’s domain administrators and an entitlements repository for Windows privileges.
And it’s because Active Directory does so many important tasks that it has become such a valuable target for attackers. It’s a treasure map to the company’s most valuable IT assets. An adversary that can exploit it to obtain domain administrator privileges owns the organization from tip to tail.
CISOs think of authentication as their most important IT control. I call it the “apex control” of the CISO’s program. That’s because to grant privileges, manage incidents, or develop software, security pros must first authenticate. And then, to make changes to systems, trade, modify books and records, or do anything else that has an operational, financial, regulatory, or control impact, security pros must be granted entitlements to run these tasks based on their authenticated identity. Unfortunately, the attack techniques used in ransomware campaigns—including Golden Ticket, Kerberoasting, Pass-the-Hash and related techniques—subvert this process: allowing malicious actors to pose as credentialed users seeking permission to access network resources. Without the bedrock of valid authentication, authorization becomes useless. The attacker who gains an entry point by abusing authentication can quickly move laterally by subverting authorization without being noticed.
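As an added illustration (not code from the original article or from QOMPLX), here is a minimal detector for two of the Active Directory abuses named above, run over constructed Windows Security log records: Kerberoasting shows up as one account requesting many RC4-HMAC service tickets (Event ID 4769, encryption type 0x17), and a Golden Ticket shows up as service tickets used by an account for which the domain controllers never logged a TGT request (Event ID 4768). The event shapes, account names and thresholds are assumptions for the example.

```python
from collections import defaultdict

# RC4-HMAC ticket encryption type; attackers ask for it because the resulting
# service tickets are far cheaper to crack offline than AES ones.
RC4_HMAC = "0x17"

# Constructed sample events (not real logs). Field names mirror the Security
# log: 4768 = TGT requested, 4769 = service ticket requested.
EVENTS = [
    {"id": 4768, "account": "alice", "src": "10.0.0.5"},
    {"id": 4769, "account": "alice", "service": "MSSQLSvc/db01", "enc": "0x12", "src": "10.0.0.5"},
    {"id": 4768, "account": "mallory", "src": "10.0.0.9"},
    {"id": 4769, "account": "mallory", "service": "MSSQLSvc/db01", "enc": "0x17", "src": "10.0.0.9"},
    {"id": 4769, "account": "mallory", "service": "HTTP/web01", "enc": "0x17", "src": "10.0.0.9"},
    {"id": 4769, "account": "mallory", "service": "CIFS/file01", "enc": "0x17", "src": "10.0.0.9"},
    {"id": 4769, "account": "mallory", "service": "MSSQLSvc/db02", "enc": "0x17", "src": "10.0.0.9"},
    # No 4768 on record for this account: consistent with a forged (golden) TGT.
    {"id": 4769, "account": "ghostadmin", "service": "CIFS/dc01", "enc": "0x12", "src": "10.0.0.77"},
]


def kerberoast_suspects(events, threshold=3):
    """Accounts that requested RC4 service tickets for >= threshold distinct SPNs."""
    spns_by_account = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e.get("enc") == RC4_HMAC:
            spns_by_account[e["account"]].add(e["service"])
    return sorted(a for a, s in spns_by_account.items() if len(s) >= threshold)


def golden_ticket_suspects(events):
    """Accounts presenting service tickets although no TGT request was ever logged."""
    tgt_accounts = {e["account"] for e in events if e["id"] == 4768}
    st_accounts = {e["account"] for e in events if e["id"] == 4769}
    return sorted(st_accounts - tgt_accounts)


if __name__ == "__main__":
    print("Possible Kerberoasting:", kerberoast_suspects(EVENTS))   # ['mallory']
    print("Possible Golden Ticket:", golden_ticket_suspects(EVENTS))  # ['ghostadmin']
```

The Golden Ticket heuristic only holds if 4768 events from every domain controller are collected, and in production both checks would be bounded to a time window rather than the whole log.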
Looked at from the CISO’s perspective, ransomware and similar attacks that target Active Directory fundamentally subvert authentication. When identities are forged or abused, IT can no longer trust authentication as a control.
What about all that network, endpoint and user monitoring technology companies invest in? Well, if the company cannot trust that its authentication or authorization systems work as designed, those are also of little use. Attackers using stolen identities can easily “live off the land,” using approved administrative tools to gain access to sensitive data and IT systems. Even worse: if the CISO can’t trust his user authentication and authorization, he has no idea whether the downstream IT general controls for incident management, change management, software development lifecycle, or business resilience work properly either.
The consequences of this are clear – and they are dire. Publicly-traded companies that must attest to the integrity of their Sarbanes-Oxley Section 404 controls cannot do so with confidence following a ransomware attack. If customers and partners rely on the company’s SOC2 or SSAE-18 external audit reports to assure that the organization has a decent security program, those certifications may also go out the window in the context of a ransomware attack.
The bottom line: Companies must become fanatical about protecting CCI. Consider Active Directory a critical implementation of the company’s most critical controls: authentication and authorization. Organizations must protect both.
Andy Jaquith, CISO and general manager of the Cyber Business Unit, QOMPLX