Ransomware has been in the news too frequently. In this article, “Five Strategies and Microsoft Solutions that Protect Against Ransomware Attacks,” we will address five (5) areas of focus that can decrease the attack surface and make it more difficult for an attacker to gain elevated privileges and take over devices, and how to recover from a successful attack.
What is Ransomware?
Cybersecurity attacks continue to make headlines. Our personal and business information lives on many different cloud platforms. Protecting that information from ransomware, brute-force, injection, and man-in-the-middle attacks through proactive hunting, recognition, and resolution is paramount.
Of these attacks, ransomware continues to make the news by successfully gaining access to the information of high-profile companies. In this age of increased concern around the protection and integrity of data, how can a company protect itself from having its systems hijacked, encrypted, and held for ransom? The five areas of focus below decrease the attack surface, make it more difficult for an attacker to gain elevated privileges and take over devices, and cover how to recover from a successful attack.
1. Zero Trust with Conditional Access policies and MFA
Within cloud services the provider is responsible for the physical controls, so identity and access become the first line of defense that a customer can configure and use to protect against threats. This is why statements like “Identity is the new control plane” or “Identity is the new perimeter” have become popular when discussing cloud security.
Even if your company maintains a private datacenter for its primary business applications, there is still a good chance that you are consuming a cloud application that uses your company identity. For this reason, having the proper controls in place, such as multi-factor authentication (MFA), Conditional Access policies, and Azure Identity Protection, will help to decrease vulnerabilities and recognize potential threats before a widespread attack can take place.
Protecting identities is of the highest importance in securing cloud infrastructure. We need to make sure that a user requesting access to our resources is truly that user and not an attacker who has obtained that user’s credentials. The core concept a company should adhere to when securing identity and access is the zero-trust methodology, and its foundation is exactly what the name states: TRUST NO ONE!
The zero-trust methodology continuously requires someone on the network to verify that they are who they say they are. The concept is straightforward, but if you constantly asked users to enter their username and password they would get frustrated. To avoid this, a zero-trust implementation uses signals that indicate potentially anomalous behavior, leaked credentials, or insecure devices, and those signals trigger the need for a user to re-verify their identity. These signals feed a decision on what is needed to grant access to applications, files, or websites.
The diagram above shows how zero trust is enforced within Microsoft Azure Active Directory (AAD): Conditional Access policies require additional verification with multi-factor authentication (MFA) when applications are accessed.
Putting Conditional Access policies in place that enforce MFA for access to resources and applications protects against attackers gaining access to critical applications to exploit. The next step is to prevent users from having elevated access unless it is absolutely necessary.
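To make the decision concrete, here is an added example (not from the article, and not Microsoft's policy engine): two Conditional Access policies written in the shape of the Microsoft Graph conditionalAccessPolicy resource, and a simplified evaluator of our own that works out which grant controls a given sign-in must satisfy. The trusted network ranges, the break-glass account names and the sign-ins are constructed.

```python
"""Added example: Conditional Access policies in Graph resource shape, plus a
simplified evaluator (our own model, not Azure's) of which controls apply."""
import ipaddress

# Constructed: corporate egress ranges registered as a trusted named location.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                    ipaddress.ip_network("10.0.0.0/8")]

# Policy 1: MFA for every user and app, except two emergency-access accounts
# (constructed names, protected by other means) and sign-ins from trusted locations.
REQUIRE_MFA = {
    "displayName": "CA001 Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeUsers": ["breakglass1@contoso.example",
                                   "breakglass2@contoso.example"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Policy 2: block legacy protocols, which cannot present an MFA claim at all.
BLOCK_LEGACY_AUTH = {
    "displayName": "CA002 Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

POLICIES = [REQUIRE_MFA, BLOCK_LEGACY_AUTH]


def _is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def _users_match(cond, user):
    users = cond["users"]
    if user in users.get("excludeUsers", []):
        return False  # exclusions always win over inclusions
    return "All" in users["includeUsers"] or user in users["includeUsers"]


def _apps_match(cond, app):
    apps = cond["applications"]["includeApplications"]
    return "All" in apps or app in apps


def _client_matches(cond, client_app):
    kinds = cond.get("clientAppTypes", ["all"])
    return "all" in kinds or client_app in kinds


def _location_matches(cond, ip):
    loc = cond.get("locations")
    if loc is None:
        return True  # policy is not scoped on location
    trusted = _is_trusted(ip)
    if trusted and "AllTrusted" in loc.get("excludeLocations", []):
        return False
    inc = loc["includeLocations"]
    return "All" in inc or ("AllTrusted" in inc and trusted)


def required_controls(policy, signin):
    """Controls one policy demands for a sign-in; empty set if it does not apply."""
    if policy["state"] != "enabled":
        return set()
    c = policy["conditions"]
    applies = (_users_match(c, signin["user"]) and _apps_match(c, signin["app"])
               and _client_matches(c, signin["client_app"])
               and _location_matches(c, signin["ip"]))
    return set(policy["grantControls"]["builtInControls"]) if applies else set()


def evaluate(policies, signin):
    """Union of controls across all policies; a 'block' from any policy refuses
    the sign-in regardless of what the others require."""
    required = set()
    for policy in policies:
        required |= required_controls(policy, signin)
    return required


if __name__ == "__main__":
    for s in [{"user": "alice@contoso.example", "app": "Office365", "client_app": "browser", "ip": "203.0.113.7"},
              {"user": "alice@contoso.example", "app": "Office365", "client_app": "browser", "ip": "10.1.2.3"},
              {"user": "bob@contoso.example", "app": "Exchange", "client_app": "other", "ip": "203.0.113.7"}]:
        print(s["user"], s["client_app"], s["ip"], "->", sorted(evaluate(POLICIES, s)) or "allow")
```

The exclusion of the break-glass accounts is deliberate: those accounts must be able to sign in when MFA infrastructure itself is unavailable, so they are excluded from the MFA policy and monitored separately. A practitioner would use this kind of model to reason about a "report-only" policy before enabling it.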
2. Principle of Least Privilege and Privileged Identity Management
In our growing cloud infrastructure, there are users that need access to resources at an administrator level. How we plan, manage, and monitor these administrator roles will have a direct impact on the security of our cloud infrastructure.
When designing and scoping the company roles for IAM, the principle of least privilege should always be at the forefront of the discussion. This is the concept that any user or resource has access only to the applications, resources, and information required to perform their specific job duties. Anything above that is a vulnerability and a potential threat to the company, because sensitive information could be leaked to those who should not be allowed to view it.
The scope of IAM is to ensure that every user, group, or resource has been assigned roles and access that adhere to this principle. These should be documented by job title with role assignments, and the roles should be reviewed regularly with department owners to verify that the assignments are still accurate and valid. When we discuss creating users and groups in a later chapter, we will cover options for creating role assignments in a dynamic, auto-assigned manner, and how to automate the review of these roles.
What is Privileged Identity Management (PIM)?
A major area of Identity Governance that we need to manage is privileged access through administrative user accounts. As we continue to add and activate administrative roles within our tenant, we increase the attack surface: someone who gains unauthorized access to a compromised account may then hold elevated privileges.
Identity and Access Administrators have the responsibility to protect and defend this layer by applying the concepts of zero trust and the principle of least privilege when assigning and managing these administrator accounts. You should have a clear strategy with defined job tasks for every administrator user account so that roles can be assigned properly. This strategy should include meeting with stakeholders and discussing the roles that each department member requires to complete their job tasks. In addition, you should be monitoring the activity of these accounts and verifying that users still require their privileged access roles.
To enforce the concepts of zero-trust, you have the capability to assign Conditional Access policies to these accounts. To address and protect privileged assignments, Azure AD provides Privileged Identity Management within the Identity Governance solutions.
Privileged Identity Management provides just-in-time privileged access to users. Since users hold active administrator roles only for a short window of time, this reduces the attack surface and the potential for a compromised user account to expose privileged access. Privileged Identity Management also provides an approval and justification process for activating privileged role assignments, with notifications when a role is activated and an audit trail of these activations.
Privileged Identity Management minimizes the potential exposure of resources if a user’s credentials are compromised. The attacker gets less from the user’s account and has less ability to deploy ransomware agents with it.
3. Protected remote management of Virtual Machines
We have taken actions to protect user identity through the authentication and authorization techniques in the first two recommendations. However, companies still need to manage their virtual machines remotely, and this requires the elevated administrator privileges that we wanted to avoid in the previous section. So, how can we limit the exposure of our virtual machines while still managing them securely from a remote location? Here are a few options to consider.
Our challenge is to put multiple controls in place to mitigate vulnerabilities and decrease the attack surface. One of the potentially vulnerable compute resources within any cloud infrastructure is the IaaS virtual machine. Since some level of access to these virtual machines is needed to manage the operating system, this creates an attack surface through which a bad actor could gain elevated privileges and reach data. The goal is to decrease this attack surface by limiting access to the public IP address. A firewall, as stated previously, is one option. Another option is to put a load balancer in front of your virtual machines.
A load balancer can route public traffic to virtual machines but, unlike virtual machines, there is no operating system that can be leveraged as an attack surface. Placing a load balancer in front of the virtual machines allows us to remove the public IP address completely from the network interface of the virtual machine, mitigating the virtual machine’s exposure to the Internet.
The second layer of defense for the network and virtual machines is the use of Network Security Groups. Network Security Groups (NSGs) provide another layer of allow and deny rules beyond those found on a firewall. NSGs filter on source and destination port, protocol, and IP address; they do not perform packet inspection as firewalls do. These allow and deny rules can restrict access to specific IP addresses, which decreases the attack surface available to attackers. This includes blocking access to management ports, such as RDP and SSH. NSGs can be applied at the virtual machine network interface or to the entire subnet.
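How an NSG actually reaches an allow or deny decision matters when you write these rules, because a deny at a higher priority number is silently shadowed by an allow at a lower one. The following is an added example (not from the article, and not Azure code): a model of inbound NSG evaluation that follows the documented Azure semantics (rules checked in ascending priority number, first match wins, default rules at 65000 and above), applied to a weak rule set beside a hardened one. The VNet ranges, the Bastion subnet and the rule names are constructed; 168.63.129.16 is Azure's documented load-balancer probe source, and the "Internet" tag is simplified here to "any address outside the VNet".

```python
"""Added example: a model of inbound Network Security Group evaluation
(ascending priority, first match wins, default rules at 65000+)."""
import ipaddress

# Constructed addressing: the VNet and its AzureBastionSubnet.
VNET = ipaddress.ip_network("10.0.0.0/16")
BASTION_SUBNET = "10.0.255.0/27"
AZURE_LB_PROBE = ipaddress.ip_network("168.63.129.16/32")  # documented Azure probe source


def rule(name, priority, access, source, dest_port, protocol="*"):
    return {"name": name, "priority": priority, "access": access,
            "source": source, "dest_port": dest_port, "protocol": protocol}


# Default inbound rules every NSG carries; they cannot be deleted, only overridden
# by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]


def _source_matches(source, src_ip):
    addr = ipaddress.ip_address(src_ip)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return addr in VNET
    if source == "AzureLoadBalancer":
        return addr in AZURE_LB_PROBE
    if source == "Internet":
        return addr not in VNET  # simplification of the Internet service tag
    return addr in ipaddress.ip_network(source)  # explicit CIDR or single address


def _port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):  # "22,3389" or "3389-3390"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _proto_matches(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()


def evaluate_inbound(custom_rules, src_ip, dest_port, protocol="Tcp"):
    """Return (access, rule name) for the first rule that matches."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (_source_matches(r["source"], src_ip) and _port_matches(r["dest_port"], dest_port)
                and _proto_matches(r["protocol"], protocol)):
            return r["access"], r["name"]
    raise AssertionError("DenyAllInBound should always match")


MGMT_PORTS = {"RDP": 3389, "SSH": 22}


def internet_exposed_mgmt(custom_rules, probe_ip="203.0.113.7"):
    """Defender check: which management ports can a client outside the VNet reach?"""
    return sorted(name for name, port in MGMT_PORTS.items()
                  if evaluate_inbound(custom_rules, probe_ip, port)[0] == "Allow")


# Weak: the all-too-common lab rule that opens RDP to any source.
WEAK = [rule("Allow-RDP-Any", 100, "Allow", "*", "3389")]

# Hardened: an explicit deny for management ports from the Internet, and RDP/SSH
# allowed only from the Bastion subnet. The deny sits at the lower number so it
# is evaluated first for Internet sources.
HARDENED = [
    rule("Deny-Mgmt-From-Internet", 100, "Deny", "Internet", "22,3389"),
    rule("Allow-Mgmt-From-Bastion", 110, "Allow", BASTION_SUBNET, "22,3389"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "exposed management ports:", internet_exposed_mgmt(rules))
```

The `internet_exposed_mgmt` check is the one to run as a recurring audit over every NSG: it answers the only question that matters here, whether 22 or 3389 is reachable from outside the virtual network, and it is independent of how many rules the NSG has accumulated.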
How do we securely manage our virtual machines with Bastion and just-in-time RBAC?
The previous section secured our virtual machines by placing them behind a load balancer, removing their public IP addresses, and blocking the RDP and SSH management ports. Since access through these ports via the Internet is no longer available, how are we going to reach our virtual machines to perform management tasks?
Bastion host was designed to mitigate the attack surface created by opening management ports and operating systems to the Internet. Previously, one way IT departments protected against these attacks was a “jump box” virtual machine: administrators authenticated to it, gained access to the virtual network, and then “jumped” to one of the virtual machines on that network. To reduce the potential exposure of the virtual machines, the usernames and passwords on the jump box should not be the same as those on the production virtual machines.
Bastion host removes this attack surface by relying on the user’s identity and access control in the Azure portal. The Virtual Machine Contributor role allows users to access the virtual machines and connect to them through the Bastion connection. The user experience is the same as with RDP or SSH, without exposing the virtual machine to the Internet.
As stated, users who need access to the virtual machine can be assigned the Virtual Machine Contributor role through role-based access control. If a user only needs to access these virtual machines occasionally, we can make that role assignment eligible rather than permanent, so that it is activated only when needed through Privileged Identity Management.
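Both the PIM description in section 2 and the just-in-time Virtual Machine Contributor assignment above rest on the same workflow: an assignment is eligible rather than active, activation requires MFA and a justification, the active window is capped, it expires on its own, and every step is logged. Here is an added example (our own illustration, not the Azure AD PIM implementation or any Cloudreach code) that models that workflow so the behaviour can be checked; the principal names, role name, subscription scope placeholder and time values are constructed.

```python
"""Added example: a model of just-in-time role activation (eligible assignment,
MFA + justification gate, capped duration, expiry, audit trail)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Eligibility:
    principal: str
    role: str
    scope: str
    max_duration: timedelta          # policy cap on one activation
    require_justification: bool = True
    require_mfa: bool = True


@dataclass
class Activation:
    principal: str
    role: str
    scope: str
    start: datetime
    end: datetime
    justification: str


class PimModel:
    def __init__(self):
        self.eligible = []
        self.activations = []
        self.audit = []  # every decision, granted or denied, is recorded

    def _log(self, at, event, principal, role, scope, detail=""):
        self.audit.append({"at": at, "event": event, "principal": principal,
                           "role": role, "scope": scope, "detail": detail})

    def make_eligible(self, e, at):
        self.eligible.append(e)
        self._log(at, "eligible_assigned", e.principal, e.role, e.scope)

    def _find_eligibility(self, principal, role, scope):
        for e in self.eligible:
            if (e.principal, e.role, e.scope) == (principal, role, scope):
                return e
        return None

    def activate(self, principal, role, scope, now, requested,
                 justification="", mfa_passed=False):
        """Turn an eligible assignment into an active one for a bounded window."""
        e = self._find_eligibility(principal, role, scope)
        if e is None:
            self._log(now, "activate_denied", principal, role, scope, "not eligible")
            raise PermissionError(f"{principal} is not eligible for {role} on {scope}")
        if e.require_mfa and not mfa_passed:
            self._log(now, "activate_denied", principal, role, scope, "mfa not satisfied")
            raise PermissionError("MFA is required to activate this role")
        if e.require_justification and not justification.strip():
            self._log(now, "activate_denied", principal, role, scope, "no justification")
            raise ValueError("a justification is required to activate this role")
        granted = min(requested, e.max_duration)  # never exceed the policy cap
        act = Activation(principal, role, scope, now, now + granted, justification)
        self.activations.append(act)
        self._log(now, "activated", principal, role, scope,
                  f"until {act.end.isoformat()} justification={justification!r}")
        return act

    def has_role(self, principal, role, scope, at):
        """True only inside an unexpired activation window."""
        return any(a.principal == principal and a.role == role and a.scope == scope
                   and a.start <= at < a.end for a in self.activations)


# Constructed scenario: a placeholder subscription scope and a two-hour cap.
SCOPE = "/subscriptions/<SUBSCRIPTION-ID-PLACEHOLDER>/resourceGroups/rg-prod"
ROLE = "Virtual Machine Contributor"
NOW = datetime(2024, 3, 31, 9, 0, tzinfo=timezone.utc)


def build_scenario():
    pim = PimModel()
    pim.make_eligible(Eligibility("alice@contoso.example", ROLE, SCOPE,
                                  timedelta(hours=2)), NOW)
    return pim


if __name__ == "__main__":
    pim = build_scenario()
    act = pim.activate("alice@contoso.example", ROLE, SCOPE, NOW, timedelta(hours=8),
                       "Patch web01 for ticket <TICKET-PLACEHOLDER>", mfa_passed=True)
    print("active until", act.end, "| role at +3h:",
          pim.has_role("alice@contoso.example", ROLE, SCOPE, NOW + timedelta(hours=3)))
```

Two details carry the security value: the requested eight hours are clamped to the two-hour policy cap, and a denied activation is written to the audit trail just as a granted one is, so an attacker probing with a stolen credential leaves a record even when nothing was granted.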
4. Business Continuity with Azure Backup
The previous sections covered proactive steps to decrease our attack surfaces through identity protection and compute access architecture. These recommendations are effective. However, attackers seem to still find vulnerabilities that allow them to gain access. Proper due diligence within your security operations should identify and prohibit these attacks, but there are still situations where an attacker gets through. When this happens and an attacker is able to deploy ransomware, how can we restore our systems without paying millions in cryptocurrency to the attacker? Having a strong business continuity and disaster recovery plan will help.
Since a ransomware attack focuses on encrypting compute resources and data so that they become inaccessible, as a company we want to be able to recover those resources, whether they are virtual machines, containers, databases, or storage accounts. Recovery of these resources can be done within Microsoft Azure using the Azure Backup and Azure Site Recovery services.
Both Azure Backup and Azure Site Recovery are part of the Azure Recovery Vault, where virtual machine snapshots, storage backups, and database protection are all located. Azure Backup provides scheduled backups of images that are then protected within the Azure Recovery Vault. If a virtual machine is infected with ransomware, having a backup strategy allows that virtual machine to be recovered with minimal data loss. The Azure database platform services also include backup within the service to protect against data loss.
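Having scheduled backups is necessary but not sufficient: during recovery you must pick a restore point that predates the intrusion, and your retention must reach back further than the attacker's dwell time. The following is an added example (not from the article and not an Azure Backup feature) of that decision as a small helper: given the restore points a daily policy would still hold, the earliest indicator of compromise, and a safety margin for undetected dwell, it chooses the newest clean point and reports the resulting data-loss window. Dates, retention and backup hour are constructed.

```python
"""Added example: choosing the last clean restore point after a ransomware
incident, and detecting when retention is shorter than the attacker's dwell."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def daily_restore_points(now, retention_days, backup_hour=2):
    """Restore points a daily policy still holds: one per day at backup_hour (UTC),
    going back retention_days from the most recent completed backup."""
    last = now.replace(hour=backup_hour, minute=0, second=0, microsecond=0)
    if last > now:  # today's backup has not run yet
        last -= timedelta(days=1)
    return [last - timedelta(days=i) for i in range(retention_days)]


def choose_clean_restore_point(points, earliest_ioc, dwell_margin=timedelta(hours=24)):
    """Newest restore point taken before the earliest indicator of compromise,
    less a margin because the real intrusion usually predates the first IoC."""
    cutoff = earliest_ioc - dwell_margin
    clean = [p for p in points if p < cutoff]
    return max(clean) if clean else None


def recovery_summary(points, earliest_ioc, now, dwell_margin=timedelta(hours=24)):
    chosen = choose_clean_restore_point(points, earliest_ioc, dwell_margin)
    if chosen is None:
        return {"restore_point": None, "data_loss": None,
                "note": "no retained restore point predates the compromise; "
                        "retention is shorter than the attacker dwell time"}
    return {"restore_point": chosen, "data_loss": now - chosen,
            "note": "restore this point, then validate and replay changes made after it"}


# Constructed incident: 30 days of daily backups, first IoC seen on 28 March.
NOW = datetime(2024, 3, 31, 9, 0, tzinfo=UTC)
POINTS = daily_restore_points(NOW, 30)
FIRST_IOC = datetime(2024, 3, 28, 14, 30, tzinfo=UTC)

if __name__ == "__main__":
    print(recovery_summary(POINTS, FIRST_IOC, NOW))
    print(recovery_summary(POINTS, datetime(2024, 2, 20, tzinfo=UTC), NOW))
```

The second call in the usage shows the failure mode worth planning for: an intrusion older than the retention window leaves nothing clean to restore, which is the argument for longer-term retention tiers and for immutable or soft-deleted backups that the attacker cannot purge.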
5. Data protection and anonymity
The final area we will mention to protect against ransomware is data protection and anonymity of storage accounts. As stated in the previous section, one way to protect data stored in databases is to use the Azure platform services for databases rather than a virtual machine instance running the database software. For storage accounts, having proper backup and lifecycle management in place protects against data exposure. Maintaining the anonymity of data in our storage accounts by managing our own encryption keys within Azure Key Vault, and by using shared access signatures that expire when sharing data, protects against data exposure and data loss.
Protecting our identities and resources proactively is the best way to limit the possibility of becoming the victim of a ransomware attack. These five areas are only a start. A proper business continuity strategy, together with defense-in-depth security posture management and security operations that detect and respond to threats, is another way to stay out of the news.
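"Signatures that expire" is the headline property, but a shared access signature (SAS) can be weak in several other ways that show up in its query string. Here is an added example (not from the article and not Azure SDK code) of a reviewer's check over SAS URLs: it parses the documented SAS parameters (`se`, `st`, `sp`, `spr`, `ss`, `srt`, `si`, `sip`, `sig`) and flags long lifetimes, mutating permissions, plain-HTTP use and account-wide scope. The storage account name and the URLs are constructed and the signature values are placeholders.

```python
"""Added example: flag the common weaknesses in a shared access signature URL
(lifetime, permissions, protocol, scope) from its query parameters."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

UTC = timezone.utc
MUTATING = set("wdacu")  # write, delete, add, create, update permission letters


def _parse_time(value):
    """SAS times are ISO 8601 in UTC; a date-only form is also accepted by Azure."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=UTC)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS time: {value}")


def sas_params(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def audit_sas(url, now, max_lifetime=timedelta(hours=1)):
    """Return findings prefixed HIGH/MEDIUM/INFO for one SAS URL."""
    p = sas_params(url)
    findings = []
    if "sig" not in p:
        return ["INFO: not a SAS URL"]
    if "si" in p:
        findings.append("INFO: bound to a stored access policy, revocable server-side")
    if "se" not in p and "si" not in p:
        findings.append("HIGH: no expiry (se) and no stored access policy")
    elif "se" in p:
        expiry = _parse_time(p["se"])
        start = _parse_time(p["st"]) if "st" in p else now
        if expiry <= now:
            findings.append("INFO: already expired")
        elif expiry - start > max_lifetime:
            findings.append(f"HIGH: lifetime {expiry - start} exceeds {max_lifetime}")
    granted = MUTATING & set(p.get("sp", ""))
    if granted:
        findings.append(f"HIGH: grants mutating permissions {''.join(sorted(granted))}")
    # spr defaults to https,http when omitted, so absence also permits plain HTTP.
    if "http" in p.get("spr", "https,http").split(","):
        findings.append("HIGH: plain HTTP permitted (spr absent or includes http)")
    if "ss" in p or "srt" in p:  # account SAS rather than service SAS
        if set(p.get("ss", "")) >= set("bfqt") and set(p.get("srt", "")) >= set("sco"):
            findings.append("HIGH: account SAS across all services and resource types")
        else:
            findings.append("MEDIUM: account SAS; prefer a service or user-delegation SAS scoped to one resource")
    if "sip" not in p:
        findings.append("INFO: no source IP restriction (sip)")
    return findings


def high_findings(url, now, **kwargs):
    return [f for f in audit_sas(url, now, **kwargs) if f.startswith("HIGH")]


# Constructed URLs with placeholder signatures.
GOOD = ("https://stexample.blob.core.windows.net/reports/q1.pdf"
        "?sv=2022-11-02&sr=b&sp=r&st=2024-03-31T09:00:00Z&se=2024-03-31T09:30:00Z"
        "&spr=https&sip=198.51.100.0-198.51.100.255&sig=SIGNATURE-PLACEHOLDER")
BAD = ("https://stexample.blob.core.windows.net/"
       "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&se=2030-01-01"
       "&spr=https,http&sig=SIGNATURE-PLACEHOLDER")
NOW = datetime(2024, 3, 31, 9, 10, tzinfo=UTC)

if __name__ == "__main__":
    for label, url in (("good", GOOD), ("bad", BAD)):
        print(label, audit_sas(url, NOW))
```

The `BAD` URL is the shape that turns a sharing link into a ransomware foothold: account-wide, write and delete capable, valid for years, and usable over HTTP. Because a SAS signed directly with the account key cannot be revoked without rotating that key, the stored-access-policy finding is reported as a positive: it is the only form that can be revoked server-side.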
Cloudreach is a Microsoft Expert MSP that has advisory services that can help you with your security operations needs. Our Microsoft Cloud Engineers can discuss your cloud security approach and how you are structuring your security posture management and security operations.