Preventing WannaCry and Petya / NotPetya Attacks
Following the devastating WannaCry malware attack, the Petya / NotPetya wiper outbreak once again highlighted the necessity of having a proper defense in depth strategy in place. Defense in depth demands an organization use strong preventative strategies, on top of robust detection and response capabilities. This multilayer approach enables attacks to be stopped at the perimeter or quickly detected and neutralized should defenses be breached.
While LogRhythm is very good at enhancing your detection and response capabilities (as seen in a couple of recent blogs: NotPetya Technical Analysis and Detecting Petya / NotPetya Ransomware. I wanted to highlight how you can also utilize the LogRhythm Platform to support your preventative cybersecurity strategies.
Let’s look to see how the LogRhythm Platform’s powerful tool set can help you implement or validate your prevention strategy.
Validating Third-Party Software on Your Network
When it comes to security, half the battle is understanding what’s on your network. In recent attacks, the infection point has been identified as the software supply chain. If organizations had the necessary visibility into their network, a breach could have potentially been avoided.
Audit, log, and scan results ingested by the LogRhythm platform provide valuable and actionable insight to achieve enterprise-wide visibility.
For example, recently, a customer of mine was collecting daily scan results from their point-of-sale (POS) system, ingesting the data, and then displaying the results on LogRhythm WebUI dashboards. These dashboards clearly showed the risk rating of each asset at each store, including third-party applications that were required as part of the supply chain.
As the high-risk assets were patched or removed, the dashboard automatically updated to reflect the scan results. Even more, the historical information is preserved and available in the LogRhythm platform for further analysis or reporting.
Patch and Patch Some More!
This isn’t news. But even as patching is a popular control and explained wonderfully in the ASD Top 4 controls. many of today’s compromises use publicly available exploits for which a patch exists.
The LogRhythm platform can collect Windows Setup Event Logs, third-party patch-management system logs, and vulnerability scan results to show which hosts have or have not been patched.
This data can be used for data analysis and trending to understand how effective an existing patch management process is (or is not) working. This functionality can also help ensure all patches are properly rolled out to prevent future compromises.
Local or Domain Admin (DA) Permissions for That Initial Compromise
Best practice dictates that you don’t use local admin accounts for ease of use. By doing this, you can prevent many initial infection vectors. Our friends down under have some fantastic advice on how to administer least privilege.
To ensure proper privileges are applied, the LogRhythm platform can use its SmartResponse feature to run scripts to validate members of local admin groups.
The query results can be automatically delivered into the LogRhythm platform where you can build a case to evaluate if privileges are really needed. Furthermore, you can build a daily dashboard that reflect query results and provide insight into highly privileged users or into assets that need to be added to a high-risk asset list. In addition, the LogRhythm also integrates natively with Active Directory (AD) so you can search for domain admin usage relatively easily.
Figure 1: LogRhythm Search on Domain Admin Usage
Use Privileged Administrative Workstation (PAW) per Microsoft Best Practice
Malware uses privilege escalation tools to capture administrative credentials. Microsoft has established best practices and covers in detail how not to expose your network and AD to malware attempting to grab admin creds.
You can use LogRhythm to help with prevention by ensuring administrative authentication methods and processes are used. This ensures highly privileged credentials aren’t left on workstations and member servers.
Security Training Campaigns
If you are using dedicated tools for security training, you can use LogRhythm dashboards to show who has or has not performed training. You can also add users who commonly fall for security training tests to high risk user lists (PhishMe Triage, and the like).
By combining this information with other best practices and insights, you can gain some very valuable insights. For example, the LogRhythm platform can tie together discrete events, such as risky users and vulnerable assets, which need fixing by administrators. Without LogRhythm, your organization would be opened to loss of highly privileged user credentials.
Figure 2: Privileged Access Workstations Diagram (Source: Microsoft)
Stopping Lateral Movement
Blocking the execution of non-authorized admin tools can thwart some lateral movement efforts. Having a defined administrative tool process can have similar effects. The LogRhythm platform helps validate what is happening on a network around administrative tool usage.
You can use this data to ensure your prevention strategy is being honored or fine-tune as needed. While simple in concept, application whitelisting can be effective here too (there’s a reason it’s the ASD number one control
In the recent WannaCry and Petya / NotPetya attacks, tools were embedded or variant. While ensuring these tools weren’t lying around wouldn’t have solved the problem by itself, the combination of above controls would move you towards thwarting the attack.
Leveraging Microsoft Sysmon or Windows Event Collectors to Protect Workstations
Workstations are the most likely compromise point, and this is where you need to ensure you have suitable log and audit collection. By using Microsoft Sysmon or Windows Event Collectors, you can easily (and freely) collect the log and audit data needed for threat detection.
Both technologies can be easily integrated with the LogRhythm platform. This data can be then analyzed and used to validate a number of the above controls—all without collecting a mountain of log data. The NSA has published a guide on Spotting the Adversary with Windows Event Log Monitoring which is a good start if you are looking for more information.
LogRhythm helps many an organization enhance their detection and response capabilities, but the platform can also be used for prevention. Hopefully the above snippets give you some insight into how LogRhythm can support preventative cybersecurity strategies, if you’re not already doing so.