Cyber attackers disrupt your IT infrastructure, leak your sensitive information and encrypt it in extortion ransomware attacks.
How do they do it? And what can you do to stop them?
Is your door locked?
To better understand how cyber attackers launch successful ransomware attacks, let’s first follow the attack and look at the tactics, techniques, and procedures (TTPs) used in a typical ransomware attack playbook.
From the beginning of the attack chain to the end, attackers exploit weaknesses in people, policies and security controls.
Privilege Elevation and Delegation Management (PEDM) can prevent, detect or contain incidents at many points in that chain before they become breaches. But a band-aid approach to Privileged Access Management (PAM) does not work: every step of the attack chain needs to be covered. For this blog, we are going to focus on the first link in the chain.
The Attack Chain
A ransomware attack chain begins on the left side of the chain, at the “front door”, where cyber attackers establish their first foothold. From this foothold, attackers can infiltrate deep into your network and systems, disrupting your business.
Your staff’s workstations and local accounts represent the largest attack surface for this initial entry. The SANS organization says that 85% of reported cyberattacks start from a compromised endpoint. Lost and stolen laptops have become commonplace, despite the global pandemic and reduced travel.
User endpoints, spread across your operations, provide multiple entry points. Third-party contractors with their own hardware, outsourced services, or VPN access to your systems add further entry points to your IT systems. We use VPNs to access applications and servers remotely. Developers use APIs and CLIs to access the administrative plane of our business applications and retrieve important data. Criminals continue to exploit these weak points, especially with remote work over home Wi-Fi networks that are less secure than office LANs.
As users, we are both gatekeepers and weak links. We need to train users to detect social engineering such as phishing attacks. Even with good security awareness training in place, we cannot always be on the alert. Users need to be trained not to click on phishing links, and that training needs to be backed by a clear process for when someone does click one by accident. When we make a mistake, a supportive environment encourages prompt reporting rather than embarrassment or blame.
MVP Endpoint PAM Capability
So what can we do at the endpoint level to prevent, detect and contain attacks that get past our primary defenses? The core endpoint PAM capabilities are shown in the figure above. Let’s use the rest of this blog to review these capabilities.
Manage and Vault Local Administrator Accounts
Use endpoint PAM to discover local accounts, applications, and processes associated with accounts belonging to a Windows domain or a single workstation. This is the basis for establishing access control policies and enforcing least privilege.
Attackers prioritize account takeover (ATO) to own user workstations. Phishing a regular workstation user account gets a foot in the door, but if the user is logged in as a local admin, the attacker hits pay dirt, inheriting full rights. Take local privileged accounts out of regular circulation by vaulting them for emergency access only.
Enable scheduled password rotation and strong password complexity requirements to improve resistance to brute-force cracking. Ensure common privileged accounts on workstations, such as the local “Administrator” account, have unique passwords on every machine. This prevents attackers from reusing a compromised password to gain access to other systems.
TIP: Look for a standalone endpoint PEDM solution that has all these features built in, so you don’t need a dedicated vault. If you need a more robust vault later on, make sure your endpoint PAM vendor can provide one and that the two products integrate well.
With privileged accounts vaulted, users log in with the minimum required privileges. PAM policies may allow applications to be elevated on demand, or require users to submit a request with a justification, based on agreed functionality. If allowed, the application runs with elevated privileges one or more times during a time window that expires, preventing unauthorized reuse. This reduces risk because PAM elevates the application process, not the user session. PAM automatically removes the elevated permissions when the application exits.
NOTE: The PEDM solution must support just-in-time (JIT) elevation. Look for advanced settings that can replace the Microsoft User Account Control (UAC) credential prompt with custom actions such as asking for a justification, requesting approval for a task, and allowing help-desk administrators to supply their own credentials during a support session.
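The JIT elevation model described above, as an added example (not code from the original post or from any PEDM vendor): a grant bound to one user and one application image, carrying a justification, an expiry and a launch count, so that the application is elevated rather than the user’s session. The class name `JitElevationPolicy`, the sample paths and the times are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of a PEDM just-in-time elevation grant (hypothetical, not
# a vendor's API): bound to one user and one application image, valid for a
# time window and a fixed number of launches. Only the named application runs
# elevated; nothing else in the user's session inherits the rights.

@dataclass
class ElevationGrant:
    user: str
    image: str            # full path of the executable that may be elevated
    reason: str           # justification captured instead of a UAC prompt
    approved_by: str      # help-desk or policy identity that approved it
    expires_at: datetime
    launches_left: int
    active_pids: set = field(default_factory=set)

class JitElevationPolicy:
    """Issues and checks grants; stands in for the PEDM agent's policy store."""
    def __init__(self):
        self.grants = {}

    def request(self, user, image, reason, approved_by, now, minutes=30, launches=1):
        if not reason.strip():
            raise ValueError("justification required")
        g = ElevationGrant(user, image.lower(), reason, approved_by,
                           now + timedelta(minutes=minutes), launches)
        self.grants[(user, image.lower())] = g
        return g

    def on_launch(self, user, image, pid, now):
        """Called when the agent sees a process start. True means run it
        elevated; False means it runs with the standard user's rights."""
        g = self.grants.get((user, image.lower()))
        if g is None or now >= g.expires_at or g.launches_left <= 0:
            return False
        g.launches_left -= 1
        g.active_pids.add(pid)
        return True

    def on_exit(self, user, image, pid):
        """Elevation ends with the process; drop the grant once it is used up."""
        g = self.grants.get((user, image.lower()))
        if g is None:
            return
        g.active_pids.discard(pid)
        if g.launches_left == 0 and not g.active_pids:
            del self.grants[(user, image.lower())]

    def has_grant(self, user, image):
        return (user, image.lower()) in self.grants
```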
Privileged Group Membership
Membership in a privileged group, such as the local Administrators group, gives the user more privileges. Threat actors who complete an account takeover (ATO) also inherit these rights and monetize them.
Recommendation: Look for a PEDM solution that removes standing privileges and monitors membership of local groups. If unapproved additions or removals occur, the PAM solution should revert them automatically to restore compliance with policy. Policies should be managed centrally and enforced on every endpoint, avoiding gaps in security and management control.
Organizations are transforming their businesses, with IT infrastructure split between on-premises and the cloud.
Recommendation: Modern endpoint PEDM solutions should offer customers the choice of SaaS or self-hosted deployment, and should support the same features in both, so that organizations that use both, or switch from one to the other, are treated equally.
Ransomware is at the core of our discussion, so let’s take a closer look. Ransomware follows a common set of Tactics, Techniques and Procedures (TTPs), including escalating privileges, downloading tools, moving laterally between systems, and encrypting or destroying files on disk. PAM can be effective in preventing the spread of ransomware and containing it to the machine where it landed.
RECOMMENDED: Make sure your PEDM solution supports the following features:
Least Privilege
- Least privilege not only limits what malware running as the user can do, it also protects the user.
- Prevent abuse of legitimate native tools (“living off the land”) to hide malicious activity.
- Block common persistence mechanisms used to establish a foothold, such as services, scheduled tasks, and registry keys.
- Prevent deletion of Volume Shadow Copies (disk snapshots used for backup), which ransomware performs before the encryption step.
- Prevent disabling of native security software such as AV, EDR and firewalls.
- Stop ransomware from tampering with system files and installing software.
- Limit exposure of password hashes, since administrators no longer need to log in to privileged accounts on workstations.
Authorized Applications
Ensure that only authorized applications can run, blocking everything else, including the tools that ransomware operators bring with them.
During ransomware attacks, we will encounter unknown applications that no PAM rule covers. Integrating policy with third-party malware sample databases such as Cylance and VirusTotal allows PAM to incorporate reputation scores into its policy engine, automatically blocking execution in real time.
Office Child Processes and File Access
Malware frequently works by spawning other applications or child processes. For example, Excel or Word files may contain malicious code that attempts to launch CMD or PowerShell commands. Block ransomware by controlling which applications can access certain files, and prevent malware from deleting or encrypting them. For example, only allow excel.exe to access .xls files and word.exe to access .docx files.
Catch-All Policy
Anything not expressly covered by an Allow, Elevate Privilege, or Deny policy falls through to the catch-all policy, for example new ransomware not covered by existing PAM rules.
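An added example (not the original post’s code or any vendor’s policy format) of how the Allow, Elevate, Deny and catch-all decisions above combine with the Office child-process rule, the file-type ownership rule and a reputation lookup. The rule tables, the reputation feed and the sample hash are constructed; `winword.exe` is used because that is the actual executable name of Word.

```python
import os

# Constructed endpoint PAM policy engine (hypothetical, not a vendor's format).
# A process-launch event is checked against deny rules, a reputation feed, an
# elevate list and an allow list in that order; anything left over hits the
# catch-all DENY, which is what stops a freshly dropped ransomware binary.
ALLOW, ELEVATE, DENY = "allow", "elevate", "deny"

OFFICE_APPS = {"excel.exe", "winword.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
ALLOWED_IMAGES = {"excel.exe", "winword.exe", "chrome.exe", "cmd.exe"}
ELEVATE_IMAGES = {"printer_setup.exe"}        # approved for JIT elevation
FILE_TYPE_OWNERS = {".xls": {"excel.exe"}, ".docx": {"winword.exe"}}
# Constructed reputation feed standing in for a VirusTotal/Cylance lookup:
# hash -> malicious score in [0, 1]. The hash value is a placeholder.
REPUTATION = {"sha256:PLACEHOLDER_KNOWN_BAD": 0.97}
BLOCK_SCORE = 0.8

def evaluate_launch(ev):
    """ev: dict with 'image', 'parent' and optional 'hash'. Returns (decision, reason)."""
    image, parent = ev["image"].lower(), ev["parent"].lower()
    # 1. Deny rules first: an Office app spawning a shell is the macro pattern.
    if parent in OFFICE_APPS and image in SHELLS:
        return DENY, f"{parent} tried to spawn {image}"
    # 2. Reputation score from the third-party feed, if the hash is known.
    score = REPUTATION.get(ev.get("hash"), 0.0)
    if score >= BLOCK_SCORE:
        return DENY, f"reputation score {score}"
    # 3. Elevate list, then allow list.
    if image in ELEVATE_IMAGES:
        return ELEVATE, "approved for on-demand elevation"
    if image in ALLOWED_IMAGES:
        return ALLOW, "on the allow list"
    # 4. Catch-all: nothing above matched, so the unknown binary does not run.
    return DENY, "catch-all: not covered by any policy"

def evaluate_file_access(image, path):
    """Only the owning application may touch a protected file type."""
    ext = os.path.splitext(path)[1].lower()
    owners = FILE_TYPE_OWNERS.get(ext)
    if owners is None:
        return ALLOW, "unprotected file type"
    if image.lower() in owners:
        return ALLOW, f"{image} owns {ext}"
    return DENY, f"{image} may not access {ext} files"
```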
I have come to the end of this blog. I hope you have gained some insight to help you better understand and appreciate the importance of protecting your endpoints with PEDM.