It's a pleasure to be here, and I'm really excited to actually be here in person. It's been a while since I've traveled. So I think, at this conference, you've been learning about things that you should be doing, things that you need to be implementing in order to become more resilient, to do more automation, to make the user experience better. But I want to bring it back to reality. I want to provide you a bit of knowledge and lessons learned about why you should be doing it: what the reasons are that you should be implementing those solutions, and resiliency, and automation.
So I've been given permission. I get involved a lot in incident response and digital forensics over my career, and not many organizations give permission to talk about it. They don't like to talk about their failures. They don't like to talk about when they became a victim, but fortunately I've been given permission to do this talk, to take you through the journey of a real-world ransomware case. So my name is Joseph Carson, and I'm the chief security scientist at ..., based in Tallinn, Estonia. And I want to take you through that journey because I think it's important that you learn the lessons.
You'll learn what happened. You'll learn the techniques that attackers use, and I'm going to take you through two perspectives. The first perspective is from an incident responder, when bad things happen. And in the second perspective I'm going to take you through the mind of an attacker and take you through the exact techniques which are used in almost all ransomware cases. It's almost a replica footprint in every single case; just the ransomware variant might be different. This particular incident comes down to the CryLock version. So CryLock is a ransomware
that's been around for a number of years. The former version, the 1.0 version, was known as Cry. This is version 2.0, which actually started in the wild about midsummer, mid-year last year, especially when a lot of people were working remotely. And for organizations, you might find this yourself. All of a sudden, you come into the workplace, you open up your laptop, you start to log in, and you're typically faced with a policy, a login prompt saying your organization has become the victim of ransomware. You log in, and this is what you see on your desktop. It might be your employees,
it might be your third parties. You might hear it from external resources; you might hear it from law enforcement. But ultimately you're going to see something like this on your screen. And when you see this, it means really, really bad news. And it means that you must act fast. You must be prepared. You have a lot of questions that you need to get answered.
You want to know how long this attack has been going on for. Typically, in this case, the attackers had access for almost 20 days, but the initial access, the credentials that were compromised, were actually compromised seven months prior to the attack, and were likely sold on the dark net to the next set of criminals, who then used and abused them.
So, seven months from that initial credential being compromised, to 20 days of dwell time where the attackers gained access and basically did their enumeration, their lateral moves, their elevations, stealing data, and then deploying a nasty ransomware. You'll have a question about what systems have been impacted. Did they have access to your domain administrators? Because that can really tell you about the impact and the damage that you're potentially facing. What data did they steal? What techniques did they use? What backdoors have they left behind?
So creating this footprint is one of the most difficult things to do in incident response. And it means that when you're going through this, what evidence is remaining? Because the attackers typically delete their history; they clean their tracks. So you have very little understanding about what happened. I use a metaphor as an incident responder: when you're dealing with criminals who have deleted their footprints, it's almost like you have a 200-piece jigsaw puzzle that was originally 10,000 pieces. And you're now trying to figure out what that bigger picture is with only 200 pieces remaining.
It's a very difficult thing to do. And you have to go and answer: what was the attack path? What staging systems were used, what tools were used, how they gained access, what accounts have been compromised. So it's really important that you have an incident response plan.
And when I say a response plan, I mean you also must be response ready. Those are two different things. Having a plan is one thing, but being incident response ready is another thing. That means you must test it. You must have agreements up front. You must have retainers with experts who come in and do disk imaging, create your super timelines, help you do the remediation, help you actually recover data. So it's really important that you not just have a plan. It's great to have a plan sitting in your drawer, but when you need to use it, you must be ready.
That means you must test it. You must practice it. You must go through workshops to make sure that your skills are actually up to date and fresh, and when you're ready to use them, you know how to do it. So the incident response plan is critical, and it means that the incident response plan is not just about clicking through: okay, it worked. The incident response plan is not just about going through and having a security response. It's a 360 response, because when you become a victim of ransomware, it means that your entire organization is going to be impacted.
It means that you have to have ownership and leadership. Who's going to be responsible for communication? Who from HR is going to be responding to employees' questions, because it might actually involve their sensitive data that might be stolen? Who from legal is going to tell you what regulations or compliance you need to report to, whether it be the data protection authority, whether it be reporting to law enforcement? They need to tell you what your legal ramifications might be. You might actually have to communicate with the ransomware gang itself.
Your services might completely come to a standstill. So it's really important to understand what your impact is, and this means that incident response is not a security response. It's not an IT response. It's an organization response. The incident response plan for these should actually come under life safety in the organization. It means that the entire organization must work together across multiple departments to actually get back to operations again. So it's great to have a checklist and it's great to go through and be ready.
But when you're facing this, when you do become a victim, and when you do become a victim of ransomware, it's not a matter of if, it's a matter of when, the question is: how ready are you to respond? How quickly can you get back? How resilient is your organization? And it means that a ransomware victim typically has three responses. When you do see that ransomware prompt coming up, you're either going to restore from a backup, and I do hope you have some segregated backup, that you're not using the same backup in your production systems on the same flat network,
and it's online, because in this particular incident, they did have backups. They did have online backups, and those backups were well encrypted, just like the production systems. So it's important to make sure you have segmentation, that your backups are not using the same credentials, that they're not on the same flat network, and you actually get into sometimes even having offline backups or segregated backups that are on completely different networks. If you don't have a backup, or your backup is encrypted,
then you're faced with a second option, going down the criminal payment option, which I highly recommend not doing, because there's no guarantee of recovery, and what you're doing is making my job more difficult in the future. The third option is you do nothing and rebuild from scratch, which many organizations have done. That particular organization in this incident actually had a year-old migration system that, fortunately, was still available.
So they had a machine that was recoverable from a year ago, but it meant that they had to go through and scrape disks and USB drives and paper receipts and paper information to recreate that one year of lost digital data. That's the impact. I've even seen individuals who have lost their digital life from ransomware, their complete family pictures, pictures of their parents or grandparents, that is unrecoverable. So this has deep impacts, not just on the individuals, but on the organizations.
There is a fourth option that I don't list here, because it's not one that's guaranteed: you might get security researchers like myself who find weaknesses in the encryption techniques that are used, and therefore you might sometimes find a way around it, or a key that can recover the data. But it's not guaranteed in all variants of ransomware.
So you're typically faced with a big question, and if it is still an ongoing, active ransomware attack, the question is: how do you ensure that the attackers don't have access to your systems now? For on-premise environments, it's typically a little bit easier. You just run to the internet router and you unplug it. And that's what we actually had to do in this case. We actually unplugged the internet connection for the organization and isolated
the network. Now for cloud systems it is a little bit more difficult. Fortunately, the cloud systems were not impacted in this particular incident. So it meant that their cloud systems could actually continue. And that's always a great use case for having a hybrid environment: sometimes, if you do become a victim, you have additional services that remain available and operable, and therefore you can continue providing some services. So it's always good to diversify and de-risk as much as possible, but you'll be faced with these decisions. Can you move back to manual operations?
Can you unplug from the internet? Can you regain control of your systems? Do the attackers still have access? And one of the more important things, once you do become a victim, is to find that encryptor. It's important to know what you're dealing with, because a lot of encryptors have different capabilities and features and functionalities that they actually do. So it's really important to find one of those machines that's impacted or infected, and find it. You typically find it in the temporary folder locations or the Downloads folders.
You might find it in email locations, but finding that encryptor is incredibly important to how you respond to the incident. And when you do get the encryptor, one of the first things I tend to do is run it in a dynamic analysis. I'll also do static analysis. I'll also look at Joe Sandbox for potentially similar variants. Joe Sandbox is great because it will actually simulate the ransomware running in a system, and it will tell you things like: does it have command and control? Does it steal credentials? Does it leave backdoors? Does it laterally move across the network?
It gives you a better understanding about potentially what you're dealing with and how you respond to it. So it's really important to get a good understanding about what it is that you're dealing with, so tools like this are really helpful. You also want to get an understanding about: is this known? Is this a new variant, or is this something that's actually known in the public domain? Have other organizations become victims and uploaded samples?
And in this actual incident, when we tested against VirusTotal, only three antivirus software vendors detected it. Three. So even if you were running AV in your environment, for this particular variant of CryLock, it wouldn't have prevented it. You would still have become a victim if you weren't running one of those three antivirus products, out of the 60 or 70 that were not detecting it. So it's really important to actually understand: would your defenses have prevented it in the first place? The next important part is following the attackers' footprints.
This tends to be my job. And I thought, rather than actually just going through entire slides, I would give you a real demonstration using machines and actually showing you the real scripts, the real techniques and tools that the attackers used. So I'm going to switch over to my demo machine here. I'm going to try and make sure, since you might have some technical people and some non-technical people, that it's educational for everybody. So let's move into the demo and take you through the walkthrough. So I'm now going to sit down.
I'm going to put on the attacker's hat and I'm going to play the role of the attacker in this environment. So switching over to my virtual machines, I've got a bunch of machines running here. So just for simplicity, I'm using Kali, which is basically a penetration testing tool set. I've also got a victim machine, and this is running Windows 10, latest version. And then I've got a domain controller.
So I'm going to take the scenario of walking through and actually compromising that Windows 10 machine, doing further enumeration and elevating up to getting full domain rights, and then showing you how easy it is for the attacker to gain access. Now, the initial access: we don't know to date how the credentials got compromised. We just know that there was an RDP-facing server on the public domain that enabled an accountant in a different country to access financial information, to do business.
And of course, as the pandemic started last year, many organizations quickly needed to keep operations going. They needed to keep employees productive, and people were working remotely. So in order to enable organizations to stay productive, many of them opened up Remote Desktop Protocol to the public domain. So for the first instance of this access, we knew that credentials had been compromised. We don't know how they got the credentials, but there are several options that were potential.
One option that I'm showing here is potentially that the hash was compromised, either from a previous data breach, and it was a reused credential. And this is actually showing you the NTLM hash of a machine, and simply running hashcat against this hash will actually find the clear-text password. The reason for this is, of course, when we leave humans to make decisions about passwords, we are not the greatest at making passwords. If you leave it to your employees to make those decisions, you're actually creating a risk for your organization. So that's one of the major areas.
Another method, of course, is using things like Responder, and Responder allows you to get the network hash. And again, going down to allowing humans to make decisions about passwords allows you to simply use tools like hashcat to be able to get the clear-text password. So one of the areas, of course, is reusing, or actually having humans create, passwords; it means that organizations tend to be at risk from those human-created passwords, because we tend to create, by default, passwords we can remember, and therefore they are weak.
The next possibility, also because it was an RDP-facing server on the internet, is the potential of a brute-force attack: not just from a previous compromise or through a phishing campaign, but that it was actually a brute-force attack against the RDP. So in this case, I'm using Crowbar, and the -b is actually for, I want to do a brute force against RDP. This is the target system. I've already done enumeration to simplify the brute force by finding out who the user is.
And then I'm passing a password list, or word list. Simply by running this, it's now basically attempting an RDP brute force against the server. And eventually, once it finds the successful credential, it actually shows me that it was successful, and this is the password for that user. When you make a server publicly facing, within 30 seconds scanners are detecting what services you're making available. And if you're not adding additional security controls in place, we're making it easy for attackers to be successful, just like in this case. So now the attacker has a credential, a valid credential.
So now they can go and simply RDP. For simple purposes, I'm just going to go directly to the virtual machine and log in with the credential that we've compromised. So I'm the attacker now logging in with authorized, authentic credentials, so a user whose credentials have basically been compromised. So I'm now under disguise as an employee. And one of the first things an attacker's going to do is find out: well, what privileges do I have on this local machine?
So the first thing they're going to do is something like whoami /priv; they're going to do hostname, they'll do ipconfig, and also do net localgroup. And by doing that, net localgroup will actually tell me what privileges I have on this local machine. And unfortunately, many organizations still today give their employees local administrator rights. And that is one of the biggest mistakes.
I can't emphasize enough how critical it is: if you still are giving employees local administrator rights, it's two steps away from the attacker elevating up to full domain rights. Two steps. So you have to be aware of how sensitive and how high risk local admin accounts are. And we sometimes have that assumption:
well, it says local, it's only on the machine, how harmful can it be? If they get it, they can only do damage on that machine. Incorrect. If they get local administrator rights, they can do damage to your entire network. So to show you how that happens, I'll take you through a few scenarios. Another thing that was common, and in this incident, on the desktop there was a file named "important stuff", and the attacker sees it and they open it up, and what's in that "important stuff"? Credentials in clear text.
So another common mistake that employees make is that they want to make it easier for themselves. And if we don't provide ways for them to help manage their environment and manage themselves, they will revert to these techniques. So they actually had SQL credentials in a clear-text password file on the desktop. What other mistakes do employees make? What do our browsers ask for every time you log into a system? What do they say? Give me your passwords. Would you like to store your passwords in the browser, make your life much easier?
And it also makes the attacker's life much easier as well, because they simply go to passwords. And I really like security by design, but I also like security by default. And unfortunately, browsers do not do security by default, and it means that the default is that security is turned off. So when the attacker basically goes to the browser to look in the passwords, they'll start finding a lot of saved passwords in the browser. This is no better than putting a clear-text password on the desktop. It's just a different location; it's the same thing.
But yeah, that makes the employee's life a little bit easier, but it means that they can simply go and find out now the email password of the employee. They can find out cloud applications, other passwords that are saved for accessing SaaS-based applications, which now gives the attacker even further reach into the organization's infrastructure, simply because, while we still do security by design, when we're not doing security by default, we're at risk. And this is another mistake that we tend to sometimes forget and assume.
The next thing that I'll do, so now I've got an understanding that I'm a local administrator, before I start doing really bad stuff, what I tend to do is I'll go to my cloud environment and I'll download a little bunch of scripts. And these are some of the scripts that I actually download. The first one's a clean script. Then I've got a disable security script. Then I've got a find password script. The downloader downloads my malicious tools. Launch attack deploys: either I can choose a staging machine,
I want to create a staging machine over here, or I want to deploy the ransomware. I want to create a new user for persistence, or open up RDP, or create sticky keys backdoors, so that if ever the user changes their password, then I still have a backdoor to the system. These are the real scripts that were used in the attack, just to show you what's in those scripts, in the automation. So simply because I'm a local administrator, I can actually go and disable security on the system.
I can disable all the security. I can go and disable basically any scans, any services that are monitoring. And when I do that, I can do further malicious activity. The next thing I'll do is basically run find passwords, to see if there are passwords in the registry, in the file system. I might create a new user in case the user changes their password. So I'll go and create something that allows me to create a backdoor.
When I disable the security, the next phase then launches. I will then go and do my downloader, and the downloader will then go up into the cloud, pull down another package that will allow me to then do malicious activity. So I'm still a local administrator at this point. When I'm done, I've done enumeration, I might go and run other tools such as WinPEAS, which is Windows Privilege Escalation Awesome Scripts. And what this will look for is other potential weaknesses to allow me to elevate privileges.
While that's running, one of the other techniques I'll go for is, now that security's disabled, I'll go in and download Mimikatz, because now the system's not looking for it, it's not scanning. When I download Mimikatz, the next phase is I want to elevate privileges. I'm still local administrator. I want to get full privileges so I can cause as much damage to the environment as possible and laterally move. So we'll go ahead and run
the enable-creds script. Enable creds: in Windows Server 2012 SP1, they made a change so that passwords would not be stored in clear text in memory, but with a simple registry change, as a local administrator, I can revert that back to turned on. So I go and enable that registry key back. Then I go and run a script, which is dump the credentials, and it will actually then go and pull the passwords in clear text, or get the hash. So after running Mimikatz, what I can start seeing is who's basically been interacting with this system, but my goal is to get the domain administrator.
I still want to elevate up to the full rights, but when I enable this, the administrator hasn't logged in since. So it only happens post that registry change. So what the attacker will then do, while I still want the administrator, is that the sessions typically last somewhere between 30 minutes to two hours, no more. I will then go back in. I will go to my automation and I will run the clean script, deleting all traces of my activity. I will re-enable security. I will log off, go play some games, do more hacking in other companies, whatever it might be.
Come back two days later and then redo that same process. Go back, run the enumeration, run the disable security, go back, run the credential command. And eventually maybe I get a domain credential, or not. If you don't the second time, what the attackers will then do is cause some problems on this system: go and delete a few files, cause an error message, maybe try to get some memory leaks, clean up their scripts, go away, in the hope that your help desk workers, or domain administrators, see that there's a problem on the system. They will log in, fix it, and log off.
And your domain administrators, they like to use their domain account everywhere, on all systems. And eventually, after a few tries and those techniques, the attacker will go through, and after running this numerous times, they will ultimately find that here is the clear-text password of the domain admin account. When this happens, the next thing they'll do is go back and they'll actually do scanning and enumeration. So we'll go and run a scanner. We'll find out where all your backup servers are, and we like to name servers by their functionality.
So your backup server's probably called backup. Your SQL server's probably called SQL, your CRM probably CRM, ERP is ERP. We like to name things by what they do. And therefore, sometimes we make it easy for the scanning enumeration. So once the attackers have got the credentials for the domain controller, the next thing they'll do is use tools like this, which is a network scanner. These are legitimate tools, which are used for good. So sometimes it's really hard to detect legitimate tools that are being used maliciously. Here in this tool, I've actually set up a lot of automation.
So here I can use PsExec to create a malicious user. So simply by running this, I have the domain controller credential. I can go and enter the administrator account in here, and the password that we got from Mimikatz because of the local admin rights. Now it's going to go to the domain controller, create me a backdoor user that will allow me to then log into the domain controller. And the next thing that they'll do, now that we've got domain controller access, is they will go and log in directly from that compromised machine. And now they have full domain administrator access.
They will then go and choose targeted initial staging systems to actually put the ransomware on. And it's actually only at this point that they decide, hmm, which ransomware variant will I use? Because they probably have a bunch of them. And they'll be looking for which antivirus software, which anti-malware protection you have, and they will choose the one that yours is not detecting. And at that stage, once domain admin credentials have been accessed, you're literally talking about hours before the ransomware's deployed. Hours.
And these are simply the real techniques of getting access. This is why identity and access management is so critical. This is why a lot of the things we're talking about over this event are to prevent these types of simple things from happening, to give you a chance at protecting your organizations. So moving back, just a quick recap here: understanding the attacker path and the footprint is really giving an understanding about what techniques they use. And that's my job: to find out those techniques. And ultimately, to give you that recap.
If you are giving local administrator access, they can disable security, everything you put in place. We need to stop giving local administrator access to employees. We need to move to real-time elevation, on-demand elevation, not having persistent privileges. We need to move to where it's actually privileges on demand, in real time. When we look at persistent backdoors, you need to be threat hunting. You need to be looking for the attackers.
There were so many events, error messages and logs that, if you had been looking, would've given the defenders a chance at knowing something bad was going to happen. You need to be looking for this. You need to be actually running and scanning the environment for when things like sticky keys are creating backdoors: when you go to the login prompt and you click on the utility helper, and all of a sudden you've got a command prompt. You've got to be looking for those; you should be scanning and inventorying your environment for those backdoors.
You should also be looking for whenever your security has been disabled for maybe two hours on a machine. All of a sudden it had a bunch of errors, the agent wasn't running, or there was actually a period of time where security was not running on that system. That's suspicious. Just because it came back on doesn't mean it was just an anomaly, or that the machine was offline, or something happened. Start investigating it, isolate it, understand. Maybe there were actually backdoors or configuration changes that were made during that time. Just because it was offline and came back online doesn't mean everything is okay. You need to investigate it.
Also, the lateral moves. There are a lot of tools out there which have good purposes but can also be used by malicious actors as well. So it's really important to understand about putting controls, things like application control, around these, so that they can only run at certain times of the day, during business hours. And when one is being run outside of hours, you can do more approvals or workflows, or actually automation around those, getting into automation as well, understanding what tools are being used in your environment and limiting some of those as well.
And the next thing is: what can we do to reduce these risks? And I say that it's important that you get back to basics. Get the basics right.
My job, while I'm a cybersecurity professional, I realize that my job is all about reducing risk. It's about listening to you and understanding what your business risks are and what I can do to help reduce those risks. My job is to make the attacker's job as difficult as possible. My job is to force them to take more risks. My job is to force them to make more noise. The more noise they make during their attack techniques, the more chance you have at detecting them before they deploy the malicious ransomware or steal your data.
It's to give us a chance at stopping it early enough. So some of my top tips to help you get started and go on this journey: good
education, awareness, and knowledge. Hopefully this is a step in the right direction, to give you some of those understandings, to give you some of the techniques that attackers use, so you know what things you can put in place to make those more difficult. And please have a solid backup and recovery plan, and a tested one as well. I don't want to have to go into organizations and see that their backups are also encrypted. The principle of least privilege: do not use domain administrators freely and easily; use them with caution.
When you do use them, rotate their credentials afterwards. Have strong privileged access management; help move passwords into the background, so your employees don't need to make those password choices. Application control: make sure that even authenticated, known-good applications are being used for legitimate purposes, and have good auditability in place, and logs. Please collect logs, and correlate them and archive them, to make my job easier as well. And lastly, stay patched and updated. Security's not a checkbox. Security is a lifestyle; there's no end goal in security.
One of the best, Brian Meister from Yahoo, said it best yesterday: it's a choice of the way that you want to operate. It's not just doing it for the sake of compliance and regulatory needs. It's a lifestyle choice of how your organization wants to operate, to reduce the risk, to become more resilient, to make sure that you don't become the next victim. That's what security is. And my job is here to help you. So hopefully this has been educational. I don't know, we're one minute over, and I apologize.
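As a defender-side companion to the recap in the talk, the following is an added hunting example; it is not the speaker's code and not any script from the incident. It scans a batch of constructed endpoint telemetry events for three of the traces the talk tells you to look for: the sticky keys / utility helper backdoor (an Image File Execution Options Debugger value pointing an accessibility binary at another program), the registry change that brings clear-text passwords back into memory (the WDigest UseLogonCredential value), and a multi-hour window in which the security service was stopped and later quietly started again. The registry paths and the service name WinDefend come from general Windows knowledge rather than from the talk; the event shape, the hostnames and all timestamps are assumptions made for the example.

```python
"""Added hunting example (not the speaker's scripts or tooling): scan endpoint
telemetry for three post-compromise traces described in the talk:
  * an accessibility-binary ("sticky keys") backdoor set via an IFEO Debugger value,
  * the WDigest registry revert that makes clear-text passwords reappear in memory,
  * a window during which the endpoint security service was stopped, then restarted.
All events below are constructed sample data, not logs from the incident."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    host: str
    kind: str        # "registry_set", "service_stopped" or "service_started"
    key: str = ""    # registry value path for registry_set, service name otherwise
    value: str = ""  # new registry data for registry_set


# Well-known Windows registry locations (general Windows knowledge, not from the talk).
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WDIGEST_FLAG = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
# Accessibility helpers reachable from the logon screen; a Debugger value for any of
# them makes Windows launch the named program instead of the helper.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}


def find_ifeo_backdoors(events):
    """Return (host, binary, debugger) for IFEO Debugger values on accessibility binaries."""
    hits = []
    for e in events:
        if e.kind != "registry_set":
            continue
        parts = e.key.split("\\")
        # Expected shape: <IFEO>\<binary>\Debugger
        if len(parts) < 3 or parts[-1].lower() != "debugger":
            continue
        binary = parts[-2].lower()
        if "\\".join(parts[:-2]).lower() == IFEO.lower() and binary in ACCESSIBILITY_BINARIES:
            hits.append((e.host, binary, e.value))
    return hits


def find_wdigest_enable(events):
    """Return (host, ISO time) whenever UseLogonCredential is set to 1."""
    return [(e.host, e.time.isoformat())
            for e in events
            if e.kind == "registry_set"
            and e.key.lower() == WDIGEST_FLAG.lower()
            and e.value.strip() == "1"]


def find_security_gaps(events, service="WinDefend", min_minutes=10):
    """Pair each stop of the security service with the next start on the same host.
    Returns (host, minutes) for every outage of at least min_minutes and
    (host, None) for a stop never followed by a start. Short restarts, such as
    product updates, fall below the threshold and are ignored."""
    gaps, stopped_at = [], {}
    for e in sorted(events, key=lambda ev: ev.time):
        if e.key != service:
            continue
        if e.kind == "service_stopped":
            stopped_at[e.host] = e.time
        elif e.kind == "service_started" and e.host in stopped_at:
            minutes = int((e.time - stopped_at.pop(e.host)).total_seconds() // 60)
            if minutes >= min_minutes:
                gaps.append((e.host, minutes))
    gaps.extend((host, None) for host in stopped_at)
    return gaps


# Constructed sample telemetry: one workstation shows the full pattern; a second shows
# benign noise (a 40-second restart and an IFEO entry on a non-accessibility binary).
T0 = datetime(2021, 6, 1, 22, 0)
SAMPLE_EVENTS = [
    Event(T0, "WS-ACCT-07", "service_stopped", "WinDefend"),
    Event(T0 + timedelta(minutes=3), "WS-ACCT-07", "registry_set", WDIGEST_FLAG, "1"),
    Event(T0 + timedelta(minutes=5), "WS-ACCT-07", "registry_set",
          IFEO + r"\sethc.exe\Debugger", r"C:\Windows\System32\cmd.exe"),
    Event(T0 + timedelta(minutes=110), "WS-ACCT-07", "service_started", "WinDefend"),
    Event(T0 + timedelta(days=1), "WS-HR-02", "service_stopped", "WinDefend"),
    Event(T0 + timedelta(days=1, seconds=40), "WS-HR-02", "service_started", "WinDefend"),
    Event(T0 + timedelta(days=1, hours=2), "WS-HR-02", "registry_set",
          IFEO + r"\notepad.exe\Debugger", r"C:\tools\dbg.exe"),
]


def hunt(events):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "ifeo_backdoors": find_ifeo_backdoors(events),
        "wdigest_enabled": find_wdigest_enable(events),
        "security_gaps": find_security_gaps(events),
    }


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

In a real environment the Event records would be fed from registry-set and service-control events exported from the endpoint agent or SIEM; the point of the three checks is that each of them fires on the workstation where the talk's sequence (security off, credential cache re-enabled, backdoor planted, security back on) occurred, while the second host's routine restart and unrelated debugger entry produce no findings.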