Akamai Ransomware Threat Report, H1 2022

Table of Contents

- Highlights
- The global effects of Conti
- Global attack trends
- Industry and vertical trends
- Revenue trends
- Understanding the attacker's toolkit
  - The kill chain
  - The RaaS attacker's cookbook
  - Network propagation goals
  - A step-by-step guide to network dominance
  - The toolset
    - Initial access
    - Lateral movement
    - Persistency and backdoors
    - Credential harvesting
- Mitigation
  - Resisting Conti's favored initial infection vectors
  - Expected penetration
  - Detect and cut threat actors' lateral movement
    - Segmentation is key
    - Preventing lateral movement with protocol-restricting rules
  - Protecting backups
  - Segment critical data services
  - Detailed response plans

Highlights

In recent years, ransomware has become ubiquitous with cybersecurity attacks, costing more than US$20 billion globally in damages in 2021. The advent of high-profile ransomware attacks, starting with 2017's WannaCry global attack, has significantly elevated ransomware awareness. Recent years have seen ransomware attackers strike at schools, government, healthcare, and infrastructure, among other targets. This report will focus on the organizations that execute these attacks, and the ways in which they operate.

Ransomware as a service (RaaS) groups have grown into businesses, with structures mimicking the very companies they seek to extort: customer service representatives, new employee training, and more. A recent leak of documents from Conti, one of the world's most prolific RaaS providers, revealed some of its inner workings, providing researchers and reporters with insight into how these organizations operate. Akamai researchers have been analyzing and researching RaaS providers to reveal some of the underlying mechanisms that have contributed to their success. The results provide a thorough reporting of attack trends, tools, and the mitigation that must follow.

The report finds:

- 60% of successful Conti ransomware attacks are on U.S. organizations
- 30% of successful Conti ransomware attacks are on EU organizations
- Manufacturing is highest on the list of Conti victims, highlighting the risk of supply chain disruptions
- Critical infrastructure accounts for 12% of overall victims
- Business services attacks account for 13%, which emphasizes the potential for supply chain cyberattacks
- The overwhelming majority of Conti victims are businesses with US$10 million to US$250 million in revenue
- Approximately 40% of Conti victims are businesses in the US$10 million to US$50 million revenue range
- Victim revenue trends indicate a potential "Goldilocks" range of successful victims in medium and small businesses, who can afford a substantial ransom, but do not yet have a mature security practice
- Attack scenarios are multifaceted and detail-oriented, with a strong focus on hands-on network propagation
- TTPs hint at the need for strong protections against lateral movement and the critical role those protections can play in defending against ransomware
- TTPs are well known, but highly effective, and help reveal the tools commonly used by other groups. Studying these TTPs offers security teams insights into attackers' modi operandi in order to better prepare against them.
- Conti's emphasis on hacking and hands-on propagation, rather than encryption, should drive network defenders to focus on those parts of the kill chain as well, instead of focusing on the encryption ...

The global effects of Conti

There are many ways to analyze ransomware activity online, from conducting surveys to examining product data. Each method has some inherent advantages and limitations in trying to provide a holistic view of global ransomware activity. The research conducted for this report strives to provide an accurate account of one of the world's leading RaaS groups. We chose to focus on an analysis of victims of the Conti RaaS group to establish relevance to Conti's tools and techniques, which will be explored later in the report. The data is gathered from Conti's dark marketplace, where victim data and information is bought and sold. Conti's goal is to extort their victims into paying ransom, and to meet that goal, they share information that helps us create an analysis of the attack preferences, successes, and failures of the infamous group. The data reflects the past year of activity and is fully anonymized.

For context, Conti is a notorious RaaS group that was first detected in 2020 and appears to be based in Russia. It is believed that the group is the successor
to the Ryuk ransomware group, also known as Wizard Spider. According to Chainalysis, the ransomware group was the highest-grossing ransomware group in 2021, with an estimated revenue of at least US$180 million. Notably, the group has recently successfully attacked the Costa Rican government, the Irish Department of Health, and others (see U.S. FBI Flash CP-000147-MW: Conti Ransomware Attacks Impact Healthcare and First Responder Networks).

Global attack trends

To understand Conti's worldwide attack patterns, we must first break them down into geographical and vertical data. Distribution of victims by country (Figure 1) shows that 57% of Conti victims come from the United States, followed by the United Kingdom, Germany, and Italy. This could indicate a heavy slant toward the North American and European regions in terms of Conti's target selection. This would fall in line with Conti's recently declared support for Russia in the war against Ukraine. While Conti is not a nation-state attack group, they have made their sentiments public, to the extent of threatening opponents of the Russian government. A recent American government advisory similarly warned of a rise in attacks on U.S. companies coming from Russian
attack groups, which seems to be supported by the distribution of victims above. The U.S. advisory further puts forth suggested policies and implementations to mitigate this threat, with a specific emphasis on critical infrastructure companies.

Fig. 1: Attacks by country (May 1, 2021 - April 30, 2022). Bar chart of attack totals (%) for the top 10 countries by attack count: United States (56.68%), United Kingdom, Germany, Italy, Canada, France, Australia, Spain, Norway, Switzerland, and Other.

A high-level examination of victim trends by region (Figure 2) shows EMEA as the second-largest successfully attacked region, followed by APAC and LATAM. Despite the low victim count of the APAC and LATAM regions in relation to North America and EMEA, it's important not to disregard
the significance of these attacks, as the impact of each individual attack can vary between regions. A notable example is Conti's recent successful attack on the Costa Rican government, which caused widespread disruption in the region. Overall, however, Conti's focus on specific regions over others is not surprising. Its attack on Costa Rica is an example of how its alignment with Russian state goals may cause it to hit unexpected targets in many parts of the world. However, outside of that, there seems to be a "regionalization" of ransomware threat actors, who show a language, region, and country preference.

Fig. 2: Attacks by region (May 1, 2021 - April 30, 2022). Bar chart of attack totals (%) by region: North America 61.39%, EMEA 31.19%, APAC 5.45%, LATAM 1.73%.

Industry and vertical trends

Next, we analyze the vertical distribution of targets of successful Conti attacks. Industry and vertical analyses play an important role in cybersecurity. While attack groups don't necessarily target some industries over others, the data in Fig. 3 indicates how the success rate of Conti's attacks differs between industries and verticals. There are similarities
and differences among industries that may be important to analyze and note. As we break down the list of victims by industry, we find a number of interesting trends to consider. To observe these trends, we need to look beyond the direct financial impact of these attacks, and examine the broader impacts of business disruption brought about by ransomware attacks. As demonstrated with the Colonial Pipeline attack, attacks on some verticals may cause a longer-lasting and more critical impact than others. Three important findings arise from our analysis of victims by industry; chiefly, the high potential for
supply chain disruption, the high number of critical infrastructure victims, and the potential for supply chain cyberattacks through the vulnerability of third parties.

Fig. 3: Attacks by industry (May 1, 2021 - April 30, 2022). Bar chart of attack totals (%) for the top industries by attack count, led by Manufacturing (29.46%) and Business services (13.37%); the other verticals shown are Retail, Construction, Energy/utilities/telecommunications, Hospitality, Technology, Transportation, Insurance and legal, Minerals/mining/agriculture, Real estate, Consumer services, Education, Finance, Healthcare, Government, and Other.

The high number of manufacturing victims is difficult to ignore. Attacks on manufacturing can cause far-reaching supply chain disruptions, including to pharmaceutical companies, food and beverage, automotive, and medical devices. Business disruption in these verticals can create a shortage of goods that can create large-scale impact, if not immediately, then over time. A small demonstration of this effect can be seen in 2017's ransomware attack on a pharmaceutical company, which left the company needing to borrow vaccines from a stockpile maintained by the
U.S. Centers for Disease Control and Prevention to meet demand.

Utilities, healthcare, transportation, government, and education represent 12% of the total victims. Attacks on these verticals can cause an immediate disruption to large populations, and can have catastrophic, real-world implications. The collateral consequence of ransomware's impact could be considered a cyber-kinetic impact. One example of this is healthcare, where ransomware attacks have caused significant disruptions to vital care and have even caused a number of deaths around the world.

Another concern arising from this analysis is the possibility of supply chain cyberattacks, such as the recent SolarWinds and HAFNIUM attacks. Unlike the disruption of physical supply chains (mentioned above), a supply chain cyberattack breaches a third party to get to a larger, more lucrative victim. The high number of business services victims points to
the risk of supply chain cyberattacks, not from the ransomware operators themselves (although that is indeed possible), but rather via leaked documents. Companies providing services to organizations may have access to sensitive information, which could potentially be used in attacks against affiliated companies. A notable example is a 2013 attack on a retail company, which put 40 million credit cards and debit cards at risk, and was made possible through a third-party HVAC ...

Revenue trends

Ransomware as an attack vector is largely financially motivated, which, in part, is one of the reasons it has gained
so much attention in recent years. An analysis of attacks by revenue allows us to examine the motivations and success rates of RaaS groups against different sizes of companies. It is often assumed that RaaS groups target only the largest organizations, but a closer observation reveals a somewhat different picture of victim distribution across revenue groups. Fig. 4 displays victim distribution by revenue range. It is important to note that these are not the ransom figures, but the overall revenue of each company. Globally, we see that 76% of affected organizations have up to US$250 million in revenue. More than
40% of victims make revenue up to US$50 million, and 35% make US$50 million to US$250 million. This reveals an interesting trend in the success pattern of RaaS groups like Conti. While the hardest-hitting attacks are often the ones that are publicized, it seems that the majority of successful ransomware attacks happen in the lower revenue brackets.

Fig. 4: Attacks by revenue (May 1, 2021 - April 30, 2022). Bar chart of total attacks (%) by victim revenue range: $0-$50M 40.84%, $51M-$250M 35.15%, $251M-$500M 10.64%, with the remainder split between $501M-$1B, greater than $1B, and unknown.

It is possible that these companies represent an optimal range for these ransomware groups, where companies make enough revenue to pay a substantial ransom, but are not yet mature enough to defend themselves successfully against Conti and other RaaS groups. As we break down these groups further (Figure 5), we find that 14% of successful attacks occurred in the US$10 million to US$25 million range, another 14% in the US$25 million to US$50 million range, 19% of victims in the US$50 million to US$100 million revenue range, and 16% in the US$100 million to US$250 million range. The data positions these four groups in a significantly higher risk bracket. At the high end, we find 9% of companies with revenues exceeding US$500 million. This is still quite high, considering these companies are fewer and farther between. Successful attacks on large companies usually carry with them a larger collateral impact. When analyzing the amount of data extracted in this revenue range, we find both extremes (the highest and lowest amounts of data extracted), indicating that the organizations in this group are more capable of defending against ransomware attacks, and the massive impact if they fail to do so.

Fig. 5: Attacks by more specific revenue range (May 1, 2021 - April 30, 2022). Bar chart of total attacks (%) by revenue range, from under $500,000 up to $1 billion-$5 billion; the $10M-$25M (14.11%), $25M-$50M (14.36%), $50M-$100M (19.31%), and $100M-$250M (15.84%) ranges dominate.

Understanding the attacker's toolkit

To devise proper mitigation strategies for Conti in particular, and ransomware attacks in general, we first have to look at the arsenal of tools that are used by ransomware operators. Fortunately, there is a lot of similarity between the various
ransomware groups regarding the TTPs that they use. This means that we can discuss strategies that should mitigate, or at least hinder, most ransomware attacks. For our analysis of ransomware attacker TTPs, we turn to the recent Conti leak of documents. On February 27, 2022, the Twitter handle ContiLeaks was created and began leaking internal documents and chat logs of the group, as well as the addresses of some of their internal servers and source code. This leak of documentation and source code reveals the most commonly used TTPs. The research below focuses on the tools and techniques, and the appropriate mitigation strategies.

The kill chain

To begin examining the ransomware attack methodology, we look to the ransomware kill chain as illustrated in DFIR reports. While leaks can give us a nice overview of the attackers' entire toolset and the thought process behind the inclusion/usage of each tool, DFIR reports tell us how those TTPs were used in actuality. They both paint a similar picture. A typical ransomware kill chain looks something like this:

- Initial foothold: (spear) phishing or a vulnerable exposed ...
- Lateral movement: spread across the network for maximum coverage
- Exfiltration: find and steal valuable data
- Encryption: PKI with encryption to prevent cracking
- Ransom note: wallpaper and ransom txt file
- Profit?

Ransomware attacks are multifaceted: an initial breach is not enough. An attacker or malware must also spread across the network before beginning encryption to maximize the damage. If only a single computer is encrypted, they will not have enough leverage to demand a ransom. This fact makes the lateral movement stage the "make or break" part of a successful ransomware operation. While the tools used for lateral movement (and other stages in the kill chain) can be extracted with DFIR, the thought process
behind using them is harder to glean. For that, we can use the recent Conti leak to look at how a network attack progresses.

The RaaS attacker's cookbook

The first thing to note when discussing Conti is their manual, hands-on approach to attacks. Conti's attack doctrine is not a novel one, but is still highly successful. The use of effective tools and the consistency of operation seems to do the trick. They do utilize some automated or scripted functions, but operators are generally expected to do the work of obtaining credentials and making cognizant decisions on spreading in the network. Conti's methodology can be summarized as "harvest credentials, propagate, repeat." This occurs after the initial access stage, so an operator is assumed to have access to a machine in the network. At that point, their goal is to begin propagating through the network, first either by attempting to dump and decrypt passwords
or by using brute force. The operator is then instructed to use the harvested credentials on the next machine, which expands their reach, then repeat step one. Likewise, operators are taught that encryption doesn't start until network dominance has been reached, which ensures the impact is maximized.

Diagram: Supply chain attack. Attacker -> service provider -> product/service infected -> multiple companies compromised through trusted ...

Diagram: the domain controller (DC) as the target.

Network propagation goals

First and foremost, Conti's goal is to reach the domain controller (DC). Operators are instructed to work their way to the DC via the aforementioned process of stealing credentials and expanding. Since the process seems to be largely manual, this allows Conti operators a level of discretion in choosing targets. Once the domain admin credentials are found, Conti operators will have gained access to a number of critical assets:

- Login logs for
most of the network, to analyze user behavior
- DNS records for most of the domain, which can be used to infer usage
- Password hashes
- Focal points for lateral movement

CERT NZ's lifecycle of a ransomware incident (Figure 6) is a useful illustration of Conti's interest in the DC, along with the path they take that allows them to target it. Conti makes their way in via myriad infection vectors. Once a vulnerable attack surface is identified, an operator is called in. The operator works through the initial access layers, laterally moving into position, and then focuses on breaking into the DC.

Fig. 6: CERT NZ's lifecycle of a ransomware incident.

This focus on the DC bolsters the idea that the network propagation phase is crucial to the attack. From the DC, the attackers can extract most (if not all) of the credentials they need to access the entire network. Also, as more domain configuration is usually stored there, the attackers
usually gain a lot of intel about the network itself and its crown jewels. Interestingly, Conti discourages leaving backdoors and persistence on the DC, and instead encourages backdooring outward-facing servers, since a DC is (in their words) much more heavily monitored. This tells of a strong OPSEC mindset that precedes the attack, likely contributing to their success.

Conti defines crown jewels as network file shares and other machines that hold data that can be exfiltrated, including:

- Emails, address lists, contact information
- Databases
- Source code
- Accounting information
- Design documents
- Passwords/credentials for other networks
- Digital ...

A step-by-step guide to network dominance

Also extracted from Conti's leaked manuals is a step-by-step technical guideline on gaining network dominance. Figure 7 is an almost literal translation of their method, but a bit more organized than the original text. It requires some technical understanding of the tools and processes used. However, for those concerned with defending their organization against similar attacks, or those looking to emulate a ransomware attack, valuable information can be gathered about the type of telemetry that should appear during the lateral movement and privilege escalation phases.

Fig. 7: Step-by-step guidelines (flowchart; its labels include "user credential brute force" and "propagate to next ...").

1. Query domain structure (using adfind, net view, etc.)
   a. Sometimes passwords will appear in those tools' output immediately, under some comments
2. Try to elevate to SYSTEM rights
3. If possible:
   a. Poison the ARP cache and intercept password hashes from other machines in the network
   b. Dump local password hashes
4. If not:
   a. Try to see if other machines in the network are accessible, specifically if their admin$ share is accessible
      i. If it is, jump there to obtain SYSTEM rights
   b. Look for RCE vulnerabilities in the network
   c. Attempt Kerberoast to obtain more password hashes
   d. For small networks, it is also possible to attempt brute forcing user passwords
      i. There's a special emphasis on testing the lockout limits for brute force before attempting it
5. For any server with a writable inetpub directory, drop
an aspx webshell
6. Scan the network for further spread

The toolset

To achieve their network infiltration and propagation goals, ransomware groups employ various tools, most of which are well known and heavily used in the industry. In fact, usually only the crypter (and sometimes the trojan) seem to be proprietary and differ between the various ransomware groups. But the lateral movement, propagation, and exfiltration TTPs should be familiar to anyone on both red and blue teams: Cobalt Strike, Mimikatz, and PsExec, to name a few.

Initial access

For most ransomware, it seems that the most common breach vector
is phishing, causing the user to open a weaponized document or archive. Other common methods include breaching VPN or RDP servers by "guessing" the correct credentials. Conti's leak provided design documentation for internet crawlers that implement other, less commonly seen methods of infection:

Service                  | Crawler logic
Apache Tomcat            | Scan for Tomcat servers, and attempt to exploit the cgi-bin vulnerability
Outlook Web Access (OWA) | Internet crawler and credential brute forcer
SQL                      | Scan websites that have user inputs and attempt to use SQL injection on them
Printers                 | Scan for printers accessible from the internet and attempt to exploit them using PRET

Lateral movement

The common lateral movement techniques that are used by ransomware are the same ones that MITRE covers, namely:

- WMI: used for triggering payloads remotely using /node:... process call create
- PsExec: both the Sysinternals tool itself and its Cobalt Strike implementation are used for remote payload execution
- Remote scheduled task: using the command line utility SCHTASKS with the /s flag to create a remote task to execute a dropped payload
- RDP
- WinRM

In addition to those, zero-day exploits are also sometimes used:

- EternalBlue: exploiting a remote code execution vulnerability in SMB
- BlueKeep: exploiting a remote code execution vulnerability in RDP

Persistency and backdoors

The most common persistence method we've seen in reports and leaks is scheduled tasks. Conti's leaked manuals also describe less commonly seen persistence methods:

- Registry run keys
- Office
application startup
- Windows services
- Image file execution options
- WMI event subscription
- AppInit DLLs
- Winlogon Userinit
- LSASS notification packages
- Netsh helper DLL

In addition to the above, which are used to launch their beacons/reverse shells, the manuals also mention installing AnyDesk and Atera, as
well as changing the RDP port (and enabling it to pass through Windows Firewall), all presumably to have another entry point in case communication is lost.

Credential harvesting

Credential harvesting is usually done by accessing LSASS or the SAM. The most common tool for this purpose (which also has a lot
of other credential dumping utilities) is Mimikatz. There are also other attacks and recent zero-days that can be employed to get credentials over the network:

- DCSync
- Zerologon: exploiting a Netlogon vulnerability to get an authenticated session to the DC and reset the krbtgt password
- Kerberoast: used to
crack Kerberos service user passwords from service tickets
- PetitPotam: exploiting an Encrypting File System (EFS) vulnerability to get NTLM hashes from vulnerable ...

Mitigation

A ransomware resiliency architecture covers multiple stages: entry, exploitation, lateral movement, and targeting. The materials exposed by Conti's leaks illustrate some of their favored approaches.

Resisting Conti's favored initial infection vectors

As highlighted in the CERT NZ illustration (Figure 6), credential harvesting, exploitation of vulnerabilities, targeting of internet-exposed entry points, lateral movement, and privilege escalation are all in
the "Conti Playbook." While ransomware operations certainly rely on (spear) phishing, it's important not to neglect securing internet-exposed services, as they are similarly at risk. Using the TTPs for initial access, we recommend reducing the internet visibility of the following applications:

1. Remote access services (e.g., RDP, SSH, TeamViewer, AnyDesk, VPNs)
2. Potentially vulnerable services (e.g., Apache, IIS, Nginx)
3. Potentially vulnerable machines (detect machines with an unpatched operating system using Guardicore Insight)
4. Unwanted exposed services (e.g., databases, DCs, internal web or file servers)

The existence of public service tools like Shadowserver's Network Reporting tool allows security teams to get an "outsider's view of their organization's vulnerabilities and exposures." These daily reports help any organization see exposures and risks that miscreant organizations like Conti are likely to exploit.

Expected penetration

A mature organization will know that a persistent attacker will relentlessly look for ways to succeed. Despite implementing all the proper defenses, there always exists a chance that your network will be breached eventually. This could be due to a user infected by a spear-phishing campaign or a server running a vulnerable service that was not mitigated properly. With this mindset, we should be prepared and have proper mitigations set beforehand. Lateral movement detection and prevention is one of the neglected areas that Conti favors in their exploitation. In fact, the March 21, 2022, U.S. President's Security Advisory called out lateral movement as a critical area of focus used by threat actors:

"Develop software only on a system that is highly secure and accessible only to those actually working on a particular project. This will make it much harder for an intruder to jump from system
to system and compromise a product or steal your intellectual property."

We are going to focus on detecting and preventing lateral movement in organizations. The advice and tools here use the lessons gleaned from the Conti data dumps, along with our own experiences, to help organizations reduce lateral
movement risk.

Detect and cut threat actors' lateral movement

Assuming a machine has been breached, and the attackers have a foot in the door, we would want to limit them from propagating inside the network. This can be done in two ways:

- Segmentation and application ringfencing
- Restricting lateral movement across the network

Segmentation is key

You want to separate the network into operational segments by application, usage, or environment, and not allow unnecessary connections, both between and within those segments. Consider the following guidelines:

1. Block any communication between laptops/workstations
2. Block communication from processes running with "powerful" domain users' privileges, like domain administrators
3. Limit the users that can execute processes on your servers
4. Limit access from laptops/workstations to data center servers and cloud instances

Preventing lateral movement with protocol-restricting rules

Below are general guidelines for specific protocols and behaviors. Because of these protocols' inherent usage in normal day-to-day operations, we cannot account for all usages and use cases. Consider the rules demonstrated below as examples and rules of thumb, and adjust them to your network and operational ...

In all the scenarios, we finish by adding a general "block any" rule. You might want to first use a similar rule in alert mode, and after a monitoring period (to see if there are more exceptions that you didn't cover with allow rules) move the rule to block mode.

WinRM

Windows Remote Management (WinRM) is the remote management infrastructure in Windows. It serves both remote WMI and remote PowerShell, two tools that attackers can (and do) utilize for their own purposes. Because of the administrative nature of this protocol, we suggest you create an exception for domain admins and IT personnel that
use it, but block it otherwise.

  Rule: Add an exception for your domain administrators and IT personnel that might use it

If you do not see WinRM (TCP ports 5985, 5986) usage in your network, there is no need to allow it, but there is still a need to block it, in case it is enabled and simply not in use normally. An attacker can still utilize it if it is not blocked explicitly. Blocking WinRM, along with RPC (covered next), will ensure that attackers can't utilize WMI for their malicious needs.

  Rule: Finish by blocking any access over WinRM (WMI remote management)

SMB and RPC

SMB (TCP ports 445, 139) and RPC (TCP port 135 for the
portmapper and a dynamic port range for each service that utilizes it) are very important protocols in the Windows domain system. They are used for various communications against the DCs (authentication and group policy, for example), and for accessing file shares and network drives. SMB is also used for
replication between various servers (e.g., Exchange servers and DCs). Consider the following guidelines; first, add exceptions that ensure normal operations can continue unhindered:

Replication allowance
Allow internal communication in application assets that require replication, like DCs or Exchange servers.
  Rule: Allow SMB and RPC communication inside various applications for replication

Domain user authentication
Allow internal assets to access the DCs, to allow them to authenticate normally and not hamper the domain.
  Rule: Allow internal assets to access the domain controllers

File servers
Allow internal assets to access your file servers over SMB; that is what they're for, after all.
  Rule: Allow internal assets to access your file servers over SMB

If possible, refine the internal access restriction further, to not allow assets that don't need file servers to access them. To finish, drop any other SMB and RPC communication that wasn't specifically allowed.
  Rule: Finish by blocking RPC and SMB across the network

RDP

Remote Desktop Protocol (RDP) is another tool that is frequently used. Unless absolutely necessary, we recommend you block it, and perhaps allow exceptions as they occur. If possible, deploy terminal servers to funnel all the connections to a central location for easier, and more secure, monitoring. Consider the following scenarios and guidelines:

Terminal servers
Use terminal servers to make all users RDP to a single place; this allows for easier monitoring of RDP usage across the network, and also lets you configure stricter security policies on those servers.
  Rule: Allow internal assets to access your terminal servers over RDP

Internal department access
You might also want to allow RDP inside departments, or specific environments; sometimes users need regular remote desktop access to their servers, and that's okay. For
106、 example,perhaps your IT department needs to access their servers regularly over RDPFinish by blocking any access over RDPSSHWhile SSH is useful for remote administration,and also serves to make other protocols secure(like sFTP),it is also a tool for attackers to breach machines and propagate around
107、 the network.Youll want to restrict network-wide SSH as much as possible.We recommend you create jump boxes from which users can use SSH,and give access to them only to users who need them.Jump boxesUse jump boxes and make users connect to other servers only through them.This will allow for easier m
108、onitoring on all connections as they come from a central place.Use security controls on the jump box to ensure who can access what.Allow internal assets to access your jump boxes over SSH|27Domain adminsIT personnel and domain administrators are more likely to need SSH access for their day-to-day op
109、erations.Consider adding special exceptions to them,in case they absolutely need it.Consider allowing your IT personnel and domain administrators SSH access to internal serversInternal environment accessSome applications need SSH communication,so you shouldnt explicitly block them it will hinder you
110、r operational continuity.Consider adding allow rules according to existing network flows,or simply inside an application or department segment.For example,your DB architects might need access to their serversOr(for example),some of the IT servers might need to use SSH tunnels on each other Finish by
111、 blocking any access over SSH|28Protecting backups To maximize damage,ransomware campaigns usually target the organizations backup application to encrypt the stored backup data.Use extra segmentations on your backup servers to further separate them from the rest of the network.Minimize communication
112、 to/from them using custom process-level microsegmentation policy rules.Segment critical data servicesYour data services and servers are targets.Use segmentation and ringfencing on critical data services such as your databases and file servers,and limit access to them from outside the network and fr
113、om regions in your network that do not need to access them.Limiting your data services exposure to only the operational minimum will reduce the risk factor to those services and mitigate ransomware exposure and propagation paths.Detailed response plansCreate and plan your breach mitigation policies
114、in advance to reduce response time once malware is detected.Consider the following guidelines for your mitigation policy:Consider cutting off file servers and SMB from desktop machines ransomware usually looks for network shares on the victim machine and encrypts them first.Dont let your file server
115、 be compromised by cutting it off from any machine that mustnt have it for operational continuity.Restrict lateral movement even more while you may need to leave some remote control channels open for your IT department,block the rest.For the channels that you do leave open,restrict them heavily with
116、 both machine and user policies.You can also create plans for the recovery process consider which applications and sections you need to bring online first,and create policies accordingly to keep them secure while you restore the rest of the |29Akamai powers and protects life online.The most innovati
117、ve companies worldwide choose Akamai to secure and deliver their digital experiences helping billions of people live,work,and play every day.With the worlds largest and most trusted edge platform,Akamai keeps apps,code,and experiences closer to users and threats farther away.Learn more about Akamais
118、 security,content delivery,and edge compute products and services at ,and ,or follow Akamai Technologies Twitter and LinkedIn.Published 06/|29CreditsEditorialTricia HowardAuthorsStiv KupchikEliad KimhyBarry GreeneReview and subject matter expertsOphir HarpazChelsea TuttleData analysisEliad KimhyOphir HarpazGeorgina Morales HampeProductionShivangi Sahu