In Cisco Talos’ first episode of Talos Threat Perspective (TTP) episode, two Talos Threat Intelligence experts, Nick Biasini and James Nutland, discuss new research on the most prominent ransomware groups. They also pick three key topics and trends to focus on: initial access, differences among the groups, and the vulnerabilities they most heavily target.
In their research, Talos evaluated the top 14 ransomware groups and reviewed their tactics and techniques. And what they found is attackers are frequently logging in with valid credentials and user identities, rather than hacking in. Ultimately, the affiliates behind many of these ransomware groups have one goal in mind: profit. Depending on the desperation of the affiliate, that means they might target anyone, even hospitals or schools. They are taking advantage of identity-based vulnerabilities to gain initial access and then escalate their privileges, and the damage they can do to an organization.
In practice, this can take many forms, but adversaries are clearly relying more on stolen valid credentials. As Nick stated in the TTP episode, “the protections that you can put in place for identity are going to become increasingly important.” This means looking for anomalies in user behavior, including the date, time, and location of access.
One example of initial access attackers are using is OS credential dumping by extracting legitimate user credentials from Local Security Authority Subsystem Service (LSASS). Attackers can use this data to escalate privileges for stored credentials and gain access to sensitive resources.
When attackers do gain access, some threat actors are now more focused on extortion tactics that skip the encryption phase altogether. Nick warns, “focus on pre-ransomware detection, detect it before it gets bad. Detect the initial access. Detect the lateral movement before they’re doing data gathering, before they’re doing exfiltration.”
Cisco’s User Protection Suite does just that. The Suite provides a layered approach to protecting users by putting the user at the center of the security strategy, in order to reduce the attack surface. That means protecting their identity, devices, and safeguarding access to internal resources. Starting with the inbox, Cisco Secure Email Threat Defense uses multiple AI models to block known and emerging threats before they reach the end user.
If a user’s credentials (username and password) are compromised and an attacker tries to reuse them, Duo provides phishing-resistant authentication, and pairs authentication with device trust policies to ensure only trusted users are granted access. Nick also mentioned the importance of evaluating anomalies in user behavior. Through Risk-Based Authentication, Duo can evaluate these changes, like distance between the authentication and access device or impossible travel from the last authentication, and automatically step up the requirements at login.
While these strong protections for users are an important step in securing your environment, it’s also important to have visibility into all your identities across your organization. That’s where Cisco Identity Intelligence comes in. It ingests data across your identity ecosystem. That includes any identity providers (IdP), HR information systems (HRIS), and SaaS applications like Salesforce. This helps expose vulnerabilities, like dormant MFA accounts (which were found in 24% of organizations), or accounts that lack strong MFA.
Once a user logs into their account, it is important for organizations to follow the principle of least-privileged access. That means only grant users access to the resources they need for their jobs. Secure Access provides Zero Trust Access capabilities, so users are granted application-specific access, rather than expose the entire network. In a breach, it limits the impact and restricts data an attacker has access to.
Finally, Secure Endpoint ensures that users are accessing resources from a safe device that is not infected with malware. And it works alongside Duo to stop the user from accessing corporate resources if the device is compromised.
At Cisco, we know it’s not enough to put one protection in place and assume all users are safe from these types of attacks. Attackers are constantly finding new ways to get around security protocols. Layered protections are designed to stop attackers from exploiting potential gaps in the attack surface. However, we also know it’s important to design security solutions to stop attackers without slowing down users. Through tools like Duo Passport, users authenticate once and can access all protected resources. Paired with Secure Access’ ZTA capabilities, users are provided direct access to private applications, regardless of if they are in the office or remote. By putting users first, this means users won’t side-step security measures and security won’t slow down their productivity.
To learn more about Talos trends, check out their blog on stolen credentials and MFA attacks. To explore more about Cisco’s User Protection Suite, connect with an expert today.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!
Cisco Security Social Channels
Instagram
Facebook
Twitter
LinkedIn
