Tuesday, May 16, 2017

Protecting against a ransomware attack


Wikipedia describes ransomware as “a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it.” 

In layman's terms, it denies you access to your own files until you pay the ransomware creators to unlock them. This extortion method has proven to be very profitable, with CryptoLocker and CryptoWall netting their creators US$3 million and US$17 million respectively.

Ransomware attacks are typically carried out by a Trojan, where the user is tricked into opening a seemingly legitimate attachment or document. Once activated, the ransomware spreads by exploiting vulnerabilities on the target systems. Once a system has been compromised and its files encrypted, the victim is issued with instructions on how to unlock the files; the unlocking methods invariably involve paying the ransomware creators via hard-to-trace channels such as Bitcoin.

Whilst the result of a ransomware attack may be devastating, there are many measures you can take to protect your organisation. I will give a brief overview of these methods below. Do note that attacks, and indeed defense mechanisms, are constantly evolving, so the measures below are in no way exhaustive, but they should be seen as a very strong baseline to work from.


Secure your perimeter

Your first line of defense is crucial, so make sure that a Unified Threat Management (UTM) firewall is part of your perimeter security solution. This allows you to activate measures such as anti-virus and malware scanning as well as Intrusion Detection and Prevention Systems (IDS/IPS). A UTM firewall also allows you to configure outbound filtering, which blocks "phone-home" communication between a compromised system and its command-and-control servers.


Secure your E-Mail

E-mail is one of the most prevalent attack vectors, so it makes sense to invest significant effort in securing it. Start by enabling strong spam filters to prevent phishing and similar attacks from reaching your users. You should furthermore implement methods to authenticate inbound mail, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). These technologies complement each other and work together to detect and prevent mail spoofing. Of course you also need to scan all mail for viruses and, last but not least, filter all executable and other "bad" file types.
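As an added example (not from the original post), the Python checker below parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable even though "SPF and DMARC are configured": a softfail or neutral `all`, a `p=none` monitoring-only policy, a partial `pct`, and a missing aggregate-report address. The two records and the domain names in them are constructed sample data, not real DNS answers; a real check would query the TXT records for the domain and for `_dmarc.<domain>`.

```python
"""Parse SPF and DMARC records and flag weak anti-spoofing settings.

Added example, not from the original post. SAMPLE_SPF and SAMPLE_DMARC are
constructed records; example.com / example.net are placeholder domains.
"""
import re

SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; sp=quarantine; pct=50; rua=mailto:dmarc@example.com"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.I)


def parse_spf(record):
    """Split an SPF record into its list of mechanisms (version tag removed)."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return parts[1:]


def spf_findings(record):
    """Return a list of weaknesses found in an SPF record (empty if none)."""
    findings = []
    mechanisms = parse_spf(record)
    # The terminal "all" mechanism decides what happens to senders not listed.
    terminal = next((m for m in mechanisms if m.lstrip("+-~?").lower() == "all"), None)
    if terminal is None:
        findings.append("no 'all' mechanism: unlisted senders are neutral")
    elif terminal.startswith("+") or terminal == "all":
        findings.append("'+all' authorises every sender (SPF is ineffective)")
    elif terminal.startswith("~"):
        findings.append("'~all' is softfail: spoofed mail is marked, not rejected")
    elif terminal.startswith("?"):
        findings.append("'?all' is neutral: no protection against spoofing")
    lookups = sum(1 for m in mechanisms if LOOKUP_RE.match(m))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict of lower-cased tags."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record):
    """Return a list of weaknesses found in a DMARC record (empty if none)."""
    findings = []
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    # Subdomain policy defaults to the domain policy when 'sp' is absent.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    return findings


def assess(spf_record, dmarc_record):
    """Combine both checks into one report keyed by record type."""
    return {"spf": spf_findings(spf_record), "dmarc": dmarc_findings(dmarc_record)}


if __name__ == "__main__":
    for kind, items in assess(SAMPLE_SPF, SAMPLE_DMARC).items():
        print(kind.upper(), "findings:")
        for finding in items:
            print("  -", finding)
```

Run against the sample records it reports the softfail `~all`, the `p=none` policy and the `pct=50` sampling; a record pair of `v=spf1 mx -all` and `v=DMARC1; p=reject; rua=mailto:...` comes back clean.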


Patch Management

Most ransomware propagates by exploiting operating system vulnerabilities. A case in point is the WannaCry variant, which utilizes the EternalBlue exploit; the vulnerability it targets was actually patched by Microsoft two months before the first attacks hit. This clearly demonstrates the value of patching. Ensure you have a proper patch management strategy in place and that systems are patched timeously.


Endpoint Anti-Virus

This goes without saying: always ensure that your anti-virus (AV) solution is up to date and that real-time scanning is enabled. Apart from that, you will also need to configure it to perform regular scheduled scans. Most AV solutions now include heuristic technologies that detect and remove threats for which there are no signatures yet; make sure you utilize this capability. Lastly, ensure that the endpoint firewall is activated if one is provided as part of your AV solution.


Implement Least Privilege

Limit the use of administrative privileges to a minimum and make sure that User Account Control (UAC) is activated. The principle of least privilege should also be applied when granting users access to network resources: only give write permissions to users who absolutely need them, and default to read-only permissions where possible. You should also regularly audit your file shares and review the permissions each share actually needs. Ransomware will typically enumerate all network resources an infected system has access to and then encrypt those resources, so limiting user access to the network resources they actually need significantly reduces the impact of an infection.


Block file execution from certain paths

Ransomware generally executes from temporary folders located under the Windows AppData folder. To protect against this, configure a Software Restriction Policy to prevent executable files from running from the %APPDATA% location. A much more exhaustive list can be obtained here.


Implement Geo-Blocking and blocking of known bad IP addresses

If possible for your organisation, configure your perimeter firewall to block traffic to "at-risk" countries in which you do not do business. For example, a large percentage of ransomware variants rely on communication with Russian IP blocks to function and spread. Protection mechanisms such as these are admittedly crude, but they can be surprisingly effective. Furthermore, if your perimeter solution allows it, you should explicitly block all traffic to known bad IP addresses.


Application Whitelisting

Application whitelisting is perhaps the most effective method of protecting against ransomware attacks. The flip side is that it also typically takes the most effort and resources to test, implement and maintain. There are various solutions available for application whitelisting, but as a start you should consider AppLocker and the Software Restriction Policies native to Windows.


Disable MS Office Macros

Many ransomware variants leverage macros to propagate. If possible, disable this functionality within Office documents, or at the very minimum for documents received via mail or downloaded from the Internet. Alternatively, you can make use of the Office File Viewer to view these untrusted documents.


Enable Filescreen

Windows FileScreen (a File Server Resource Manager feature) was a popular method of detecting ransomware infections; however, its usefulness has been greatly reduced by newer ransomware variants randomising file extensions. It might still add value in your organisation and assist with alerting and with tracing the origin of a ransomware outbreak. A fairly comprehensive list of file extensions can be found here.


Enable Logging (SIEM)

A proper logging solution will be invaluable in tracing the origin of a ransomware outbreak. The value of a SIEM solution is that you can correlate the logs of a multitude of different devices to find out how the attack happened, which in turn allows you to take measures to prevent a recurrence. A properly configured SIEM solution will also act as an efficient early-warning system, allowing you to limit the spread and fallout of a ransomware infection should you be compromised.
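An added example, not from the original post, of the kind of early-warning rule a SIEM could run over file-server audit events. It addresses both the point above and the earlier note that file-screen extension lists are defeated by randomised extensions: instead of matching a fixed extension list, it alerts when one account modifies many files, or files with many never-seen extensions, inside a sliding window. The audit line format, the baseline extension set, the thresholds and the log lines themselves are all assumptions constructed for this example.

```python
"""Early-warning detection of a ransomware-style file modification burst.

Added example, not from the original post. Audit lines are constructed
sample data in an assumed "key=value" format; in a SIEM the input would be
real file-server audit events and the thresholds would be tuned per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>.+)$"
)

# Extensions the organisation normally writes to its shares (assumed baseline).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".pptx"}
WRITE_OPS = {"WRITE", "RENAME", "DELETE"}


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def extension(path):
    """Extension of the final path component (Windows or POSIX separators)."""
    name = re.split(r"[\\/]", path)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect(lines, window_seconds=60, min_files=25, min_unknown_ext=5):
    """Return one alert per (user, host) that modifies too many files, or files
    with too many never-seen extensions, inside a sliding time window.

    Counting distinct unknown extensions instead of matching a fixed list is
    what keeps the rule useful when the ransomware randomises extensions.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (user, host) -> deque of (timestamp, path)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] not in WRITE_OPS:
            continue
        key = (rec["user"], rec["host"])
        q = recent[key]
        q.append((rec["ts"], rec["path"]))
        while q and rec["ts"] - q[0][0] > window:   # expire events outside the window
            q.popleft()
        paths = {p for _, p in q}
        unknown = {extension(p) for p in paths} - KNOWN_EXTENSIONS - {""}
        if key in alerted:
            continue
        if len(paths) >= min_files or len(unknown) >= min_unknown_ext:
            alerted.add(key)
            alerts.append({"user": rec["user"], "host": rec["host"],
                           "first_seen": q[0][0], "files": len(paths),
                           "unknown_extensions": sorted(unknown)})
    return alerts


def build_sample_log():
    """Constructed sample: normal activity from alice, an outbreak-like burst from bob."""
    base = datetime(2017, 5, 12, 10, 15, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):   # one user saving a few documents over ten minutes
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} host=FS01 user=alice op=WRITE "
                     f"path=\\\\FS01\\finance\\report{i}.docx")
    for i in range(30):  # one account renaming 30 files to new extensions in 30 seconds
        t = base + timedelta(seconds=i)
        ext = "".join(chr(97 + (i * 7 + k) % 26) for k in range(4))  # pseudo-random extension
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} host=FS01 user=bob op=RENAME "
                     f"path=\\\\FS01\\finance\\doc{i}.xlsx.{ext}")
    return sorted(lines)   # chronological, as a log collector would deliver them


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

On the sample log the rule fires for `bob` after only five renames, because five distinct extensions outside the baseline appear within the window, well before the 25-file count is reached; `alice` never triggers it. The alert carries the first timestamp in the window, which is what you would pivot on to trace the origin of an outbreak.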


Backups

If all else fails, your backups will be what stands between you and disaster. Back up your data regularly, as per your organisation's Recovery Point Objective (RPO). Verify the integrity of those backups and test the restoration process regularly to ensure it works. You also need to secure your backups, or at the very least keep a copy offline, so that they cannot be affected by the same ransomware you are trying to protect against.

Configuring FortiGate IPS to block WannaCry ransomware

I'll split this up into two scenarios: the first being where there is no IPS being done yet and you just want to block WannaCry, and the second being where you already have IPS measures in place protecting your clients.

No IPS in place yet

  1. Create an IPS protection profile containing the MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution signature
  2. Ensure that the protection profile is set to Block
  3. Apply the IPS signature to all policies governing your intra-VLAN traffic

Adding the WannaCry signature to your existing client targeting IPS profile

Unfortunately this signature has the target type Server, even though client OSes are also being targeted. This means you'll have to manually add it to your client-targeting IPS profile.

Another point to note is that it is listed as a rate-based signature, so ensure that its threshold is set to zero; otherwise it will only trigger once that rate has been exceeded.

Here is more information about the relevant signature from Fortinet: https://fortiguard.com/encyclopedia/ips/43796

Monday, January 9, 2017

Configuring password expiration for FortiGate users


A FortiGate device allows you to create a password policy for administrative accounts via the web interface. Unfortunately this functionality is not exposed for normal, local user accounts. Typically this isn't a big pain point, as I would imagine that most customers make use of external authentication (FSSO / LDAP / RADIUS etc.). That said, I recently had a situation where a client had a bunch of local users configured and they wanted to implement password expiry, with users being prompted to change passwords upon expiry. Authentication was done via captive portal.

The FortiOS handbook came up blank, but a chat with my Fortinet SE provided me with a solution. First we need to configure the actual policy, then apply it to a user account.

The password policy is configured like so:

config user password-policy
    edit "pwpol01"
        set expire-days 2
        set warn-days 1
    next
end

We then apply it to a user:

config user local
    edit "user01"
        set type password
        set passwd-policy "pwpol01"
    next
end

Unfortunately, password policies can only be applied to individual users and not to groups, so it is a bit of a pain if you have lots of users, although in that case you will be better off using external authentication or FortiAuthenticator. Once the configured warning period (warn-days) has been reached, the user will be prompted via the captive portal to renew their password before the expiry day arrives.

Friday, November 18, 2016

Becoming a Payment Card Industry Professional (PCIP)


I am very proud to say that I now hold the Payment Card Industry Professional (PCIP) certification. This is a journey that took me about 6 months to complete, and I'll share some tips and experience I've picked up on my way to becoming certified.

The registration process starts by submitting your application as well as supporting documentation to the PCI Council via their website. The approval typically takes about two weeks and it might be that they ask you for proof of work experience and additional security certifications. In my case I've been fortunate to have about a decade of experience in the InfoSec field in general, and 3 years working for clients who need to be PCI-DSS compliant.

What do you need to do?

Once your application is approved you need to attend the PCIP course. This can be either on-line or classroom based. If you are new to the PCI-DSS field I would strongly suggest attending the classroom training, as access to the instructor as well as conversing with peers in the industry can be invaluable. If you have PCI-DSS experience then the on-line course will suffice.

Once you have completed the course, the PCI Council will register a user ID for you on the Pearson VUE website and provide you with a voucher to take the exam. It is up to you to do the booking on the VUE website. It is important to note that you have to use this voucher within 30 days of your training. If you fail the exam you can book to take it again at your own cost. If, heaven forbid, you fail it a second time you will have to attend the PCIP course again.

Preparing for the exam

First and foremost, know the PCI-DSS 3.2 standard inside out. You do not have to know things like what requirement 3.2.1 states, etc. You will however need to know how to successfully meet every requirement. In my case there was also a strong focus on the various Self-Assessment Questionnaires (SAQs) and the cases in which each would be applicable. I was not tested on Reports on Compliance (ROC) or Attestations of Compliance (AOC) at all.

You should also know when encryption, strong cryptography, hashing, tokenization and masking should be used, as well as the differences between them. Make sure you know exactly when compensating controls are allowed, as well as the requirements for their acceptance. I got maybe one or two questions from the supplements (Virtualization and TLS specifically). You don't have to study them in depth, but do read through them and understand the intent.

Next Steps

I find assisting our clients on their path towards PCI-DSS compliance to be an extremely challenging and rewarding endeavour. As such, the next step on my journey is to become a PCI Internal Security Assessor. I believe this will add tremendous value over and above that which we already provide to our clients in the financial services sector.

Thursday, November 17, 2016

Mitigating the BlackNurse exploit on Cisco and Fortigate equipment


"Blacknurse is a low bandwidth ICMP attack that is capable of doing denial of service to well known firewalls.  Most ICMP attacks that we see are based on ICMP Type 8 Code 0 also called a ping flood attack. 

BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth. 

Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection." – as per http://blacknurse.dk/ 

Securing Fortigate

Andras the Techie created a FortiGate IPS signature to detect and drop this traffic:

config ips custom
    edit "ICMP.Blacknurse"
        set signature "F-SBID( --name \"ICMP.Blacknurse\"; --protocol icmp; --icmp_type 3; --icmp_code 3; --rate 250,1;)"
        set severity medium
        set location server
        set application Other
        set action block
        set status enable
    next
end

His blog post also contains instructions on how to apply it to your policies.
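To make concrete what the signature's `--rate 250,1` condition measures, here is an added Python example (not from the original post, Fortinet or Andras the Techie) that parses raw IPv4/ICMP packets, keeps only type 3 code 3 (port unreachable) messages and alerts on a source address that sends 250 of them within a one-second sliding window. The capture is constructed in memory using RFC 5737 documentation addresses with checksums left at zero; in practice the frames would come from a tap or a pcap.

```python
"""Rate-based detection of BlackNurse-style ICMP type 3 code 3 bursts.

Added example, not from the original post and not Fortinet's or Andras the
Techie's code. Packets are built in memory (checksums zero, sample data only).
The default threshold mirrors the signature's "--rate 250,1".
"""
import struct
from collections import defaultdict, deque


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_icmp_packet(src_ip, dst_ip, icmp_type, icmp_code):
    """Construct a minimal 28-byte IPv4 + ICMP packet (sample data only)."""
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)  # type, code, cksum, unused
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0,   # ver/ihl, tos, total len, id, flags/frag
                         64, 1, 0,                   # ttl, protocol 1 = ICMP, header cksum
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return ip_hdr + icmp


def parse_packet(pkt):
    """Return (src, dst, icmp_type, icmp_code), or None if not an IPv4 ICMP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes (options included)
    if pkt[9] != 1 or len(pkt) < ihl + 4:
        return None
    src = bytes_to_ip(pkt[12:16])
    dst = bytes_to_ip(pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 1]


def detect_blacknurse(timed_packets, rate=250, window=1.0):
    """timed_packets: iterable of (timestamp_seconds, raw_bytes).

    Returns one (src_ip, timestamp) alert per source whose count of ICMP
    type 3 code 3 packets inside the sliding window reaches `rate`.
    """
    recent = defaultdict(deque)   # src ip -> timestamps of recent port-unreachables
    alerted = set()
    alerts = []
    for ts, pkt in timed_packets:
        parsed = parse_packet(pkt)
        if parsed is None:
            continue
        src, _, icmp_type, icmp_code = parsed
        if (icmp_type, icmp_code) != (3, 3):
            continue                       # echo requests etc. are not this pattern
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:    # expire timestamps outside the window
            q.popleft()
        if len(q) >= rate and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts))
    return alerts


def build_sample_capture():
    """Constructed: 300 port-unreachables in 0.6 s from one host, plus ten benign pings."""
    flood_src, victim, ping_src = "198.51.100.7", "203.0.113.1", "192.0.2.5"  # RFC 5737
    pkts = [(i * 0.002, build_icmp_packet(flood_src, victim, 3, 3)) for i in range(300)]
    pkts += [(i * 0.1, build_icmp_packet(ping_src, victim, 8, 0)) for i in range(10)]
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    for src, ts in detect_blacknurse(build_sample_capture()):
        print(f"BlackNurse-style burst from {src} at t={ts:.3f}s")
```

The sample capture trips the detector at the 250th port-unreachable (about half a second in), while the same 300 packets spread over three seconds never hold 250 in any one-second window and stay silent, which is the behaviour a rate-based signature gives you as opposed to a plain match on type 3 code 3.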

Securing Cisco

Best is of course to filter this traffic upstream, before it hits your firewall. This is what you'll need to do on a Cisco IOS router:

config t
ip icmp rate-limit unreachable 100 1000
do copy run start

For Cisco IOS-XR you will need to do this:

icmp ipv4 rate-limit unreachable 2000

Thursday, November 5, 2015

Changing the case of a Windows hostname

Naming convention is something that I'm very particular about, and one thing that has always bugged me is hostnames that are not the same case. In the Windows world there is no functional difference between upper- and lowercase hostnames, but it's still enough to bother me.

To change the case is surprisingly easy.

First, open "Active Directory Users and Computers" and enable "Advanced Features", which lives in the View menu.


Double-click the offending hostname and go to the "Attribute Editor" tab. Scroll down to the dNSHostName attribute and change the case.


The change will take effect as soon as you reboot the host in question.

Wednesday, November 4, 2015

Cisco traceroute status codes

Just a quickie. Cisco routers can give seemingly weird traceroute outputs (especially if you're coming from the Windows world). This is something that I did not see documented in either the CCNA or CCNP training guides.

In Cisco routers, the codes for a traceroute command reply are:
! -- success
* -- time out
N -- network unreachable
H -- host unreachable
P -- protocol unreachable
A -- admin denied
Q -- source quench received (congestion)
? -- unknown (any other ICMP message)

For further reading refer to the IBM AIX documentation; as far as I can make out, the AIX codes apply to Linux as well.