Today’s digital enterprise is a hybrid environment of on-premises systems and cloud services with multiple entry points for attacks like NetWalker. The work-from-home operating model forced by COVID-19 has only expanded the attack surface and increased the risk of successful ransomware attacks for organizations that did not adapt their security posture. Mitigating the risk of attacks like NetWalker requires a security architecture with the right controls at the device, on the network, and in security operations (sec ops). The Center for Internet Security (CIS) Top 20 Cyber Security Controls provides a good guide for building that architecture. For ransomware, and NetWalker in particular, the controls must be layered throughout the enterprise. The following outlines the key security controls needed at each layer of the architecture to protect your enterprise against ransomware.
To assess your capability against NetWalker, you must match your existing controls against the attack stages we learned from the Preview of MVISION Insights. For a detailed analysis of the NetWalker ransomware attack, see McAfee.com/activate ATR’s blog but, for simplicity, we matched the attack stages to the MITRE ATT&CK Framework below.
Initial Access Stage Defensive Overview
According to Threat Intelligence and Research, initial access is performed either through vulnerability exploitation or spear-phishing attachments. The following chart summarizes the controls expected to be most effective against initial-stage techniques and the McAfee.com/activate solutions that implement those controls where possible.
| MITRE Tactic | MITRE Techniques | CSC Controls | McAfee Capability |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Applications (T1190): Tomcat, WebLogic | CSC 2 Inventory of Software Assets; CSC 3 Continuous Vulnerability Assessment; CSC 5 Secure Configuration of Hardware and Software; CSC 9 Limitation of Network Ports and Protocols; CSC 12 Boundary Defense; CSC 18 Application Software Security | Endpoint Security Platform 10.7, Threat Prevention, Application Control (MAC), Network Security Platform (NSP) |
| Initial Access | Spear Phishing Attachments (T1566.001) | CSC 7 Email and Web Browser Protections; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS) |
| Initial Access | Valid Accounts (T1078): RDP Compromised | CSC 5 Secure Configuration of Hardware and Software; CSC 9 Limitation of Network Ports and Protocols; CSC 12 Boundary Defense | Endpoint Security Platform 10.7, Threat Prevention |
As attackers can quickly change spear-phishing attachments, it is important to have adaptable defenses that include user awareness training and response procedures, behavior-based malware defenses on email, web access and endpoint systems, and finally sec ops playbooks for early detection and response against suspicious email attachments or other phishing techniques. For more information on how McAfee.com/activate can protect against suspicious email attachments, review this additional blog post.
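The sec ops playbook step above is easiest to reason about with a concrete triage rule. The following is an added example, not code from the original post or from McAfee, showing how a mail-gateway or SOAR playbook might flag attachments that commonly deliver ransomware loaders: executable or script extensions, macro-enabled Office documents, double extensions, and a mismatch between the filename and the file's leading bytes or declared MIME type. The attachment records and the extension lists are constructed for the example; a production rule would also open archives and run behavior-based analysis, which the page describes but this snippet does not implement.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed lists for this example; tune them to your environment.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "dll", "lnk"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}
# Benign-looking inner extensions used to disguise an executable (e.g. invoice.pdf.exe).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-dosexec"}

MAGIC_PE = b"MZ"            # Windows PE executable header


@dataclass
class Attachment:
    filename: str
    declared_mime: str       # Content-Type from the MIME part
    magic: bytes             # first bytes of the decoded attachment body


def extensions(filename: str) -> list[str]:
    """Return every dot-separated suffix, lowercased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage_attachment(att: Attachment) -> list[str]:
    """Return a list of reasons the attachment is suspicious (empty list = no finding)."""
    reasons = []
    exts = extensions(att.filename)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
    if final in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document .{final}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and final in EXECUTABLE_EXTS:
        reasons.append("double extension disguising an executable")
    if final in ARCHIVE_EXTS:
        reasons.append(f"archive container .{final} (inspect contents)")
    # Content-based checks catch renamed binaries that extension rules miss.
    if att.magic.startswith(MAGIC_PE) and final not in EXECUTABLE_EXTS:
        reasons.append("content is a PE executable but the extension says otherwise")
    if att.declared_mime in EXECUTABLE_MIME and final not in EXECUTABLE_EXTS:
        reasons.append("declared MIME type is executable")
    return reasons


def triage_mailbox(attachments: list[Attachment]) -> dict[str, list[str]]:
    """Map each filename to its findings so a playbook can quarantine or escalate."""
    return {att.filename: triage_attachment(att) for att in attachments}


# Constructed sample attachments (bodies are just their leading bytes).
SAMPLE_ATTACHMENTS = [
    Attachment("quarterly_report.pdf", "application/pdf", b"%PDF-1.7"),
    Attachment("invoice_4471.pdf.exe", "application/octet-stream", b"MZ\x90\x00"),
    Attachment("statement.docm",
               "application/vnd.ms-word.document.macroEnabled.12", b"PK\x03\x04"),
    Attachment("photo.jpg", "application/x-msdownload", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, findings in triage_mailbox(SAMPLE_ATTACHMENTS).items():
        verdict = "QUARANTINE" if findings else "deliver"
        print(f"{verdict:10} {name}: {'; '.join(findings) or 'no findings'}")
```

The two content checks matter more than the extension lists: an attacker controls the filename, so a rule that only looks at extensions is exactly the kind of defense the page says attackers can "quickly change" around.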
Using valid accounts and protocols, such as Remote Desktop Protocol (RDP), is an attack technique we have seen rise during the initial COVID-19 period. To further understand how McAfee.com/activate defends against RDP as an initial access vector, as well as how attackers are using it to deploy ransomware, please see our previous posts.
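The Valid Accounts row of the table and the RDP discussion above both come down to one sec ops detection: a remote-interactive logon that follows a burst of failures, or that arrives straight from a public address rather than through a VPN or jump host. The following is an added example, not code from the original post or from McAfee, implementing that rule over Windows Security log fields (event 4625 for failed logons, 4624 for successes, logon type 10 for RemoteInteractive/RDP). The event records, the threshold, the window and the internal-network list are constructed for the example; in production the events would come from your SIEM and the internal networks from your own address plan.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = "10"                  # RemoteInteractive (RDP) in 4624/4625
FAIL_THRESHOLD = 5                     # constructed tuning value
WINDOW = timedelta(minutes=10)         # constructed tuning value
# Constructed address plan; RDP is expected only from these ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed events mimicking Windows Security log fields. Public addresses use
# documentation ranges (198.51.100.0/24, 203.0.113.0/24), not real hosts.
SAMPLE_EVENTS = [
    {"time": "2020-07-01T02:14:05", "event_id": 4625, "logon_type": "10", "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2020-07-01T02:14:19", "event_id": 4625, "logon_type": "10", "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2020-07-01T02:14:33", "event_id": 4625, "logon_type": "10", "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2020-07-01T02:14:48", "event_id": 4625, "logon_type": "10", "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2020-07-01T02:15:02", "event_id": 4625, "logon_type": "10", "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2020-07-01T02:15:20", "event_id": 4624, "logon_type": "10", "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2020-07-01T03:00:01", "event_id": 4625, "logon_type": "10", "user": "backup", "src_ip": "203.0.113.9"},
    {"time": "2020-07-01T03:00:15", "event_id": 4625, "logon_type": "10", "user": "backup", "src_ip": "203.0.113.9"},
    {"time": "2020-07-01T03:00:30", "event_id": 4625, "logon_type": "10", "user": "backup", "src_ip": "203.0.113.9"},
    {"time": "2020-07-01T03:00:45", "event_id": 4624, "logon_type": "10", "user": "backup", "src_ip": "203.0.113.9"},
    {"time": "2020-07-01T08:02:11", "event_id": 4624, "logon_type": "10", "user": "jsmith", "src_ip": "10.20.30.40"},
    {"time": "2020-07-01T09:00:00", "event_id": 4625, "logon_type": "3", "user": "svc_backup", "src_ip": "10.0.0.5"},
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_rdp_abuse(events: list[dict], fail_threshold: int = FAIL_THRESHOLD,
                     window: timedelta = WINDOW) -> list[dict]:
    """Return one alert per successful RDP logon that looks like account abuse."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    failures: dict[str, list[datetime]] = defaultdict(list)  # src_ip -> failure times
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                                  # only RemoteInteractive logons
        t = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            failures[ip].append(t)
            continue
        if e["event_id"] != 4624:
            continue
        # A success: look back over failures from the same source inside the window.
        recent = [f for f in failures[ip] if t - f <= window]
        reasons = []
        if len(recent) >= fail_threshold:
            minutes = int(window.total_seconds() // 60)
            reasons.append(f"{len(recent)} failed RDP logons from {ip} within {minutes} min before success")
        if not is_internal(ip):
            reasons.append(f"RDP logon directly from non-internal address {ip}")
        if reasons:
            alerts.append({"user": e["user"], "src_ip": ip, "time": e["time"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_abuse(SAMPLE_EVENTS):
        print(f"{a['time']} {a['user']}@{a['src_ip']}: " + "; ".join(a["reasons"]))
```

The second rule is the one that maps to CSC 9 and CSC 12 in the table: if boundary controls are working, an RDP success from outside the internal ranges should not exist at all, so even a single hit is worth a ticket regardless of the failure count.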