Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 10

In this blog series members of Optiv's attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:

• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols and Services

CSC 10: Data Recovery Capability

The Control

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

The Attack

Data recovery, or specifically data backups, might be one of the most known and least implemented controls. Having good data recovery can be the difference between an attack causing massive data loss and an attack only causing minor down time. In general, most attacks are more focused on compromising data than destroying data. This is not always true though, with the most notable and notorious attack that destroys data being ransomware. Not only has ransomware proved to be very effective at destroying data, it has also proven to be lucrative for attackers, which will only increase the frequency and sophistication of these attacks.

In this attack example I am going to demonstrate just how easy it is to create ransomware that attacks and holds for ransom personal and company data. There are a few examples of open source ransomware on the internet that anyone can download and use for free (though some of these projects have recently stopped). There are also paid examples where criminals can buy this particular type of malware for usage.

What makes ransomware so dangerous is how easy it can be to make. This also leads in to how hard it might be to detect each newly created ransomware. In short you really only need three parts to build ransomware

1. You need a simple function that will encrypt and decrypt files on a computer.
2. You need a function that can find all files of a certain extension or type to pass to your encrypt/decrypt function.
3. You need to alert the user that a ransom must be paid and how to pay that ransom.

These are really the three main parts of ransomware. There are much more sophisticated examples that have command and control servers, different evasion tactics and advanced key exchange protocols. Though all these things help create a more advanced and user friendly ransomware they’re not needed to create an effective tool.

So my simple ransomware is a Windows executable that when ran will find files of a certain extension, encrypt them with a pre-seeded key, then alert the user that their files are encrypted and they must pay a ransom. This only took me a day to create and is undetectable to antivirus.

Figure 1: Ransomware and a few test files

Figure 2: Test text data

Figure 3: Encrypted data

Figure 4: Ransom note

The Solution

If creating ransomware is easy, and my antivirus won’t detect custom or advanced ransomware, what’s the solution? Having good data recovery is one of the best ways to combat ransomware. Not only is the backup important to safe guard data but it also can recover the data that was encrypted via ransomware. Simply backing up data is not truly enough to ensure its integrity and availability. With this in mind here are some things to consider when implementing or evaluating your data recovery solution.

1. Implement a file system that supports snapshots. When snapshots are implemented data recovery is fast, painless and has low overhead.
2. Utilize encryption. Most, if not all backup software supports encryption and this can help with a few different security issues one of which is the confidentiality of your data. Encrypt your data at rest as well as in transit.   
3. Implement a one-way backup solution. Devices should be able to create new backups, not change or delete old ones. This is best implemented with a differential backup, and storage that is not continuously addressed though system calls.
4. Test your backup solution. Having a backup of your systems may make you feel good, but if you don’t test these backups they might come to disappoint you down the road. Testing your backups should be part of your process, not part of your panic.
5. Replicate your backups. Having a backup in one place is great. Having it in two places is better. This can help if your backup data is attacked, your replicated data may save you.
6. Create a backup policy. Plan your backup policy to follow any regulatory or official requirements and include current diagrams of your backup process. 
7. Create offsite or offline backups. Offsite backups can be useful in a physical attack or natural disaster while offline backup can protect against ransomware or other network attacks on your data.
8. Implement a reporting system. You should know when backups have failed or backup configurations has been changed. Backups should be automatic but you want these systems to check in.

By implementing data recovery, you stand the best chance to protect your data from attackers via ransomware or other data attacks. Data recovery may seem like a costly investment in the “just in case” scenario, but if implemented properly when other controls fail your data can still be recovered. 

The next post will cover CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers and Switches.