Zerologon scored a perfect 10 CVSS score. Threats rating a perfect 10 are easy to execute and have deep-reaching impact. Fortunately, they aren’t frequent, especially in prominent software brands such as Windows. Still, organizations that perpetually lag when it comes to patching become prime targets for cybercriminals. Flaws like Zerologon are rare, but there’s no reason to assume that the next attack will not be using a perfect 10 CVSS vulnerability, this time a zero-day.
Zerologon: Unexpected squall
Zerologon escalates a domain user beyond their current role and permissions to a Windows Domain Administrator. This vulnerability is trivially easy to exploit. While it seems that the most obvious threat is a disgruntled insider, attackers may target any average user. The most significant risk comes from a user with an already compromised system.
In this scenario, a bad actor has already taken over an end user’s system but is constrained only to their current level of access. By executing this exploit, the bad actor can break out of their existing permissions box. This attack grants them the proverbial keys to the kingdom in a Windows domain to access whatever Windows-based devices they wish.
Part of why Zerologon is problematic is that many organizations rely on Windows as an authoritative identity for a domain. To save time, they promote their Windows Domain Administrators to an Administrator role throughout the organizational IT ecosystem and assign bulk permissions, rather than adding them individually. This method eases administration by removing the need to update the access permissions frequently as these users change jobs. This practice violates the principle of least privilege, leaving an opening for anyone with a Windows Domain Administrator role to exercise broad-reaching access rights beyond what they require to fulfill the role.
Beware of sharks
Advanced preparation for attacks like these requires a fundamental paradigm shift in organizational boundary definitions away from a legacy mentality to a more modern cybersecurity mindset. The traditional castle model assumes all threats remain outside the firewall boundary and trust everything either natively internal or connected via VPN to some degree.
Modern cybersecurity professionals understand the advantage of controls like zero standing privilege (ZSP), which authorizes no one and requires that each user request access and evaluation before granting privileged access. Think of it much like the security check at an airport. To get in, everyone —passenger, pilot, even store staff— needs to be inspected, prove they belong and have nothing questionable in their possession.
This continual re-certification prevents users from gaining access once they’ve experienced an event that alters their eligibility, such as leaving the organization or changing positions. Checking permissions before approving them ensures only those who currently require a resource can access it.
My hero zero (standing privilege)
Implementing the design concept of zero standing privilege is crucial to hardening against privilege escalation attacks, as it removes the administrator’s vast amounts of standing power and access. Users acquire these rights for a limited period and only on an as-needed basis. This Just-In-Time (JIT) method of provisioning creates a better access review process. Requests are either granted time-bound access or flagged for escalation to a human approver, ensuring automation oversight.
An essential component of zero standing privilege is avoiding super-user roles and access. Old school practitioners may find it odd and question the impact on daily administrative tasks that keep the ecosystem running. Users manage these tasks through heavily logged time-limited permission assignments. Reliable user behavior analytics, combined with risk-based privileged access management (PAM) and machine learning supported log analysis, offers organizations better contextual identity information. Understanding how their privileged access is leveraged and identifying access misuse before it takes root is vital to preventing a breach.
Peering into the depths
To even start with zero standing privilege, an organization must understand what assets they consider privileged. The categorization of digital assets begins the process. The next step is assigning ownership of these resources. Doing this allows organizations to configure the PAM software to accommodate the policies and access rules defined organizationally, ensuring access rules meet governance and compliance requirements.
The PAM solution requires in-depth visibility of each individual’s full access across all cloud and SaaS environments, as well as throughout the internal IT infrastructure. This information improves the identification of toxic combinations, where granted permissions create compliance issues such as segregation of duties (SoD) violations.
AI & UEBA to the rescue
Zero standing privilege generates a large number of user logs and behavioral information over time. Manual log review becomes unsustainable very quickly. Leveraging the power of AI and machine learning to derive intelligent analytics allows organizations to identify risky behaviors and locate potential breaches far faster than human users.
Integration of a user and entity behavior analytics (UEBA) software establishes baselines of behavior, triggering alerts when deviations occur. UEBA systems detect insider threats and advanced persistent threats (APTs) while generating contextual identity information.
UEBA systems track all behavior linked back to an entity and identify anomalous behaviors such as spikes in access requests, requesting access to data that would typically not be allowed for that user’s roles, or systematically accessing numerous items. Contextual information helps organizations identifying situations that might indicate a breach or point to unauthorized exfiltration of data.
Your compass points to ZTA
Protecting against privilege escalation threats requires more than merely staying up to date on patches. Part of stopping attacks like Zerologon is to re-imagine how security is architected in an organization. Centering identity as the new security perimeter and implementing zero standing privilege are essential to the foundation of a security model known as zero trust architecture (ZTA).
Zero trust architecture has existed for a while in the corporate world. It is gaining attention from the public sector since NIST’s recent approval of SP-207 outlined ZTA and how to leverage it for the government agencies. NIST’s sanctification of ZTA opened the doors for government entities and civilian contractors to incorporate it into their security model. Taking this route helps to close the privilege escalation pathway providing your organization a secure harbor in the event of another cybersecurity perfect storm.
CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) for which Microsoft released a patch in August, has just become a huge liability for organizations that are struggling with timely patching.
Secura researchers – the very same ones who found and disclosed the flaw to Microsoft – have published additional technical details on Monday, and just a few hours later several PoC exploit/tools have been published on GitHub.
CVE-2020-1472 (aka Zerologon) affects all supported Windows Server versions, but the danger is highest for servers that function as Active Directory domain controllers in enterprise networks.
The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol.
“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password,” Secura researchers explained.
“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”
“In a hypothetical attack, one could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence if cleanup and restoration efforts miss any additional malicious scripts,” Tenable security response manager Ryan Seguin noted.
“Organizations with network-accessible backups could end up with a perfect storm if a ransomware group destroys backups to increase their likelihood of payout from the victim organization.”
Yeah, I can confirm that this public exploit for Zerologon (CVE-2020-1472) works. Anybody who has not installed the patch from August’s Patch Tuesday already is going to be in much worse shape than they already were.https://t.co/SWK2hUDOYc https://t.co/0SDFfageQC pic.twitter.com/Lg8auMdtVU
— Will Dormann (@wdormann) September 14, 2020
Secura researchers published a Python script organizations can used to check whether a domain controller is vulnerable or not.
Systems that have received the patch released in August are safe from attack, as it enforces secure NRPC for all Windows servers and clients in the domain. All Active Directory domain controllers should be updated, including read-only domain controllers.
“The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions,” Microsoft explained.
But complete remediation will happen after organizations deploy Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC or to explicitly allow the account by adding an exception for any non-compliant device.
While organization can deploy DC enforcement mode immediately by enabling specific registry key, on February 9, 2021, DCs will be placed in enforcement mode automatically.
This phased rollout is due to the fact that there are many non-Windows device implementations of the Netlogon Remote Protocol, and vendors of non-compliant implementations have been given enough time to provide customers with the needed updates.
“Great security awareness training, that is part of a healthy cyber security culture and that is aimed at encouraging positive security behaviours, is essential. The problem is that awareness-raising training has a history of being dry, dull, technically-focused and ineffective,” Dr. Jessica Barker, Co-CEO of Cygenta, told us in a recent interview.
In order to select the right security awareness solution for your business, you need to think about a number of factors. We’ve talked to several industry professionals to get their insight on the topic.
David Lannin, CTO, Sapphire
Engaging positively with your audience is critical in the success of any security awareness solution. Every individual is different, each having their preferences of learning style, content and pace. The solution you consider should be able to adapt to this, having rich and varied content suited to the right users and groups across your business.
Do not lose sight at how diverse an audience can be and where their areas of expertise lie. Educating a purchasing team on handling financial information online is appropriate, but a generic warning about password usage may be less useful to the security teams.
Test your employee’s awareness and measure their improvement. This provides a full HR/audit trail, and publishing these results over time keeps staff engaged, showing changes in how effective security awareness training has been. Identifying individuals that are more phish-prone helps focus targeted training for those individuals – a weak link in your cyber defenses. Tailored training based on understanding ensures that those who demonstrate an understanding earlier in the process can be exempt from further training.
Ensure that the results are tangible. Be able to demonstrate the security awareness solution is effective and improving the overall security posture of the business.
Lise Lapointe, CEO, Terranova Security
The right security awareness training solution will drive long-term behavioral change among employees to create a cultural of security awareness.
There are five key components that must be in place to accomplish this:
- High quality content: Security training cannot effectively be approached as a “one-size-fits-all”. Different format and length in content promotes better participation and retention rates.
- Intuitive phishing simulator: Out-of-the-box phishing scenarios that reflect real-life cyber threats integrated with training for feedback.
- Multilingual content and platform: Out-of-the-box language support for global security awareness programs.
- Communication and reinforcement materials: Large libraries of predesigned content and templates for internal campaign promotion and content reinforcement including videos, posters and newsletters.
- Consultative approach: Security training that this is tied to the businesses needs with offerings including: CISO coaching, managed services and content customization.
By choosing the right security awareness training solution, businesses can develop customized, multi-language campaigns that are engaging and informative – and most importantly, successful.
Michael Madon, SVP & GM Security Awareness and Threat Intelligence Products, Mimecast
Human error poses one of the biggest risks to any organization. Yet, many organizations are conducting cyber awareness training quarterly or even less frequent – which is simply not enough. Mimecast recently surveyed 1,025 IT decision makers and found that 21% of respondents offer training on a monthly basis – a timeframe experts consider the gold standard.
The goal of any security awareness program should be to change employee’s perception of cybersecurity – helping them understand that it is not an inconvenience, but something that can help them be more effective in their jobs. But, effectively educating employees on email and web security cannot be achieved through one-off training sessions or siloed events that involve non-interactive materials like sterile corporate videos and mass-produced pamphlets.
When identifying a security awareness solution, organizations should look for the following:
- Humor – Not many people absorb information when it’s given in a format that is stale and boring. Humor captures people’s attention and is the best way to engage. Look for a solution that includes humor to communicate important information in a highly relatable way.
- Short and frequent content – Offering a regular cadence of concise trainings is a great way to ingrain cybersecurity best practices into employees’ day-to-day activities. Training sessions should be delivered monthly and be only 5 minutes or less.
- Risk scoring – Risk scoring capabilities can help identify employees who are most at risk for attack and can help focus increased time and resources on specific individuals.
Lance Spitzner, Certified Instructor, SANS Institute
Security awareness is ultimately a control to help ensure your organization is not only compliant, but you are effectively managing and measuring your human risk. As such, you need a solution that was developed by experts who understand risk and know both what risks and which behaviors to focus on.
These decisions should be driven by data based on today’s latest threats, technologies and incident drivers. If you are focusing on the wrong behaviors, not only are you wasting your organizations time but could be actually increasing the risk to your organization, such as requiring people to regularly change their passwords.
Other key factors include how often the content is updated and how people will relate to it. As technology, threats and organizations change so do risks. Your training should reflect that change. The other element is ensuring the training is a good fit for your organization and your culture. For example, if you have an outgoing organization that loves humor, then use humorous training. But if you have a large, diverse or more conservative organization, you will want training that adapts well to that environment.
Inge Wetzer, Social Psychologist Cybersecurity & Compliance, Secura
First of all; go one step back! Ask yourself the question: what exactly do you want to achieve? Looking for an awareness solution implies that your goal would be that all your employees are aware of the security risks and that they know what they should do. Your focus is: knowledge. However, a gap exists between knowing what you should do and actual behavior. Many people are aware that they should actually lock their computer screens, but many people still don’t behave accordingly.
Would you be happy if all employees in your organization pass an awareness test? What does this tell you about their actual behavior? So, you may not be looking for a security awareness solution, but for a security behavior solution?
Psychology teaches us that behavior is defined by more than knowledge: our actions are also driven by personal factors such as our motivation and past experience. In addition, organizational factors such as context and culture also define behavior. For effective behavioral change, all aspects of behavior should be addressed. Moreover, the attention to these factors should be recurrent to keep the topic top of mind. So, look for a continuous program that focuses on safe behavior as end goal by paying attention to its three determinants: knowledge, personal factors and organizational factors.