Netlogon vulnerability – The Essential Eight can save the day
A recently discovered vulnerability in Microsoft’s Netlogon authentication protocol (CVE-2020-1472) allows attackers to establish a vulnerable Netlogon secure channel connection to a domain controller. If an attacker successfully exploits this vulnerability, they can run specially crafted applications on the device and assume full administrative privileges.
This vulnerability was rightly classified at the highest possible impact score, making it one of the worst we have seen in a long time. Patching is often the very first mitigation strategy considered when vulnerabilities are made public, but in this case because of its nature as Microsoft’s core authentication protocol, a patch may take several months to arrive and for many, it may be impossible to apply because it may break vital lines of business applications.
Let us say, for now, that it is impossible to patch your systems. Either you have an old architecture that is using out of support Microsoft servers, or you have business applications that rely on the services that, once patched, will no longer work. You must make a choice as to what to do, since leaving this risk untreated is untenable. What options do you have?
Designing risk mitigation strategies
The scoring system used for vulnerabilities doesn’t account for the controls you have within your business, so even a vulnerability scored as a 10 can be brought below the threshold of acceptable risk, meaning you don’t need to patch it, as long as you have compensating controls in place to safeguard it from exploitation.
Start by exploring the vulnerability
You can start by looking at the details of the vulnerability and see how it works. Even if the bulletin says the only answer is to patch, you may be able to design a mitigating solution around it that greatly enhances your resilience. In the case of this Microsoft issue, the attacker needs to be connected to the same network as the target machine, so you should ask yourself how can you prevent an attacker getting connected to your network in the first place? You might already have network gatekeeper protocols, such as 802.1x in place, which works to enforce strong authentication for systems trying to join the network, called Network Access Control (NAC). If you can also block unknown MAC address connections to your physical network, that can also provide a level of protection, and can work on Wi-Fi and wired networks. There are other network level mitigations you can consider, some of which are even stronger than these, so if you have them or can easily deploy them, you should take these into account when considering the real likelihood that an attacker can mount a rogue device from your location and attack your domain controller.
What about device takeover, where the attacker uses an already permitted device by hacking into someone’s account and using that system to launch the second attack that exploits this vulnerability? Again, this might sound like a big problem, but you can ask many questions as to how they achieved that goal. Work backwards. If they run the exploit on the victim’s machine, how did they get it there? Did they have to install software? If so, how did they get access to the computer in the first place? Was this through a brute force attack against a weak password, or maybe the user fell for a targeted phishing attack. Now consider which of your security controls might prevent each of the layers of this attack.
The power of Application Whitelisting / Application Control
If you have application whitelisting, the attacker will struggle to install the malicious code needed to exploit the target Microsoft authentication protocol on the user’s system. This means that even if they successfully launched a phishing attack, the fact that they cannot run the exploit greatly reduces the risk. If the user’s password was subject to a brute force attack, then the enforcement of strong passwords, or the implementation of multi-factor authentication (MFA) will act as a strong defence.
If the user’s account doesn’t have the permissions to run system level commands, then the attacker might be thwarted because the system calls needed to launch the exploit are still out of reach. Each of these layers of protection make it sufficiently hard for an attacker to successfully exploit your systems, even with the most catastrophic vulnerability and the perfect exploit, because you have considered the security architecture as a whole and not just looked at point solutions for fixing single issues.
The Essential Eight
The Australian Cyber Security Centre’s (ACSC) Essential Eight Strategies to Mitigate Cyber Security Incidents is a list of widely regarded security controls that will protect organisations from up to 85% of targeted attacks. That is a bold claim, but when you look at the highly exploitable vulnerability we’ve been analysing above, any organisation with the Essential Eight controls in place will already have MFA, limited user privileges, application control (whitelisting), operating systems and applications under a strict patch regime, and a few other controls that help with locking down Microsoft Office and the recovery processes, in the event of a successful attack.
ACSC Essential Eight
As a cyber resilience baseline, irrespective of whether you have a dedicated Cyber Security team or whether you have one person that looks after your IT, the mitigation strategies in the Essential Eight are easily understood and can be implemented by any competent ICT administrator; they should become a mandatory implementation standard for any organisation, for all IT systems.
Beware of the dynamic nature of cyber resilience
The only caution with the Essential Eight, as with any cyber mitigation strategy, is that while these controls are excellent at keeping out all but the most sophisticated and highly motivated hackers (nation states), as with all ICT systems, these controls can drift off compliance and leave you exposed without your knowledge. Privileges might be added to certain accounts over time, for example, and those accumulated privileges can become the chink in your organisation’s armour. Patch compliance might also drift, application control (whitelisting) might not be applied to a new fleet of laptops (because of an oversight or misconfiguration).
Regular measurement of cyber resilience is critical
In order to retain your strong baseline of cyber resilience, you will need to find a way to monitor ongoing performance against the Essential Eight target state, such that any deviation from that baseline of cyber maturity is immediately flagged for remediation; what was robust yesterday, may be vulnerable today.
If you are concerned about vulnerabilities such as this critical Netlogon problem, Huntsman Security’s Essential Eight monitoring solutions report on whether you are protected or not. To find out more, get in touch today.