Best Practices: Securing Sysadmin Tools

Legitimate tools used by IT/system administrators have become valuable cybercriminal targets because of the privilege they provide for greater network access. While malware threats continue to evolve and proliferate, sysadmin tools have opened wider gates for them to deploy blindsiding attack tactics.

The Petya outbreak that infected many European organizations demonstrated the large-scale damage that could stem from abusing PsExec and the Windows Management Instrumentation (WMI). PowerShell has also seen multiple incidents of abuse over the years. From the Poweliks Trojan downloader, the information stealer FAREIT, and banking malware VAWTRAK to ransomware families such as PowerWare, and Cerber version 6, Powershell has been favored by attackers because it is easy to write and simple to obfuscate. In addition, malicious PowerShell scripts are a key ingredient of a lot of fileless malware that are capable of stealthily breaking into networks.

Remote desktop protocol (RDP), which is currently used by more than five million internet endpoints, is also no stranger to abuse. Last year, businesses in Australia and New Zealand got hit by RDP brute force attacks from ransomware operators.

To mitigate these threats, IT/system administrators can use the following best practices:

Restrict access

Properly categorize users and the networks they access to segment user privileges and network traffic. The risk of exposure to threats can be reduced by only granting enough access or privilege for a user to accomplish his task, or an application to be run.

Implementing two-factor authentication, account lockout policies and setting user permission/restriction rules can help defend against RDP brute force attacks. A bastion host that only allows access to certain IP addresses can also be implemented to reduce and withstand possible attacks.

Moreover, access should be limited to other management protocols such as VNC and SSH. Using a public key infrastructure (PKI) instead of knowledge-based passwords to access protocols like SSH is recommended to achieve a more secure authentication method. Granting limited access to other sensitive ports like TCP 135, 445, 1433 (MSSQL), 3306 (MySQL), and even web management consoles like phpMyAdmin is also recommended as they are popular targets in the wild.

Monitor systems and networks

Threats that abuse legitimate tools and services can indicate command and control communications to the attacker’s servers. Employing firewalls as well as intrusion detection and prevention systems will help deter incursion or data exfiltration attempts. This can be complemented by a security mechanism that can actively monitor inbound and outbound network traffic for any suspicious behavior.

System administrators must also regularly keep logs and record system activities, whether in applications, registry, and system or network events, and ensure that attackers cannot modify them. Aside from providing aid in incident response and remediation, these logs also help security researchers better understand the threat.

Patch and update

Ensuring that the operating system, software, and other applications are updated with the latest patches prevents threats from exploiting security gaps. This year, the success of attacks by WannaCry, UIWIX, and Adylkuzz have illustrated the consequences of overlooking unpatched vulnerabilities. Employing virtual patching is also an option for shielding systems and networks from unknown vulnerabilities, even without a patch.

For whitelisted applications that have become favorite targets by fileless malware operators, a robust patch management policy that balances business productivity and security is recommended.

Cyber-educate IT/security administrators

Organizations should conduct regular training to ensure that IT/sysadmins have a solid understanding of company security policy and procedure. Vigilantly monitoring the misuse of sysadmin tools can help organizations prevent threats from entering their network.

Sysadmin tools are responsible for making sure that systems and networks are not interrupted so business operations are kept up and running. Besides the abovementioned recommended practices, here are some other recommendations they can take to prevent sysadmin tools from being misused:

• Secure the email gateway and adopt best practices that mitigate email-based threats. Having an additional layer of security mechanisms that can filter and categorize malicious URLs is also recommended. 
• Ensure that connected devices are properly wiped during cleanups to mitigate the risks of further damage from threats.
• Enable a sandbox that can contain fileless Trojan downloaders and macro malware that typically utilize PowerShell scripts and shellcode to deliver their payloads. A sandbox that can analyze the various routines and behaviors of the malware can help identify the obfuscation or evasion tactics that threats can use.