Best Practices: Securing Sysadmin Tools

September 05, 2017

Legitimate tools used by IT/system administrators have become valuable cybercriminal targets because of the privilege they provide for greater network access. While malware threats continue to evolve and proliferate, sysadmin tools have opened wider gates for them to deploy blindsiding attack tactics.

The Petya outbreak that infected many European organizations demonstrated the large-scale damage that could stem from abusing PsExec and the Windows Management Instrumentation (WMI). PowerShell has also seen multiple incidents of abuse over the years. From the Poweliks Trojan downloader, the information stealer FAREIT, and banking malware VAWTRAK to ransomware families such as PowerWare, and Cerber version 6, Powershell has been favored by attackers because it is easy to write and simple to obfuscate. In addition, malicious PowerShell scripts are a key ingredient of a lot of fileless malware that are capable of stealthily breaking into networks.

Remote desktop protocol (RDP), which is currently used by more than five million internet endpoints, is also no stranger to abuse. Last year, businesses in Australia and New Zealand got hit by RDP brute force attacks from ransomware operators.

To mitigate these threats, IT/system administrators can use the following best practices:

Restrict access

Properly categorize users and the networks they access to segment user privileges and network traffic. The risk of exposure to threats can be reduced by only granting enough access or privilege for a user to accomplish his task, or an application to be run.

Implementing two-factor authentication, account lockout policies and setting user permission/restriction rules can help defend against RDP brute force attacks. A bastion host that only allows access to certain IP addresses can also be implemented to reduce and withstand possible attacks.

Moreover, access should be limited to other management protocols such as VNC and SSH. Using a public key infrastructure (PKI) instead of knowledge-based passwords to access protocols like SSH is recommended to achieve a more secure authentication method. Granting limited access to other sensitive ports like TCP 135, 445, 1433 (MSSQL), 3306 (MySQL), and even web management consoles like phpMyAdmin is also recommended as they are popular targets in the wild.

Monitor systems and networks

Threats that abuse legitimate tools and services can indicate command and control communications to the attacker’s servers. Employing firewalls as well as intrusion detection and prevention systems will help deter incursion or data exfiltration attempts. This can be complemented by a security mechanism that can actively monitor inbound and outbound network traffic for any suspicious behavior.

System administrators must also regularly keep logs and record system activities, whether in applications, registry, and system or network events, and ensure that attackers cannot modify them. Aside from providing aid in incident response and remediation, these logs also help security researchers better understand the threat.

Patch and update

Ensuring that the operating system, software, and other applications are updated with the latest patches prevents threats from exploiting security gaps. This year, the success of attacks by WannaCryUIWIX, and Adylkuzz have illustrated the consequences of overlooking unpatched vulnerabilities. Employing virtual patching is also an option for shielding systems and networks from unknown vulnerabilities, even without a patch.

For whitelisted applications that have become favorite targets by fileless malware operators, a robust patch management policy that balances business productivity and security is recommended.

Cyber-educate IT/security administrators

Organizations should conduct regular training to ensure that IT/sysadmins have a solid understanding of company security policy and procedure. Vigilantly monitoring the misuse of sysadmin tools can help organizations prevent threats from entering their network.

Sysadmin tools are responsible for making sure that systems and networks are not interrupted so business operations are kept up and running. Besides the abovementioned recommended practices, here are some other recommendations they can take to prevent sysadmin tools from being misused:

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.