For the month of September, we'll be running a blog series devoted to our brokers, taking a deeper look into the hearts and minds of our cybersecurity analysts and underwriting team as we explore ways to solve cyber risk.
One of the most unexpected issues that can arise in the underwriting process is for the Coalition security and underwriting team to flag a quote for a secondary review, or, even more unexpectedly, for that to result in a contingency or a declination.
That's why we are dedicating this month to contingencies and common security risks. We'll explore key considerations about common exposures and how that translates into risk. Today we are going to break down RDP.
In a recent blog post, we discussed the necessity for backups and various strategies to mitigate ransomware and malware risks. One of the ways that Coalition actively defends against losses arising from ransomware is to notify policyholders and potential policyholders about key exposures that lead to ransomware compromises. The critical security exposure that is most often present as a technical and predictive indicator of ransomware infections is (drumroll please) Microsoft remote desktops exposed to the internet — better known as RDP!
RDP stands for Remote Desktop Protocol and is a common service used on Windows networks to provide remote access to desktops.
Unfortunately, threat actors would also love to have remote access to these desktops for monetary gain or other malicious intent. What's worse, while some might think (or argue) a password, multi-factor, and other additional methods of securing RDP might prevent an adversary from gaining a foothold — this is incorrect. Let me tell you why.
RDP is a ubiquitous remote access solution used very often in Microsoft Windows environments for enabling a familiar experience for users — remote access to the well-known Windows desktop. The underlying program and network protocol used to communicate between the client (the one viewing the desktop) and the server (the system being accessed) is most commonly secured by a username and password — similar to how users normally log in to any Windows desktop.
The protocol itself, the digital language that the client and the server use to communicate, has also repeatedly been a problem, with a history of vulnerabilities that have allowed hackers to bypass the need for a username or password entirely.
The most recently disclosed vulnerability, called BlueKeep, let attackers manipulate the protocol to bypass the username and password requirement completely. This allowed adversaries to run malicious programs on every vulnerable instance of RDP they could find, and it led to widespread issues: many companies returned from the weekend to find business computers locked and data encrypted.
The only thing remaining? A ransom note.
So here is the big question, and the most difficult aspect to communicate to IT professionals who understand the technology well but may not deal with threat actors daily. Why is Coalition adamant that businesses close RDP now? Windows servers have been updated to remediate the BlueKeep vulnerability by implementing NLA (Network Level Authentication) and multi-factor authentication, so why are we still aggressively against RDP exposure?
Let's consider this from a different angle. Imagine being a fly on the wall of a virtual hacking operations center. You see a group of threat actors and a large world map with a few red dots representing easy hacking targets. From your view, you see a surprising wave of excitement fill the room as the Windows BlueKeep vulnerability first enters the public domain. What used to be a few red dots on the map has turned into millions of red dots, and the hackers are scrambling to figure out who to attack first.
This new vulnerability lets all of those hackers pick and choose what targets to ransom, what data to steal, and what companies house massive amounts of consumer data ready to exploit at a later date.
These hackers are working furiously to beat the clock (and other hacking groups) for the best targets and biggest payouts. They are frenzied to capitalize on the easier targets before the opportunity fades as IT admins catch wind and begin to close RDP or fix the vulnerability.
This operations center has perfected the tools, software, processes, and procedures needed to target RDP at scale. Eventually, this map of red vulnerable targets slowly returns to a normal state as remote access is closed. But wait: a global pandemic has spread and forced everyone to work from home.
Now, businesses are forced to find ways to provide remote access to business systems, and that map of vulnerable companies starts to light up again. All the tools, processes, and procedures these attackers used to capitalize on the Windows BlueKeep vulnerability are now repurposed to take advantage of this new exposure that is going to be around for a long time. Still the same RDP.
Hackers are subject to the same reward-based deception and cognitive biases that influence human behavior at a very primal level. They are much more likely to keep pursuing a technical condition long after a critical vulnerability like BlueKeep for RDP has been patched.
After all, these imaginary hackers spent all that time and energy developing the tools to scan for, evaluate, and exploit RDP. Adversaries also learned either implicitly or explicitly that businesses with RDP exposure often have infrastructure inside a brick and mortar location that can be held hostage. The mere presence of RDP signals an opportunity for ransomware attacks.
Hackers now know that certain company processes rely on certain systems, making them critical for business operations — perfect targets for ransomware.
RDP is the prevailing indicator concerning ransomware claims, and data continues to show that companies are specifically targeted due to the mere presence of RDP.
Instead of RDP, consider some alternatives such as LogMeIn, TeamViewer, or free alternatives like Apache Guacamole. If RDP must be used, ask IT experts to restrict access to only the IP addresses necessary, or utilize a VPN to prevent unauthorized individuals from even seeing that RDP exists within the organization. Remember, the problem is not just securing the access, but also preventing adversaries from realizing a good ransomware target exists.
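One way to apply the restriction described above on a Windows host that must keep RDP, as an added example that is not part of the original post (it is neither Coalition's nor Microsoft's published script); the allowed address list is an assumption to be replaced with the organization's VPN or administrator addresses:

```powershell
# Added example (not from the original post): scope an existing RDP host so it
# is reachable only from the addresses the business actually needs, and require
# NLA. Run in an elevated PowerShell session on the Windows host.
# 203.0.113.10 is a placeholder; replace it with your VPN or admin source IPs.
$AllowedSources = @("203.0.113.10")   # assumption: your permitted source addresses

# 1. Scope the built-in "Remote Desktop" firewall rules to the allowed sources
#    instead of "Any". This is the "restrict access to only the IP addresses
#    necessary" step: internet-wide scanners no longer see port 3389 answer.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
    Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True

# 2. Require Network Level Authentication so a client must authenticate before
#    a full session (and the protocol surface behind it) is set up.
$rdpTcp = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $rdpTcp -Name "UserAuthentication" -Value 1 -Type DWord

# 3. Verify: list any enabled RDP rule whose remote address is still "Any",
#    which would mean the host remains discoverable from the whole internet.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains "Any" } |
    Select-Object DisplayName, Direction, Profile

# 4. If this host does not need RDP at all (the post's preferred outcome),
#    disable it outright by uncommenting the next line.
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1 -Type DWord
```

Step 3 should return nothing once the change has taken effect; any rule it lists still exposes RDP to every source and needs the same scoping.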
Ransomware is taking organizations hostage (quite literally) by encrypting and disabling access to business-critical systems and data until a ransom payment is made. In the first half of 2020 alone we observed a 47% increase in the average ransom demand. For more information, download the H1 2020 Cyber Insurance Claims Report.