Lessons from the Conti Ransomware Group Around Vulnerability Management
There was a fascinating bit of research recently published by Breach Quest. In it they dissect communications of the Conti ransomware group from February 2022. For those not familiar with the Conti group, they're currently number one on the https://ransomwhe.re/ listing of the all-time highest ransomware payouts.
This group has generated more than $50 million USD in ransomware payments since their creation. Research into Conti's successful exploits underscores why the industry's focus on cyber hygiene cannot be overstated – they targeted well-known Windows vulnerabilities and were able to capitalize on low-hanging fruit. First, they infiltrate with a remote code execution (their favorite seemed to be CVE-2020-1472, a.k.a. Zerologon). Next, they escalate privileges on the machine using a whole host of attacks. Finally, they spread laterally to other devices and networked resources until they have established their foothold and are ready to initiate ransomware. Again, the vulnerabilities being leveraged to gain access and spread across the network are not sophisticated zero-day exploits – all of them have patches available. In fact, some of the vulnerabilities successfully exploited have been around since 2015!
More than anything, this investigation emphasizes the need for patch management. However, patching systems isn't as easy as it used to be. With labor shortages and a rising number of patches needed (for software and operating systems alike), we're looking at increased demand and a shrinking pool of patching talent across many large organizations.
With the increasing demand for patching and the pressures on limited resources, businesses are stuck trying to make priority decisions in a scalable, fact-based manner.
The need for intelligent, prioritized patching that is context aware has given birth to a new sector of solutions called vulnerability managers. Kenna (a part of Cisco) is one such solution. Kenna helps prioritize vulnerabilities for remediation. Kenna utilizes threat and exploit intelligence feeds, weaponized kits, popularity, advanced prediction models, and of course the CVSS score to calculate its Kenna Vulnerability Score. The customization of Kenna comes in when you assign assets a Priority Score. The Kenna Asset Priority Score is on a scale from 1-10 (10 being the highest priority) and helps Kenna prioritize asset remediation scoring. The calculation is simple: Kenna takes the Vulnerability Score (1-100) and multiplies it by the Asset Priority (1-10). The resulting Asset Score is the asset's risk-based score out of 1000. The higher the score, the more important the remediation is for security teams to perform.
Helping teams prioritize vulnerabilities is essential to breach prevention as the number of vulnerabilities continues to rise. Relying on the CVSS score alone just doesn't cut it anymore – businesses require context-aware, intelligent data to prioritize the most critical threats. For example, if we take our Conti list of vulnerabilities and compare it to Kenna's scoring system, we can see in what order we should prioritize vulnerabilities.
When looking at the CVSS score we're looking at a range of (6.9-10) where the Kenna score is giving us a range of (17-100) for the same set of vulnerabilities. Notice how there's a ton of 7.8 scores? That is where Kenna helps prioritization. While the Conti group is targeting vulnerabilities across the spectrum, for Kenna, the prioritization goes to the remote code executions and the more dangerous privilege escalations first. Armed with the proper intelligence, the business can prioritize mitigation of Conti's preferred approach to access the environment, and then address the escalation of privileges vulnerabilities on the assets that are deemed most critical.
A deeper analysis of this example further reflects the value and intelligence behind Kenna's model, as the lower Kenna Vulnerability Scores reflect a higher degree of difficulty to perform and require additional chained vulnerabilities to be successful. For example, the CVE at the bottom (CVE-2020-0638) requires execution permissions to work and can be stopped if Microsoft's UAC (User Account Control) is enabled. Also, it's worth keeping in mind that the Kenna Vulnerability Score is multiplied by the Asset Priority Score to get the asset's Default Asset Score. Thus, even if the most secure asset had the lowest Kenna score on our table, 17, it could potentially still score an Asset Score of 170 (17x10) if it was one of the highest priority assets in the environment.
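To make the scoring logic described above concrete, here is an added example (not Kenna's own code or data) that applies the Vulnerability Score x Asset Priority rule to a constructed queue of findings and contrasts the CVSS ordering with the risk-based ordering. The CVE identifiers, Kenna scores, asset names and priorities are all constructed sample values, not real Kenna output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str             # identifier (constructed placeholders in SAMPLE below)
    cvss: float          # CVSS base score, 0-10
    kenna_vuln: int      # Kenna Vulnerability Score, 1-100
    asset: str           # asset the finding was observed on
    asset_priority: int  # Kenna Asset Priority Score, 1-10


def asset_score(f: Finding) -> int:
    """Risk-based Asset Score: Vulnerability Score (1-100) x Asset Priority (1-10), out of 1000."""
    if not (1 <= f.kenna_vuln <= 100 and 1 <= f.asset_priority <= 10):
        raise ValueError(f"{f.cve}: score inputs out of range")
    return f.kenna_vuln * f.asset_priority


def by_cvss(findings: list[Finding]) -> list[Finding]:
    """Naive queue: highest CVSS first. Ties (e.g. many 7.8s) keep input order."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def by_asset_score(findings: list[Finding]) -> list[Finding]:
    """Risk-based queue: highest Asset Score first."""
    return sorted(findings, key=asset_score, reverse=True)


# Constructed sample queue: one RCE on a domain controller, three CVSS 7.8
# privilege escalations that CVSS alone cannot separate, and a hard-to-exploit
# vulnerability (Kenna 17) sitting on the most critical asset (priority 10).
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 10.0, 100, "dc01", 8),         # 100 x 8  = 800
    Finding("CVE-EXAMPLE-0002", 7.8, 65, "ws-finance", 6),     #  65 x 6  = 390
    Finding("CVE-EXAMPLE-0003", 7.8, 40, "ws-kiosk", 2),       #  40 x 2  =  80
    Finding("CVE-EXAMPLE-0004", 7.8, 88, "app-server", 4),     #  88 x 4  = 352
    Finding("CVE-EXAMPLE-0005", 6.9, 17, "payments-db", 10),   #  17 x 10 = 170
]

if __name__ == "__main__":
    print("CVSS order:       ", [f.cve for f in by_cvss(SAMPLE)])
    print("Asset Score order:", [(f.cve, asset_score(f)) for f in by_asset_score(SAMPLE)])
```

Note how the CVSS queue leaves the three 7.8 findings in arbitrary order and pushes the 6.9 finding to the back, while the Asset Score queue ranks the 17x10 finding on the payments database (170) ahead of the 7.8 finding on the low-priority kiosk (80).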
We continue to explore opportunities to assist our clients and drive maturity into their cybersecurity posture and vulnerability management is a growing challenge for many of these clients. WWT offers solutions like Kenna to help reduce organizational risk and provide efficiencies in prioritized patch management across the enterprise.