BeyondTrust Privileged Remote Access, if deployed correctly, can be an incredible tool to limit the damage that ransomware gangs can cause across all of your devices. This deployment guide covers how threat actors move through your network to steal data and spread ransomware, and how we can best deploy BeyondTrust Privileged Remote Access to prevent it.
How Ransomware Gangs Deploy Ransomware
The MITRE ATT&CK framework is an excellent, detailed, technical guide to the attack paths that threat actors can leverage in their pursuit of illicit gains. When deployed correctly, BeyondTrust Privileged Remote Access can be very effective at limiting their ability to:
- Establish initial access into your network, by restricting the use of remote administration tools to a single, centralised, MFA-backed and audited method
- Move laterally around your network by allowing you to block RDP, SSH, VNC, and other remote management tools between devices and networks and restricting administration access to the BeyondTrust platform only
- Elevate privilege from Domain User to Domain Admin by ensuring that admin passwords are rotated after every use, never exposed to end users, and never used on unauthorised devices (e.g. Domain Admin accounts on standard servers).
By applying good cybersecurity principles while designing your implementation you can make life very difficult for would-be attackers to achieve their end goal.
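As an added example (not taken from the original guide or from BeyondTrust's own documentation), the following PowerShell applies the "block RDP, SSH and VNC between devices" principle on a Windows server by scoping those inbound ports to the Jump Point only. The Jump Point address 10.0.0.5 and the rule names are placeholders, and the script assumes an elevated session on Windows Server 2012 R2 or later where the NetSecurity module is available.

```powershell
# Added example: restrict inbound RDP/SSH/VNC on a Windows server to the BeyondTrust Jump Point.
# Assumptions (not from the original guide): the Jump Point is at 10.0.0.5 (placeholder) and this
# runs elevated on Windows Server 2012 R2+ (NetSecurity module). The Jump Client agent itself makes
# outbound connections to the appliance, so these inbound rules do not affect it.
#Requires -RunAsAdministrator

$JumpPoint = '10.0.0.5'   # placeholder: replace with your Jump Point server's IP address

# Ports of the remote-management tools that should only be reachable via the BeyondTrust platform.
$AdminPorts = @{ 'RDP' = 3389; 'SSH' = 22; 'VNC' = 5900 }

# 1. Fail closed: any inbound connection without an explicit allow rule is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in "Remote Desktop" rules, which allow RDP from any address.
#    Windows Firewall has no "everyone except X" syntax, so the scoped allow rules below
#    must be the only way in on these ports.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 3. One allow rule per protocol, limited to the Jump Point as the remote address.
foreach ($name in $AdminPorts.Keys) {
    $ruleName = "PRA - Allow $name from Jump Point"
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue   # idempotent re-runs
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $AdminPorts[$name] -RemoteAddress $JumpPoint -Action Allow `
        -Profile Domain,Private,Public | Out-Null
}

# 4. Verification: report any enabled inbound allow rule that still opens an admin port to 'Any'.
function Get-UnscopedAdminRule {
    $adminPortStrings = $AdminPorts.Values | ForEach-Object { [string]$_ }
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = "$(($_ | Get-NetFirewallPortFilter).LocalPort)"
        $addr = "$(($_ | Get-NetFirewallAddressFilter).RemoteAddress)"
        if ($adminPortStrings -contains $port -and $addr -eq 'Any') { $_.DisplayName }
    }
}

# An empty result means no remaining rule exposes RDP/SSH/VNC to arbitrary sources.
Get-UnscopedAdminRule
```

Apply the same scoping per server (or via Group Policy) so that the only route to an admin port is through the Jump Point, which is what makes the lateral-movement restriction in the list above hold.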
BeyondTrust Privileged Remote Access Key Concepts
- A Jump Client is an agent installed onto each server which provides secure, remote screen sharing (think console-like keyboard/mouse/screen access), file transfers, and device health information, and can be used to scan for and manage local Windows user accounts. The Jump Client agent runs as a service as the SYSTEM user and hooks into Windows internal functions to inject credentials at appropriate times.
- A Jump Point is a server running the BeyondTrust SSH/RDP/VNC proxy application. A jump point server can be used to RDP to anything, even if a Jump Client is not installed. It can also discover and take ownership of Active Directory domain accounts.
- A Jump Item is something which you can remotely manage through BeyondTrust. Not all jump items have jump clients installed. Some Jump Items are configuration only (pointers to IPs/hostnames).
- A Jump Group is a collection of Jump Items. A Jump Client cannot be a member of more than one Jump Group.
- A Remote RDP session is a BeyondTrust-managed RDP session which originates at a Jump Point server. This means you can have more than one user connecting to a server at the same time (Jump Clients are limited to one session, but BeyondTrust users can share that session).
- An Account Group is a collection of usernames/passwords or usernames/SSH keys (Accounts) managed by BeyondTrust. These credentials are rotated by the BeyondTrust platform and should not be changed manually. For most accounts, nobody should ever see the passwords as BeyondTrust will inject them into sessions on your behalf.