How ServiceNow Can Help Reduce the Exposure and Impact of Ransomware

As ransomware continues to be a persistent threat to all industry verticals, ServiceNow® has the capabilities to help customers minimize their attack surface to avoid exploitation and quickly respond to a ransomware breach if needed. 

Vulnerability hygiene and automation reduces the attack surface and expedites response

In many organizations, manual processes slow vulnerability management teams down because there are just too many vulnerabilities to deal with and not enough business context to know which systems to patch first. There’s no need to wait for the dreaded zero-day. In a ransomware attack successfully executed by the DarkSide RaaS group in May 2021 that targeted national infrastructure, DarkSide exploited two existing vulnerabilities; CVE-2021-20016 was used in the initial attack to gain access, and CVE-2020-1472 was used to elevate to privileged access.  These vulnerabilities were published as “Critical” by the National Vulnerability Database (NVD) in February 2021 and August 2020 respectively. 

By making vulnerability management more automated and risk-driven, ServiceNow can help create efficiency and focus to reduce the presence of vulnerabilities. ServiceNow Vulnerability Response helps customers streamline vulnerability remediation tasks through automated prioritization, assignment, grouping, and advanced analytics. It connects to existing tools and structured data ingested via out-of-the-box (OOB), pre-built integrations with many of the major vulnerability scan vendors, including Tenable, Qualys, Rapid7, and others (See store.servicenow.com to download).  Having this structured data from your scanner gives organizations the ability to automate remediation processes using risk multipliers beyond basic CVSS score, such as exploitability, date published, attack vector, and more. Combining these risk multipliers with information about the system in the ServiceNow CMDB, including business criticality, whether or not the system processes regulated PCI or PII data, external accessibility (Internet-facing hosts), and more allows Vulnerability Response to score risk in a flexible way that matches your organizational environment, context, and posture. The product’s workflows transform each vulnerability into a task for remediation, auto-prioritizes them based on these scores, automatically assigns the vulnerabilities for more efficient remediation, and when possible, provides the solution based on the vendor’s recommendations. 

With ServiceNow’s ability to use data from the vulnerability scanner alongside native CMDB data, the remediation tasks for each of the vulnerabilities used by DarkSide could have hit a critical priority status well before a breach. Pre-defined, no-code automation could have automatically prioritized, assigned, and grouped all vulnerabilities with the following criteria:

• CVSS score above 9
• published over 90 days ago
• low complexity for exploitation
• exploitable via remote execution
• on a business-critical system

Both of the vulnerabilities used by DarkSide met these criteria. These vulnerabilities, and vulnerabilities like them, can be expedited and correctly assigned to authorized IT owners for immediate remediation using ServiceNow when customer-defined risk criteria are clearly defined and acted upon.

Furthermore, standard ServiceNow functionality can allow the vulnerability management team to automate other functionality as well.  Remediation targets (also called SLAs, or “service level agreements”) can be automatically linked to each vulnerability, and the vulnerability manager can track the remediation success along the way.  Notifications can also go out when vulnerabilities are not remediated on time.  Finally, out-of-the-box reporting and dashboarding allows for visibility and insight into the health of the vulnerability management program and is critical in reducing the attack surface, from an enterprise perspective all the way down to a single vulnerability on a single host.

Early detection, containment, and mitigation of security attacks and incidents

Vulnerabilities aren’t the only area where ServiceNow can help. Using the recent national infrastructure breach as an example, the attackers implemented multiple types of attacks to infiltrate the system, including brute force password attacks, phishing emails, and once the initial malware payload was deployed, hosts beaconing out to command-and-control infrastructure prior to the hard drives being encrypted.  ServiceNow® Security Incident Response allows customers quickly respond to these types of security events in a few steps:

• Integrate with major SIEMs, including Splunk, LogRhythm, Microsoft Azure Sentinel, and more to ingest and deduplicate security alerts
• Perform automatic threat lookups via integration with major threat intelligence feeds like Recorded Future, CrowdStrike, VirusTotal, and other STIX/TAXII feeds
• Automate runbooks and create customizable playbooks for various security incident types, including phishing, malware, brute force password attempts, and more
• Orchestrate response tasks and data communication with other parts of IT
• Document each step taken in a security incident via a post-incident review
• Track overall SOC responsiveness and effectiveness via real-time dashboards

For example, a high maturity customer implemented a multilevel ransomware runbook with orchestration using ServiceNow Security Incident Response with the following:

• Automated alert ingestion via SIEM
• Automated threat lookups via out-of-the-box threat intelligence integrations
• Automated task creation and routing to SOC team members
• Validation of scope of breach by SOC analysts and outcome-based workflow continuation
• Automated invocation of a “break the glass” sub-workflow for actively spreading ransomware to include immediate automation of the following:
  • Automated notification to and approval from pertinent stakeholders to allow for all of the following automated orchestrated actions:
    • Disabling of any affected user accounts
    • Network and Endpoint ACL traffic blacklisting of pertinent ports and protocols
    • Disabling Active Directory Replication
    • Datacenter network isolation
    • Shutdown of system backups
    • Restoration of system images using known good backups

All of these activities and security incidents are tracked as structured data within the ServiceNow platform.  This allows for advanced trending and analytics, providing visibility into the health of the customer’s SOC program.
Finally, it is also important to note that each step of a ransomware attack from initial reconnaissance all the way through to data encryption and exfiltration can be mapped to the MITRE ATT&CK Enterprise Framework. Threat hunters can use the integration between MITRE ATT&CK and ServiceNow Security Incident Response to detect if their organization is under attack, where a bad actor is in the network, and what the appropriate response should be in order to break the attack chain.  In addition, a heat map shows where there are coverage gaps that are most relevant and most high impact to address.

Where Do We Go from Here?

Ransomware has been around for a while. Its public success as disruptor, not just cash source, means it will get more dangerous: a recent Sophos survey found that the number of ransomware incidents had fallen slightly, but the cost and impact had risen dramatically. What’s more, organizations are realizing that no one is beneath the bad actors’ notice. When CISOs and other executives take a good, hard look at the state of their cybersecurity response, they may realize there are far more gaps than they imagined. Manual processes, swivel-chair incident management, and the inability to see and prioritize the truly critical vulnerabilities and security incidents slow response to a crawl. They provide plenty of time for exploitation and exfiltration. And they make it next to impossible to proactively manage the organization’s attack surface.

When organizations use automated tools and processes to enhance their security and vulnerability response, they gain visibility into how they can efficiently reduce their risk and the ability to execute the tasks quickly and comprehensively.

Learn more at servicenow.com/securityoperations

You can also view the ServiceNow infographic "What is Your Exposure to Ransomware" here