Part 2 – Ransomware Protection and Response Checklist

4 Steps to Protect Your Enterprise from Ransomware

  1. Block unexpected traffic with host-based firewalls and network defenses.
  2. Isolate, disable, or retire insecure systems and protocols.
  3. Maintain your software so that it is updated and supported.
  8. Apply security baselines to harden internet-facing Windows servers and clients and Office applications.
  9. Block known threats with tamper protection and block at first sight (cloud-delivered protection with sample submission).
  10. Enable AMSI for Office VBA so macro behaviour is scanned at run time.
  7. Implement Advanced Email security using Defender for Office 365.
  8. Enable attack surface reduction (ASR) rules to block common attack techniques.
  9. Enforce Zero Trust user and device validation with Azure AD Conditional Access.
  10. Configure security for third-party VPN solutions.
  11. Deploy Azure Point-to-Site (P2S) VPN.
  12. Publish on-premises web apps with Azure AD Application Proxy.
  13. Secure access to Azure resources with Azure Bastion.
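The host-side items in this list (ASR rules, block at first sight, AMSI for Office VBA) all come down to Defender and Office settings. The script below is an added example, not part of the original post, and applies them to one Windows host; run it elevated. The rule GUIDs are Microsoft's published attack surface reduction rule IDs (check them against the current ASR rule reference before a fleet rollout), the `MacroRuntimeScanScope` registry path is the documented Office policy key and is an assumption to verify for your Office version, and the script starts ASR in audit mode on purpose:

```powershell
# Added example: harden one Windows host with the Defender controls from the checklist.
#Requires -RunAsAdministrator

# ASR rules keyed by Microsoft's published GUIDs (verify against the current ASR reference).
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creation from PsExec and WMI'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# Stage 1: audit. AuditMode logs what each rule would have blocked without blocking it;
# switch $mode to 'Enabled' once the audit events show no business-critical false positives.
$mode = 'AuditMode'
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
}

# Block at first sight needs cloud-delivered protection, sample submission and the
# block-at-first-seen switch itself (the property is negative: $false means "enabled").
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -DisableBlockAtFirstSeen $false
Set-MpPreference -CloudBlockLevel High

# AMSI for Office VBA: MacroRuntimeScanScope, 0 = off, 1 = macros in low-trust documents,
# 2 = all macros. Assumed policy path; confirm for your Office version before deploying.
$officeSec = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
New-Item -Path $officeSec -Force | Out-Null
Set-ItemProperty -Path $officeSec -Name 'MacroRuntimeScanScope' -Type DWord -Value 2

# Verify. Tamper protection cannot be switched on from PowerShell (it is managed through
# Intune or the Defender portal), so it is only reported here.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtected    = $status.IsTamperProtected
    BlockAtFirstSight  = -not $pref.DisableBlockAtFirstSeen
    CloudBlockLevel    = $pref.CloudBlockLevel
    AsrRulesConfigured = @($pref.AttackSurfaceReductionRules_Ids).Count
}
```

Leave the rules in audit mode for a week or two and review the ASR events in the Defender portal or the `Microsoft-Windows-Windows Defender/Operational` log before flipping `$mode` to `Enabled`; the Office child-process and LSASS rules in particular tend to surface legitimate line-of-business tooling that needs an exclusion first.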

  1. Back up all critical systems automatically on a regular schedule.
  2. Protect backups against deliberate erasure and encryption:
    • Strong protection: require out-of-band steps (MFA or a PIN) before online backups (such as Azure Backup) can be modified or deleted.
    • Strongest protection: store backups in online immutable storage (such as Azure Blob immutable storage) and/or fully offline or off-site.
  3. Regularly exercise your business continuity/disaster recovery (BC/DR) plan.
  4. Protect supporting documents required for recovery such as restoration procedure documents, your configuration management database (CMDB), and network diagrams.
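Immutable storage is the one control on this list that still holds when the attacker has an operator's credentials, so it is worth proving it works rather than assuming it. The script below is an added example (not the post's own) showing the "strongest protection" option on Azure: a time-based immutability policy on a backup container, soft delete on a Recovery Services vault, and a deliberate delete attempt that must fail. It needs the `Az.Storage` and `Az.RecoveryServices` modules and a signed-in session; the resource names are placeholders.

```powershell
# Added example: make Azure backup storage immutable and prove a delete is refused.
$rg        = 'rg-backup'            # placeholder resource group
$account   = 'stbackupimmutable'    # placeholder storage account
$container = 'sql-backups'          # placeholder container
$vault     = 'rsv-prod'             # placeholder Recovery Services vault

# Time-based retention: blobs cannot be deleted or overwritten for 90 days after creation.
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $account `
    -ContainerName $container -ImmutabilityPeriod 90

# Locking makes the policy itself irrevocable; once locked the period can only be extended.
# Agree the period with the owners of the restore process before running this line.
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $account `
    -ContainerName $container -Etag $policy.Etag -Force

# Soft delete on the vault keeps deleted backup items recoverable for 14 days, so a
# compromised operator account cannot wipe them in one step.
$vaultObj = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vault
Set-AzRecoveryServicesVaultProperty -VaultId $vaultObj.ID -SoftDeleteFeatureState Enable

# Check: deleting a blob in the protected container must be refused even with full
# data-plane rights. If this succeeds, the policy is not in effect.
$ctx  = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
$blob = Get-AzStorageBlob -Container $container -Context $ctx | Select-Object -First 1
try {
    Remove-AzStorageBlob -Container $container -Blob $blob.Name -Context $ctx -Force -ErrorAction Stop
    Write-Warning "Delete succeeded: immutability is NOT protecting $container"
} catch {
    Write-Host "Delete refused as expected: $($_.Exception.Message)"
}
```

Run the delete check from the same account your backup job uses, not from a Global Administrator: the point is to confirm that the identity most likely to be stolen cannot destroy the copies. The "strong protection" variant in the list (MFA before modifying backups) is a separate control in Azure Backup, multi-user authorization through a Resource Guard, and is not shown here.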

  1. Migrate your organization to the cloud:
  2. Designate Protected Folders.
  3. Review your permissions:
  4. Discover broad write/delete permissions on file shares, SharePoint, and other solutions. Broad is defined as many users having write or delete permissions for business-critical data.
  5. Reduce broad permissions while meeting business collaboration requirements.
  6. Audit and monitor to ensure broad permissions don’t reappear.
  7. Enforce strong MFA or passwordless sign-in for all users.
  8. Increase password security with Azure AD Password Protection.
  9. Enforce end-to-end session security for administration portals using Azure AD Conditional Access.
  10. Protect and monitor identity systems to prevent escalation attacks.
  11. Detect and mitigate lateral movement from compromised devices.
  12. Use Azure AD Privileged Identity Management time-based and approval-based role activation.
  13. Use Privileged Access Management (PAM) to limit standing access to sensitive data or access to critical configuration settings.
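Items 2 through 6 above are one procedure: fence off the folders that matter, then find and remove the broad write and delete rights that let a single infected user account encrypt an entire share. The script below is an added example, not from the original post, that does both on a Windows file server: it enables controlled folder access (the "protected folders" control) for the critical shares and then reports every Allow ACE that gives a wide group write or delete rights. The share paths, the backup agent path and the list of "broad" principals are assumptions to adapt.

```powershell
# Added example: protect critical shares and audit them for broad write/delete permissions.
#Requires -RunAsAdministrator

$criticalShares = @('D:\Shares\Finance', 'D:\Shares\Legal', 'D:\Shares\HR')   # placeholders

# Controlled folder access: only trusted applications may write to the protected folders.
# Start with AuditMode if you are unsure which applications write here, then move to Enabled.
Set-MpPreference -EnableControlledFolderAccess Enabled
foreach ($path in $criticalShares) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $path
}
# Allow the backup agent explicitly (placeholder path); anything else that writes is blocked and logged.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\BackupAgent\agent.exe'

# Principals that effectively mean "everyone on the network". Extend with your own wide groups.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Domain Users')

# Any of these rights lets a compromised user overwrite or remove data, which is what ransomware needs.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, Modify, FullControl'

function Find-BroadWriteAccess {
    param([string[]]$Paths, [string[]]$BroadPrincipals)
    foreach ($p in $Paths) {
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            # Only Allow ACEs matter; a Deny ACE on a broad group is the opposite of a problem.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $identity = $ace.IdentityReference.Value
            $isBroad  = $BroadPrincipals | Where-Object { $identity -like "*$_" }
            if (-not $isBroad) { continue }
            if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Principal = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Report: each row is a candidate for replacing the wide group with a scoped one.
$findings = Find-BroadWriteAccess -Paths $criticalShares -BroadPrincipals $broadPrincipals
$findings | Format-Table -AutoSize
```

Item 6 (make sure broad permissions do not reappear) is the same function on a schedule: run `Find-BroadWriteAccess` from a scheduled task and alert when it returns rows, because inherited ACEs on a newly created subfolder are how a cleaned-up share quietly becomes writable again.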

  1. Implement security awareness training that teaches users what to look for, so that malicious applications are not downloaded or executed.
  2. Conduct simulated phishing attacks monthly to inoculate users against current threats, because email filters still miss an estimated 5% to 10% of malicious emails.
  3. Prioritize common entry points:
  4. Use integrated Extended Detection and Response (XDR) tools like Microsoft 365 Defender and Azure Sentinel to provide high quality alerts and minimize friction and manual steps during response.
  5. Monitor for brute-force attempts like password spray with Azure Sentinel.
  6. Don’t ignore commodity malware: a "low-severity" loader or banking trojan is often the first stage of a human-operated ransomware intrusion.
  7. Monitor for an adversary disabling security (this is often part of an attack chain) with Azure Sentinel, such as:
    • Event log clearing, especially the Security Event log and PowerShell Operational logs.
    • Disabling of security tools and controls, a step several ransomware groups take before deploying their payload.
  8. Integrate outside experts into processes to supplement expertise, such as the Microsoft Detection and Response Team (DART).
  9. Rapidly isolate compromised computers using Defender for Endpoint.
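Two of the signals above, an adversary clearing logs or switching off Defender, and password spray, are easy to hunt for directly in the Windows event logs when you do not yet have Sentinel in front of them. The script below is an added example (not from the original post) that runs on a domain controller or a log collector: part A pulls the defence-evasion events, part B reduces failed logons to (time, source, account) and flags one source failing against many distinct accounts. The thresholds and the constructed sample at the end are assumptions; tune the numbers to your estate.

```powershell
# Added example: hunt for log clearing, Defender being disabled, and password spray.
$since = (Get-Date).AddHours(-24)

# Event IDs: 1102 = Security log cleared, 104 = an event log was cleared (System log, also
# fires for the PowerShell Operational log), 5001 = Defender real-time protection disabled,
# 5010/5012 = malware/virus scanning disabled, 5007 = Defender platform configuration changed.
$defenseEvasionFilters = @(
    @{ LogName = 'Security'; Id = 1102; StartTime = $since },
    @{ LogName = 'System';   Id = 104;  StartTime = $since },
    @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007, 5010, 5012; StartTime = $since }
)

function Get-DefenseEvasionEvents {
    foreach ($f in $defenseEvasionFilters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $_.LogName
                Id      = $_.Id
                Message = ($_.Message -split "`n")[0]
            }
        }
    }
}

# Reduce a 4625 (failed logon) event to the three fields spray detection needs.
function ConvertFrom-FailedLogon {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Time = $Event.TimeCreated; Source = $d['IpAddress']; Account = $d['TargetUserName'] }
}

# Spray = one source, many accounts, few attempts each (brute force is the opposite shape:
# one account, many attempts). Group by source and count distinct accounts in a sliding window.
function Find-PasswordSpray {
    param([object[]]$FailedLogons, [int]$MinAccounts = 20, [int]$WindowMinutes = 30)
    $FailedLogons | Group-Object Source | ForEach-Object {
        $source = $_.Name
        $sorted = @($_.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = $sorted[$i].Time
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $accounts = @($window.Account | Sort-Object -Unique).Count
            if ($accounts -ge $MinAccounts) {
                [pscustomobject]@{ Source = $source; Start = $start; DistinctAccounts = $accounts; Attempts = $window.Count }
                break   # one finding per source is enough to raise the alert
            }
        }
    }
}

# Live run against the local logs.
Get-DefenseEvasionEvents | Format-Table -AutoSize
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
          ForEach-Object { ConvertFrom-FailedLogon $_ }
Find-PasswordSpray -FailedLogons $failed | Format-Table -AutoSize

# Constructed sample (not real log data) so the spray logic can be exercised offline:
# 25 distinct accounts, one attempt each, from a single address inside ten minutes,
# which is above the default 20-account threshold.
$t0 = Get-Date '2024-01-01 02:00:00'
$sample = 1..25 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds($_ * 20); Source = '203.0.113.7'; Account = "user$_" }
}
Find-PasswordSpray -FailedLogons $sample | Format-Table -AutoSize
```

On a domain controller the 4625 source address is often the member server that proxied the logon rather than the attacker, so for spray against on-premises AD correlate with 4771 and 4776 as well; for cloud accounts the same grouping logic applies to Azure AD sign-in logs exported into Sentinel.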

Ransomware Response Checklist

  1. Determine whether it is a real ransomware attack.
  2. Determine whether more than one device is affected.

If so, continue to the next steps

  1. Declare ransomware event.
  2. Begin using predefined, alternate communications.
  3. Notify team members, senior management and the local law enforcement agency.

  1. Identify infected systems immediately and take them off the network; power them off only if you cannot isolate them, because a shutdown destroys memory that may hold the encryption keys and evidence of the intrusion.
  2. Disconnect and isolate infected systems from the network.
  3. Isolate your backups immediately.
  4. Disable all shared drives that hold critical information.
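Containment is the step where minutes matter and where powering a machine off throws away evidence. The script below is an added example, not part of the original post, of the two ways to isolate a host while keeping it running: network isolation through the Defender for Endpoint API (the preferred path, which leaves only the MDE channel open), and a local firewall lockdown for a host that is not onboarded. The tenant, app registration, hostname and jump-host address are placeholders; the app needs the `Machine.Isolate` API permission.

```powershell
# Added example: isolate a compromised host without shutting it down.

function Get-MdeToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # Client-credentials flow against the Defender for Endpoint API resource.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://api.securitycenter.microsoft.com'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body).access_token
}

function Find-MdeMachine {
    param([string]$Token, [string]$Hostname)
    # Look the device up by DNS name; the machine id is what the isolate action needs.
    $filter = [uri]::EscapeDataString("computerDnsName eq '$Hostname'")
    $headers = @{ Authorization = "Bearer $Token" }
    (Invoke-RestMethod -Headers $headers -Uri "https://api.securitycenter.microsoft.com/api/machines?`$filter=$filter").value |
        Select-Object -First 1
}

function Invoke-MdeIsolate {
    param([string]$Token, [string]$MachineId, [string]$Comment,
          [ValidateSet('Full', 'Selective')][string]$Type = 'Full')
    # 'Full' cuts all traffic except to MDE; 'Selective' keeps Outlook, Teams and Skype reachable.
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $payload = @{ Comment = $Comment; IsolationType = $Type } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Headers $headers -Body $payload `
        -Uri "https://api.securitycenter.microsoft.com/api/machines/$MachineId/isolate"
}

# Fallback for a host MDE cannot see: run locally (for example through an existing remote session).
function Invoke-LocalLockdown {
    param([string]$IrJumpHostIp)
    # Admit the IR workstation first so the current session survives, then block everything
    # else in both directions. Existing Allow rules still win over the default action, so
    # disable them too; only the IR-* rules remain.
    New-NetFirewallRule -DisplayName 'IR-Allow-JumpHost-In'  -Direction Inbound  -RemoteAddress $IrJumpHostIp -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'IR-Allow-JumpHost-Out' -Direction Outbound -RemoteAddress $IrJumpHostIp -Action Allow | Out-Null
    Get-NetFirewallRule -Action Allow -Enabled True | Where-Object DisplayName -NotLike 'IR-*' | Disable-NetFirewallRule
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
}

# Usage (placeholders throughout).
$token   = Get-MdeToken -TenantId '<tenant-id>' -ClientId '<app-id>' -ClientSecret '<secret>'
$machine = Find-MdeMachine -Token $token -Hostname 'fs01.corp.example'
if ($machine) {
    $action = Invoke-MdeIsolate -Token $token -MachineId $machine.id -Comment 'Ransomware containment, ticket <id>'
    "Isolation action $($action.id) is $($action.status)"
} else {
    Invoke-LocalLockdown -IrJumpHostIp '10.10.0.5'
}
```

The MDE action is asynchronous; poll `/api/machineactions/{id}` until its status is `Succeeded` before you treat the host as contained. Keep the `Comment` meaningful, it is the audit trail for who isolated what and why when the incident is reconstructed later.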

Check the Following for Signs:

    1. Mapped or shared drives.
    2. Cloud-based storage: DropBox, Google Drive, OneDrive, etc.
    3. Network storage devices of any kind.
    4. External, USB or other hard drives.
    5. Determine the ransomware strain (for example Ryuk, Dharma or SamSam); the ransom note and the extension appended to encrypted files usually identify it.
    6. Identify the threat vector (malware, tools and scripts) used to infiltrate your network.
    7. Check logs and DLP software for signs of data exfiltration.
    8. Look for unexpectedly large archive files (e.g., zip, arc) containing confidential data that could have been used as staging before exfiltration.
    9. One of the most unambiguous signs of data theft is, of course, a notice from the ransomware gang announcing that your data and/or credentials have been stolen.
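Items 1 through 8 above are a sweep of every storage location the infected hosts could reach, looking for ransom notes and encrypted-file extensions (to scope the spread and identify the strain) and for large, recent archives that may be exfiltration staging. The script below is an added example, not the post's own, that does that sweep over local and mapped drives plus any UNC paths you add. The note-name and extension patterns are common ones for the families the post names and are not a complete list; the paths, size and age thresholds are assumptions.

```powershell
# Added example: sweep reachable storage for ransomware indicators and staging archives.

# Roots to sweep: every local or mapped drive plus any UNC paths you add (placeholder path).
$roots = @(Get-PSDrive -PSProvider FileSystem | Where-Object Root -Match '^[A-Z]:\\' | ForEach-Object Root) +
         @('\\nas01\shares')

# Ransom note names dropped in every folder an encryptor touches (common patterns, not exhaustive).
$notePatterns  = @('*README*.txt', '*RECOVER*.txt', '*DECRYPT*.txt', '*HOW_TO*.txt', '*RyukReadMe*', '*.hta')
# Extensions appended to encrypted files; the distinct set narrows the strain (.ryk = Ryuk, .dharma = Dharma).
$encExtensions = @('*.ryk', '*.RYK', '*.dharma', '*.wallet', '*.locked', '*.encrypted', '*.crypt')

function Get-RansomwareIndicators {
    param([string[]]$Roots, [int]$MaxDepth = 4)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $notes = @(Get-ChildItem -Path $root -Recurse -Depth $MaxDepth -File -Include $notePatterns -ErrorAction SilentlyContinue)
        $enc   = @(Get-ChildItem -Path $root -Recurse -Depth $MaxDepth -File -Include $encExtensions -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Root           = $root
            RansomNotes    = $notes.Count
            FirstNote      = if ($notes.Count) { $notes[0].FullName } else { $null }
            EncryptedFiles = $enc.Count
            Extensions     = ($enc | ForEach-Object Extension | Sort-Object -Unique) -join ','
        }
    }
}

# Staging: archives above a size threshold written recently, outside known backup locations.
function Get-StagingArchives {
    param([string[]]$Roots, [int]$MinMB = 200, [int]$Days = 14, [string[]]$Exclude = @())
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include '*.zip', '*.7z', '*.rar', '*.arc', '*.tar', '*.gz' -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -ge $MinMB * 1MB -and $_.LastWriteTime -ge $cutoff } |
            Where-Object { $full = $_.FullName; -not ($Exclude | Where-Object { $full -like "$_*" }) } |
            Select-Object FullName,
                          @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB) } },
                          LastWriteTime,
                          @{ n = 'Owner';  e = { (Get-Acl -Path $_.FullName).Owner } }   # who created the archive
    }
}

Get-RansomwareIndicators -Roots $roots | Format-Table -AutoSize
Get-StagingArchives -Roots $roots -Exclude @('\\nas01\shares\backup') | Sort-Object SizeMB -Descending | Format-Table -AutoSize
```

Run this from a clean investigation host with read-only access where possible: the sweep only reads metadata, but opening a ransom note or archive on the infected machine changes access timestamps you may want for the timeline. An archive owned by a service account or a user who has no business with the data it contains is the row to chase first.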

  1. Initial investigators should try to stop or reduce any damage they discover, where possible.

  1. The goal is to make sure the team correctly understands all the information, including the scope and extent of the damage.

  1. Pay the ransom or not?
  2. Repair or rebuild?
  3. Invite additional external parties?
  4. Notify regulatory bodies and law enforcement (CISA, the FBI, etc.).

  1. Restore/rebuild from backup.
  2. Do you need to preserve evidence (forensic images of affected systems) before rebuilding?
  3. Use business impact analysis to determine what devices and systems to recover and the associated timing.
  4. Restore critical infrastructure first.

  1. Mitigate social engineering.
  2. Patch software.
  3. Use multi-factor authentication (MFA) where you can.
  4. Use strong, unique passwords.
  5. Use antivirus or endpoint detection and response software.
  6. Use anti-spam/anti-phishing software.
  7. Use data leak prevention (DLP) software.
  8. Have good backups and test restores regularly.

Thank you for reading, see you in the next blog.
