Effective Protection is not a Single Action

Microsoft’s Digital Defense Report holds a trove of information. Besides some interesting facts on identity-based attacks, which I have discussed in an article on Attack-In-The-Middle protection mechanisms, there is also another interesting piece of information on page 27 of the report. Microsoft states that there is a 2.75x increase in ransomware encounters, but a threefold decrease in ransomware attacks being successful and reaching the ‘encryption’ state.

This is interesting as it shows that organizations are becoming better at combating ransomware attacks. In this article, I want to walk through some of my recommendations on combating ransomware.

Antivirus and EDR

The initial recommendation is straightforward, yet frequently overlooked in my customer engagements. Every endpoint in the corporate network needs to be secured with both an antivirus and an EDR (Endpoint Detection and Response) client. Without both, you are left vulnerable: once an attacker gains access to a device, they can do whatever they want on it without being noticed. Antivirus and EDR tooling will both block attacks and create security alerts when suspicious activity is observed, which is what gives the SOC something to respond to.

Hardening

Just deploying an antivirus and EDR tool on your devices isn’t enough. While this combination will stop the most common attacks, it won’t stop new types of attacks. These attacks are often still unknown to security vendors, and if a vendor doesn’t know something exists, it is difficult to build a detection for it.

That is where hardening comes in. By implementing hardening controls, we block common attack vectors in an environment before they can be abused by threat actors. Multiple hardening controls are combined in a security baseline. A simple example of hardening is blocking SMBv1. SMB was initially developed in 1983, and its first version is still abused in many ransomware cases (the EternalBlue exploit used by WannaCry and NotPetya targeted SMBv1). It is an old and insecure protocol and should be disabled wherever possible.

The main issue with hardening is that some of these legacy protocols are still used in production environments, often by a single old printer, NAS or line-of-business server nobody remembers. When you are deploying a security baseline, you need to be wary of the potential impact every step of the way: audit first, then enforce.
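As an added example (not code from the original article), the script below does the SMBv1 removal in the order just described: first report whether SMBv1 is still enabled and whether anything is still using it, then disable the protocol only when the audit comes back clean. It uses the built-in SmbShare and DISM cmdlets and assumes an elevated session on Windows 10/11 or Windows Server 2016 or later; the SMBv1 audit log and the -AuditSmb1Access switch exist on those versions.

```powershell
# Added example, not from the original article. Run elevated.
# Assumption: Windows 10/11 or Server 2016+, where the SMB1Protocol optional
# feature, Set-SmbServerConfiguration -AuditSmb1Access and the
# Microsoft-Windows-SMBServer/Audit log are all available.

function Enable-Smb1Audit {
    # Step 1: log every SMBv1 access (event 3000 in the SMBServer/Audit log)
    # without changing behaviour, so legacy clients reveal themselves.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Status {
    param([int]$AuditDays = 14)

    # Is the server still willing to speak SMBv1, and are the binaries installed?
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $featureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State

    # Live sessions negotiated at dialect 1.x are SMBv1 clients right now.
    $liveClients = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object -ExpandProperty ClientComputerName -Unique

    # Clients seen by the audit log over the pilot window (empty if auditing is off).
    $auditedClients = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-SMBServer/Audit'
            Id        = 3000
            StartTime = (Get-Date).AddDays(-$AuditDays)
        } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } | Select-Object -Unique

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $serverEnabled
        Smb1FeatureState  = $featureState
        LiveSmb1Clients   = @($liveClients)
        AuditedSmb1Access = @($auditedClients)
    }
}

function Disable-Smb1 {
    # Step 2: refuse to disable while anything still depends on SMBv1,
    # unless the operator has consciously accepted the impact.
    param([switch]$Force)

    $status = Get-Smb1Status
    $inUse  = $status.LiveSmb1Clients.Count -gt 0 -or $status.AuditedSmb1Access.Count -gt 0
    if ($inUse -and -not $Force) {
        Write-Warning 'SMBv1 is still in use; fix those clients first or rerun with -Force.'
        return $status
    }

    # Stop accepting SMBv1 sessions, then remove the component entirely.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Get-Smb1Status
}

# Typical rollout: audit for a couple of weeks on the pilot group, review, then disable.
Enable-Smb1Audit
Get-Smb1Status -AuditDays 14
# Disable-Smb1        # once the status shows no live or audited SMBv1 clients
```

The same pattern (audit, review the pilot group, enforce) applies to any baseline setting: a control that can be switched to an audit or report-only mode should go through that mode first.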

Luckily, other parties have done the heavy lifting and created ready-to-use security baselines. An example can be found in Jon Jarvis’ article, detailing how to deploy security baselines with Microsoft Intune.

Throughout my customers’ engagements, most of them don’t have a security baseline deployed, even though baselines can greatly increase the security protection available to companies.

Another great hardening control is Attack Surface Reduction (ASR) rules. This is a feature of Microsoft Defender for Endpoint that relies on Microsoft Defender Antivirus being the active antivirus, and it consists of a set of rules that block common avenues of attack, such as Office applications spawning child processes or credential theft from LSASS. Each rule can be run in audit mode before it is set to block. By enabling these rules, you are one step ahead of an attacker. They are often called ‘zero-day killers’ because they block the technique rather than a specific known sample, which makes them highly effective against unknown threats.

If an organization is starting hardening efforts, I have a couple of tips:

  • Start Small
    • Don’t try to deploy all settings at once. You need time to familiarize yourself with the baseline and the impact it can have. Use an iterative process and deploy additional settings only when no negative impact has been observed with the previous batch.
  • Use Good Pilot Groups
    • While the concept of a ‘pilot’ or ‘test’ group is often used, the groups are not always built correctly. A pilot group needs to contain users from every department and geographical location, so that every scenario is adequately tested before a setting is deployed across the organization.
  • Frequent Updates
    • A security baseline needs to evolve. At least twice a year, validate the current baseline and check whether updates are available. Vendors like Microsoft continuously provide new hardening controls, and these should be incorporated.
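To make the ASR discussion and the three tips above concrete, here is an added example (not code from the original article) of the iterative rollout: every rule starts in audit mode on the pilot group, the audit events are reviewed after the pilot period, and only rules that caused no impact are promoted to block. It uses the built-in Defender PowerShell module (Add-MpPreference / Get-MpPreference). The rule GUIDs are Microsoft’s published ASR rule IDs; verify them against the current ASR rules reference before use. The script assumes Microsoft Defender Antivirus is the active antivirus on the device; in a real deployment the same settings would be pushed through Intune, but the logic of the rollout is identical.

```powershell
# Added example, not from the original article.
# Assumption: Microsoft Defender Antivirus is the active AV (ASR rules need it).
# Rule IDs below are Microsoft's published ASR rule GUIDs; check them against
# the current ASR rules reference before deploying.
$AsrRules = @{
    'Block credential stealing from LSASS'                    = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block Office applications from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block executable content from email client and webmail'  = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Use advanced protection against ransomware'              = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
}

function Set-AsrRules {
    # Apply one action to a set of rules. Add-MpPreference merges with the rules
    # already configured; re-adding an existing ID updates its action.
    param(
        [Parameter(Mandatory)] [string[]] $RuleIds,
        [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')] [string] $Action
    )
    $actions = [string[]]($RuleIds | ForEach-Object { $Action })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds `
                     -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrEvents {
    # Defender logs ASR activity in its Operational log:
    #   1121 = a rule blocked something, 1122 = a rule would have blocked (audit mode).
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

function Get-AsrState {
    # Effective configuration: IDs and actions are parallel arrays.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# 1. Pilot: every rule in audit mode, nothing is blocked yet.
Set-AsrRules -RuleIds ([string[]]$AsrRules.Values) -Action AuditMode

# 2. After the pilot period, review what would have been blocked. Each 1122
#    event names the rule and the process/file it would have stopped; a rule
#    with only expected hits (or none) is safe to promote.
Get-AsrEvents -Days 14 | Group-Object Id | Select-Object Name, Count
Get-AsrEvents -Days 14 | Where-Object Id -eq 1122 | Format-List TimeCreated, Message

# 3. Promote only the rules that caused no impact; keep the others in audit.
Set-AsrRules -RuleIds @($AsrRules['Block credential stealing from LSASS'],
                        $AsrRules['Use advanced protection against ransomware']) -Action Enabled

# 4. Verify the effective state before widening the deployment ring.
Get-AsrState
```

Keep the audit-mode rules in place while you widen the deployment ring: the 1122 events from the next ring tell you whether a setting that was clean on the pilot group breaks a workflow that group didn’t cover, which is exactly the scenario a badly built pilot group misses.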

Managed Devices

The previous steps, ensuring devices are protected with antivirus and EDR tooling and hardened by a security baseline, only help if unmanaged devices are kept out. The same is reflected in Microsoft’s reporting: in more than 90% of all ransomware cases, the attack started from an unmanaged device.

Organizations spend thousands of dollars to secure endpoints. But if an end-user is also able to work from their home computer, all of those controls are bypassed, because none of them run on that machine. Cloud and on-premises resources should only be accessible from a managed and secure device. For cloud resources, this can be enforced with a Conditional Access policy that requires a compliant (Intune-managed) or hybrid-joined device.
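As an added example (not from the original article), the script below creates such a Conditional Access policy with the Microsoft Graph PowerShell SDK. It is created in report-only mode first, so the sign-in logs show which users and devices would have been blocked before anything is enforced; that is where the technical debt discussed next becomes visible. The group ID for the emergency access (break-glass) accounts is a placeholder and an assumption; replace it with your own. Running it requires the Policy.ReadWrite.ConditionalAccess permission.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph
# PowerShell SDK and Policy.ReadWrite.ConditionalAccess on the signed-in account.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All'

# Assumption/placeholder: object ID of the group holding your break-glass accounts.
# Always exclude them so a misconfigured policy cannot lock the tenant.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policyName = 'CA - Require managed device for all cloud apps'

$policy = @{
    displayName = $policyName
    # Report-only: evaluate and log, but do not enforce yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # Either a compliant (Intune-managed) or a hybrid-joined device satisfies the policy.
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in report-only mode"

# Review the report-only results: every sign-in the policy *would* have blocked
# is an unmanaged device that still needs to be onboarded or given a compensating control.
function Get-ReportOnlyFailures {
    param([string]$PolicyName, [int]$Top = 500)
    Get-MgAuditLogSignIn -Top $Top |
        Where-Object {
            $_.AppliedConditionalAccessPolicies |
                Where-Object { $_.DisplayName -eq $PolicyName -and $_.Result -eq 'reportOnlyFailure' }
        } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
                      @{ n = 'Device'; e = { $_.DeviceDetail.DisplayName } },
                      @{ n = 'OS';     e = { $_.DeviceDetail.OperatingSystem } }
}

Get-ReportOnlyFailures -PolicyName $policyName | Format-Table -AutoSize

# Once the failure list is down to known exceptions, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Leave the policy in report-only mode for at least a full business cycle (month-end, on-call rotations) before enabling it, otherwise the first enforcement day turns into the incident you were trying to prevent.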

Nevertheless, there is technical debt within any organization. I have not met a customer who had properly secured all their devices. Sometimes, there are operational or financial constraints that make it impossible to do so. In those circumstances, it is important to implement compensating controls for the devices you cannot manage: restrict them at the network level (for example, to the handful of resources they actually need), and ensure only a limited, known set of people are able to access these machines.

Active Directory Security

Active Directory is still the center of almost every organization. Although more and more are migrating into a cloud-only environment, most of them still have an Active Directory footprint that is connected to the cloud environment.

While there are new types of attacks that focus on the cloud, ransomware attacks are still primarily happening on Active Directory-based systems. More often than not, the ransomware itself is deployed using AD functionality, such as Group Policy or a domain administrator account, which is why the domain is the attacker’s real target.

This is also explained in Victor’s latest article on hardening domain controllers against ransomware. The article explains in great depth what hardening efforts you should take.

One of the most important hardening actions to take is the implementation of a tier 0 architecture. This architecture builds a fort around Active Directory, making it much more difficult to breach your crown jewels. By doing so, you significantly decrease the chance that your entire environment is breached. For additional details, Michael Van Horenbeeck has a great article explaining tier 0 and how it works.

Security Operations

The glue that connects it all together is security operations. We can implement all of the security controls we want, but if nobody monitors them, they might as well not exist. When I am working on incident response cases, there are often alerts from security tools that warned the customer about the imminent threat. However, nobody was looking at them. Security is not a single action, but a continuous cycle. As an organization, you need to have people who monitor the environment 24/7 and are able to take action when something goes wrong, and in any environment, things are bound to go wrong eventually.

Combating Ransomware Attacks

It is impossible to recommend one way to protect against ransomware. Multiple steps need to be taken to make an attack as hard as possible for the adversary. Creating a priority based on this article is difficult as well, because a lot depends on the structure and operational challenges present in an organization. If I have to provide a priority list, it is the following:

  1. Managed Devices – Having managed devices closes the gap significantly. It allows you to focus on what is important and ensures you know what your scope is.
  2. Antivirus and EDR – By having these two products deployed on every managed device, you create visibility.
  3. Security Operations – Visibility is nothing without response. By activating security operations, you get to know your organization from another angle: you can see what types of attacks are happening and how you should prioritize.
  4. Active Directory Security – As Active Directory is the heart of the organization, protecting it is of the utmost importance.
  5. Hardening – Hardening your environment doesn’t happen in weeks; it’s a matter of months. That is why you should plan this work once the basic steps are done.

About the Author

Thijs Lecomte

Thijs is a security consultant from Belgium, working at The Collective, an MSSP with a Microsoft-focused Security Operations Center. His work consists of leading the SOC team and implementing Microsoft Security solutions (such as Microsoft Sentinel and Defender) as a consultant. He is an MVP in the Security category and is a regular speaker at events and user groups. His best-known publication is as co-author of the 'Microsoft 365 Security for the IT Pro' ebook.