FPCH Admin AWS Posted February 21, 2018 FPCH Admin Posted February 21, 2018 (edited) In the first blog post of this 3-part series, we introduced what rapid cyberattacks are and illustrated how rapid cyberattacks are different in terms of execution and outcome. In the second blog post, we provided some details on Petya and how it worked. In this final blog post, we will share: Microsofts roadmap of recommendations to mitigate rapid cyberattacks. Outside-in perspectives on rapid cyberattacks and mitigation methods based on a survey of global organizations. Because of how critical security hygiene issues have become and how challenging it is for organizations to follow the guidance and the multiple recommended practices, Microsoft is taking a fresh approach to solving them. Microsoft is working actively with NIST, the Center for Internet Security (CIS), DHS NCCIC (formerly US-CERT), industry partners, and the cybersecurity community to jointly develop and publish practical guides on critical hygiene and to implement reference solutions starting with these recommendations on rapid cyberattacks as related to patch management. Roadmap of prescriptive recommendations for mitigating rapid cyberattacks We group our mitigation recommendations into four categories based on the effect they have on mitigating risk: EXPLOIT MITIGATION Mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment BUSINESS CONTINUITY / DISASTER RECOVERY (BC/DR) Rapidly resume business operations after a destructive attack LATERAL TRAVERSAL / SECURING PRIVILEGED ACCESS Mitigate ability to traverse (spread) using impersonation and credential theft attacks ATTACK SURFACE REDUCTION Reduce critical risk factors across all attack stages (prepare, enter, traverse, execute) Figure 1: Key components of mitigation strategy for rapid cyberattacks We recognize every organization has unique challenges and investments in cybersecurity (people and technology) and cannot possibly make every single recommendation a top nor immediate priority. Accordingly, we have broken down the primary (default) recommendations for mitigating rapid cyberattacks into three buckets: Quick wins: what we recommend organizations accomplish in the first 30 days Less than 90 days: what we recommend organizations accomplish in the medium term Next quarter and beyond: what we recommend organizations accomplish in the longer term The following list is our primary recommendations on how to mitigate these attacks. Figure 2: Microsofts primary recommendations for mitigating rapid cyberattacks This list has been carefully prioritized based on Microsofts direct experience investigating (and helping organizations recover from) these attacks as well as collaboration with numerous industry experts. This is a default set of recommendations and should be tailored to each enterprise based on defenses already in place. You can read more about the details of each recommendation in the slide text and notes of the published slide deck. In prioritizing the quick wins for the first 30 days, the primary considerations we used are: Whether the measure directly mitigates a key attack component. Whether most enterprises could rapidly implement the mitigation (configure, enable, deploy) without significant impact on existing user experiences and business processes. Figure 3: Mapping each recommendation into the mitigation strategy components In addition to the primary recommendations, Microsoft has an additional set of recommendations that could provide significant benefits depending on circumstances of the organization: Ensure outsourcing contracts and SLAs are compatible with rapid security response Move critical workloads to SaaS and PaaS as you are able Validate existing network controls (internet ingress, internal Lab/ICS/SCADA isolation) Enable UEFI Secure Boot Complete SPA roadmap Phase 2 Protect backup and deployment systems from rapid destruction Restrict inbound peer traffic on all workstations Use application whitelisting Remove local administrator privileges from end-users Implement modern threat detection and automated response solutions Disable unneeded protocols Replace insecure protocols with secure equivalents (TelnetSSH, HTTP HTTPS, etc.) There are specific reasons why these 12 recommendations, although helpful for certain organizations/circumstances, were excluded from the list of primary recommendations. You can read about those reasons in the slide notes of the published slide deckif interested. Outside-in perspectives on rapid cyberattacks and mitigation methods In late November 2017 Microsoft hosted a webinar on this topic and solicited feedback from the attendees which comprised of 845 IT professionals from small organizations to large global enterprises. Here are a few interesting insights from the poll questions. Rapid cyberattack experience When asked if they had experienced a rapid cyberattack (e.g. WannaCrypt, Petya or other), ~38% stated they did. Awareness of SPA roadmap When asked if theyre aware of Microsofts Securing Privileged Access (SPA) roadmap, most, 66%, stated that they were not. Patching systems When we asked within how many days ( 83% can patch workstations within 30 days; 44% within 7 days 81% can patch servers within 30 days; 51% within 7 days 54% can patch Linux/Other devices within 30 days; 25% within 7 days Removal of SMBv1 When asked where they are on the path towards removing SMBv1, 26% said they have completed removing it, another 21% said they are in progress or in the process of doing so, and ~18% more are planning to do so. Adopting roadmap recommendations When asked what is blocking them from adopting Microsofts roadmap recommendations for securing against rapid cyberattacks, the top three reasons respondents shared are: Lack of time Lack of resources Lack of support from upper management/executive buy-in To help organizations overcome these challenges, Microsoft can be engaged to: Assist with implementing the mitigations described in SPA Roadmap and Rapid Cyberattack Guidance. Investigate an active incident with enterprise-wide malware hunting, analysis, and reverse engineering techniques. This includes providing tailored cyberthreat intelligence and strategic guidance to harden the environment against advanced and persistent attacks. Microsoft can provide onsite teams and remote support to help you investigate suspicious events, detect malicious attacks, and respond to security breaches. Proactively hunt for persistent adversaries in your environment using similar methods as an active incident response (above). Contact your Microsoft Technical Account Manager (TAM) or Account Executive to learn more about how to engage Microsoft for incident response. Contact your Microsoft Technical Account Manager (TAM) or Account Executive to learn more about how to engage Microsoft for incident response. More information We hope you found the 3-part blog series on the topic of rapid cyberattacks and some recommendations on how to mitigate them useful. For more information and resources on rapid cyber attacks, please visit the additional links here: On-demand webinar Protect Against Rapid Cyberattacks (Petya, WannaCrypt, and similar). Additional resources Tips to mitigate known rapid cyberattacks with Windows 10 (and Windows Defender Advanced Threat Protection): New ransomware, old techniques: Petya adds worm capabilities Windows 10 platform resilience against the Petya ransomware attack Windows 10 Creators Update provides next-gen ransomware protection Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack Mitigate backup destruction by ransomware with Azure Backup security features Detect leaked credentials in Azure Active Directory Rapidly detect polymorphic and emerging threats and enable advanced protection with Windows Defender Antivirus cloud protection service (formerly Microsoft Active Protection Service (MAPS)) Apply network protection with Windows Defender Exploit Guard Safeguard integrity of privileged accounts that administer and manage IT systems by considering Securing Privileged Access (SPA) roadmap Mitigate risk of lateral escalation and Pass-the-Hash (PtH) credential replay attack with Local Admin Password Solution (LAPS) Mitigate exploitation of SMBv1 vulnerability via Petya or other rapid cyberattack by following guidance on disabling SMBv1 Continue reading... Edited February 22, 2018 by AWS Quote Off Topic Forum - Unlike the Rest
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.