Conclusions from reading threat analyst reports

A couple of times a week I read up on the articles released by Microsoft’s threat analysts. They are really wonderful material. They start with a history of the criminal activity, progress through the development of the malware and how it works, then where its targets have been, and finish with their suggestions for avoiding being the next victim. As part of my upcoming, newly redesigned cloud-only Ransomware Prevention Kit I’ve been going through them looking for patterns, developing actions, and taking on board their suggested remediations.

They aren’t as smart as we think they are

There are some striking similarities in the articles. Despite criminal masterminds and “security researchers” always coming up with the next greatest tool for causing financial damage to our businesses and economy, there are patterns.

The method of getting in, via some unpatched system, zero-day, successful phish, or social engineering method, is the novel part of the whole ransomware empire. What isn’t novel is what they do next to gain the control they need inside our networks to do damage.

This is good news for IT professionals.

For example, in the notice released today about a scheme labeled Dev-050, we are informed that it exploits GoAnywhere Managed File Transfer, some zero-day flaws and other targeted applications with vulnerabilities. We also learn that it delivers Truebot, some scripts and a ransomware called Clop. Finally, there’s a mention that this Dev-050 system is available to ransomware-as-a-service buyers and includes regular updates that bring new zero-day opportunities. Then it runs a batch file and uses FileZilla to exfiltrate data.
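The two post-intrusion behaviours named in that notice, a batch file being run and FileZilla being launched to move data out, are exactly the kind of non-novel step a defender can look for. As an added example (not from the original post or from Microsoft’s report), the script below turns them into a hunt over Windows Security process-creation events (event ID 4688, which needs “Audit Process Creation” and command-line logging enabled). The approved-host list, the folder heuristic for batch files, and the sample records are constructed for illustration.

```powershell
# Added example, not from the original post: hunt Security event 4688 for
# FileZilla starting on hosts that should not run it, and for .bat files
# launched by cmd.exe out of temp or public folders.
# $ApprovedFileZillaHosts and the sample records below are constructed.

$ApprovedFileZillaHosts = @('FILESRV01')   # assumption: the only hosts expected to run FileZilla

function Test-SuspiciousProcess {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $NewProcessName,
        [string] $CommandLine = ''
    )
    $exe = [System.IO.Path]::GetFileName($NewProcessName).ToLowerInvariant()

    # FileZilla (or its SFTP helper) started on a host that is not supposed to have it.
    if ($exe -in @('filezilla.exe', 'fzsftp.exe') -and $ComputerName -notin $ApprovedFileZillaHosts) {
        return 'FileZilla launched on a host where it is not approved'
    }
    # A .bat run by cmd.exe from a user-writable or staging folder (heuristic, an assumption).
    if ($exe -eq 'cmd.exe' -and $CommandLine -match '(?i)\.bat\b' -and
        $CommandLine -match '(?i)\\(Temp|ProgramData|Public|Downloads)\\') {
        return 'Batch file executed from a temp or public folder'
    }
    return $null
}

# Score real 4688 events from the local Security log. In 4688 records,
# Properties[5] is NewProcessName and Properties[8] is CommandLine.
function Get-SuspiciousProcessEvents {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reason = Test-SuspiciousProcess -ComputerName $_.MachineName `
                                             -NewProcessName ([string]$_.Properties[5].Value) `
                                             -CommandLine ([string]$_.Properties[8].Value)
            if ($reason) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Host    = $_.MachineName
                    Process = $_.Properties[5].Value
                    Reason  = $reason
                }
            }
        }
}

# Constructed sample records so the logic can be exercised without a live log.
$samples = @(
    @{ ComputerName = 'WS-ACCT-07'; NewProcessName = 'C:\Users\jdoe\Downloads\FileZilla\filezilla.exe'; CommandLine = 'filezilla.exe' },
    @{ ComputerName = 'FILESRV01';  NewProcessName = 'C:\Program Files\FileZilla FTP Client\filezilla.exe'; CommandLine = 'filezilla.exe' },
    @{ ComputerName = 'WS-ACCT-07'; NewProcessName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c C:\Users\Public\run.bat' }
)
foreach ($s in $samples) {
    $reason = Test-SuspiciousProcess @s
    '{0,-12} {1,-60} {2}' -f $s.ComputerName, $s.NewProcessName, $(if ($reason) { $reason } else { 'ok' })
}
```

Running the sample loop flags the first and third records and reports the second as ok, since FILESRV01 is on the approved list. Against a real log, call Get-SuspiciousProcessEvents on a device where FileZilla has no business being; on a cloud-only estate the same two conditions map directly onto Defender for Endpoint process events, but the logic is the same.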

This information provides us with clues on where to look for tips on hardening our networks.

Hardening a SaaS-based business

When we get to the point where a business is using all cloud-resident applications, where does the hardening go? It goes on the device, and into the admin consoles of Microsoft 365 to provide identity protection.

There is a small handful of common areas that should be the starting point for everyone.

  • Attack surface reduction rules
  • Cloud based malware protection
  • Email security
  • Strict conditional access
  • Managed devices
  • Managed applications
  • Device hardening
  • Update management
  • Identity security
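As an added example (not the post’s own kit or Microsoft’s guidance), here is what the first two areas on that list, attack surface reduction rules and cloud-based malware protection, look like when applied to one Windows device with the built-in Defender cmdlets and then verified. In a cloud-only tenant you would push the same settings from Intune endpoint security policy; this script is the local equivalent for testing a single machine. The choice of rules is this example’s, and the rule GUIDs are Microsoft’s published ASR rule IDs, which you should confirm against the ASR rules reference before rolling out.

```powershell
# Added example, not from the original post: apply an ASR and
# cloud-delivered-protection baseline to one device, then verify it.
# Run in an elevated PowerShell session. Rule selection is an assumption.

# Rule GUIDs as published in Microsoft's ASR rules reference; confirm before use.
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

function Set-RansomwareBaseline {
    param([switch] $AuditOnly)   # start in audit mode to observe impact before blocking
    $mode    = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    $ids     = @($AsrRules.Keys)
    $actions = @($ids | ForEach-Object { $mode })

    # Attack surface reduction rules, all set to the same mode.
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

    # Cloud-delivered protection: join MAPS, allow sample submission, raise the
    # cloud block level, and give the cloud up to 50 s to decide on a new file.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendAllSamples `
                     -CloudBlockLevel High `
                     -CloudExtendedTimeout 50 `
                     -DisableRealtimeMonitoring $false
}

function Test-RansomwareBaseline {
    # Returns the rules from $AsrRules that are NOT in block mode (action value 1 = Block).
    $pref  = Get-MpPreference
    $state = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $state[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpperInvariant()] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($id in $AsrRules.Keys) {
        if ($state[$id] -ne 1) {
            [pscustomobject]@{ RuleId = $id; Name = $AsrRules[$id]; Action = $state[$id] }
        }
    }
    if ($pref.MAPSReporting -ne 2) {
        Write-Warning "MAPS reporting is not Advanced (value $($pref.MAPSReporting))"
    }
}

Set-RansomwareBaseline
Test-RansomwareBaseline | Format-Table -AutoSize
```

Test-RansomwareBaseline prints nothing when every selected rule is in block mode, which is the state you want before calling a device hardened; run it with -AuditOnly first on a pilot group and review the ASR audit events before switching to block.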

Where should you start?

It takes some effort to get your ransomware prevention strategy going. Before you can even consider doing any of the above configurations, you’ve got to have the following in place.

  • Licensing minimums
    • Microsoft 365 Business Premium
    • Azure AD P2
  • Azure AD joined devices
  • Windows 11
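An added example (not from the original post) of checking those prerequisites before starting: join state is read from dsregcmd /status, the Windows version from the OS build number (Windows 11 is build 22000 and later), and the two licence SKUs from Microsoft Graph, which requires the Microsoft.Graph module and the Organization.Read.All scope. The SKU part numbers SPB (Microsoft 365 Business Premium) and AAD_PREMIUM_P2 (Azure AD P2) are Microsoft’s published identifiers; confirm them against your own tenant’s subscribed SKUs. Note that a hybrid-joined device reports AzureAdJoined and DomainJoined both as YES, so the check also reports whether the join is cloud-only.

```powershell
# Added example, not from the original post: readiness check for the
# device and licensing prerequisites. SKU part numbers are assumptions to
# confirm against Get-MgSubscribedSku output in your tenant.

function Get-DeviceReadiness {
    $azureAdJoined = $false
    $domainJoined  = $false
    foreach ($line in (dsregcmd /status)) {          # emits "Key : Value" lines
        if ($line -match '^\s*AzureAdJoined\s*:\s*(\S+)') { $azureAdJoined = ($Matches[1] -eq 'YES') }
        if ($line -match '^\s*DomainJoined\s*:\s*(\S+)')  { $domainJoined  = ($Matches[1] -eq 'YES') }
    }
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    [pscustomobject]@{
        AzureAdJoined = $azureAdJoined
        CloudOnlyJoin = ($azureAdJoined -and -not $domainJoined)   # hybrid join shows both YES
        OSCaption     = $os.Caption
        Build         = $build
        IsWindows11   = ($build -ge 22000)
        DeviceReady   = ($azureAdJoined -and $build -ge 22000)
    }
}

function Get-LicenseReadiness {
    Connect-MgGraph -Scopes 'Organization.Read.All' | Out-Null
    $skus = Get-MgSubscribedSku
    foreach ($want in 'SPB', 'AAD_PREMIUM_P2') {
        $sku = $skus | Where-Object SkuPartNumber -eq $want
        [pscustomobject]@{
            Sku       = $want
            Present   = [bool]$sku
            Available = $(if ($sku) { $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits } else { 0 })
        }
    }
}

Get-DeviceReadiness
Get-LicenseReadiness | Format-Table -AutoSize
```

Run Get-DeviceReadiness on a few representative endpoints and Get-LicenseReadiness once per tenant; a device that shows AzureAdJoined but not CloudOnlyJoin is hybrid-joined, which is worth knowing before you build conditional access around device state.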
