What’s Hot in M365 for addressing ransomware
Data loss can be devastating to a company. It can lead to lost revenue, lost productivity, and damaged reputation, to name a few. Data can be lost for various reasons, ranging from misplaced or deleted data to cyber attacks that encrypt and exfiltrate it.
Microsoft last month offered some general insights on how to secure networks against human-operated ransomware.
Ken Malcolmson and Jim Eckart, who are chief security advisors at Microsoft, described views largely based on Microsoft’s Detection and Response Team’s (DART’s) experiences, and gave their thoughts on the growing ransomware issue.
Human-operated ransomware basically involves having “a human at the keyboard moving around inside of your network, ultimately seeking to lock up your systems of operation and systems of revenue until you actually pay a ransom,” Eckart explained.
Cybercrime Is Cheap
The costs for criminals to get involved in cybercrime, such as ransomware, are pretty low, Eckart noted. He offered the following numbers, based on Microsoft’s “Digital Defense Report” research:
- Attackers for hire can cost as low as $250 per job.
- Spearphishers for hire range from $100 to $1,000.
- Ransomware kits can cost as little as $66, plus continuing royalties.
- Access to compromised devices gets priced at under $1 per device.
Attack Kill Chain
Attackers follow a pattern of first gaining initial access, typically through phishing campaigns or identity-based attacks. Another access method is to exploit RDP [Remote Desktop Protocol] misconfigurations or poorly maintained virtual private network (VPN) implementations.
To move around in a network, attackers use privilege escalation or credential theft, which lets them install malware across the network. They typically lay low before launching ransomware to encrypt the network’s data. In particular, attackers look to disrupt backup systems.
A few approaches were offered to address this kill chain:
- For e-mail and collaboration apps, use a solution that sandboxes URLs and attachments across all channels.
- Use an industry-leading EDR [endpoint detection and response] solution that has attack-surface reduction capabilities, including macro scanning.
- Protect endpoints better for remote access by reexamining RDP or port configurations, and keep VPNs properly patched to reduce man-in-the-middle attack scenarios.
Implementing multifactor authentication was also a recommended approach, but organizations have struggled to implement it.
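The RDP recommendation above is easier to act on with a concrete check. The following read-only audit script is an added example, not code from the article or from Microsoft; it reports whether RDP is enabled on a Windows host, whether Network Level Authentication is required, which port is in use, and whether any enabled inbound Remote Desktop firewall rule accepts connections from any remote address (the exposure that needs reexamining). It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the NetSecurity module and the listed registry values exist.

```powershell
# Added example (not from the article): read-only audit of a Windows host's RDP exposure.
# Assumes: elevated session on Windows 8 / Server 2012 or later with the NetSecurity module.
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means incoming connections are refused.
$deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 1) {
    Write-Output 'RDP: disabled (fDenyTSConnections=1); nothing further to check.'
    return
}
$findings.Add('RDP is enabled')

# 2. Network Level Authentication: UserAuthentication = 1 requires credentials before a session is created.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { $findings.Add('FINDING: NLA not required (UserAuthentication != 1)') }

# 3. Listening port: a non-default port is not a control by itself, so it is only reported.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
$findings.Add("RDP listening port: $port")

# 4. Firewall scope: enabled inbound RDP rules open to any remote address are the misconfiguration to look for.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            $findings.Add("FINDING: rule '$($rule.DisplayName)' (profile: $($rule.Profile)) allows RDP from any remote address")
        } else {
            $findings.Add("rule '$($rule.DisplayName)' (profile: $($rule.Profile)) restricted to: $($addr -join ', ')")
        }
    }

$findings | ForEach-Object { Write-Output $_ }
```

Lines prefixed with FINDING are the ones worth fixing: require NLA, and scope the firewall rules to a management network or remove the public exposure entirely (a VPN or remote-access gateway in front of RDP, as the article suggests).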
Zero-Trust Model
Microsoft recommended following a zero-trust model to prevent initial access by attackers. The most important aspect of the zero-trust model is to assume compromise, which means being able to detect attackers as they move in the network and to protect inner systems from data theft.
Microsoft Solutions
Malcolmson recommended using conditional access policies and depending on Azure Active Directory as “your single source of truth for identity provisioning.”
There should be strong authentication procedures in place. Organizations can also use Microsoft Information Protection solutions to protect data on devices. Malcolmson also touted the Microsoft Defender for Cloud Apps service, which can be used for “securely providing access to cloud applications.”
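Conditional access policies and the earlier point about organizations struggling with multifactor authentication come together in a single policy. The script below is an added example, not the article's or Microsoft's own code: it uses the Microsoft Graph PowerShell SDK to create a Conditional Access policy requiring MFA for all users on all cloud apps, deployed in report-only mode first so sign-in logs show what would have been blocked before anything is enforced. It assumes the Microsoft.Graph module is installed and the signed-in account can consent to Policy.ReadWrite.ConditionalAccess; the break-glass account ID is a placeholder to replace with the real emergency-access account's object ID.

```powershell
# Added example (not from the article): Conditional Access policy requiring MFA, created in report-only mode.
# Assumes: Microsoft.Graph PowerShell SDK and rights to consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$breakGlassId = '00000000-0000-0000-0000-000000000000'  # placeholder: emergency-access account object ID

$policy = @{
    displayName = 'CA001 - Require MFA for all users (report-only)'
    # Report-only: evaluated and logged in sign-in logs, but not enforced. Switch to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)   # never lock out the emergency-access account
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Review step: list policies that are still report-only or disabled, i.e. not yet protecting anyone.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -ne 'enabled' } |
    Select-Object DisplayName, State
```

The exclusion for the break-glass account is deliberate: a tenant-wide MFA policy with no excluded emergency account is the usual way organizations lock themselves out, which is one reason rollouts stall. Review the report-only results in the sign-in logs, then flip the state to enabled.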
Microsoft Sentinel was recommended by Eckart as having the “machine learning capabilities that turn low-fidelity signals into high-fidelity alerts.”
Have a Backup Plan
Human-operated ransomware aims to lock up systems of operation and revenue, and so it’s important to not only have the ability to recover databases, but also “the ability to recover front-end servers and all of the different infrastructure that’s in place.”