ABCDEFGHIJKLMNOPQRSTUVWXYZAAABACADAEAFAGAHAI
2
NoMeasureCategoryTypeDescriptionComplexity*
Effectiveness*
Impact*Possible IssuesLink 1Link 2Link 3Link 4Link 5
3
1Backup and Restore ProcessResilienceRecoveryMake sure to have adequate backup processes on place and frequently test a restore of these backups
("Schrödinger's backup - it is both existent and non-existent until you've tried a restore")		MediumHighLowhttp://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7
4
2Windows Defender Ransomware ProtectionProtectionGPOWindows Defender includes a security feature called "Ransomware Protection" that allows you to enable various protections against ransomware infections. This feature is disabled by default in Windows 10. It can be activated via GPO and has the name "Controlled Folder Access". (see the links) LowHighLowhttps://www.windowscentral.com/how-enable-controlled-folder-access-windows-10-fall-creators-updatehttps://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/controlled-foldershttps://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders
5
3Block MacrosResistenceGPODisable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:
A.) Open downloaded documents in 'Protected View'
B.) Open downloaded documents and block all macros		LowHighMediumCritical business processes that depend on macros (they exist, it's sad, but yes) https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitterhttps://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US
6
4Block Windows Binary Access to InternetResistenceGPOUse Windows Firwall policies to block binaries access to the so called "Remote Scope". These binaries include powershell.exe, bitsadmin.exe, certutil.exe, regsrv32.exe, mshta.exe, msbuild.exe, hh.exe, makecab.exe, ieexec.exe, extract.exe, expand.exe (see the links for details) MediumHighLowPowerShell and other scripted tools that pull updates from the Internethttps://medium.com/@dimitrismargaritis/prevent-legitimate-windows-executables-to-be-used-to-gain-initial-foothold-in-your-infrastructure-39771cd6ec90
7
5Filter Attachments Level 1ResistenceMail GatewayFilter the following attachments on your mail gateway:
.386, .ace, .acm, .acv, .ade, .adp, .adt, .ani, .app, .arc, .arj, .asd, .asp, .avb, .ax, .bas, .bat, .boo, .btm, .cab, .cbt, .cdr, .cer, .chm, .cla, .cmd, .cnv, .com, .cpl, .crt, .csc, .csh, .css, .dll, .dmg, .drv, .dvb, .email, .exe, .fon, .fxp, .gms, .gvb, .hlp, .ht, .hta, .htlp, .htt, .inf, .ini, .ins, .iso, .isp, .its, .jar, .job, .js, .jse, .ksh, .lib, .lnk, .maf, .mam, .maq, .mar, .mat, .mau, .mav, .maw, .mch, .mda, .mde, .mdt, .mdw, .mdz, .mht, .mhtm, .mhtml, .mpd, .mpt, .msc, .msi, .mso (except oledata.mso), .msp, .mst, .nws, .obd, .obj, .obt, .obz, .ocx, .ops, .ovl, .ovr, .pcd, .pci, .perl, .pgm, .pif, .pl, .pot, .prf, .prg, .ps1, .pub, .pwz, .qpw, .reg, .sbf, .scf, .scr, .sct, .sfx, .sfx, .sh, .shb, .shs, .shtml, .shw, .smm, .svg, .sys, .td0, .tlb, .tmp, .torrent, .tsk, .tsp, .tt6, .url, .vb, .vbe, .vbs, .vbx, .vom, .vsmacro, .vss, .vst, .vsw, .vwp, .vxd, .vxe, .wbk, .wbt, .wIz, .wk, .wml, .wms, .wpc, .wpd, .ws, .wsc, .wsf, .wsh		LowMediumLowUnknown if one of the extensions is used by business applications. They shouldn't - at least not from incoming emails.
8
6Filter Attachments Level 2ResistenceMail GatewayFilter the following attachments on your mail gateway:
(Filter expression of Level 1 plus) .doc, .docx, .xls, .xlsx, .rtf, .docm, .xlsm, .pptm, .bin, .one		MediumHighHighOffice Communication with old versions of Microsoft Office files (.doc, .xls)
9
7Use Web ProxiesResistenceBest PracticeMost malware isn't proxy-aware and tries to connect directly to their C2 or web host that holds the next stage. LowHighMediumIt's a change in your architecture that could lead to all kinds of issues.
10
8Block Executable Downloads / Splash ScreensResistenceBest PracticeWhen using a web proxy, block executable downloads. Alternatively just block executable downloads from all domains classified as "unknown" or "unclassified". A more moderate approach would be to show a splash page for every new (unknown) domain. LowHighMediumThis could be an issue if you don't have a sound software management and every workstations pulls updates directly from the Internet instead of a local software distribution server
11
9Enforce UAC PromptResistenceGPOEnforce administrative users to confirm an action that requires elevated rightsLowMediumLowAdministrator's resentmenthttps://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx
12
10Remove Admin PrivilegesResistenceBest PracticeRemove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.MediumMediumMediumHigher administrative costs
13
11Restrict Workstation CommunicationResistenceBest PracticeActivate the Windows Firewall to restrict workstation to workstation communication. This reduces the impact of a single infected machine as it cannot spread from workstation to workstation using the extracted credentials. MediumLowLowhttps://medium.com/@cryps1s/endpoint-isolation-with-the-windows-firewall-462a795f4cfb
14
12Sandboxing Email InputProtectionAdvanced Malware ProtectionUsing sandbox that opens email attachments and removes attachments based on behavior analysisMediumHigh-
15
13Execution PreventionResistence3rd Party ToolsSoftware that allows to control the execution of processes - sometimes integrated in Antivirus software
Free: AntiHook, ProcessGuard, System Safety Monitor		MediumMedium-
16
14Change Default "Open With" to NotepadResistenceGPOForce extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet ExplorerLowMediumMediumSome extensions will have legitimate uses, e.g., .vbs for logon scripts.https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/
17
15Restrict program executionResistenceGPOBlock program executions (AppLocker)MediumMediumMediumConfigure & test extensively, white-list or black-list approach?https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspxhttp://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx
18
16SysmonDetection3rd Party ToolsDetect Ransomware in an early stage with new Sysmon 5 File/Registry monitoringMediumLowLowhttps://twitter.com/JohnLaTwC/status/799792296883388416
19
17VSSAdmin RenameResistenceBest PracticeRename vssadmin to avoid Ransomware deleting the volume shadow copies on a driveMediumMediumMedium1. Unknown what happens after Microsoft patches that involve vssadmin.exe, 2. backup solutions that make use or expect vssadmin.exehttps://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
20
18Disable WSHResistenceGPODisable Windows Script Host LowMediumMediumCould affect administrative VBS scripts on workstationshttp://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html
21
19Folder RedirectionResilienceBest PracticeRedirect e.g. the "Documents" folder to a shared folder on a file server to facilitate backupsMediumLowMedium
22
20Remove Backup Server from Domain ResilienceBest PracticeA ransomware that propagates with domain user rights may infect and encrypt the backup server as well. Prevent this by configuring it as stand-alone serverMediumHighMediumMakes administration more difficult as admins cannot use their Active Directory user account on these systems
23
21MFAResistenceBest PracticeOnly provide remote access via Multi-Factor-Authentication (MFA) to avoid brute force and password spraying attacks on Internet facing services like RDPLowMediumLowEvery second factor works, it doesn't have to be an expensive hardware token. TOTP offers good value for money. Even software certifcates are better than just username & password. https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/https://www.nytimes.com/wirecutter/reviews/best-two-factor-authentication-app/https://www.privacyidea.org/https://github.com/multiOTP/multiOTPCredentialProvider/blob/master/README.mdhttps://guacamole.apache.org/doc/gug/totp-auth.html#guac-totp-config
24
25
Footnotes
26
Complexity
The complexity of implementation also includes the costs of implementation (e.g. simple to implement but costly)
27
Effectiveness
Do not overrate a 'high' in this column as it is a relative effectiveness in comparison to other measures
28
Impact
The effects on business processes, administration or user experience
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101