| No | Measure | Category | Type | Description | Complexity* | Effectiveness* | Impact* | Possible Issues | Link 1 | Link 2 | Link 3 | Link 4 | Link 5 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Backup and Restore Process | Resilience | Recovery | Make sure to have adequate backup processes in place and frequently test a restore of these backups ("Schrödinger's backup - it is both existent and non-existent until you've tried a restore") | Medium | High | Low | | http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7 | | | | |
| 2 | Windows Defender Ransomware Protection | Protection | GPO | Windows Defender includes a security feature called "Ransomware Protection" that enables various protections against ransomware infections. It is disabled by default in Windows 10. It can be activated via GPO under the name "Controlled Folder Access" (see the links). | Low | High | Low | | https://www.windowscentral.com/how-enable-controlled-folder-access-windows-10-fall-creators-update | https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/controlled-folders | https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders | | |
| 3 | Block Macros | Resistance | GPO | Disable macros in Office files downloaded from the Internet. This can be configured in two different modes: A.) open downloaded documents in 'Protected View'; B.) open downloaded documents and block all macros. | Low | High | Medium | Critical business processes that depend on macros (they exist, it's sad, but yes) | https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter | https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US | | | |
| 4 | Block Windows Binary Access to Internet | Resistance | GPO | Use Windows Firewall policies to block these binaries from accessing the so-called "Remote Scope": powershell.exe, bitsadmin.exe, certutil.exe, regsvr32.exe, mshta.exe, msbuild.exe, hh.exe, makecab.exe, ieexec.exe, extract.exe, expand.exe (see the link for details) | Medium | High | Low | PowerShell and other scripted tools that pull updates from the Internet | https://medium.com/@dimitrismargaritis/prevent-legitimate-windows-executables-to-be-used-to-gain-initial-foothold-in-your-infrastructure-39771cd6ec90 | | | | |
| 5 | Filter Attachments Level 1 | Resistance | Mail Gateway | Filter the following attachments on your mail gateway: .386, .ace, .acm, .acv, .ade, .adp, .adt, .ani, .app, .arc, .arj, .asd, .asp, .avb, .ax, .bas, .bat, .boo, .btm, .cab, .cbt, .cdr, .cer, .chm, .cla, .cmd, .cnv, .com, .cpl, .crt, .csc, .csh, .css, .dll, .dmg, .drv, .dvb, .email, .exe, .fon, .fxp, .gms, .gvb, .hlp, .ht, .hta, .htlp, .htt, .inf, .ini, .ins, .iso, .isp, .its, .jar, .job, .js, .jse, .ksh, .lib, .lnk, .maf, .mam, .maq, .mar, .mat, .mau, .mav, .maw, .mch, .mda, .mde, .mdt, .mdw, .mdz, .mht, .mhtm, .mhtml, .mpd, .mpt, .msc, .msi, .mso (except oledata.mso), .msp, .mst, .nws, .obd, .obj, .obt, .obz, .ocx, .ops, .ovl, .ovr, .pcd, .pci, .perl, .pgm, .pif, .pl, .pot, .prf, .prg, .ps1, .pub, .pwz, .qpw, .reg, .sbf, .scf, .scr, .sct, .sfx, .sh, .shb, .shs, .shtml, .shw, .smm, .svg, .sys, .td0, .tlb, .tmp, .torrent, .tsk, .tsp, .tt6, .url, .vb, .vbe, .vbs, .vbx, .vom, .vsmacro, .vss, .vst, .vsw, .vwp, .vxd, .vxe, .wbk, .wbt, .wiz, .wk, .wml, .wms, .wpc, .wpd, .ws, .wsc, .wsf, .wsh | Low | Medium | Low | Unknown whether one of the extensions is used by business applications. They shouldn't be, at least not from incoming emails. | | | | | |
| 6 | Filter Attachments Level 2 | Resistance | Mail Gateway | Filter the following attachments on your mail gateway: (filter expression of Level 1 plus) .doc, .docx, .xls, .xlsx, .rtf, .docm, .xlsm, .pptm, .bin, .one | Medium | High | High | Office communication with old versions of Microsoft Office files (.doc, .xls) | | | | | |
| 7 | Use Web Proxies | Resistance | Best Practice | Most malware isn't proxy-aware and tries to connect directly to its C2 or to the web host that holds the next stage. | Low | High | Medium | It's a change in your architecture that could lead to all kinds of issues. | | | | | |
| 8 | Block Executable Downloads / Splash Screens | Resistance | Best Practice | When using a web proxy, block executable downloads. Alternatively, block executable downloads only from domains classified as "unknown" or "unclassified". A more moderate approach is to show a splash page for every new (unknown) domain. | Low | High | Medium | This could be an issue if you don't have sound software management and every workstation pulls updates directly from the Internet instead of from a local software distribution server | | | | | |
| 9 | Enforce UAC Prompt | Resistance | GPO | Require administrative users to confirm any action that requires elevated rights | Low | Medium | Low | Administrators' resentment | https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx | | | | |
| 10 | Remove Admin Privileges | Resistance | Best Practice | Remove and restrict administrative rights wherever possible. Malware can only modify files that the user has write access to. | Medium | Medium | Medium | Higher administrative costs | | | | | |
| 11 | Restrict Workstation Communication | Resistance | Best Practice | Activate the Windows Firewall to restrict workstation-to-workstation communication. This reduces the impact of a single infected machine, as it cannot spread from workstation to workstation using extracted credentials. | Medium | Low | Low | | https://medium.com/@cryps1s/endpoint-isolation-with-the-windows-firewall-462a795f4cfb | | | | |
| 12 | Sandboxing Email Input | Protection | Advanced Malware Protection | Use a sandbox that opens email attachments and removes attachments based on behaviour analysis | Medium | High | - | | | | | | |
| 13 | Execution Prevention | Resistance | 3rd Party Tools | Software that lets you control the execution of processes, sometimes integrated in antivirus software. Free: AntiHook, ProcessGuard, System Safety Monitor | Medium | Medium | - | | | | | | |
| 14 | Change Default "Open With" to Notepad | Resistance | GPO | Force extensions primarily used for infections to open in Notepad rather than Windows Script Host or Internet Explorer | Low | Medium | Medium | Some extensions will have legitimate uses, e.g. .vbs for logon scripts. | https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/ | | | | |
| 15 | Restrict program execution | Resistance | GPO | Block program execution (AppLocker) | Medium | Medium | Medium | Configure and test extensively; whitelist or blacklist approach? | https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx | http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx | | | |
| 16 | Sysmon | Detection | 3rd Party Tools | Detect ransomware at an early stage with the new Sysmon 5 file/registry monitoring | Medium | Low | Low | | https://twitter.com/JohnLaTwC/status/799792296883388416 | | | | |
| 17 | VSSAdmin Rename | Resistance | Best Practice | Rename vssadmin to prevent ransomware from deleting the volume shadow copies on a drive | Medium | Medium | Medium | 1. Unknown what happens after Microsoft patches that involve vssadmin.exe; 2. backup solutions that use or expect vssadmin.exe | https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/ | | | | |
| 18 | Disable WSH | Resistance | GPO | Disable Windows Script Host | Low | Medium | Medium | Could affect administrative VBS scripts on workstations | http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html | | | | |
| 19 | Folder Redirection | Resilience | Best Practice | Redirect e.g. the "Documents" folder to a shared folder on a file server to facilitate backups | Medium | Low | Medium | | | | | | |
| 20 | Remove Backup Server from Domain | Resilience | Best Practice | Ransomware that propagates with domain user rights may infect and encrypt the backup server as well. Prevent this by configuring it as a stand-alone server. | Medium | High | Medium | Makes administration more difficult, as admins cannot use their Active Directory user account on these systems | | | | | |
| 21 | MFA | Resistance | Best Practice | Only provide remote access via Multi-Factor Authentication (MFA) to avoid brute-force and password-spraying attacks on Internet-facing services like RDP | Low | Medium | Low | Every second factor works; it doesn't have to be an expensive hardware token. TOTP offers good value for money. Even software certificates are better than just username & password. | https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ | https://www.nytimes.com/wirecutter/reviews/best-two-factor-authentication-app/ | https://www.privacyidea.org/ | https://github.com/multiOTP/multiOTPCredentialProvider/blob/master/README.md | https://guacamole.apache.org/doc/gug/totp-auth.html#guac-totp-config |

Footnotes

| Column | Explanation |
|---|---|
| Complexity* | The complexity of implementation also includes the cost of implementation (e.g. simple to implement but costly) |
| Effectiveness* | Do not overrate a 'high' in this column, as it is a relative effectiveness in comparison to the other measures |
| Impact* | The effects on business processes, administration or user experience |