The truth is that money can’t buy security, just as it cannot buy happiness. Ransomware has become the cybercriminal’s most profitable enterprise, and something that IT professionals and even the general public now fear. Ransomware is actually pretty simple and unsophisticated code, and at times the damage can be stopped with some simple tricks. Best of all, these are FREE!
8. How Does it Get in?
Source: Osterman Research
[Bar chart: share of ransomware infections by entry vector, 0% to 35%, for email link, email attachment, website (non-social media), social media, USB stick, business application and unknown]
21. 1. Disable macros
• Significantly impacts infection chain.
• 31% of ransomware infections came from email attachments, typically a Word document with macros.
• Either:
• Disable All
• Disable macros marked as from the internet
• https://decentsecurity.com/enterprise/#/block-office-macros/
22. 2. Don’t run as admin
• Significantly impacts infection chain.
• Rethink developer and sysadmin privileges.
• Old Rant by Jeff Atwood: https://blog.codinghorror.com/the-windows-security-epidemic-dont-run-as-an-administrator/
24. 3. Configure UAC
• UAC elevation requests are passed to the Antimalware Scan Interface (AMSI).
• https://www.tenforums.com/tutorials/3577-change-user-account-control-uac-settings-windows-10-a.html
25. 4. Open scripts in notepad
• .ps1 files do not execute when double-clicked.
• Change the following to open in notepad:
• .bat (often overlooked)
• .vbe and .vbs
• .wsh and .wsf
• .js and .jse
• http://www.dankalia.com/tutor/01002/0100201018.htm
26. 5a. EMET
• Enhanced Mitigation Experience Toolkit – New EOL date 2018-08-31.
• Applies security mitigation technologies to running applications:
DEP, SEHOP, Null Page, Heap Spray, EAF, EAF+, Mandatory ASLR, Bottom Up ASLR, Load Lib,
Memory Protection, Caller, Sim Exec Flow, Stack Pivot, ASR
• Provides configurable SSL/TLS certificate pinning.
• Provides ability to block untrusted fonts.
• Group Policy ADM/ADMX files.
• Bundled with recommended protections for a variety of Microsoft and 3rd Party Apps.
• Disable protections on Chrome due to conflicts.
• http://www.zdnet.com/article/emet-your-enterprise-for-peak-windows-security/
27. 5b. Inbuilt protections in Windows 10
• Windows:
• Windows 10, version 1607 and later
• Windows Server 2016
• On for all 64bit processes: DEP, SEHOP and ASLR.
• Configurable protections:
DEP, DEP-ATL Thunk emulation, SEHOP, Mandatory ASLR, Bottom Up ASLR
• Configurable by, well, Group Policy.
• https://technet.microsoft.com/en-us/itpro/windows/keep-secure/override-mitigation-options-for-app-related-security-policies?f=255&MSPPError=-2147217396
28. 6. Deploy Chrome and Firefox
• Reduces issues caused by users attempting to install 3rd party browsers.
• Chrome is the leader of the pack, followed by Edge for security.
• Chrome has ADM/ADMX files for Group Policy, Firefox has 3rd party Group Policy support.
• Chrome: http://goo.gl/2QvOT
• Firefox: https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment
31. 8. Filter common email attacks
• Identify common phrases and syntax in Phishing and Ransomware emails.
• Quarantine them before they get to your users.
• https://github.com/SwiftOnSecurity/PhishingRegex
32. 9. Enable SPF, DKIM and DMARC
• SPF: Domain owner specifies servers allowed to send email.
• DKIM: A domain asserts responsibility for sending emails.
• DMARC: Combined SPF + DKIM, allows policy assertions and collection of data.
• https://dmarc.org/presentations/Email-Authentication-Basics-2015Q2.pdf
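A worked check of the SPF and DMARC records the slide describes, added here as an example and not part of the original deck: it parses the two TXT record formats and reports the gaps that leave a domain spoofable. The TXT records and domain names are constructed placeholders standing in for real DNS lookups.

```python
"""Assess a domain's SPF and DMARC posture from its DNS TXT records."""

# Constructed sample TXT records standing in for DNS lookups of "<domain>" and
# "_dmarc.<domain>"; the domains are placeholders, not real zones.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s"],
    "weak.example": ["v=spf1 a mx ?all"],  # and no _dmarc.weak.example record
}

def parse_spf(records):
    """Return the SPF mechanism list, or None if no v=spf1 record is present."""
    for txt in records:
        if txt.lower().startswith("v=spf1"):
            return txt.split()[1:]
    return None

def parse_dmarc(records):
    """Return DMARC tags (p, rua, adkim, ...) as a dict, or None if absent."""
    for txt in records:
        if txt.lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None

def assess(domain, txt=SAMPLE_TXT):
    """List the gaps that leave the domain spoofable; an empty list is a pass."""
    findings = []
    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append("no SPF record: any host may claim to send for this domain")
    else:
        # The terminal "all" decides unlisted senders: -all fails them, ~all
        # softfails, ?all is neutral and +all passes everything.
        terminal = spf[-1] if spf else "?all"
        if terminal not in ("-all", "~all"):
            findings.append(f"SPF ends with '{terminal}': unlisted senders are not rejected")
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy to apply or report against")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= tag: aggregate reports are not collected")
    return findings
```

Run `assess("weak.example")` to see both findings; replace `SAMPLE_TXT` with real TXT lookups to check your own domain.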
33. 9. Enable SPF, DKIM and DMARC
[Chart: Alexa Top 500 - DMARC Usage, split between DMARC and No DMARC]
Source: Detectify
34. 10. Implement SYSMON
Sysmon from Microsoft ( https://technet.microsoft.com/en-us/sysinternals/sysmon )
+
Configuration from Swift on Security ( https://github.com/SwiftOnSecurity/sysmon-config/ )
+
Free SIEM from Graylog ( https://www.graylog.org/ )
+
Sysmon for Graylog ( https://github.com/ion-storm/Graylog_Sysmon )
=
Awesome Dashboard