To the average person who isn’t in the IT space, the world seems like a scary place when news coverage keeps talking about the number of “sophisticated” attacks which are destroying businesses, damaging reputation, and leading to people losing their jobs.
There is a common assumption that the bigger a company gets, the better its IT and cyber measures must be to protect it all. The reality is that many of these companies are saddled with technical debt and an internal inability to adopt cloud-native, secure solutions and working practices.
It’s far easier to configure a 300-seat M365 Business Premium tenant to be more resilient to a ransomware attack than a large multinational org.
I’ll go through some of the steps to reduce the likelihood of this kind of attack.
Ingredients & Assumptions
- M365 Business Premium, assigned to all users in the tenant
- You are using Intune to manage devices (Intune and AD are not mutually exclusive)
The typical attack timeline
Ransomware is no accident. It is a script or program that is run on a system either by the attacker directly or, the easier route, by an over-permissioned end user who has received a malicious file or script, usually via email.

We’re going to follow a timeline which represents email delivery of ransomware, and I’ll throw a few tips and pointers on what you need to do to reduce or remove the risks along the way.
The headings indicate each point of the ransomware’s journey, assuming prior protections failed or didn’t exist.
The malicious email is sent to someone in your org
- Ensure Defender for Office 365 is configured with Safe Links & Safe Attachments enabled
- Consider additional rules to send unwanted archive files straight to quarantine
- Enable the common attachments filter
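The three email-layer controls above can be applied and then read back from Exchange Online PowerShell. This is an added example, not configuration from the original post; the policy and rule names, the tenant domain, and the extension lists are assumptions you should replace with your own. It uses the ExchangeOnlineManagement module cmdlets for Safe Links, Safe Attachments, the anti-malware common attachments filter, and a mail flow rule that quarantines archive attachments.

```powershell
# Added example (not from the original post): configure the Defender for Office 365
# controls listed above, then read the settings back so the change can be verified.
# Policy/rule names and the tenant domain are assumptions; replace them with your own.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as an Exchange/Security administrator

$Domain     = 'contoso.example'          # assumed tenant domain
$PolicyName = 'BP-Ransomware-Baseline'   # assumed policy name

# 1. Safe Links: scan URLs in mail, Teams and Office files, and do not let users click through
if (-not (Get-SafeLinksPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $PolicyName `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
        -TrackClicks $true -AllowClickThrough $false | Out-Null
    New-SafeLinksRule -Name $PolicyName -SafeLinksPolicy $PolicyName -RecipientDomainIs $Domain | Out-Null
}

# 2. Safe Attachments: detonate attachments and block the message when they are malicious
if (-not (Get-SafeAttachmentPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $PolicyName -Enable $true -Action Block -Redirect $false | Out-Null
    New-SafeAttachmentRule -Name $PolicyName -SafeAttachmentPolicy $PolicyName -RecipientDomainIs $Domain | Out-Null
}

# 3. Common attachments filter on the default anti-malware policy (extension list is an assumption)
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -ZapEnabled $true `
    -FileTypes @('exe','scr','js','jse','vbs','vbe','wsf','wsh','ps1','bat','cmd','hta',
                 'msi','iso','img','vhd','vhdx','lnk','chm','dll','cpl')

# 4. Mail flow rule: archive attachments go straight to quarantine for an admin to review
$RuleName = 'Quarantine unwanted archive attachments'
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName -Priority 0 `
        -AttachmentExtensionMatchesWords @('zip','7z','rar','gz','tar','iso','img','vhd','vhdx') `
        -Quarantine $true -Comments 'Added example rule: review quarantine before releasing' | Out-Null
}

# 5. Read back: a posture check you can re-run after any change
Get-SafeLinksPolicy      | Select-Object Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-MalwareFilterPolicy  | Select-Object Name, EnableFileFilter, @{n='FileTypeCount'; e={ $_.FileTypes.Count }}
Get-TransportRule | Where-Object { $_.Quarantine -eq $true } | Select-Object Name, Priority, State
```

The script is idempotent for the policies and the rule (it only creates what is missing), but step 3 overwrites the file type list on the default policy each run, so keep that list in source control alongside the script.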
The email got to the inbox
When that user clicks the link:
- Restrict your business browser to MS Edge, enable SmartScreen, disallow bypassing SmartScreen warnings on potentially malicious downloads, and enable the “ask where to save” option so the user is aware that something is happening
- If you are using Chrome/Firefox/Opera or some other weirdo software, why?*
- Enable the report-message add-in so the more astute users can bring it to your attention
*It’s time to get serious about managing business machines, which means reducing the attack surface of your users’ browsing experience. You can allow Chrome/Firefox, but that’s two more apps to manage, each of which allows easy exfiltration of profiles, saved passwords, and other content back to devices you don’t control. Edge is the most secure browser to use for a Microsoft shop, and it’s the easiest to manage.
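Once the Edge settings above are pushed from Intune, it is worth verifying on a device that they actually landed. The following is an added example, not from the original post: it audits the ADMX-backed Edge policy values that Intune writes under HKLM:\SOFTWARE\Policies\Microsoft\Edge. The policy names are Microsoft's documented Edge policy names; which ones to require, and the expected values, are this example's baseline.

```powershell
# Added example (not from the original post): check an Intune-managed Windows device
# for the Edge hardening settings described above. ADMX-backed Edge policies delivered
# by Intune are written under this key, so a missing value means the policy never applied.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Baseline chosen for this example; values are the documented Edge policy settings
$Expected = [ordered]@{
    SmartScreenEnabled                       = 1  # Defender SmartScreen on
    SmartScreenPuaEnabled                    = 1  # block potentially unwanted app downloads
    PreventSmartScreenPromptOverride         = 1  # no "continue anyway" on flagged sites
    PreventSmartScreenPromptOverrideForFiles = 1  # no "keep anyway" on flagged downloads
    PromptForDownloadLocation                = 1  # "ask where to save" so downloads are visible
    SmartScreenForTrustedDownloadsEnabled    = 1  # still scan downloads from trusted sites
}

function Test-EdgePolicy {
    param([string]$Key, [System.Collections.IDictionary]$Expected)
    $present = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($name in $Expected.Keys) {
        $actual = if ($present -and $null -ne $present.PSObject.Properties[$name]) { $present.$name } else { $null }
        [pscustomobject]@{
            Policy   = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Status   = if ($actual -eq $Expected[$name]) { 'OK' }
                       elseif ($null -eq $actual)        { 'NOT SET' }
                       else                              { 'MISMATCH' }
        }
    }
}

$results = Test-EdgePolicy -Key $PolicyKey -Expected $Expected
$results | Format-Table -AutoSize

# Non-zero exit lets you run this as an Intune detection/remediation script
if ($results.Status -contains 'NOT SET' -or $results.Status -contains 'MISMATCH') {
    Write-Warning 'Edge is not fully hardened on this device; check the Intune policy assignment and sync the device.'
    exit 1
}
exit 0
```

Because the script exits non-zero on any gap, it doubles as the detection half of an Intune remediation pair; the remediation half would be the Intune policy assignment itself rather than a local registry write, so the device stays in the state Intune describes.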
The payload is on your device
- Ensure your users are not local admin
- If the payload can’t run as admin, the scope on what it can do is limited to the user’s permission set
- Enable Controlled Folder Access to prevent unwanted apps making changes to system/common directories – audit and use with caution
- Enable Attack Surface Reduction rules
- Configure and deploy AppLocker (AaronLocker is an easier route, if you can call AppLocker of any flavour ‘easy’).
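The four endpoint controls above (no local admin, Controlled Folder Access, ASR rules, AppLocker) can be checked read-only on a device before you rely on them. This is an added example, not from the original post: it runs locally in an elevated PowerShell session on a Windows 10/11 device with Microsoft Defender. The ASR rule GUIDs are Microsoft's documented rule IDs; the subset chosen as a ransomware-focused baseline is this example's own choice.

```powershell
# Added example (not from the original post): read-only posture check for the
# endpoint controls above. Run elevated on a Windows 10/11 device with Defender.

# 1. Local admin: anything beyond the built-in Administrator and your managed/LAPS account is a finding
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
"Local Administrators: $($admins -join ', ')"

# 2. Controlled Folder Access: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
$pref = Get-MpPreference
$CfaName = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }
"Controlled Folder Access: $($CfaName[[int]$pref.EnableControlledFolderAccess])"

# 3. ASR rules: compare what is configured against a ransomware-focused baseline (example's choice)
$AsrBaseline = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Get-MpPreference returns parallel arrays of rule IDs and actions; zip them into a lookup
$configured = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $configured[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}
$asrReport = foreach ($id in $AsrBaseline.Keys) {
    $action = if ($configured.ContainsKey($id)) { $ActionName[$configured[$id]] } else { 'NOT CONFIGURED' }
    [pscustomobject]@{ Rule = $AsrBaseline[$id]; Action = $action }
}
$asrReport | Format-Table -AutoSize

# 4. AppLocker: an effective policy with zero rules, or a stopped AppIDSvc, means AppLocker is doing nothing
$policy    = Get-AppLockerPolicy -Effective
$ruleCount = ($policy.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
"AppLocker effective rules: $ruleCount (Application Identity service: $((Get-Service AppIDSvc).Status))"
```

Start ASR rules and Controlled Folder Access in Audit mode, review the events they generate in the Defender portal for a couple of weeks, then move to Block; the report above makes it obvious which rules are still in Audit after the planned cut-over date.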
What about my AV?
You would hope and think that AV detection would have stopped ransomware the moment it got onto your device. But if you had AppLocker correctly deployed, it wins at risk mitigation because it isn’t waiting for the file to run to assess its actions – it blocks the process before it knows what it does.
However, AppLocker and the more recent iteration of this solution, WDAC (or whatever it is called this week), are both extremely hard to get implemented in a company because of the complexity of the rulesets required to avoid business impact.
(I’ve tried WDAC a few times, and I find it so complex that I ended up buying ThreatLocker… not a sponsor, but that tool makes application control realistically manageable)
We still need to have Defender there
I’ve written a guide. This will take you through all the steps required to implement Defender for Business on Intune-managed devices.
Closing Comments
You do not need a scattered stack of third-party tooling to prevent business compromise; do not fall for the hype of “one AI security EDR to rule them all”. The solution to this challenge is a combination of identity, email, and endpoint-based security configurations, cross-product and across functional disciplines. Business Premium covers quite a broad area and is very effective when done right.*
Yes, you can supplement with other tools to make manageability or deployment easier, but the fundamentals are not to be lost in vendor jargon and FOMO. This stuff is simpler than you think.
*But what about all my customer tenants? You can use paid solutions like inforcer (full clarity, I work at inforcer), or community tools like CIPP to help you do this at scale.