Can you trust your users to resist the temptation offered by phishing emails? Probably not.

There is always someone Phishing...

Of course, standard Windows Desktop users should be provisioned as Users without Local Admin rights for everyone's sake, but can you even trust yourself not to be caught out? Probably? Almost certainly?

What about other Privileged Users in your organization? If the right phishing bait was sent at just the right (wrong) time, would even the savviest and most cybersecurity-aware user always avoid the trap?

We have all seen plenty of crude phishing emails – poor spelling, not personalized, and easily-spotted fake URLs.

But what if you were targeted by a more sophisticated attack? An attack where the protagonist had done some research on you and crafted their phishing email with finesse? Would you still have your guard up and not click?

While this can never be guaranteed, the risk exists that a Privileged User, maybe even one with Domain Admin Rights, could fall victim to phishing malware.

System Hardening - On Steroids

System hardening measures exist to close off the huge range of vulnerabilities within Windows that can be exploited. The CIS Benchmarks offer the most comprehensive guidance, with a detailed rationale for each vulnerability and remediation advice. Likewise, the Microsoft Threats and Countermeasures content covers the same ground, but it isn't always easy to extract the clear, prescriptive advice that is needed.

But beyond system hardening measures there is a range of other security measures available that are both hugely beneficial and at the same time very underused. Here is a brief summary of what is on offer (all free of charge if you are using Enterprise operating system versions).

Enhanced Malware Defenses - Built-in and ready to go

EMET – Microsoft's EMET (Enhanced Mitigation Experience Toolkit) provides a range of technical countermeasures to a variety of Windows vulnerabilities. This stuff really works to eliminate opportunities for malware through use of:

  1. DEP (Data Execution Prevention, to block memory exploit malware)
  2. ASLR (Address Space Layout Randomization, to prevent process hijacking)
  3. SEHOP (Structured Exception Handler Overwrite Protection, which defends against exception handler exploits common to many browser exploits)
  4. Certificate Trust (aka Certificate Pinning, to prevent Man-In-The-Middle attacks)

EMET is provided as an optional extra, and for good reason: it is very good at preventing malware execution, but this also means it will often break other applications. As with any hardening measure, test and introduce gradually. The default settings comprise Recommended and Maximum Security, with the option to customize.
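Microsoft retired EMET in July 2018; on Windows 10 and Server 2016 onward the same mitigation classes (DEP, mandatory ASLR, SEHOP) ship built in as Exploit Protection and are driven from PowerShell by the ProcessMitigations module. The following is an added example, not code from the article or from NNT, showing how those three mitigations are applied per application and then read back for verification. The two target executable names are illustrative assumptions; run it in an elevated session.

```powershell
# Added example (not from the NNT article): apply the DEP / ASLR / SEHOP
# mitigations the article describes for EMET via Exploit Protection, EMET's
# built-in successor on Windows 10 / Server 2016+. Run elevated.
$targets = @('AcroRd32.exe', 'winword.exe')   # assumed example applications

foreach ($exe in $targets) {
    # DEP and SEHOP map directly to the EMET settings above;
    # ForceRelocateImages is mandatory ASLR (relocate even non-ASLR-aware DLLs)
    # and BottomUp randomizes heap and stack base addresses.
    Set-ProcessMitigation -Name $exe -Enable DEP, SEHOP, ForceRelocateImages, BottomUp
}

# Read the configuration back so the pilot group can confirm what is in force.
function Get-MitigationSummary {
    param([string[]]$Processes)
    foreach ($exe in $Processes) {
        $m = Get-ProcessMitigation -Name $exe
        [pscustomobject]@{
            Process = $exe
            DEP     = $m.DEP.Enable
            SEHOP   = $m.SEHOP.Enable
            ASLR    = $m.ASLR.ForceRelocateImages
            BottomUp = $m.ASLR.BottomUp
        }
    }
}
Get-MitigationSummary -Processes $targets | Format-Table -AutoSize

# Export the machine's full mitigation policy to XML; the same file can be
# imported on other hosts with Set-ProcessMitigation -PolicyFilePath or
# distributed through Group Policy once the pilot has not broken anything.
Get-ProcessMitigation -RegistryConfigFilePath (Join-Path $env:TEMP 'mitigations.xml')
```

Exploit Protection has the same failure mode the article attributes to EMET: mandatory ASLR in particular can crash older applications whose DLLs were never linked for relocation, so apply it per application on a pilot group first, rather than system-wide, and only export the XML for wider distribution once the application event log is clean.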

AppLocker – the latest iteration of Microsoft's Software Restriction Policy technology is highly effective and not difficult to implement. It provides a rule-based policy for determining who can execute which software installations and programs; the rules are defined by path, by publisher or by an exact file hash.

AppLocker is set via Group Policy, and three steps are needed.

  1. Enable the Application Identity Service
  2. Configure Rule Enforcement (Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > Executable Rules)
  3. Create Rules (Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules, and the equivalent Installer Rules)

The Default Rules essentially restrict Users to running executables only from outside their User Profile path, but still allow any Administrator to run anything from anywhere. It is sensible practice to restrict even Admin users to the same policy, but create a 'Safe Execution' folder. In this way, an Admin user needs to make a conscious, deliberate decision to run new executables and installers.
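The three Group Policy steps and the 'Safe Execution' folder idea, expressed as an added PowerShell example (not code from the article or from NNT) for a single pilot machine. It keeps the two Default Rules for Everyone, replaces the default "Administrators may run anything" rule with a rule for one folder, and starts in AuditOnly mode so that nothing is blocked until the audit events have been reviewed. The folder path C:\SafeExecution, the AuditOnly start and the test file copies are assumptions; the policy is applied locally, and the same XML can be pushed to a GPO with the -Ldap parameter.

```powershell
# Added example (not from the NNT article): AppLocker executable rules that
# apply the Default Rules to Administrators too, with a 'Safe Execution'
# folder in place of the default allow-all rule. Run elevated.
$safeFolder = 'C:\SafeExecution'     # assumed 'Safe Execution' folder
New-Item -ItemType Directory -Path $safeFolder -Force | Out-Null

# Step 1: the Application Identity service must run for AppLocker to evaluate
# rules. sc.exe is used because Set-Service is refused for this service on
# Windows 10 1809 and later builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Steps 2 and 3: enforcement mode and rules as AppLocker policy XML.
# SIDs: S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
# AuditOnly records what would have been blocked (event 8003) without
# blocking it: the "test and introduce gradually" phase.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Program Files"
                  Description="Default rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Windows folder"
                  Description="Default rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: Safe Execution folder"
                  Description="Replaces the default allow-all rule for Administrators"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="$safeFolder\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'applocker-exe.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# Dry-run the policy as an Administrator against two copies of one binary:
# one inside the Safe Execution folder, one in a profile-writable location.
# Test-AppLockerPolicy needs real files, so notepad.exe is used as a stand-in.
Copy-Item "$env:WINDIR\System32\notepad.exe" "$safeFolder\tool.exe" -Force
Copy-Item "$env:WINDIR\System32\notepad.exe" "$env:USERPROFILE\Downloads\tool.exe" -Force
Test-AppLockerPolicy -XmlPolicy $xmlPath -User 'S-1-5-32-544' `
    -Path "$safeFolder\tool.exe", "$env:USERPROFILE\Downloads\tool.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally (add -Ldap "LDAP://..." to write to a GPO instead) and then
# review the audit events before changing EnforcementMode to "Enabled".
Set-AppLockerPolicy -XmlPolicy $xmlPath
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Format-List TimeCreated, Message
```

In the dry run the copy under the Safe Execution folder should come back Allowed by the Administrators rule and the Downloads copy DeniedByDefault, which is exactly the conscious-decision step the article describes. Two practical notes: the Installer (Msi) rule collection needs the same treatment, since the Default Rules only cover the Exe collection shown here; and because the Windows folder contains a few subfolders that standard users can write to, a path rule on %WINDIR%\* is looser than it looks, so add Exceptions for those subfolders (or prefer publisher rules) before moving from AuditOnly to Enabled.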

UAC – User Account Control – this is a case of 'take your medicine': we all hate UAC because it gets in the way at every step of any support task, but it is there for our protection. You can disable it – cast off the safety harness and take away the net to walk the tightrope unhindered – but for a safety-first approach, learn to tolerate UAC.

Finally, just for completeness while the focus is on the latest Windows security policy extensions: the BitLocker feature set is less about prevention of a breach and more about contingency, providing full-drive encryption. Again, this is pre-packaged with the Professional/Ultimate/Enterprise OS editions.
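Tolerating UAC only helps if it is actually switched on and configured to prompt, and BitLocker only provides contingency for volumes that are in fact encrypted, so both are worth checking rather than assuming. The script below is an added example, not code from the article or from NNT; it reads the UAC policy values from the registry and compares them with the CIS Benchmark recommended settings, then lists BitLocker protection status per volume. The expected-value table is the assumption to adjust if your own baseline differs.

```powershell
# Added example (not from the NNT article): verify the UAC and BitLocker
# settings discussed above instead of assuming them. Run elevated.

# UAC policy lives under this key; the expected values follow the CIS
# Benchmark "User Account Control" recommendations (assumed baseline).
$uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$expected = @{
    EnableLUA                  = 1   # UAC enabled at all
    ConsentPromptBehaviorAdmin = 2   # admins: prompt for consent on the secure desktop
    ConsentPromptBehaviorUser  = 0   # standard users: elevation requests denied
    PromptOnSecureDesktop      = 1   # prompt cannot be spoofed by a normal window
    FilterAdministratorToken   = 1   # built-in Administrator also gets Admin Approval Mode
}

function Test-UacHardening {
    # One row per setting, flagging anything that drifts from the baseline.
    $actual = Get-ItemProperty -Path $uacKey
    foreach ($name in $expected.Keys | Sort-Object) {
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $actual.$name       # $null when the value is absent
            Compliant = ($actual.$name -eq $expected[$name])
        }
    }
}

function Test-BitLockerVolumes {
    # Protection 'Off' with 100% encrypted means the key protectors are
    # suspended, so report both fields rather than just the percentage.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Drive      = $_.MountPoint
            Protection = $_.ProtectionStatus
            Encrypted  = "$($_.EncryptionPercentage)%"
            Status     = $_.VolumeStatus
            Method     = $_.EncryptionMethod
        }
    }
}

Test-UacHardening     | Format-Table -AutoSize
Test-BitLockerVolumes | Format-Table -AutoSize
```

Because these are registry values and WMI-backed objects, the same two functions can be run as a scheduled check and fed into whatever file integrity or configuration monitoring tooling is already in place, which turns "we tolerate UAC" into something that is actually measured.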

In summary, there is a range of highly-effective malware protection options provided with contemporary Windows versions which should be considered for operation in conjunction with System Hardening and breach-detection file integrity monitoring technology.

Copyright 2024, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.