Full Report
Explore lessons learned from over two years of Talos IR pre-ransomware engagements, highlighting the key security measures, indicators and recommendations that have proven effective in stopping ransomware attacks before they begin.
Analysis Summary
# Best Practices: Preventing Ransomware Deployment Based on Talos Incident Response Findings
## Overview
These best practices are derived from retrospective analysis of pre-ransomware incidents handled by Cisco Talos Incident Response (Talos IR). They focus on actionable security measures credited with deterring ransomware deployment by interrupting the adversary's attack chain before encryption occurs. The primary focus areas are rapid response, endpoint visibility, credential security, and hardening remote access.
## Key Recommendations
### Immediate Actions
1. **Rapid Security Solution Alert Actioning:** Configure security solutions (EDR/MDR) to prioritize and automate response to alerts, aiming for actioning within two hours of detection to cut short the initial attack phases.
2. **Engage Incident Response Swiftly:** Establish an agreement or process to engage specialized Incident Response (IR) services (like Talos IR) within 1-2 days of observing suspicious adversary activity, leveraging external expertise for campaign correlation and proactive threat intelligence.
3. **Restrict Remote Access Software Execution:** Immediately review and configure endpoint controls to prevent the unauthorized execution or installation of common remote access tools identified in attacks (e.g., AnyDesk, Atera, Microsoft Quick Assist, Splashtop).
### Short-term Improvements (1-3 months)
1. **Mandate Multi-Factor Authentication (MFA):** Require MFA enforcement on *all* critical services, specifically including remote access solutions and Identity Access Management (IAM) services. Actively monitor for signs of MFA misuse or bypass attempts.
2. **Implement Enhanced Endpoint Logging (Sysmon):** Deploy and configure Microsoft Sysmon across all relevant endpoints to gain rich, detailed visibility into system activity, which is crucial for detecting pre-ransomware actions like credential dumping and process execution.
3. **Secure Credential Stores:** Prioritize hardening the primary targets for credential dumping: domain controller registry, SAM hive, LSASS memory, and the NTDS.DIT file. Implement protections to prevent direct access or dumping from these locations (e.g., hardening against Mimikatz).
### Long-term Strategy (3+ months)
1. **Establish Robust Backup Strategy:** Ensure backups are stored **offline** and immutable. This minimizes the risk that discovery or encryption activities by an adversary will corrupt the ability to restore systems.
2. **Implement Meaningful Network Segmentation:** Design and deploy network segmentation to severely limit lateral movement capabilities. Critical assets, especially Domain Controllers, must be isolated and prevented from direct internet connectivity unless absolutely necessary for core functions.
3. **Maintain Comprehensive Patch Management:** Establish a rigorous, automated process to ensure all operating systems and third-party software are patched up to date to remove vulnerabilities often exploited post-initial access.
4. **Conduct Targeted Security Training:** Intensify end-user cybersecurity training, focusing specifically on methods adversaries use to gain initial access or escalate privileges, including training on social engineering tactics, MFA fatigue attacks, and actor-in-the-middle token phishing.
## Implementation Guidance
### For Small Organizations
- **Focus on Basics:** Prioritize immediate patching, MFA on all external access points (VPN, O365), and ensuring backups are verified and physically disconnected/offline.
- **Leverage Managed Services:** If internal expertise is limited, prioritize subscribing to robust Managed Detection and Response (MDR) services that offer rapid, automated alert-actioning capabilities, mimicking the swift response observed in successful engagements.
### For Medium Organizations
- **Visibility Over Size:** Rapidly deploy Sysmon/EDR logging tools across the environment to achieve the necessary visibility to spot credential harvesting and discovery commands (e.g., `netscan`, `nltest`).
- **Audit Remote Services:** Conduct a comprehensive audit of all Remote Desktop Protocol (RDP), PsExec, and PowerShell usage. Restrict these to specific, vetted administrators and implement just-in-time access where possible.
### For Large Enterprises
- **Automated Response Chains:** Integrate EDR/XDR alerts directly into Security Orchestration, Automation, and Response (SOAR) platforms to execute pre-approved containment actions (e.g., host isolation, process termination) within minutes, not hours.
- **Strict Firewall Policy Enforcement:** Define and enforce granular firewall rules based on the principle of least privilege, specifically blocking outbound protocols that adversaries commonly use for Command and Control (C2) or data exfiltration, if they are not explicitly required for business operations.
- **Domain Hardening:** Implement comprehensive Tiering Models (Tier 0, 1, 2) to strictly limit administrative access to Domain Controllers and credential stores, preventing common enumeration and credential dumping techniques.
## Configuration Examples
* **Firewall/Proxy Configuration:** Implement outbound allow-listing for C2 and exfiltration protocols, blocking known suspicious default ports and protocols where administrative oversight is weak.
* **Endpoint Security Configuration:** Configure EDR/Antivirus solutions using **Application Control/Whitelisting** features to permit only known, verified benign applications to execute, explicitly preventing installation of unexpected or unauthorized remote tools.
## Compliance Alignment
- **NIST CSF (Identify/Protect):** Focus on Asset Management (identifying all endpoints), Risk Assessment (analyzing common TTPs), and Access Control (MFA, segmentation).
- **CIS Controls (Control 3, 4, 5):** Control 3 (Data Protection - offline backups), Control 4 (Secure Configuration - OS/software patching), and Control 5 (Account Management - MFA).
- **ISO 27001 (A.12 Operational Procedures):** Focus on managing technical vulnerabilities through timely patching and implementing operational security measures (logging/monitoring).
## Common Pitfalls to Avoid
- **Delayed Response:** Failing to act on security alerts within the crucial 2-hour window, allowing adversaries time to escalate privileges and establish persistence.
- **Disabling Security Tools:** Allowing an adversary to disable or compromise Endpoint Detection and Response (EDR) or anti-virus solutions, which severely limits visibility during the pre-encryption stages.
- **Ignoring Remote Access Risks:** Over-relying on standard tools (RDP, PsExec) without strong governance, MFA, or logging, as these are frequently abused for lateral movement and task automation.
- **Trusting Online Backups:** Relying solely on network-accessible or continuously synchronized backups, which are susceptible to being encrypted or deleted alongside production data.
## Resources
- **Security Framework:** NIST Cybersecurity Framework (CSF)
- **Configuration Benchmarks:** CIS Critical Security Controls (CIS Controls)
- **Threat Intelligence:** Consult vendor resources on current ransomware TTPs, specifically for known Indicators of Compromise (IOCs) associated with credential dumping tools like Mimikatz.