SIEM

• Endpoint Segmentation
• Threat Intelligence-Based Blocking
• Services
  • Remote Desktop Protocol
• Maintain Network Documentation
• Resources

Endpoint Segmentation

Implement and ensure robust network segmentation between networks and functions to reduce the spread of the ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.

• Endpoints should NOT be allowed to communicate with each other unless absolutely necessary. This peer-level communication can be controlled via Private VLANs (AKA port isolation) on switches.
• Generally, it is best to limit the following scenarios
  • Workstation-to-workstation communication
  • Server-to-server communication
  • Server-to-workstation communication
  • At a minimum, consider restrict the following ports where possible
    • Server Message Block (SMB) (TCP/445, TCP/135, TCP/139)
    • Remote Desktop Protocol (RDP) (TCP/3389)
    • Windows Remote Management (WinRM) (TCP/80, TCP/5985, TCP/5986)
    • Windows Management Instrumentation (WMI) (Dynamic/DCOM)

Threat Intelligence-Based Blocking

Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.

• Ideally performed automatically with a curated threat intelligence feed, but also allowing for management of a manual block/allowlist.

Services

Remote Desktop Protocol

• RDP was designed to be used internally and should never be exposed to the Internet. Instead, expose VPN to the Internet and make RDP accessible internally only.
  • After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.

Maintain Network Documentation

Develop/update network maps to ensure a full accounting of all equipment that is connected to the network.

• Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit.

# Establish baselines of network traffic, application execution, and account authentication. Use these baselines to enforce an “allowlist” philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric.

Resources

• Mandiant Whitepaper: Ransomware Protection and Containment Strategies
  • https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a?mc_cid=78cd2ac95a&mc_eid=UNIQID

This site is open source. Improve this page.