Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent 1b755c7, commit 512717f. Showing 3 changed files with 53 additions and 37 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# Apply defense-in-depth principles | ||
- by using multiple layers of security to ensure comprehensive analysis and detection of possible intrusions. | ||
|
||
# Resources | ||
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a?mc_cid=78cd2ac95a&mc_eid=UNIQID |
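Review bot: the heading and the bullet under it read as one sentence cut in half ("Apply defense-in-depth principles" / "- by using multiple layers of security ..."); either make the heading a complete title and put the full sentence in the body, or drop the heading level so the text reads as a single statement. The Resources link also carries Mailchimp tracking parameters (`?mc_cid=...&mc_eid=UNIQID`) that add nothing for readers; link the bare advisory URL `https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a` instead.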
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,37 +1,42 @@ | ||
- [Endpoint Segmentation](#endpoint-segmentation) | ||
- [Threat Intelligence-Based Blocking](#threat-intelligence-based-blocking) | ||
- [Services](#services) | ||
- [Remote Desktop Protocol](#remote-desktop-protocol) | ||
- [Maintain Network Documentation](#maintain-network-documentation) | ||
- [Resources](#resources) | ||
|
||
# Endpoint Segmentation | ||
Implement and ensure robust network segmentation between networks and functions to reduce the spread of the ransomware. Define a demilitarized zone that eliminates unregulated communication between networks. | ||
- Endpoints should NOT be allowed to communicate with each other unless absolutely necessary. This peer-level communication can be controlled via [Private VLANs](https://en.wikipedia.org/wiki/Private_VLAN) (AKA port isolation) on switches. | ||
- Generally, it is best to limit the following scenarios | ||
- Workstation-to-workstation communication | ||
- Server-to-server communication | ||
- Server-to-workstation communication | ||
- At a minimum, consider restrict the following ports where possible | ||
- Server Message Block (SMB) (TCP/445, TCP/135, TCP/139) | ||
- Remote Desktop Protocol (RDP) (TCP/3389) | ||
- Windows Remote Management (WinRM) (TCP/80, TCP/5985, TCP/5986) | ||
- Windows Management Instrumentation (WMI) (Dynamic/DCOM) | ||
|
||
# Threat Intelligence-Based Blocking | ||
Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. | ||
- Ideally performed automatically with a curated threat intelligence feed, but also allowing for management of a manual block/allowlist. | ||
|
||
# Services | ||
## Remote Desktop Protocol | ||
- RDP was designed to be used internally and should never be exposed to the Internet. Instead, expose VPN to the Internet and make RDP accessible internally only. | ||
- After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication. | ||
|
||
# Maintain Network Documentation | ||
Develop/update network maps to ensure a full accounting of all equipment that is connected to the network. | ||
- Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit. | ||
|
||
|
||
# Resources | ||
- Mandiant Whitepaper: Ransomware Protection and Containment Strategies | ||
- https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf | ||
- [Endpoint Segmentation](#endpoint-segmentation) | ||
- [Threat Intelligence-Based Blocking](#threat-intelligence-based-blocking) | ||
- [Services](#services) | ||
- [Remote Desktop Protocol](#remote-desktop-protocol) | ||
- [Maintain Network Documentation](#maintain-network-documentation) | ||
- [](#) | ||
- [Resources](#resources) | ||
|
||
# Endpoint Segmentation | ||
Implement and ensure robust network segmentation between networks and functions to reduce the spread of the ransomware. Define a demilitarized zone that eliminates unregulated communication between networks. | ||
- Endpoints should NOT be allowed to communicate with each other unless absolutely necessary. This peer-level communication can be controlled via [Private VLANs](https://en.wikipedia.org/wiki/Private_VLAN) (AKA port isolation) on switches. | ||
- Generally, it is best to limit the following scenarios | ||
- Workstation-to-workstation communication | ||
- Server-to-server communication | ||
- Server-to-workstation communication | ||
- At a minimum, consider restrict the following ports where possible | ||
- Server Message Block (SMB) (TCP/445, TCP/135, TCP/139) | ||
- Remote Desktop Protocol (RDP) (TCP/3389) | ||
- Windows Remote Management (WinRM) (TCP/80, TCP/5985, TCP/5986) | ||
- Windows Management Instrumentation (WMI) (Dynamic/DCOM) | ||
|
||
# Threat Intelligence-Based Blocking | ||
Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. | ||
- Ideally performed automatically with a curated threat intelligence feed, but also allowing for management of a manual block/allowlist. | ||
|
||
# Services | ||
## Remote Desktop Protocol | ||
- RDP was designed to be used internally and should never be exposed to the Internet. Instead, expose VPN to the Internet and make RDP accessible internally only. | ||
- After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication. | ||
|
||
# Maintain Network Documentation | ||
Develop/update network maps to ensure a full accounting of all equipment that is connected to the network. | ||
- Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit. | ||
|
||
# | ||
Establish baselines of network traffic, application execution, and account authentication. | ||
Use these baselines to enforce an “allowlist” philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric. | ||
|
||
# Resources | ||
- Mandiant Whitepaper: Ransomware Protection and Containment Strategies | ||
- https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf | ||
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a?mc_cid=78cd2ac95a&mc_eid=UNIQID |
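Review bot: the new section added near the end has no title: the heading line is a bare `#` and its table-of-contents entry is `- [](#)`, which renders as an empty link. Give the section a name that matches its content, e.g. `# Establish Baselines` with the entry `- [Establish Baselines](#establish-baselines)`, so the anchor resolves. Separately, the hunk replaces all 37 original lines even though only the TOC entry, the new section and the last Resources bullet actually changed, which usually means a line-ending or trailing-whitespace change was committed alongside the content; normalising that in its own commit would make the real diff reviewable. While the list lines are being rewritten anyway, "consider restrict the following ports" should read "consider restricting the following ports", and the added CISA link carries `mc_cid`/`mc_eid=UNIQID` tracking parameters that should be stripped.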
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
# Eliminate default passwords | ||
# Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers | ||
- in conjunction with customers - to understand how response teams use logs to investigate incidents. | ||
|
||
# Resources | ||
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a?mc_cid=78cd2ac95a&mc_eid=UNIQID |
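Review bot: "Eliminate default passwords" is a heading with no body, and the second heading is a full sentence split between the heading and the bullet ("Work with ... providers" / "- in conjunction with customers - to understand ..."); either give each heading a short title with the guidance in the body, or turn both into bullet points under one heading. The Resources URL has the same `?mc_cid=...&mc_eid=UNIQID` tracking parameters as in the other two files; link the advisory without them.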