1/ If you are walking into work today worried about how to defend against the cyber threat posed by Iran, @jepayneMSFT ‘s tweet still holds as true as ever: focus on defending against Emotet and the ransomware attacks being launched from it
2/ A security improvement programme focused on defending against Emotet, with only 3-6 months of sustained effort could significantly improve your company's ability to defend against destructive ransomware attacks and more sophisticated attacks
3/ How could you do this? Use recent examples of catastrophic ransomware attacks to tell a story to senior leadership justifying the urgency of improving security now; pull together a team of your best people from your security and IT teams; get a whiteboard and people in a room;
4/ Build an action plan of what you can achieve over the next 30/60/90 days; focus on tasks which will have a direct impact on rapidly reducing risk and increasing difficulty to an attacker; execute at pace with sprints, ensure accountability, be open to changing plans
5/ Get senior leadership buy-in to drive rapid change in the IT environment; get a Red Team to work collaboratively with you to help you identify vulnerabilities, validate these have fixed these and demonstrate the impact you are making
6/ Why do this now? Recent examples show that it is only a matter of time before ransomware will cripple your business if you haven’t implemented fundamental security controls. Implementing these controls are challenging but achievable
7/ How can you make an impact both against state-sponsored attacks and Emotet? There is currently a significant convergence between the tools and techniques of cyber crime groups, red teams and many state sponsored attackers - this is a great opportunity to exploit this
8/ Where to start? focus on the basics: make it more difficult for an attacker to phish an employee, run malware on a workation, gain administrator privileges and get the access required to move laterally around your environment
9/ Worth having a look at some of the cool Emotet honeypot work @GossiTheDog is doing - some great insights here; map out the kill chains of these attacks (with MITRE ATT&CK) and work out the key controls you can apply at each stage to prevent and detect an attackers actions
10/ Key areas of focus - prevent malicious payloads being delivered via phishing; restrict what can be executed on endpoints (inc. scripts); upgrade endpoints to Windows 10 and use built-in security features; segment endpoints away from the corporate network
11/ protect domain admin accounts; lock down accounts in local admin groups and set strong passwords on default local admin accounts; set strong passwords on service accounts; patch internal RCE vulnerabilities; uplift detection and response capabilities (try EDR); test backups
12/ Also whilst not strictly related, this deserves it’s own tweet: make sure you have deployed multi-factor authentication on all your externally accessible services (this is achievable even in large orgs in < 90 days by mobilising significant resources)
13/ Get in touch if you want to chat more about how to get this off the ground, gain support and build momentum - more than happy to chat
