mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Merge pull request #5258 from MicrosoftDocs/master
Publish 06/07/2021, 10:30 AM
commit a2cbd67020
@ -56,58 +56,13 @@ Organizations can be targeted specifically by attackers, or they can be caught i
To provide the best protection against ransomware attacks, Microsoft recommends that you:
1. Use an effective email filtering solution
According to the [Microsoft Security Intelligence Report Volume 24 of 2018](https://clouddamcdnprodep.azureedge.net/gdc/gdc09FrGq/original), spam and phishing emails are still the most common delivery method for ransomware infections. To effectively stop ransomware at its entry point, you must adopt an email security service that ensures all email content and headers entering and leaving the organization are scanned for spam, viruses, and other advanced malware threats.
By adopting an enterprise-grade email protection solution, most cybersecurity threats against an organization will be blocked at ingress and egress.
**HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization' Exchange Online mailboxes against spam, malware, and other email threats.
2. Deploy regular hardware and software systems patching and effective vulnerability management
A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software publishers release them.
A prominent example of this failure was the WannaCry ransomware events in 2017, one of the largest global cybersecurity attacks in the history of the internet, which used a leaked vulnerability in Windows networking Server Message Block (SMB) protocol, for which Microsoft had released a patch nearly two months before the first publicized incident.
Regular patching and an effective vulnerability management program are important measures to defend against ransomware and other forms of malware.
**HOW:** Use [update channels](/microsoft-365/enterprise/deploy-update-channels-examples) for recommendations on updates for Windows 10 and Microsoft 365 Apps for Enterprise (Windows 10).
3. Use up to date antivirus and an endpoint detection and response (EDR) solutions
While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, ensure that your antivirus solutions are kept up to date with your software publishers.
Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines.
EDR solutions collect and store large volumes of data from endpoints and provide real-time host-based, file-level monitoring and visibility to systems. The data sets and alerts generated by an EDR solution can help stop advanced threats and are often leveraged for responding to security incidents.
4. Separate administrative and privileged credentials from standard credentials
Separate your system administrative accounts from your standard user accounts to ensure those administrative accounts are not useable across multiple systems. Separating these privileged accounts not only enforces proper access control but also ensures that a compromise of a single standard user account doesn’t lead to the compromise of your entire IT infrastructure.
**HOW:** To effectively reduce your credential attack surface, use Microsoft support for [Azure Multi-Factor Authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) to require stronger authentication for privileged accounts, [Azure Privileged Identity Management (PIM)](/azure/active-directory/privileged-identity-management/) for just-in-time use of privileged accounts, and [Privileged Access Management (PAM)](/microsoft-365/compliance/privileged-access-management-solution-overview) for just-in-time access to Microsoft 365 tasks that need elevated permissions.
5. Implement effective application allowlists
You need to restrict the applications that can run within an IT infrastructure. Application allowlists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective.
**HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](/azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps.
6. Regularly back up critical systems and files
The ability to recover to a known good state is the most critical strategy of any information security incident plan, especially ransomware. Therefore, to ensure the success of this process, an organization must validate that all its critical systems, applications, and files are regularly backed up and that those backups are regularly tested to ensure they are recoverable. Ransomware is known to encrypt or destroy any file it comes across, and it can often make them unrecoverable; consequently, it’s of utmost importance that all impacted files can be easily recovered from a good backup stored at a secondary location not impacted by the ransomware attack.
<!--
- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
- Apply the latest updates to your operating systems and apps.
- Educate your employees so they can identify social engineering and spear-phishing attacks.
- [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
-->
- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
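Review bot: in this hunk, item 6 ("Regularly back up critical systems and files") and item 3 are the only recommendations without a **HOW:** line, while the trailing bullet "- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)" sits after the closing `-->` outside the numbered list, so it reads as an orphan rather than as guidance attached to item 6. Suggest making that bullet item 6's HOW line and restoring the 3-2-1 guidance that now survives only inside the commented-out block ("Keep three backups of your data, on two different storage types, and at least one backup offsite"), since an offsite copy is exactly the "secondary location not impacted by the ransomware attack" that item 6 asks for; the commented-out list itself should then be deleted rather than left in the source. Smaller points in the same hunk: "your organization' Exchange Online mailboxes" needs "organization's"; the item 3 heading "Use up to date antivirus and an endpoint detection and response (EDR) solutions" should read "Use up-to-date antivirus and endpoint detection and response (EDR) solutions"; the item 2 HOW line repeats "Windows 10" in its parenthetical; and in the WannaCry sentence "a leaked vulnerability in Windows networking Server Message Block (SMB) protocol" is imprecise, because what leaked was an exploit for an SMB vulnerability that Microsoft had already patched, which is the point the paragraph is making about timely patching.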