While it's certainly wise to make the initial fixes to strengthen your defenses, these actions need to be applied on a regular basis
A new report on how to protect your networks from attack can be a helpful document that covers a lot of different bases within the cybersecurity landscape. The report, Proactive Preparation and Hardening to Protect Against Destructive Attacks, was written by several cybersecurity analysts “based on front-line expertise with helping organizations prepare, contain, eradicate, and recover from potentially destructive threat actors and incidents,” in the words of the authors.
It contains hundreds of tips for protecting Windows deployments, including command-line strings, group policy settings to adjust, and other very practical advice, including indicators that could point to compromised systems.
While reading the report is sobering because of its enormity of vision, that same vision is also tremendously useful and can serve as a blueprint for how IT and security managers can prepare for the inevitable attack, no matter if you're the size of General Motors or the corner flower shop. The report covers several specific areas that require strengthening.
Active Directory hardening and backups
Organizations should verify that backups for domain controllers and critical assets are available and protected against unauthorized access or modification (the report recommends system state backups and shows the commands to create and verify them). The report also has loads of suggestions on malware “tells” that security managers can look for, such as unauthorized users accessing backup media or shadow copies being deleted (a common event that precedes a ransomware attack).
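One way to watch for the shadow-copy and backup-catalog deletions the report calls out, written here as an added example (this is not code from the report or from Avast): the script below parses constructed process-creation records (the fields mirror what Windows event 4688 or Sysmon event 1 carry), flags the command lines that tamper with Volume Shadow Copies or backups, and separately flags backup-tool use by anyone outside an allowed list of backup operators. All hosts, users and log lines are made up, and the rule names are this example's own.

```python
"""Flag shadow-copy / backup tampering and unauthorized backup-tool use.

Added example, not from the report: input is a constructed pipe-delimited
export "timestamp|host|user|parent_image|command_line", which is what a
SIEM might hand back for Windows 4688 / Sysmon 1 process-creation events.
"""
import re
from dataclasses import dataclass

# Constructed sample records (hosts, users and commands are made up).
SAMPLE_EVENTS = """\
2024-05-01T02:13:05Z|DC01|CORP\\svc-backup|wbadmin.exe|wbadmin start systemstatebackup -backupTarget:E: -quiet
2024-05-01T02:14:40Z|FS02|CORP\\jdoe|cmd.exe|vssadmin delete shadows /all /quiet
2024-05-01T02:14:41Z|FS02|CORP\\jdoe|cmd.exe|wmic shadowcopy delete
2024-05-01T02:14:42Z|FS02|CORP\\jdoe|cmd.exe|wbadmin delete catalog -quiet
2024-05-01T02:14:43Z|FS02|CORP\\jdoe|cmd.exe|bcdedit /set {default} recoveryenabled no
2024-05-01T03:00:00Z|FS02|CORP\\svc-backup|cmd.exe|vssadmin list shadows
2024-05-01T04:10:00Z|WS17|CORP\\asmith|explorer.exe|notepad.exe C:\\notes.txt
"""

# (rule name, case-insensitive pattern over the command line). Listing or
# creating shadow copies is normal; deleting or resizing them is the signal.
TAMPER_PATTERNS = [
    ("vss_delete",     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vss_resize",     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_sc_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("recovery_off",   re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s*no\b", re.I)),
]

# Any invocation of a backup-management tool, used for the "who ran it" rule.
BACKUP_TOOLS = re.compile(r"^\s*(vssadmin|wbadmin|wmic)(\.exe)?\b", re.I)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_events(text):
    """Split the export into dicts; maxsplit keeps '|' inside command lines intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({"timestamp": ts, "host": host, "user": user,
                       "parent": parent, "command_line": cmd})
    return events


def detect_tampering(text):
    """One Finding per (event, matching tamper rule)."""
    findings = []
    for ev in parse_events(text):
        for rule, pattern in TAMPER_PATTERNS:
            if pattern.search(ev["command_line"]):
                findings.append(Finding(ev["timestamp"], ev["host"], ev["user"],
                                        rule, ev["command_line"]))
    return findings


def unauthorized_backup_tool_use(text, allowed_users):
    """Backup-tool invocations by accounts that are not approved backup operators."""
    allowed = {u.lower() for u in allowed_users}
    return [Finding(ev["timestamp"], ev["host"], ev["user"],
                    "unauthorized_backup_tool_use", ev["command_line"])
            for ev in parse_events(text)
            if BACKUP_TOOLS.match(ev["command_line"]) and ev["user"].lower() not in allowed]


def hosts_at_risk(findings, min_rules=2):
    """Hosts where several distinct tamper rules fired: the typical pre-encryption cleanup."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect_tampering(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.command_line}")
    print("hosts at risk:", hosts_at_risk(hits))
    for f in unauthorized_backup_tool_use(SAMPLE_EVENTS, ["CORP\\svc-backup"]):
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.command_line}")
```

On the constructed input, four tamper rules fire on FS02 within seconds of each other, which is exactly the cluster worth paging on; the lone `vssadmin list shadows` by the backup service account produces nothing, and the same account's `wbadmin start systemstatebackup` is the legitimate job the report recommends.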
Network segmentation
Organizations should have both physical and logical separation between IT domains and operational technology processes and controls. This means having separate AD forests and network segments, along with restricting the IP protocols and ports that could bridge the divide between the two domains. One common indication of potential compromise is a failed login attempted across domains, whereby an attacker is trying to reuse credentials to move around your infrastructure.
Disable administrative access wherever possible
Auditing and limiting this access is another security mechanism, since many organizations have created far too many accounts with a wide collection of permissions. The report suggests registry key modifications and stopping certain service accounts (or using group policies to get this under control), and it provides the necessary commands to track and lock down these accounts, along with detecting and preventing abuses of other privileged accounts.
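The two indicators from the last two sections, failed logins crossing the IT/OT domain boundary and privileged accounts being used where they should not be, can be checked with the same event-parsing code, so here is one added example covering both (this is not code from the report or from Avast). It reads a constructed SIEM-style JSON export of Windows Security events (4625 = failed logon, 4672 = special privileges assigned to a new logon); the field names follow the event XML, while the host-to-domain inventory, the approved admin hosts, the tier-0 account list and every event value are assumptions made up for the example.

```python
"""Cross-domain failed logons and tier-0 logons on non-admin hosts.

Added example, not from the report. Input: a constructed JSON export of
Windows Security events with the standard 4625 / 4672 field names.
"""
import json
from collections import defaultdict

# Constructed asset inventory: which AD domain each host belongs to.
HOST_DOMAIN = {"OT-HMI01": "OT", "OT-ENG02": "OT",
               "DC01": "CORP", "FS02": "CORP", "PAW-01": "CORP"}
# Constructed: hosts on which domain-admin logons are expected (DCs, admin workstations).
ADMIN_HOSTS = {"DC01", "PAW-01"}
# Constructed: tier-0 accounts whose credentials must not land on ordinary members.
PRIVILEGED_ACCOUNTS = {"da-admin"}

SAMPLE_EXPORT = json.dumps([
    {"EventID": 4625, "TimeCreated": "2024-05-01T01:02:03Z", "Computer": "OT-HMI01",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP", "IpAddress": "10.20.1.15", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-05-01T01:02:09Z", "Computer": "OT-ENG02",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP", "IpAddress": "10.20.1.15", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-05-01T01:05:00Z", "Computer": "FS02",
     "TargetUserName": "asmith", "TargetDomainName": "CORP", "IpAddress": "10.20.5.7", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-05-01T01:06:00Z", "Computer": "OT-HMI01",
     "TargetUserName": "operator", "TargetDomainName": "OT", "IpAddress": "10.30.0.9", "LogonType": 2},
    {"EventID": 4672, "TimeCreated": "2024-05-01T01:10:00Z", "Computer": "DC01",
     "SubjectUserName": "da-admin", "SubjectDomainName": "CORP"},
    {"EventID": 4672, "TimeCreated": "2024-05-01T01:12:00Z", "Computer": "FS02",
     "SubjectUserName": "da-admin", "SubjectDomainName": "CORP"},
    {"EventID": 4672, "TimeCreated": "2024-05-01T01:13:00Z", "Computer": "FS02",
     "SubjectUserName": "FS02$", "SubjectDomainName": "CORP"},
])


def cross_domain_failures(events):
    """4625 events where the account's domain differs from the domain of the target host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        host_domain = HOST_DOMAIN.get(ev["Computer"])
        if host_domain and ev["TargetDomainName"].upper() != host_domain.upper():
            hits.append(ev)
    return hits


def credential_reuse_sources(failures, min_hosts=2):
    """Source addresses whose cross-domain failures touched at least min_hosts distinct hosts."""
    hosts_by_source = defaultdict(set)
    for ev in failures:
        hosts_by_source[ev["IpAddress"]].add(ev["Computer"])
    return sorted(ip for ip, hosts in hosts_by_source.items() if len(hosts) >= min_hosts)


def tier0_logons_off_admin_hosts(events):
    """4672 events for a tier-0 account on a host where such a logon is not expected."""
    return [ev for ev in events
            if ev.get("EventID") == 4672
            and ev["SubjectUserName"].lower() in PRIVILEGED_ACCOUNTS
            and ev["Computer"] not in ADMIN_HOSTS]


def run_detections(export_json=SAMPLE_EXPORT):
    """Run both rules over an export and return compact, comparable results."""
    events = json.loads(export_json)
    failures = cross_domain_failures(events)
    return {
        "cross_domain": [(ev["Computer"], f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
                          ev["IpAddress"]) for ev in failures],
        "reuse_sources": credential_reuse_sources(failures),
        "tier0_off_admin_hosts": [(ev["Computer"], ev["SubjectUserName"])
                                  for ev in tier0_logons_off_admin_hosts(events)],
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

The cross-domain rule needs an inventory of which domain each host belongs to; without one, the best you can do is compare `TargetDomainName` against the domain the collecting host reported, which the report's separate-forest design makes a clean test. The 4672 rule is a tiering check rather than a failed-login check: a domain admin logging on to a file server leaves that account's credentials cached there, which is the exposure the "limit administrative access" section is trying to prevent.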
Further reading:
Why SMBs should include access revocation in their employee separation process
Avast finds employees connecting personal devices to SMB networks
RDP hardening
As we wrote about earlier this year, the Remote Desktop Protocol (RDP) can be a major way for attackers to enter your networks. Organizations should periodically scan their public IP address ranges to ensure that no system has port 445 (SMB) or port 3389 (RDP) open to the internet. That earlier article has other suggestions to lock down this exposure, and the report also has additional proactive measures, such as using network-level authentication settings in group policies and using RDP’s restricted admin mode.
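The periodic check of your own public ranges can be a small script; the following is an added example written for this post (not code from the report or from Avast). It enumerates the ranges with the standard library, attempts a TCP connect to 445 and 3389 on every address, and lists whatever answers. The ranges in `OWN_RANGES` are constructed placeholders in RFC 5737 documentation space that you would replace with the ranges you own, and the connect step is injectable so the logic can be exercised without touching the network.

```python
"""Exposure check for SMB (445) and RDP (3389) across your own public ranges.

Added example, not from the report. OWN_RANGES are constructed placeholders;
`connector` defaults to a real TCP connect and can be swapped for testing.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

EXPOSED_PORTS = {445: "SMB", 3389: "RDP"}          # ports that should not answer from the internet
OWN_RANGES = ["198.51.100.0/29", "203.0.113.10/32"]  # constructed placeholders; use your own ranges


def tcp_connect(host, port, timeout=1.0):
    """Real connector: True if the TCP handshake completes, i.e. the port is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def simulated_connector(reachable):
    """Offline connector: treats exactly the given {(host, port)} pairs as reachable."""
    return lambda host, port: (host, port) in reachable


def expand_ranges(ranges):
    """Every host address in the CIDR ranges; network and broadcast are skipped for prefixes shorter than /31."""
    hosts = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        for addr in net:
            if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
                continue
            hosts.append(str(addr))
    return hosts


def find_exposed(ranges, ports=EXPOSED_PORTS, connector=tcp_connect, workers=32):
    """(host, port, service) for each address/port pair the connector reports reachable."""
    checks = [(h, p) for h in expand_ranges(ranges) for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        reachable = list(pool.map(lambda hp: connector(*hp), checks))
    return [(h, p, ports[p]) for (h, p), ok in zip(checks, reachable) if ok]


if __name__ == "__main__":
    for host, port, service in find_exposed(OWN_RANGES):
        print(f"EXPOSED {service}: {host}:{port}")
```

Run it from outside your perimeter (a cloud VM or a home connection), since from inside the network a host can look reachable on 445 while the edge firewall actually blocks it; the check is only meaningful from the vantage point an outsider has. A connect that succeeds is the finding; the script does not speak SMB or RDP, so the next step is the firewall rule or host configuration change, not further probing.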
We suggest reading through the full report to explore the full collection of tips and research that it contains. Before you get overwhelmed, though, you should realize that the report shows how you need to keep making these changes and looking for possible compromised systems on a regular basis after you've implemented these "hardening" activities.
Many organizations don't have regular follow-ups to see if changes to their network infrastructure or securing the accounts of former employees are actually done. While it's certainly wise to make the initial fixes to strengthen your defenses, these actions need to be applied on a regular basis.