Strengthening Cybersecurity: A Guide to Effective Free Quick Wins

December 13, 2023
17 min

In today's rapidly evolving cyber landscape, robust security measures are essential. FalconOps Cybersecurity brings you a comprehensive "quick win" guide: free suggestions (and one paid one) that measurably raise the cost of attacking your organization.

CISA recently published an extensive guide as a part of their #StopRansomware campaign. This blog seeks to highlight many of the major points that we see in combination with their suggestions. You can find the entire CISA article here.

Top 15 Free Implementations:

Protected Users Group in Active Directory:

This security group, available since Windows Server 2012 R2, applies automatic, non-configurable protections to its members so that their credentials exist in fewer places and in fewer forms.

Benefits:

  • Member credentials are not cached on the device: no plaintext (WDigest), no NTLM hash, no CredSSP delegation of saved credentials, and no offline (cached) logon.
  • NTLM authentication is refused for these accounts, and Kerberos will not issue them DES or RC4 keys.
  • Members cannot be used with constrained or unconstrained delegation, and their Kerberos TGTs are limited to a four-hour, non-renewable lifetime.

Caveats:

  • Add human administrator accounts only. Never add service accounts or computer accounts; the NTLM and RC4 restrictions will break them.
  • Anything that still relies on NTLM (connecting to a host by IP address, a legacy application, a non-domain-joined system) will stop working for a protected account, so move one test administrator first.
  • The domain-side protections require Windows Server 2012 R2 or later domain controllers, and each member needs an AES Kerberos key (change the password once if it was last set before the domain reached the 2008 functional level).

More Information: Protected Users Security Group.

Implement Phishing-Resistant MFA:

Phishing-resistant Multi-Factor Authentication (MFA) means authenticators that a phishing site cannot relay or replay: FIDO2/WebAuthn security keys and platform authenticators (Windows Hello for Business, passkeys) and PKI-based smart cards. The credential is cryptographically bound to the legitimate site's origin, so a look-alike domain or an adversary-in-the-middle proxy never receives anything it can reuse. Push approvals, SMS codes and one-time passcodes are still MFA, but they are phished in real time every day with off-the-shelf proxy kits. A fingerprint or face on its own is a local unlock, not a phishing-resistant factor.

Benefits:

  • Defeats adversary-in-the-middle phishing, which bypasses push- and code-based MFA.
  • Uses hardware-bound keys or PKI credentials, so there is no secret a user can be tricked into typing into a fake page.

Caveats:

  • Registering the method is not enough: require it through conditional access (in Microsoft Entra ID, an authentication strength policy), starting with administrators and other high-value roles, and disable the weaker methods once they are no longer needed.

More Information: Phishing-Resistant MFA.

Separate Administrator Accounts from User Accounts:

Using separate accounts for administrative tasks and for day-to-day work (email, browsing, documents) means that the account most exposed to phishing and malware carries no administrative rights.

Benefits:

  • Limits the damage from a compromised user account; the attacker still has to find a path to the admin account.
  • Allows better control and monitoring of administrative activity, since every admin logon comes from an account that should do nothing else.

Caveats:

  • Admin accounts should have no mailbox, never browse the web, and only log on to systems of the same tier (domain admins to domain controllers, not to workstations), or the separation buys little.

More Information: Separate User and Admin Accounts.
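The following PowerShell is an added example (not code from the original post) that ties the two points above together: it lists the members of the built-in privileged groups, flags accounts that look like daily-driver accounts (they have a mailbox) or service accounts (they have SPNs), checks the domain controller's Security log for recent NTLM logons by the remaining ones, and stages those into Protected Users with -WhatIf. It assumes the ActiveDirectory RSAT module, that it runs on a domain controller (or against its Security log), and the default group names.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module, rights to read the DC Security log and to modify Protected Users,
# and the default built-in group names.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

# Distinct user members (nested groups expanded) of the Tier-0 groups.
$privUsers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}
$privUsers = $privUsers | Sort-Object distinguishedName -Unique | ForEach-Object {
    Get-ADUser -Identity $_.distinguishedName -Properties mail, servicePrincipalName, memberOf, lastLogonDate
}

$report = foreach ($u in $privUsers) {
    # Heuristics, not proof. A mailbox suggests a daily-driver account that
    # should lose its admin rights in favour of a separate admin account. SPNs
    # mean a service account, which must never go into Protected Users: the
    # group disables NTLM and RC4 for the member, and most services need them.
    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        HasMailbox       = [bool]$u.mail
        IsServiceAccount = ($u.servicePrincipalName.Count -gt 0)
        InProtectedUsers = [bool]($u.memberOf -match '^CN=Protected Users,')
        LastLogon        = $u.lastLogonDate
    }
}
$report | Format-Table -AutoSize

$candidates = $report | Where-Object {
    -not $_.HasMailbox -and -not $_.IsServiceAccount -and -not $_.InProtectedUsers
}

# Before protecting an account, look for NTLM logons by it in the last 14 days.
# In event 4624, Properties[5] is TargetUserName and Properties[10] is
# AuthenticationPackageName. A hit means something still depends on NTLM.
$since = (Get-Date).AddDays(-14)
$ntlmLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 'NTLM' } |
    Group-Object { $_.Properties[5].Value }

foreach ($c in $candidates) {
    $hit = $ntlmLogons | Where-Object Name -eq $c.SamAccountName
    if ($hit) {
        Write-Warning "$($c.SamAccountName): $($hit.Count) NTLM logons since $since; find the source before protecting it"
        continue
    }
    # -WhatIf shows the change without making it; drop it once the report is right.
    Add-ADGroupMember -Identity 'Protected Users' -Members $c.SamAccountName -WhatIf
}
```

Reading two weeks of 4624 events on a busy DC takes a while; if you have a SIEM, run the NTLM query there instead. The mailbox and SPN checks are only hints: review the report before trusting it.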

Local Administrator Password Solution (LAPS):

Windows LAPS is a built-in Windows feature (shipped in the April 2023 Windows updates and later) that sets a random, per-device password on the local administrator account, stores it in Windows Server Active Directory or Microsoft Entra ID (formerly Azure Active Directory), and rotates it automatically.

Benefits:

  • Every device gets a different local administrator password, so a hash or password stolen from one machine no longer opens the rest (the classic pass-the-hash lateral-movement path).
  • Help desk staff can retrieve the password for a single device, and the password is rotated automatically after it has been used (post-authentication reset).
  • Fine-grained Active Directory permissions control who can read or expire passwords, and every retrieval is audited.

Caveats:

  • The AD schema must be extended once, and computers need permission to write their own password. The older "legacy LAPS" MSI is a separate product; both must not manage the same account on the same device.

More Information: Windows LAPS Overview.
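As an added example (not the post's own code), here is an on-premises Windows LAPS rollout using the built-in LAPS PowerShell module: schema extension, computer self-permission, a least-privilege read/reset grant to a help-desk group, the client policy values (normally delivered by GPO; written to the registry here so the effect is visible on a single test machine), and the retrieval and rotation a help desk would actually perform. The OU, group and computer names are placeholders.

```powershell
# Added example, not from the original post. Run from a domain-joined admin
# host with the built-in LAPS module (Windows 11 / Server 2019+ after the
# April 2023 updates). OU, group and computer names are placeholders.

# 1. One-time: extend the AD schema (Schema Admins required).
Update-LapsADSchema

# 2. Let computers in the target OU write their own password to AD
#    (self-permission only covers the computer's own object).
$ou = 'OU=Workstations,DC=corp,DC=example'
Set-LapsADComputerSelfPermission -Identity $ou

# 3. Principals that hold "All extended rights" on that OU can read every
#    password in it; list them so the unintended ones can be removed.
Find-LapsADExtendedRights -Identity $ou | Format-Table -AutoSize

# 4. Grant read and reset to the help-desk group only.
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals 'CORP\HelpDesk-Tier1'
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals 'CORP\HelpDesk-Tier1'

# 5. Client policy. The GPO (Computer Configuration > Administrative Templates
#    > System > LAPS) writes exactly these values; set here for one test box.
$pol = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
New-Item -Path $pol -Force | Out-Null
New-ItemProperty $pol -Name BackupDirectory             -PropertyType DWord -Value 2  -Force | Out-Null  # 2 = AD, 1 = Entra ID
New-ItemProperty $pol -Name PasswordLength              -PropertyType DWord -Value 20 -Force | Out-Null
New-ItemProperty $pol -Name PasswordComplexity          -PropertyType DWord -Value 4  -Force | Out-Null  # upper+lower+digits+specials
New-ItemProperty $pol -Name PasswordAgeDays             -PropertyType DWord -Value 30 -Force | Out-Null
New-ItemProperty $pol -Name PostAuthenticationResetDelay -PropertyType DWord -Value 8 -Force | Out-Null  # hours after an admin logon
New-ItemProperty $pol -Name PostAuthenticationActions   -PropertyType DWord -Value 3  -Force | Out-Null  # 3 = reset password and log off

# Apply now and check the client's own log.
Invoke-LapsPolicyProcessing
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 5 | Format-List TimeCreated, Id, Message

# 6. Help-desk retrieval (audited in AD) and forced rotation.
Get-LapsADPassword -Identity 'WS-0042' -AsPlainText |
    Select-Object ComputerName, Account, Password, ExpirationTimestamp
# Expire the password in AD; the client rotates it on its next policy run.
Set-LapsADPasswordExpirationTime -Identity 'WS-0042'
# Or, on the machine itself, rotate immediately:
# Reset-LapsPassword
```

Keep PostAuthenticationActions on: a password that is read by the help desk and then left in place for 30 days is a password an attacker who compromised that technician's session can also use.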

Implement the Attack Surface Reduction (ASR) Rule for LSASS:

The ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" is a Microsoft Defender Antivirus rule that stops processes from opening LSASS memory. Reading that memory is how tools such as Mimikatz and procdump recover logon credentials, so this closes the most common credential-dumping step.

Benefits:

  • Protects against credential theft from LSASS memory.
  • Works on systems where Credential Guard can't be enabled (no UEFI, Secure Boot or virtualization support).

Caveats:

  • ASR rules only work when Microsoft Defender Antivirus is the active antivirus; with a third-party product in primary mode they are silently ignored.
  • Enable the rule in audit mode first and review the events: some legitimate security products and debuggers open LSASS. Pair it with LSA protection (RunAsPPL), which is also free and stops unsigned code from loading into LSASS at all.

More Information: ASR Rules Reference.

Implement Credential Guard on Windows Systems:

Credential Guard uses virtualization-based security to isolate NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials that applications store as domain credentials in a separate virtual container that even code running as SYSTEM on the host cannot read.

Benefits:

  • Hardware- and hypervisor-backed isolation: dumping LSASS no longer yields reusable secrets.
  • Protects against advanced persistent threats and common credential theft techniques such as pass-the-hash and pass-the-ticket.

Caveats:

  • Requires 64-bit Windows 10/11 Enterprise or Education (or Windows Server 2016 and later) with UEFI, Secure Boot and virtualization extensions; eligible Windows 11 22H2 and later Enterprise/Education devices turn it on by default.
  • It breaks unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2 and Kerberos DES, so inventory those dependencies first.

More Information: Credential Guard Overview
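The block below is an added example (not from the original post) covering both this section and the ASR section above: it enables the LSASS ASR rule in audit mode and shows how to read its events, turns on LSA protection (RunAsPPL), sets the Credential Guard registry values that the "Turn On Virtualization Based Security" GPO writes, and provides one function that reports the state of all three after a reboot. It assumes Microsoft Defender Antivirus is the active AV and that the machine meets the Credential Guard hardware requirements.

```powershell
# Added example, not from the original post. Assumes Defender AV is the active
# antivirus (ASR rules are ignored otherwise) and, for Credential Guard,
# UEFI + Secure Boot + virtualization extensions. Run elevated.
#Requires -RunAsAdministrator

# --- 1. ASR rule "Block credential stealing from LSASS" ------------------------
$lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
# Audit first; change AuditMode to Enabled once the events look clean.
Add-MpPreference -AttackSurfaceReductionRules_Ids $lsassRule -AttackSurfaceReductionRules_Actions AuditMode

function Get-LsassAsrEvents {
    # 1122 = audited (would have been blocked), 1121 = blocked. The rule GUID
    # appears in the message, so filter on it to ignore the other ASR rules.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $lsassRule } |
        Select-Object TimeCreated, Id, Message
}

# --- 2. LSA protection (RunAsPPL): LSASS becomes a protected process, so only
#       signed, PPL-capable code can open it or load into it. Works without VBS.
#       After reboot, Wininit event 12 in the System log confirms it started protected.
New-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null

# --- 3. Credential Guard (same values the GPO writes) -------------------------
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item $dg -Force | Out-Null
New-ItemProperty $dg -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty $dg -Name RequirePlatformSecurityFeatures  -PropertyType DWord -Value 1 -Force | Out-Null  # 1 = Secure Boot
# LsaCfgFlags: 1 = on with UEFI lock (cannot be switched off remotely), 2 = on without lock.
New-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -PropertyType DWord -Value 1 -Force | Out-Null

# --- Verification (run after the reboot) ------------------------------------
function Get-LsassProtectionStatus {
    $dgState = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        AsrLsassRule    = (Get-MpPreference).AttackSurfaceReductionRules_Ids -contains $lsassRule
        RunAsPPL        = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').RunAsPPL -eq 1
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        CredentialGuard = $dgState.SecurityServicesRunning -contains 1
        VbsStatus       = $dgState.VirtualizationBasedSecurityStatus   # 2 = running
    }
}
Get-LsassAsrEvents | Format-Table -AutoSize
Get-LsassProtectionStatus
```

RunAsPPL also blocks unsigned LSA plugins and password filters, so check for those before rolling it out. The UEFI lock on LsaCfgFlags is deliberate: without it, an attacker with admin rights can simply switch Credential Guard off and reboot.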

Implement Flagging External Emails in Email Clients:

External email tagging in Exchange Online adds an "External" label in supported Outlook clients to messages that originate outside your accepted domains, so that a message pretending to come from the CEO or the help desk is visibly foreign.

Benefits:

  • Makes external origin obvious at a glance, including on mobile.
  • Replaces the subject-prefix transport rules ("[EXTERNAL]") many organizations built; retire those rules when you enable it to avoid double tagging.

Caveats:

  • Only Outlook clients render the tag; other mail clients show nothing, so it complements, and does not replace, the attachment filter and DMARC controls below.

More Information: Exchange Online External Email Tagging.

Enable Common Attachment Filters to Restrict File Types That Commonly Contain Malware:

In Microsoft 365, the anti-malware policy's common attachments filter rejects (or quarantines) messages whose attachments are of types that are executable or routinely used as malware droppers, whether or not the file itself scans as malicious.

Benefits:

  • Blocks attachment-based malware delivery before a user can open the file.
  • Customizable: extend the default list with the container and script formats currently used to bypass mark-of-the-web, such as ISO, IMG, VHD, LNK, JS, VBS, HTA and OneNote files.

Caveats:

  • Reject sends a non-delivery report to the sender; if you prefer to let administrators release false positives, set the action to quarantine instead.

More Information: Configure Anti-Malware Policies.
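The following Exchange Online PowerShell is an added example (not the post's own code) for the two email controls above: it turns on external tagging and extends the default anti-malware policy's common attachments filter with the container and script types mentioned. It assumes the ExchangeOnlineManagement module and Exchange admin rights; the admin UPN and partner domain are placeholders.

```powershell
# Added example, not from the original post. Requires the
# ExchangeOnlineManagement module. Admin UPN and partner domain are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@corp.example

# 1. External tagging is tenant-wide. Domains in AllowList are NOT tagged,
#    so keep that list to a minimum (every entry is a free spoofing target).
Set-ExternalInOutlook -Enabled $true -AllowList @('partner.example')
Get-ExternalInOutlook | Format-List Enabled, AllowList

# 2. Common attachments filter on the default anti-malware policy. Start from
#    the built-in list and add the containers and script hosts that are used
#    to deliver macros and loaders without a mark-of-the-web.
$baseline = (Get-MalwareFilterPolicy -Identity Default).FileTypes
$extra = 'iso', 'img', 'vhd', 'vhdx', 'lnk', 'js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh', 'hta', 'cab', 'one'
$fileTypes = @($baseline + $extra | Select-Object -Unique)

Set-MalwareFilterPolicy -Identity Default `
    -EnableFileFilter $true `
    -FileTypes $fileTypes `
    -FileTypeAction Reject        # Reject = NDR to sender; Quarantine lets admins release false positives

# 3. Verify. ZapEnabled is zero-hour auto purge: malware found after delivery
#    is pulled back out of mailboxes.
Get-MalwareFilterPolicy -Identity Default |
    Format-List Name, EnableFileFilter, FileTypeAction, ZapEnabled, @{ n = 'FileTypeCount'; e = { $_.FileTypes.Count } }

Disconnect-ExchangeOnline -Confirm:$false
```

Test the filter with an internal sender first: a rejected NDR from the marketing team's ZIP-of-ISO export is annoying, but it is also exactly the file type you want stopped.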

Implement Domain-based Message Authentication, Reporting, and Conformance (DMARC):

DMARC builds on SPF (which servers may send mail for your domain) and DKIM (a signature over the message) by telling receiving mail systems what to do when a message fails both checks, and by sending you reports about everyone who sends as your domain.

Benefits:

  • Lets receivers verify that mail claiming to be from your domain really is, and lets you apply the same check to mail you receive.
  • Prevents exact-domain spoofing once enforced, which removes the most convincing form of phishing against your own staff and customers.

Caveats:

  • Start at p=none with a rua= reporting address, use the aggregate reports to find every legitimate sender (marketing platforms, ticketing systems, multifunction printers), fix their SPF and DKIM, then move to p=quarantine and finally p=reject. A domain left at p=none is monitoring, not protection.
  • DKIM matters for mail that is forwarded, because forwarding breaks SPF; sign outbound mail for every sending domain.

More Information: Use DMARC to Validate Email.
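As an added example (not from the original post), this PowerShell function reads a domain's SPF and DMARC records with the built-in Resolve-DnsName cmdlet and reports the weaknesses that matter when moving from monitoring to enforcement: permissive SPF qualifiers, the 10-lookup limit, p=none, a missing rua= address, a partial pct=, and subdomains left uncovered. The domain at the bottom is a placeholder; the checks are generic.

```powershell
# Added example, not from the original post. Uses Resolve-DnsName (DnsClient
# module, built into Windows). The domain at the bottom is a placeholder.
function Test-DomainMailAuth {
    param([Parameter(Mandatory)][string]$Domain)

    $findings = [System.Collections.Generic.List[string]]::new()

    # TXT records at a name, with each record's 255-byte chunks joined back together.
    function Get-TxtRecords([string]$Name) {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' |
            ForEach-Object { -join $_.Strings }
    }

    # --- SPF: a TXT record at the domain apex starting with v=spf1 ---
    $spf = Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    if (-not $spf) {
        $findings.Add('No SPF record')
    } else {
        if ($spf -match '(^|\s)\+?all$') { $findings.Add('SPF ends in +all: anyone may send as this domain') }
        if ($spf -match '(^|\s)\?all$')  { $findings.Add('SPF ends in ?all: neutral, gives receivers nothing to enforce') }
        if ($spf -match '(^|\s)~all$')   { $findings.Add('SPF ends in ~all: softfail, acceptable only together with DMARC enforcement') }
        # include/a/mx/redirect/exists each consume one of the 10 permitted DNS lookups.
        $lookups = [regex]::Matches($spf, '(^|\s)[+\-~?]?(include:|a(?=[:\s]|$)|mx(?=[:\s]|$)|redirect=|exists:)').Count
        if ($lookups -gt 10) { $findings.Add("SPF needs $lookups DNS lookups (limit 10): receivers return permerror") }
    }

    # --- DMARC: a TXT record at _dmarc.<domain>; tags are semicolon-separated key=value ---
    $dmarc = Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $tags = @{}
    if ($dmarc) {
        foreach ($kv in ($dmarc -split ';')) {
            if ($kv -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
        }
        switch ($tags['p']) {
            'none'       { $findings.Add('DMARC p=none: reports only, spoofed mail is still delivered') }
            'quarantine' { $findings.Add('DMARC p=quarantine: spoofed mail lands in junk; reject is the goal') }
            'reject'     { }
            default      { $findings.Add('DMARC record has no valid p= tag and is ignored by receivers') }
        }
        if (-not $tags['rua']) { $findings.Add('No rua= address: you receive no aggregate reports') }
        if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings.Add("pct=$($tags['pct']): policy applied to a sample of mail only") }
        if (-not $tags['sp'] -and $tags['p'] -ne 'reject') { $findings.Add('No sp= tag: subdomains inherit the weak p= policy') }
    } else {
        $findings.Add('No DMARC record')
    }

    [pscustomobject]@{
        Domain   = $Domain
        SPF      = $spf
        DMARC    = $dmarc
        Policy   = $tags['p']
        Findings = $findings
    }
}

Test-DomainMailAuth -Domain 'corp.example' | Format-List
```

Run it against every domain you own, including parked ones that never send mail: those should carry "v=spf1 -all" and "v=DMARC1; p=reject" so nobody else can send as them either.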

Ensure Macro Scripts are Disabled for Microsoft Office Files Transmitted via Email:

Office has blocked VBA macros in files carrying the mark-of-the-web (downloaded from the Internet or saved from an email attachment) by default since 2022, but the behaviour should be enforced through Group Policy so users cannot re-enable macros from the Trust Center and so older Office builds follow the same rule.

Benefits:

  • Removes the "Enable Content" button for Internet-sourced files, the single click most macro-based malware depends on.
  • Closes one of the most common delivery vectors for ransomware loaders.

Caveats:

  • The block hinges on the mark-of-the-web. Files extracted from ISO/IMG images or from some archive formats may not carry it, which is why the attachment filter above should also block those containers.
  • Internal macro-driven workflows should be digitally signed and allowed via trusted publisher or trusted location, not by re-enabling macros globally.

More Information: Block Macros from the Internet in Office.
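As an added example (not code from the original post), the PowerShell below writes the same registry values the "Block macros from running in Office files from the Internet" policy writes, for each Office application under the current user's policy hive, and then shows how to inspect the Zone.Identifier stream that the block depends on. The sample file is constructed; Office 16.0 covers Office 2016, 2019, 2021 and Microsoft 365 Apps.

```powershell
# Added example, not from the original post. Writes the policy registry values
# for the current user and demonstrates the mark-of-the-web check. The .docm
# at the bottom is a constructed dummy, not a real document.

# 1. Policy: one key per application. 1 = block; Office removes the
#    "Enable Content" button for files whose zone is Internet (3) or Restricted (4).
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'
foreach ($app in $apps) {
    $key = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
    # VBAWarnings 3 = disable all macros except digitally signed ones, for every file.
    New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value 3 -Force | Out-Null
}

# 2. The block hinges on the Zone.Identifier alternate data stream that
#    browsers and mail clients write when saving a file. Attackers ship macros
#    inside ISO images or archives precisely to arrive without it.
function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneLine = $ads | Where-Object { $_ -match '^ZoneId=\d' } | Select-Object -First 1
    if (-not $zoneLine) {
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Note = 'No mark-of-the-web: the Internet macro block does not apply' }
    }
    $zone = [int]($zoneLine -replace '^ZoneId=', '')
    # 0 local machine, 1 intranet, 2 trusted sites, 3 Internet, 4 restricted sites
    $note = if ($zone -ge 3) { 'Internet-sourced: macros blocked by policy' } else { 'Trusted zone: macros may run' }
    [pscustomobject]@{ Path = $Path; ZoneId = $zone; Note = $note }
}

# Constructed sample: a dummy .docm stamped the way a mail client would stamp it.
$sample = Join-Path $env:TEMP 'invoice.docm'
Set-Content -Path $sample -Value 'not a real document'
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-FileZone -Path $sample
```

Run Get-FileZone against a file extracted from an ISO or a password-protected ZIP to see the failure mode for yourself: no stream, no block.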

Secure Domain Controllers (if you are not Entra ID only)

Domain Controllers are prime targets for threat actors, especially ransomware actors: whoever controls a DC controls every account and every Group Policy in the domain. They should be tightly monitored and secured.

Suggestions:

  • Ensure that DCs are regularly patched; apply patches for critical vulnerabilities as soon as possible.
  • Use free assessment tools such as PingCastle (an Active Directory risk report) and BloodHound (attack-path mapping) to find the weaknesses an attacker would use first. (We can provide assistance with this; we use these tools and can help you understand them.)
  • Restrict interactive and remote logon to DCs to Tier-0 administrators (Domain Admins and the built-in Administrators group); no day-to-day accounts and no service accounts.
  • Configure DC host firewalls to block outbound Internet access; a DC should never browse or download anything.
  • Disable WDigest credential caching and audit NTLM authentication, then restrict NTLM where the audit shows nothing depends on it.

More Information:
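The block below is an added example (not the post's own code) for three of the DC suggestions: it disables WDigest plaintext caching, turns on domain-wide NTLM auditing (the same setting as the "Restrict NTLM: Audit NTLM authentication in this domain" policy) with a function to summarize who still uses NTLM, and makes the DC's host firewall default-deny outbound with an allow rule for internal ranges only. The internal ranges are placeholders for your own; run it on a domain controller, elevated.

```powershell
# Added example, not from the original post. Run elevated on a domain
# controller. The internal address ranges are placeholders.
#Requires -RunAsAdministrator

# 1. WDigest: UseLogonCredential = 0 stops LSASS keeping reversible passwords
#    for Digest authentication (the default since Server 2012 R2; set it explicitly).
New-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
    -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null

# 2. NTLM auditing. AuditNTLMInDomain = 7 audits all NTLM authentication the
#    DC handles; events appear as ID 8004 in Microsoft-Windows-NTLM/Operational.
#    Restrict (RestrictNTLMInDomain) only after the audit shows nothing needs it.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty $msv -Name AuditNTLMInDomain         -PropertyType DWord -Value 7 -Force | Out-Null
New-ItemProperty $msv -Name AuditReceivingNTLMTraffic -PropertyType DWord -Value 2 -Force | Out-Null

function Get-NtlmAuditSummary {
    # Who is still authenticating with NTLM, from the last 1000 audit events.
    # Field names are those carried in the 8004 event's EventData section.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004 } `
        -MaxEvents 1000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{ User = $d.UserName; Workstation = $d.WorkstationName; Target = $d.SChannelName }
        } |
        Group-Object User, Workstation | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# 3. Host firewall: default-deny outbound, allow only internal networks.
#    DNS forwarders, patch sources and time sources must be inside these ranges
#    (or get their own allow rules), or the DC will break in interesting ways.
$internal = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'
New-NetFirewallRule -DisplayName 'DC: allow outbound to internal networks' -Direction Outbound `
    -Action Allow -RemoteAddress $internal -Profile Domain | Out-Null
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block

# Prove the DC cannot reach the Internet (expect False).
Test-NetConnection -ComputerName 1.1.1.1 -Port 443 -InformationLevel Quiet
Get-NtlmAuditSummary | Select-Object -First 10
```

Let the NTLM audit run for at least a full patch and month-end cycle before restricting: the scheduled job that only runs on the 1st is exactly the one that still uses NTLM.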

Password Requirements

Strong, unique passwords make it far harder for a threat actor to guess them online or to crack them offline after capturing hashes.

Suggestions:

  • 16-character minimum FOR ALL ACCOUNTS (longer for administrative and service accounts, whose hashes are the ones worth cracking).
  • Random string OR 5-7 random words separated by a dash (a passphrase).
  • Check new passwords against known-breached lists and drop forced periodic rotation; rotate when compromise is suspected (NIST SP 800-63B).

More Information: Use Strong Passwords | CISA
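As an added example (not from the original post), the following PowerShell enforces the 16-character minimum with Fine-Grained Password Policies, which bind to groups and are not limited by the Default Domain Policy editor's cap of 14 characters, adds a stricter policy for privileged accounts, and handles the gotcha that a new minimum only applies when a password is next changed. It assumes the ActiveDirectory module and Domain Admins rights; the user "jdoe" is a placeholder.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module
# and Domain Admins rights. 'jdoe' is a placeholder.
Import-Module ActiveDirectory

# One policy for everyone. Complexity is OFF on purpose: a dash-separated
# lowercase passphrase fails Windows' three-of-four character-class rule even
# though it is far stronger than "Summer2023!"; length does the work here.
$psoAll = New-ADFineGrainedPasswordPolicy -Name 'PSO-AllUsers-Min16' -Precedence 100 `
    -MinPasswordLength 16 -ComplexityEnabled $false -ReversibleEncryptionEnabled $false `
    -MaxPasswordAge '365.00:00:00' -MinPasswordAge '1.00:00:00' -PasswordHistoryCount 24 `
    -LockoutThreshold 10 -LockoutDuration '00:15:00' -LockoutObservationWindow '00:15:00' -PassThru

# Stricter policy for privileged accounts; the lower Precedence wins if both apply.
$psoAdm = New-ADFineGrainedPasswordPolicy -Name 'PSO-Privileged-Min25' -Precedence 10 `
    -MinPasswordLength 25 -ComplexityEnabled $false -ReversibleEncryptionEnabled $false `
    -MaxPasswordAge '365.00:00:00' -MinPasswordAge '1.00:00:00' -PasswordHistoryCount 24 `
    -LockoutThreshold 10 -LockoutDuration '00:15:00' -LockoutObservationWindow '00:15:00' -PassThru

# PSOs bind to global security groups (or individual users), not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoAll -Subjects 'Domain Users'
Add-ADFineGrainedPasswordPolicySubject -Identity $psoAdm -Subjects 'Domain Admins', 'Protected Users'

# Which policy a given user actually gets (no output = the domain default applies).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' | Select-Object Name, MinPasswordLength, Precedence

# The new minimum is only checked when a password is changed, so existing short
# passwords survive until their owners change them. Find those accounts...
function Get-UsersWithPrePolicyPasswords {
    param([datetime]$PolicySet = (Get-Date))
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } -Properties PasswordLastSet |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $PolicySet } |
        Select-Object SamAccountName, PasswordLastSet
}
# ...and make them change at next logon, in batches so the help desk survives.
Get-UsersWithPrePolicyPasswords | Select-Object -First 50 | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}
```

The 365-day maximum age is a compromise for environments whose auditors still require one; if yours do not, a breached-password check on change is worth more than any expiry interval.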

External Service Exposure

Do not expose highly targeted services such as Remote Desktop Protocol (RDP), FTP, or SMB to the Internet; these are routinely used by threat actors as initial access vectors, and exposed RDP in particular is a staple of ransomware intrusions. If a service is not absolutely critical to be externally facing, restrict all access; where remote access is genuinely needed, put it behind a VPN or zero-trust gateway that requires phishing-resistant MFA.

Benefits:

  • Minimizes your external footprint.
  • Removes the targets that opportunistic scanners and initial-access brokers look for, so they move on to someone else.

Conduct regular vulnerability scanning 

To identify and address vulnerabilities quickly, conduct regular vulnerability scans from both an internal and an external perspective. If you are a government or public entity, CISA's Cyber Hygiene Service will scan your external networks FOR FREE.

Benefits:

  • Know what vulnerabilities are in your environment.
  • Trending data over time shows whether patches are actually being applied.

More Information: https://www.cisa.gov/cyber-hygiene-services

Server Message Block (SMB) Hardening

SMB is essential to any internal network, but it is also heavily abused when poorly configured. The following suggestions make it increasingly difficult for threat actors to use it for lateral movement.

Suggestions:

  • Disable Server Message Block (SMB) protocol version 1 and upgrade to version 3 (SMBv3); require SMB 3.1.1 where the operating system allows a minimum dialect to be set.
  • Block unnecessary SMB communications. Block external access to SMB to and from organization networks by blocking TCP port 445 inbound and outbound at Internet perimeter firewalls, and block UDP ports 137 and 138 and TCP port 139 as well. Note: SMBv2 and later does not use NetBIOS datagrams.
  • Continuing to use SMBv2 does not carry significant risk and it can be used where needed; update to SMBv3 where feasible.
  • Block or limit internal SMB traffic so that communications only occur between systems that require it. For instance, Windows devices need SMB communications with domain controllers to get Group Policy, but most Windows workstations do not need to access other Windows workstations.
  • Configure Microsoft Windows and Windows Server systems to require Kerberos-based IP Security (IPsec) for lateral SMB communications, so that systems that are not members of the organization's Active Directory domain cannot talk SMB to domain members at all.
  • Disable the SMB Server service ("Server") on Windows and Windows Server devices where there is no need to access files remotely or to expose named-pipe application programming interfaces (APIs).
  • Consider requiring SMB encryption (SMB 3.0 and later) and SMB signing, so that clients cannot fall back to unencrypted or unsigned sessions.
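The PowerShell below is an added example (not the post's own code) that applies the SMB suggestions above on one Windows client or server: it audits SMB1 use before removing it, requires signing and encryption, raises the minimum dialect to 3.1.1 where the OS supports that setting (Windows 11 24H2 / Windows Server 2025 and later, so the step is guarded), scopes inbound file sharing to a management subnet, blocks SMB to the Internet, and reports what live sessions actually negotiated. The management subnet is a placeholder.

```powershell
# Added example, not from the original post. Run elevated. The management
# subnet is a placeholder; Smb2DialectMin exists only on newer OS builds.
#Requires -RunAsAdministrator

# 1. Learn who still uses SMB1 before removing it: audit events (ID 3000) land
#    in Microsoft-Windows-SMBServer/Audit with the client address.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 2. Remove SMB1 once the audit is quiet (server setting and the optional feature).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 3. Require signing and encryption. Encryption needs SMB 3.0+;
#    RejectUnencryptedAccess deliberately locks out clients that cannot do it.
Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true -RejectUnencryptedAccess $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 4. Minimum dialect 3.1.1 where supported: pre-authentication integrity exists
#    only in 3.1.1 and is what stops downgrade attacks on the negotiation.
if ((Get-Command Set-SmbServerConfiguration).Parameters.ContainsKey('Smb2DialectMin')) {
    Set-SmbServerConfiguration -Smb2DialectMin SMB311 -Force
}

# 5. Workstations rarely need to serve files. Windows Firewall lets block rules
#    win over allow rules, so scope the built-in inbound file-sharing rules to
#    the management subnet rather than adding a broad block rule, keep inbound
#    default-deny, and never let SMB leave for the Internet.
$mgmt = '10.10.0.0/24'
Set-NetFirewallProfile -All -DefaultInboundAction Block
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $mgmt
New-NetFirewallRule -DisplayName 'SMB outbound: block to Internet (TCP)' -Direction Outbound -Protocol TCP `
    -RemotePort 445, 139 -RemoteAddress Internet -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'SMB outbound: block to Internet (UDP)' -Direction Outbound -Protocol UDP `
    -RemotePort 137, 138 -RemoteAddress Internet -Action Block | Out-Null

# Verification: configuration plus what live sessions actually negotiated.
function Get-SmbHardeningStatus {
    $s = Get-SmbServerConfiguration
    $conns = @(Get-SmbConnection -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Smb1Enabled        = $s.EnableSMB1Protocol
        SigningRequired    = $s.RequireSecuritySignature
        EncryptionRequired = ($s.EncryptData -and $s.RejectUnencryptedAccess)
        LiveDialects       = ($conns.Dialect | Sort-Object -Unique) -join ', '
        UnsignedSessions   = @($conns | Where-Object { -not $_.Signed }).Count
    }
}
Get-SmbHardeningStatus
```

Blocking outbound SMB to the Internet also defeats the forced-authentication tricks (a UNC path in a document or a crafted LNK) that leak NetNTLM hashes to an attacker's server; that alone is worth the rule.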

If you have a bit of money to spend…

Endpoint Detection and Response (EDR)

EDR is one of the most effective ways to stop and contain threats. We cannot emphasize enough how important it is to deploy an EDR agent to ALL endpoints (workstations and servers) in your environment, with tamper protection on and alerts that someone actually watches. If you only take one thing from this blog, it should be this.

While not free by any means, a quality EDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, etc.) gives you an immense advantage against threat actors.

We would love to help you do this at a cost-effective price. Contact us to learn more.

Conclusion

Combined, these free measures raise the cost of attacking your environment considerably and make it much harder for a threat actor who does get in to move laterally. While some powerful cybersecurity measures require investment, numerous effective strategies can be implemented at no cost.

FalconOps Cybersecurity is dedicated to guiding you through the complexities of cybersecurity, ensuring your organization's digital safety. For personalized security assessments, consultations, and assistance in implementing these measures, do not hesitate to reach out to us.
