Protection of institutions against cyber attacks as recommended by NÚKIB
This article is primarily targeted at Czech state institutions and is based on recommendations of the Czech authority. However, the guidance and recommendations provided below can be applied to any organization.
The National Cyber and Information Security Agency (NÚKIB) published a warning against cyber threats targeting Czech state institutions, and hospitals in particular. NÚKIB assesses this threat as high.
Activate phishing protection in Office 365
Office 365 offers advanced phishing protection within Office 365 Advanced Threat Protection.
In the Security & Compliance Center, under Threat Management – Policy, select Anti-phishing and either edit the default anti-phishing policy or create a new one.
In Users to protect, select the users you want to explicitly protect against impersonation. Here, you should select users that are of some importance to your organization and could therefore most likely be targeted by attackers who impersonate those users. This is typically the management of an organization or IT department – CEO, CFO, CTO, CISO, etc.
Under Domains to protect, enable protection for all domains that you own. Optionally, you can explicitly set protection for external domains that are of some importance to your organization, such as key vendors or partners.
In the Actions section, you should choose to quarantine all emails detected as a domain or user impersonation.
Next, enable mailbox intelligence.
In the last step, you can optionally add trusted senders.
Next, enable anti-spoofing protection and set the policy to aggressive.
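The same anti-phishing policy built with Exchange Online PowerShell instead of the portal, as an added example that is not part of the original article; it assumes Connect-ExchangeOnline has already been run, and the policy name, users and domains are placeholders to replace with your own.

```powershell
# Added example: the anti-phishing policy described above via Exchange Online PowerShell.
# Assumes an existing Connect-ExchangeOnline session (ExchangeOnlineManagement module).
$policyName = "NUKIB-AntiPhish"                    # hypothetical policy name
$orgDomains = @("contoso.cz")                      # placeholder: domains you own
$partners   = @("keyvendor.example")               # placeholder: important external domains

# Users to protect against impersonation, as "DisplayName;smtp address" pairs
$usersToProtect = @(
    "CEO Name;ceo@contoso.cz",
    "CISO Name;ciso@contoso.cz"
)

$params = @{
    Name                                = $policyName
    # User impersonation: quarantine on a hit
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $usersToProtect
    TargetedUserProtectionAction        = "Quarantine"
    # Domain impersonation: all owned domains plus selected partner domains
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $partners
    TargetedDomainProtectionAction      = "Quarantine"
    # Mailbox intelligence: learn each user's contact graph and act on anomalies
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "Quarantine"
    # Anti-spoofing, quarantining messages that fail composite authentication
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = "Quarantine"
    # Phishing threshold: 1 = standard, 2 = aggressive, 3 = more, 4 = most aggressive
    PhishThresholdLevel                 = 2
    # Optional trusted senders that bypass the impersonation checks
    ExcludedSenders                     = @("newsletter@trusted.example")
}

if (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    $params.Remove("Name")
    Set-AntiPhishPolicy -Identity $policyName @params
} else {
    New-AntiPhishPolicy @params | Out-Null
    # The rule scopes the policy to recipients in your own domains
    New-AntiPhishRule -Name "$policyName-Rule" -AntiPhishPolicy $policyName -RecipientDomainIs $orgDomains
}

# Verify the effective settings
Get-AntiPhishPolicy -Identity $policyName | Format-List Name, PhishThresholdLevel,
    TargetedUserProtectionAction, TargetedDomainProtectionAction, MailboxIntelligenceProtectionAction
```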
Report Message button in Outlook
The Report Message button allows users to report suspicious messages that can be analyzed by administrators in the Submissions section of the Security & Compliance Center.
In Services & add-ins, click Deploy add-in and find the Report Message add-in in the Store. Under Assigned users select Everyone, under Deployment method select Fixed, and click through the rest of the wizard.
Safe Attachments for advanced attachment protection
Safe Attachments is the advanced attachment protection in Office 365 ATP. In the background, the service performs so-called detonation: each attachment is executed in an isolated environment and its behaviour is monitored. It detects whether the attachment tries to change files, start or stop services, connect to the Internet and download further files, exploit known bugs, etc. This is a very effective method of protection against zero-day vulnerabilities.
In the Security & Compliance Center, go to Threat Management – Policy and select Safe attachments. Check Turn on ATP for SharePoint, OneDrive, and Microsoft Teams at the top to protect users from malicious files in cloud services.
Create a new safe attachment policy that blocks malware-containing attachments and applies to all of your domains.
Safe Links for advanced link protection
Office 365 Safe Links is an advanced link protection service. Links in emails are rewritten to point to a proxy address of the service, which scans the target page for malicious code in real time when the link is clicked.
In the Security & Compliance Center, go to Threat Management – Policy and select Safe Links. In the default organization-wide policy, enable Safe Links in Office 365 applications and prohibit users from clicking through to the original URL.
Then create a new Safe Links user policy that enables Safe Links, enables integration with Teams, enables real-time scanning, and does not allow users to click through to the original URL. Apply the policy to all domains in your organization.
Advanced malware protection in Office 365
In the Security & Compliance Center, go to Threat Management – Policy and select Anti-malware. Modify the policy to enable the Common attachment types filter and Malware zero-hour auto purge. In the Common attachment types filter, keep the default blocked file types and verify that at least the following are present, adding them if necessary – .exe, .msi, .bat, .cmd, .jar, .vbs, .ps1, .ps2.
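The Safe Attachments, Safe Links and anti-malware steps above as one Exchange Online PowerShell script, added here as an example and not taken from the original article; it assumes an existing Connect-ExchangeOnline session, and policy names and domains are placeholders. Parameter names follow the Office 365 ATP-era cmdlets; newer module versions have renamed some of them (notably the click-through switches).

```powershell
# Added example: Safe Attachments, Safe Links and anti-malware settings via Exchange Online PowerShell.
# Assumes Connect-ExchangeOnline has been run; names and domains below are placeholders.
$orgDomains = @("contoso.cz")                      # placeholder: your accepted domains

# --- Safe Attachments ---
# Global switch: ATP for files in SharePoint, OneDrive and Teams
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Policy: detonate attachments and block the message when malware is found
New-SafeAttachmentPolicy -Name "NUKIB-SafeAttachments" -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name "NUKIB-SafeAttachments-Rule" `
    -SafeAttachmentPolicy "NUKIB-SafeAttachments" -RecipientDomainIs $orgDomains

# --- Safe Links ---
# Organization-wide: rewrite links in Office 365 apps, no click-through to the original URL
Set-AtpPolicyForO365 -EnableSafeLinksForO365Clients $true -AllowClickThrough $false

# User policy: Teams integration, real-time URL scanning, no click-through
New-SafeLinksPolicy -Name "NUKIB-SafeLinks" -IsEnabled $true -EnableSafeLinksForTeams $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -DoNotAllowClickThrough $true `
    -EnableForInternalSenders $true
New-SafeLinksRule -Name "NUKIB-SafeLinks-Rule" -SafeLinksPolicy "NUKIB-SafeLinks" -RecipientDomainIs $orgDomains

# --- Anti-malware: common attachment types filter plus zero-hour auto purge (ZAP) ---
# File types are listed without the leading dot; the defaults are kept and merged with ours
$required = @("exe", "msi", "bat", "cmd", "jar", "vbs", "ps1", "ps2")
$current  = @((Get-MalwareFilterPolicy -Identity Default).FileTypes)
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -ZapEnabled $true `
    -FileTypes (($current + $required) | Select-Object -Unique)

# Verify that every required type is now blocked
$after = @((Get-MalwareFilterPolicy -Identity Default).FileTypes)
$required | Where-Object { $after -notcontains $_ } | ForEach-Object { "MISSING: $_" }
```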
Microsoft Defender Advanced Threat Protection
Microsoft Defender Advanced Threat Protection (Defender ATP) is an advanced enterprise security product built on the Windows Defender antivirus that ships free with Windows.
You need to create a workspace before you deploy Defender ATP. You can then start onboarding computers and servers to Defender ATP through Intune, Group Policy, System Center Configuration Manager or a PowerShell script.
Within the recommended protection configuration, you should enable / enforce the following:
- SmartScreen for Edge
- SmartScreen for apps and files
- Malicious site access
- Unverified file download
- Real-Time monitoring
- Behavior monitoring
- Network Inspection System
- Cloud-delivered Protection
- Attack Surface Reduction Rules (ASR) and block:
  - Office apps/macros creating executable content
  - Office apps launching child processes
  - Win32 imports from Office macro code
  - Obfuscated js/vbs/ps/macro code
  - js/vbs executing payload downloaded from Internet (no exceptions)
  - Executables that don’t meet a prevalence, age, or trusted list criteria
  - Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
- Advanced Ransomware Protection
- Network Protection
- Tamper Protection
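What the recommended configuration above comes down to on a single endpoint, shown with Set-MpPreference and followed by a verification pass; this is an added example, not a script from the original article or from Microsoft, and the ASR rule GUIDs are the ones Microsoft publishes in its ASR rule reference. Intune or Group Policy is the way to roll this out at scale; Tamper Protection and the SmartScreen items are not exposed by Set-MpPreference and stay in Security Center, Intune or GPO.

```powershell
# Added example: apply the Defender settings listed above on one Windows endpoint
# (run elevated) and verify the result. Tamper Protection and SmartScreen are not
# settable here; use Security Center, Intune or Group Policy for those.

# Real-time, behaviour, cloud-delivered and Network Inspection System protection
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -DisableBehaviorMonitoring $false `
                 -DisableIntrusionPreventionSystem $false `
                 -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendAllSamples

# Network Protection
Set-MpPreference -EnableNetworkProtection Enabled

# ASR rules matching the list above (GUIDs from Microsoft's ASR rule reference)
$asrRules = [ordered]@{
    "3B576869-A4EC-4529-8536-B80A7769E899" = "Office apps creating executable content"
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Office apps launching child processes"
    "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" = "Win32 API calls from Office macro code"
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" = "Obfuscated js/vbs/ps/macro code"
    "D3E037E1-3EB8-44C8-A917-57927947596D" = "js/vbs launching downloaded executable content"
    "01443614-CD74-433A-B99E-2ECDC07BFC25" = "Executables failing prevalence/age/trusted list"
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Executable content dropped from email/webmail"
    "C1DB55AB-C21A-4637-BB3F-A12568109D35" = "Advanced ransomware protection"
}
foreach ($id in $asrRules.Keys) {
    # Enabled = block mode; Add-MpPreference keeps rules already configured elsewhere
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Verify: every rule above must report action 1 (Enabled/block), not 2 (Audit) or missing
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
foreach ($id in $asrRules.Keys) {
    $i = -1
    for ($k = 0; $k -lt $ids.Count; $k++) { if ($ids[$k] -ieq $id) { $i = $k } }
    $state = if ($i -ge 0 -and $acts[$i] -eq 1) { "BLOCK" } else { "MISSING/AUDIT" }
    "{0,-14} {1}" -f $state, $asrRules[$id]
}
# MAPSReporting 2 = Advanced, EnableNetworkProtection 1 = Enabled
"Realtime={0} Behaviour={1} NIS={2} MAPS={3} NetworkProtection={4}" -f `
    (-not $pref.DisableRealtimeMonitoring), (-not $pref.DisableBehaviorMonitoring),
    (-not $pref.DisableIntrusionPreventionSystem), $pref.MAPSReporting, $pref.EnableNetworkProtection
```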
Enable file blocking in Microsoft Defender ATP
First, enable the Allow or block file feature in Defender ATP: in the Defender Security Center, go to Settings – Advanced features and activate Allow or block file.
Creating indicators to block the file hashes provided by NÚKIB
In its document, NÚKIB published the hashes (MD5, SHA-1 and SHA-256) of seven files that should be blocked.
Add the hashes from the NÚKIB document as file indicators with a blocking action under Defender Security Center – Settings – Indicators.
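The same indicators created through the Defender ATP Indicators API, which is what the Settings – Indicators page drives interactively; this is an added example rather than the article's own procedure, and it assumes an Azure AD app registration with the Ti.ReadWrite permission whose OAuth token is already in $token, with the hash values being placeholders to replace with the SHA-256 values from the NÚKIB document.

```powershell
# Added example: push file-hash indicators to Defender ATP via its Indicators API.
# Assumes an app registration with Ti.ReadWrite and a bearer token in $token.
$token  = "<bearer token from the app registration>"     # placeholder
$hashes = @(                                              # placeholders, not real values
    "<sha256 #1 from the NUKIB document>",
    "<sha256 #2 from the NUKIB document>"
)

function Add-DefenderFileIndicator {
    param([string]$Sha256, [string]$Title, [string]$Token)
    $body = @{
        indicatorValue = $Sha256
        indicatorType  = "FileSha256"
        action         = "AlertAndBlock"      # block execution and raise an alert
        title          = $Title
        description    = "Blocked per NUKIB warning"
        severity       = "High"
    } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "https://api.securitycenter.microsoft.com/api/indicators" `
        -Headers @{ Authorization = "Bearer $Token"; "Content-Type" = "application/json" } `
        -Body $body
}

$n = 0
foreach ($h in $hashes) {
    $n++
    Add-DefenderFileIndicator -Sha256 $h -Title "NUKIB file $n" -Token $token |
        Select-Object id, indicatorValue, action
}

# Confirm what the tenant now holds for these values
(Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/indicators" `
    -Headers @{ Authorization = "Bearer $token" }).value |
    Where-Object { $hashes -contains $_.indicatorValue } | Select-Object indicatorValue, action
```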