![\"Microsoft](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories-300x112.png\")
As a part of our journey to reduce our ransomware risk internally here at Microsoft, we\u2019ve identified five principles that we believe every enterprise should follow to make themselves more secure from these attacks. We call these our Foundational Five of Ransomware.<\/p>\n
While we use Microsoft products to secure our systems, infrastructure, data, and identities, the Foundational Five are product agnostic and can be scaled to meet the needs and requirements of organizations of any size. This is especially important for smaller organizations, with 70 percent of encounters with human-operated ransomware happening in organizations with fewer than 500 employees, according to the Microsoft Digital Defense Report 2023<\/a>.<\/p>\n <\/p>\n It\u2019s a well-known fact that today\u2019s threat actors don\u2019t break in, they sign in. Whether done through illicitly acquired credentials, brute force attacks, or phishing, inadequate protective measures for authentication are like leaving the front door wide open for attackers to walk through.<\/p>\n Microsoft Incident Response observed that 21 percent of customers who experienced ransomware didn\u2019t have MFA or didn\u2019t mandate MFA for privileged accounts, while 37 percent didn\u2019t have advanced MFA protection mechanisms enabled.<\/p>\n \u20142023 Microsoft Digital Defense Report<\/p>\n<\/blockquote>\n The growth in password-based identity attacks on Microsoft Entra is startling, with a 10-fold increase observed between 2022 and 2023. While the use of multi-factor authentication (MFA) adds an extra layer of security, threat actors are increasingly turning to techniques such as MFA bombing to catch unwitting users off guard. Earlier in 2023, we observed 6,000 MFA fatigue attempts per day on customer identities. This is why we strongly advise using phishing-resistant MFA.<\/p>\n Phishing-resistant MFA differs from traditional MFA by binding the token to the legitimate user\u2019s device. Windows Hello for Business and FIDO2 services, like physical tokens and Passkey, are examples of technologies that can be used for added protection. When combined with conditional access policies and step-up authentication, this can be an effective method to protect users who have access to sensitive resources or high-risk roles.<\/p>\n Microsoft Incident Response observed that 21 percent of customers who experienced ransomware didn\u2019t have MFA or didn\u2019t mandate MFA for privileged accounts, while 37 percent didn\u2019t have advanced MFA protection mechanisms enabled.<\/p>\n Phishing-resistant MFA with conditional access can help prevent:<\/p>\n What we use:<\/p>\n Microsoft has observed that approximately 16 percent of human-operated ransomware activity involved both encryption and exfiltration, while 13 percent used exfiltration exclusively.<\/p>\n \u20142023 Microsoft Digital Defense Report<\/p>\n<\/blockquote>\n Much of the Foundational Five is about setting up preventative measures to secure your organization. But in the event of a successful breach, it\u2019s important that your data remains secure and accessible. For many organizations that have suffered a ransomware attack the biggest costs associated are restoring business continuity, including access to the files and resources vital to your organization.<\/p>\n Setting up automatic cloud backup and file-syncing is one of the simplest ways to help achieve this, and arguably delivers the biggest bang for the buck in a ransomware prevention strategy. Active automatic backups can thwart common ransomware tactics including the disabling of system recovery capabilities and the deletion of , which are essential for business continuity. In some cases, it might be effective in preventing the exfiltration of documents, which can be used for data dumping, or double and triple extortion.<\/p>\n \u201cMicrosoft has observed that approximately 16 percent of human-operated ransomware activity involved both encryption and exfiltration, while 13 percent used exfiltration exclusively,\u201d states the 2023 Microsoft Digital Defense Report.<\/p>\n We recommend at a minimum setting up automatic cloud backup and file-syncing on all user devices for key folders such as Desktop, Documents, and other locations where user data and business-critical data are stored.<\/p>\n Automatic cloud backup and file-syncing protects people from:<\/p>\n What we use:<\/p>\n As there are always new and evolving cyber-risks, it\u2019s a continual effort to create an environment that\u2019s protected from ransomware by proactive measures. And while it might not be possible to guarantee an environment entirely free of threats and risks, it\u2019s something worth striving towards.<\/p>\n Creating a threat- and risk-free environment starts with ensuring that the devices joining your network are healthy, and that controls are put in place to ensure vulnerabilities and threats are managed. We ensure this through the comprehensive use of endpoint detection and response (EDR) and our device management policy for all devices and operating systems. Our device health policy includes mandatory encryption, antimalware, tamper protection, specific mandatory hardware configurations, and minimum operating system version requirements. Devices that aren’t patched, updated, or properly configured are frequently exploited by threat actors and are vulnerable to cyberattacks. These devices aren\u2019t allowed on our network\u2014no exceptions permitted.<\/p>\n Threat- and risk-free environments protect against:<\/p>\n What we use:<\/p>\n The standards and policies an organization uses to protect against ransomware are only as good as the degree of adherence. This is where security posture management can help drive down the risk of a successful ransomware attack.<\/p>\n The monitoring of cloud-based systems and infrastructures creates visibility and improves control over policies and configurations. It highlights risks and misconfigurations, such as insecure secrets and keys, potential points of data exposure, and data flows and resources containing sensitive and shadow data to be discovered and remediated. Increasingly, remediation can be automated when triggered by security events.<\/p>\n Strong posture management can protect against:<\/p>\n What we use:<\/p>\n Least privileged access (LPA) involves limiting access to only what\u2019s necessary to perform the intended function. This includes concepts such as removing admin from a workstation, limiting access to on-premises and cloud environments, and restricting access to critical services to only specific administrative roles. It\u2019s a way of reducing the cyber-attack surface, stopping the spread of malicious activity. Additionally, LPA helps to prevent privilege creep, which happens when users accumulate unnecessary access to accounts over time.<\/p>\n LPA can help prevent ransomware attacks by limiting the access rights of users and devices to only the resources they need to perform their tasks. Should a user or device be compromised by ransomware, the impact and spread of the infection is minimized. Ransomware often relies on exploiting vulnerabilities or stealing credentials to gain access to sensitive data and systems. By applying the principle of least privilege, organizations can reduce the attack surface and the potential damage of ransomware attacks.<\/p>\n We recommend applying LPA over the entire technology stack as it ensures complete protection of all parts including devices, users, applications, systems, and data. Comprehensive application will require a solution that can manage and secure privileged credentials and controls.<\/p>\n When applied to the entire stack, LPA protects against:<\/p>\n What we use:<\/p>\n The Foundational Five are an excellent starting point to defending your enterprise against ransomware. However, it\u2019s just the beginning of a broader, more involved strategy against cybercrime.<\/p>\n If your organization doesn\u2019t already have one, consider developing a ransomware incident response playbook<\/a> and pressure-test its efficacy with table-top exercises or attack simulations. Incident response preparedness has an outsized effect on business continuity and recovery.<\/p>\n Additionally, as phishing is a common starting point for ransomware threat actors, consider frequent phishing simulations, and education and awareness training for employees on topics including business email compromise and vendor email compromise\u2014both of which are on the rise.<\/p>\n![\"The](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579-Ransomware-Graphic-300x169.png\")
Our Foundational Five are:<\/h3>\n
\n
![\"1.\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/02\/1-icon-50x50-1.png\"){kind=icon}
Modern authentication with phishing-resistant multi-factor authentication<\/h2>\n\n
![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579-Icon-13-29x25-1.png\"){kind=icon}
Windows Hello for Business<\/strong> enhances multifactor authentication by offering secure sign-in capabilities and enabling a passwordless experience.<\/p>\n![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579-_Icon_11-32x35-1.png\"){kind=icon}
Authenticator app<\/strong> is a secure and encrypted application that facilitates multifactor authentication to safeguard access to accounts and services.<\/p>\n![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_12-32x35-1.png\"){kind=icon}
Entra ID<\/strong> serves as a comprehensive identity and access management solution.<\/p>\nSecure Service Edge<\/strong> functions as a unified security point for protecting data and users across all network traffic.<\/p>\n![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_14-31x13-1.png\"){kind=spacer}
FIDO keys<\/strong> offer a form of hardware-based authentication that is resistant to phishing and other forms of account compromise.<\/p>\n![\"2.\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/02\/2-icon-50x50-1.png\"){kind=icon}
Automatic cloud backup and file-syncing for user and business-critical data<\/h2>\n\n
![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_9-45x25-1.png\"){kind=icon}
OneDrive for Business<\/strong> is used for cloud-based device backups, ensuring data recovery in case of device compromise.<\/p>\n![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_10-42x35-1.png\"){kind=icon}
Azure Backup Center<\/strong> (also known as Azure Cloud Backup) is used for the automated backup of Azure infrastructure and data, providing a reliable disaster recovery solution.<\/p>\n![\"3.\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/02\/3-icon-50x50-1.png\"){kind=icon}
Threat- and risk-free environments<\/h2>\n\n
![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_7-37x35-1.png\"){kind=icon}
Microsoft Entra Privileged Identity Management<\/strong> is used for managing and monitoring privileged roles within our organization.<\/p>\n![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_6-38x35-1.png\"){kind=icon}
Microsoft Defender for Cloud<\/strong> offers comprehensive protection across cloud services to secure infrastructure and data.<\/p>\n![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_8-37x35-1.png\"){kind=icon}
Microsoft Defender for Endpoint<\/strong> provides advanced threat defense and post-breach detection for endpoints.<\/p>\n![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_5-32x35-1.png\"){kind=icon}
Microsoft Entra Identity Protection<\/strong> uses automated responses to detected identity risks, safeguarding user identities within the organization.<\/p>\n![\"4.\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/02\/4-icon-50x50-1.png\"){kind=icon}
Posture management for compliance and the health of devices, services, and assets<\/h2>\n\n
Microsoft Defender for Endpoint<\/strong> provides advanced protection for enterprise endpoints with threat prevention, detection, and response capabilities.<\/p>\nMicrosoft Defender for Cloud<\/strong> secures cloud services by safeguarding infrastructure and data against threats.<\/p>\n![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_4-32x35-1.png\"){kind=icon}
Azure Policy<\/strong> enforces organizational standards and monitors compliance, providing automated remediation for policy violations.<\/p>\n![\"5.\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/02\/5-icon-50x50-1.png\"){kind=icon}
Least privileged access applied to the entire technology stack<\/h2>\n\n
![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_3-35x35-1.png\"){kind=icon}
Entra PIM <\/strong>manages roles and permissions, ensuring just-in-time access to critical resources in line with LPA.<\/p>\n![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_2x39x35.png\"){kind=icon}
Intune <\/strong>protects least privilege by enabling organizations to run users as standard while elevating privileges only when necessary.<\/p>\n![\"\"](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2024\/03\/10579_Icon_1-38x35-1.png\"){kind=icon}
Entra Conditional Access within Microsoft Entra<\/strong> secures resource access by enforcing rules based on user location, device status, and sign-in behavior.<\/p>\nBuilding an even stronger foundation<\/h2>\n
![\"Key](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways-300x74.png\")
\nHere are some suggestions for getting started with the Foundational Five of ransomware elimination at your company:<\/p>\n\n
![\"Related](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links-300x81.png\")
<\/p>\n\n
![\"Try](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/07\/OKR_Try_it_out-300x68.png\")
\nStrengthen your security posture with Microsoft Azure.<\/a><\/p>\n
![\"We'd](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/Customer-Survey-580x85-1.png\")