{"id":8451,"date":"2023-11-13T09:08:55","date_gmt":"2023-11-13T17:08:55","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=8451"},"modified":"2023-11-13T09:39:45","modified_gmt":"2023-11-13T17:39:45","slug":"sharing-how-microsoft-protects-against-ransomware","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/sharing-how-microsoft-protects-against-ransomware\/","title":{"rendered":"Sharing how Microsoft protects against ransomware"},"content":{"rendered":"

\"MicrosoftAnyone can fall victim to ransomware.<\/p>\n

As cybercriminals shift from wide-net approaches to focus on precision attacks against high-dollar targets, there is extra pressure for companies and governments to evaluate and defend themselves against ransomware attacks.<\/p>\n

This is why Microsoft is driving new priorities to protect our company, our people, and our customers.\u00a0We launched our Ransomware Elimination Program (REP)\u2014a multi-stakeholder effort built upon Zero Trust<\/a>\u2014to better understand our risk profile and deploy additional controls, processes, and practices to improve resiliency against intrusion.<\/p>\n

This allowed us to weave our many different ransomware systems and processes into a single agile framework that we use to holistically guard against attacks.<\/p>\n

It\u2019s made a big difference for us\u2014we\u2019re now better able to analyze our systems, understand capabilities, and innovate on some of the solutions we rely on to stay safe.<\/p>\n


A new threat emerges<\/h2>\n

Ransomware today is a large and profitable business where technically skilled human operators work in unison to exploit high-value targets. Healthcare, government, utilities, businesses, and universities have all been victimized by gangs of hackers. It wasn\u2019t always this way, though.<\/p>\n

Historically, ransomware was a commodity effort, meaning attacks were automated and spread like a virus. Phishers spammed as many accounts as possible in the hope of infecting a device with malware. Once inside the device, the ransomware encrypted files and folders, holding them hostage. Cybercriminals then extorted the victim, selling back access to the device.<\/p>\n

By contrast, today\u2019s human-operated ransomware<\/a> attacks are a well-researched and coordinated effort to gain access to cloud and on-premises infrastructures. Cybercriminals work with intention, adapting and exploiting the environment as they move laterally in search of high-value business resources. And unlike commodity efforts, which can be cleaned up with malware remediation, human-operated ransomware poses a continuous threat.\u00a0Left unchecked, the threat and costs associated will continue to grow.<\/p>\n

The elimination of ransomware presents several challenges, and some of the most effective methods are out of our control. We can\u2019t limit or remove motive; bad actors will always try to exploit others for gain. We can\u2019t lock down the means either, as hackers rely on the same tools and skills that developers use to bring good into this world.<\/p>\n

What we can<\/em> do is limit the opportunity and make it harder for ransomware to disrupt our lives.<\/p>\n

Addressing the challenge with simple questions<\/h2>\n
\"Patton
Carmichael Patton is a principal program manager on Microsoft\u2019s internal enterprise security team.<\/figcaption><\/figure>\n

Faced with addressing increasingly common attacks, we, the company\u2019s internal enterprise security team, asked ourselves some basic questions, including, \u201cHow protected and resilient would we be if we were attacked,\u201d and \u201cHow do we evolve past protecting against ransomware and aspire to a bigger goal of eliminating ransomware threats?\u201d<\/p>\n

Our foundation of Zero Trust<\/a> provides a solid base to build upon. It ensures that devices are registered, that users are who they say they are, and that devices are healthy and current. However, when it comes to ransomware, we realized there were opportunities to add controls and gain more stability across our systems.<\/p>\n

We started investigating ourselves, looking for areas to improve, gaps to close, and ways to reduce risk.<\/p>\n

We looked at everything. We looked at the tools, policies, and processes we have and made sure they were up and running. We checked configurations and adjusted settings to get the best outcomes. If we found a gap, we set out to fix it.<\/p>\n

Put another way, we asked simple questions like, \u201cWhat can we do, what should we do, and what can\u2019t we do?\u201d<\/p>\n

Eliminating ransomware from the inside out<\/h2>\n

All that questioning led us to the conclusion that we needed to centralize our efforts.<\/p>\n

Instead of each engineering or service group managing the threat on their own, we\u2019d use a holistic, cohesive approach spanning devices and services. We developed a playbook, a way to test ransomware scenarios and build out a set of best practices for response, recovery, and remediation.<\/a> We shifted our focus to catching human-operated ransomware in earlier stages, where it is less likely to cause real damage.<\/p>\n

And, because human-operated ransomware is always changing, we knew this would need to be an ongoing effort. That\u2019s why we created the Ransomware Elimination Program (REP).<\/p>\n

The REP team drives the effort to boost resiliency across our company and for our customers. Within REP, we work towards creating an optimal ransomware resiliency state where Zero Trust is employed, Windows 11 is deployed, and tools like Microsoft Defender for Endpoint are configured with network and tamper protection in place.<\/p>\n

Simplified, REP is about defining a requirement and building out implementations of core protections, pervasive backups, and comprehensive alerts across all our enterprise assets including identities, devices, services, and data stores.<\/p>\n

It\u2019s a perpetual alignment exercise: getting security information and event management (SIEM) up for the security operations center (SOC), enabling protections in Office 365, controlling standard and conditional access, and always asking, \u201cWhat can we do, what should we do, and what can\u2019t we do?\u201d<\/p>\n

Because Microsoft products are so pervasive across the planet, they\u2019re also a main target for ransomware attacks. We want to make attacks against Windows, Microsoft Azure, and our other products as difficult as possible.<\/p>\n

Making ransomware a top priority<\/h2>\n

REP\u2019s most important impact is that it makes it harder for cybercriminals to commit ransomware attacks. We do this by incorporating industry trends and feedback from customers and continuing to build out our own security research and threat intelligence. At the same time, our increased resiliency (the ability to respond, recover, and remediate) diminishes the likelihood of attackers receiving any kind of reward.<\/p>\n

Because we have centralized the response through the program, we\u2019re also able to prioritize our efforts. Having the core practice of Zero Trust in place goes a long way toward making this possible. Evaluating our weaknesses and gaps is a constant project, but we\u2019re also able to take the learnings we\u2019ve gathered from these exercises and share them with our product and service teams to create better protections for the enterprise and the customer.<\/p>\n

Ransomware is constantly evolving, and its elimination requires a holistic and cohesive approach. REP is an essential part of the front-line defense that protects devices against attacks.<\/p>\n

\"Key<\/p>\n