Azure Defenses for Ransomware Attack eBook - Key points

The eBook Azure Defenses for Ransomware Attack [PDF] lays out the key Azure-native capabilities and defenses against ransomware attacks, with guidance on how to proactively use them to protect your assets in the Azure cloud.

Key points -

Ransomware is a type of malware that infects a computer and restricts a user's access to the infected system or specific files in order to extort them for money.

Ransomware and extortion are a high-profit, low-cost business that has a debilitating impact on targeted organizations, national security, economic security, and public health and safety.

Ransomware typically succeeds by exploiting weaknesses or vulnerabilities in your organization's IT systems or infrastructure.

The cloud kill chain model explains how attackers attempt to gain access to any of your resources running in the public cloud through a four-step process: exposure, access, lateral movement, and actions.

Azure Defender data shows that without a security tool to quickly notify you of the attack, it takes organizations on average 101 days to discover a breach. Meanwhile, in just 24-48 hours after a breach, the attacker will usually have complete control of the network.

Off-the-shelf malware and Ransomware-as-a-Service (RaaS) offerings are easy to obtain, which lowers the barrier to entry for attackers.

The Federal Bureau of Investigation (FBI) advises victims not to pay the ransom but instead to be vigilant and take proactive measures to secure their data before an attack. The FBI contends that paying does not guarantee that locked systems and encrypted data will be released. A further reason not to pay is that payments to cyber criminals incentivize them to continue attacking organizations.

The impact of a ransomware attack on any organization is difficult to quantify accurately. However, depending on the scope and type, the impact is multi-dimensional.

According to Microsoft, the global cost associated with ransomware recovery is projected to exceed $20 billion in 2021.

The two common types of ransomware business models are "Commodity Ransomware" and "Human Operated Ransomware." 

  • Commodity ransomware attacks target individuals, are pre-programmed and opportunistic, and are unlikely to cause business disruption. 
  • Human-operated ransomware is sometimes referred to as "big game ransomware," a term that implies cybercriminals select specific networks for their value and then hunt for entry vectors. 

Azure-native security capabilities that organizations can use to defeat the attack techniques found in both high-volume everyday (commodity) and sophisticated targeted (human-operated) ransomware attacks -

  • Native Threat Detection - Azure Defender provides high-quality threat detection and response capabilities, also called Extended Detection and Response (XDR).
  • Passwordless and Multi-Factor Authentication - Azure MFA, the Azure AD Authenticator App, and Windows Hello provide these capabilities.
  • Native Firewall and Network Security - Azure security 'as a service' options such as native DDoS attack mitigation, Azure Firewall, Web Application Firewall (WAF), and network security groups help simplify the configuration and implementation of network security controls. 
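The exposure step of the cloud kill chain is usually a management port (RDP, SSH, WinRM) left reachable from the Internet by a network security group rule. The script below is an added example, not code from the eBook or from Microsoft: it evaluates NSG inbound rules in the shape the Azure Resource Manager API returns them (priority, direction, access, protocol, sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges) using Azure's lowest-priority-number-first, first-match-wins semantics, and reports which management ports an arbitrary Internet host can reach. SAMPLE_NSG_RULES is constructed sample data, the probe address is a TEST-NET-2 stand-in for "any Internet host", and the service-tag handling is a deliberate simplification (the Internet tag is treated as any non-RFC 1918 address; other tags such as VirtualNetwork are assumed never to match an external source).

```python
"""Find management ports an Internet host can reach through an Azure NSG (added example)."""
import ipaddress

# Ports ransomware operators scan for to gain an initial foothold (RDP, SSH, WinRM).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}

_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Azure adds these inbound rules to every NSG; they cannot be removed, only overridden
# by custom rules with a lower priority number.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed sample rules (not from a real tenant). The RDP rule at priority 100 is the
# classic misconfiguration; the Deny at priority 200 never fires because 100 matches first.
SAMPLE_NSG_RULES = [
    {"name": "Allow-RDP-From-Anywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "Allow-SSH-From-Admin-Range", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "Allow-Web", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "Allow-WinRM-From-Vnet", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "5985-5986"},
    {"name": "Deny-RDP-From-Internet", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
]


def _port_ranges(rule):
    """Expand destinationPortRange(s) such as '*', '22' or '5985-5986' into (low, high) tuples."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    out = []
    for r in ranges:
        if r == "*":
            out.append((0, 65535))
        elif "-" in r:
            low, high = r.split("-", 1)
            out.append((int(low), int(high)))
        else:
            out.append((int(r), int(r)))
    return out


def _source_matches(rule, src):
    """Does the rule's source prefix cover the concrete address src? (simplified service tags)"""
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    for p in prefixes:
        if p == "*":
            return True
        if p == "Internet":
            return not any(src in n for n in _RFC1918)  # assumption: Internet = non-RFC 1918
        try:
            if src in ipaddress.ip_network(p, strict=False):
                return True
        except ValueError:
            continue  # another service tag: assumed not to cover an external address
    return False


def first_matching_rule(rules, src_ip, dst_port, protocol="Tcp"):
    """Return the rule Azure applies to an inbound flow: lowest priority number, first match wins."""
    src = ipaddress.ip_address(src_ip)
    inbound = sorted((r for r in list(rules) + DEFAULT_INBOUND_RULES
                      if r.get("direction", "Inbound").lower() == "inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        if rule["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if not any(low <= dst_port <= high for low, high in _port_ranges(rule)):
            continue
        if _source_matches(rule, src):
            return rule
    return None  # unreachable in practice: DenyAllInBound matches everything


def internet_exposed_management_ports(rules, probe_source="198.51.100.7"):
    """Map each management port an arbitrary Internet host can reach to the rule allowing it.

    probe_source (TEST-NET-2) stands in for 'any Internet host'; a Deny rule scoped to one
    specific public range would not be reflected by this single probe.
    """
    exposed = {}
    for port in MANAGEMENT_PORTS:
        rule = first_matching_rule(rules, probe_source, port)
        if rule is not None and rule["access"].lower() == "allow":
            exposed[port] = rule["name"]
    return exposed


if __name__ == "__main__":
    for port, rule_name in sorted(internet_exposed_management_ports(SAMPLE_NSG_RULES).items()):
        print(f"EXPOSED {MANAGEMENT_PORTS[port]} (tcp/{port}) allowed by rule '{rule_name}'")
```

Run against the sample, only RDP is reported, and the fix is to restrict the source of Allow-RDP-From-Anywhere to the admin range (or remove it in favour of Just-In-Time access): once that is done the later Deny-RDP-From-Internet rule becomes the first match for an Internet source and the port is no longer exposed.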

Integrated with Azure Security Center, Azure Defender protects your hybrid data, cloud-native services and servers from ransomware and other threats, and integrates with your existing security workflows, such as your SIEM solution, and with Microsoft's threat intelligence to streamline threat mitigation.

Azure Sentinel - Cloud-native SIEM+SOAR
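The 101-day dwell time quoted above is what a SIEM rule is meant to cut down. The script below is an added example, not Azure Defender's or Azure Sentinel's detection logic: it is a generic rule of the kind a SIEM runs over Windows Security events 4625 (failed logon) and 4624 (successful logon), flagging a burst of failures from one source address and, with higher severity, a success that follows such a burst, which is the "access" step of the kill chain. The log lines are constructed sample data in a simplified CSV shape (real events carry many more fields), and the threshold and window are tuning assumptions.

```python
"""Flag brute-force logon bursts and the success that follows them (added example)."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample events, not real telemetry. Logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
timestamp,event_id,account,source_ip,logon_type
2021-06-01T02:00:01Z,4625,administrator,198.51.100.23,10
2021-06-01T02:00:04Z,4625,administrator,198.51.100.23,10
2021-06-01T02:00:09Z,4625,admin,198.51.100.23,10
2021-06-01T02:00:15Z,4625,backup,198.51.100.23,10
2021-06-01T02:00:22Z,4625,svc_sql,198.51.100.23,10
2021-06-01T02:00:40Z,4625,jsmith,198.51.100.23,10
2021-06-01T02:01:05Z,4624,jsmith,198.51.100.23,10
2021-06-01T02:03:10Z,4625,mjones,10.0.0.15,10
2021-06-01T02:03:20Z,4624,mjones,10.0.0.15,10
2021-06-01T02:10:00Z,4625,administrator,198.51.100.77,10
2021-06-01T02:10:01Z,4625,administrator,198.51.100.77,10
2021-06-01T02:10:02Z,4625,administrator,198.51.100.77,10
2021-06-01T02:10:03Z,4625,administrator,198.51.100.77,10
2021-06-01T02:10:04Z,4625,administrator,198.51.100.77,10
2021-06-01T02:10:05Z,4625,administrator,198.51.100.77,10
2021-06-01T03:30:00Z,4624,administrator,198.51.100.77,10
"""


def parse_events(text):
    """Parse the CSV sample into dicts with real datetimes, sorted by time."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["event_id"] = int(row["event_id"])
        events.append(row)
    events.sort(key=lambda e: e["timestamp"])
    return events


def _alert(rule, severity, event, recent):
    return {"rule": rule, "severity": severity, "source_ip": event["source_ip"],
            "account": event["account"], "logon_type": event["logon_type"],
            "failed_attempts": len(recent), "first_failure": recent[0].isoformat(),
            "last_event": event["timestamp"].isoformat()}


def detect_brute_force(events, threshold=5, window=timedelta(minutes=15)):
    """Sliding-window rule: threshold failures per source within window -> Medium alert;
    a successful logon from that source while the burst is still in the window -> High alert.
    threshold and window are tuning assumptions, not values from any product."""
    failures = defaultdict(deque)  # source_ip -> timestamps of 4625 events inside the window
    alerts = []
    for e in events:
        recent = failures[e["source_ip"]]
        while recent and e["timestamp"] - recent[0] > window:  # slide the window forward
            recent.popleft()
        if e["event_id"] == 4625:
            recent.append(e["timestamp"])
            if len(recent) == threshold:  # fires once per crossing of the threshold
                alerts.append(_alert("BruteForceAttempt", "Medium", e, recent))
        elif e["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append(_alert("BruteForceFollowedBySuccess", "High", e, recent))
            recent.clear()  # one High alert per burst
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(parse_events(SAMPLE_LOG)):
        print(f"[{a['severity']}] {a['rule']}: {a['source_ip']} -> {a['account']} "
              f"after {a['failed_attempts']} failures (first {a['first_failure']})")
```

On the sample data the rule raises a Medium alert for each of the two external sources and a High alert only for 198.51.100.23, whose success came a minute after the burst; the internal user who mistyped once is not flagged, and the success from 198.51.100.77 eighty minutes after its burst falls outside the window, which is the tuning trade-off to revisit when a slow spray is the concern.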

Azure Security Center is a unified infrastructure security management system. It strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads, whether they run in Azure, in other clouds, or on premises.

Azure Security Benchmark is Azure's own security control framework, based on industry security control frameworks such as NIST SP 800-53 and CIS Controls v7.1. It gives organizations guidance on how to configure Azure and Azure services and implement the security controls.

Azure Security Benchmark control domains:
  1. Network Security (NS)
  2. Identity Management (IM)
  3. Privileged Access (PA)
  4. Data Protection (DP)
  5. Asset Management (AM)
  6. Logging and Threat Detection (LT)
  7. Incident Response (IR)
  8. Posture and Vulnerability Management (PV)
  9. Endpoint Security (ES)
  10. Backup and Recovery (BR)
  11. Governance and Strategy (GS)

Microsoft recommends organizations follow the principles outlined in the Zero Trust strategy.

Microsoft provides extensive resources for updating your incident response processes in its Top Azure Security Best Practices guidance.

Microsoft provides Rapid Ransomware Recovery services. This service assists with restoring identity services, remediation and hardening, and deploying monitoring, to help victims of ransomware attacks return to normal business operations in the shortest possible time.

Rapid Ransomware Recovery engagements are exclusively delivered by the WW Compromise Recovery Security Practice (CRSP), part of the Azure Cloud & AI Domain. 
