Security firm @SophosXOps published another report, this one on incidents at small and medium-sized businesses by @thepacketrat and Anna Szalay. One of the things I always look for in these reports is easy #cybersecurity wins -- and this report has a bunch of them.
First off, take a look at this chart: Top 15 dual-use tools. Imagine the pain you can cause threat actors by blocking the use of these tools and disrupting their playbooks!
The free service from portmap.io is being abused to support malware C2 communications. If you don’t use it, I suggest blocking *.portmap.io via DNS, NGFW and/or web proxy.
I’ve never heard of the MSP-focused bluetrait.io but add it to the list of legitimate services that get abused. If you don’t use this RMM service, I suggest blocking it via DNS, NGFW or Web security proxy. #cybersecurity
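The DNS option from the two posts above, as an added example (mine, not from the Sophos report or the original posts): a Windows DNS Server query resolution policy that refuses lookups for each abused service and all of its subdomains. It assumes the DnsServer PowerShell module on the DNS server itself; the domain list is constructed from the two services named above and the test hostname is made up.

```powershell
# Added example: refuse resolution of abused third-party services on a
# Windows DNS Server. Assumes the DnsServer module (DNS role or RSAT) and
# that it runs on the server. Domain list is constructed from the posts above.
$blockedDomains = @(
    'portmap.io',    # free port-forwarding service abused for C2
    'bluetrait.io'   # MSP-focused RMM, abused when it is not your tooling
)

foreach ($domain in $blockedDomains) {
    $policyName = "Block-$($domain -replace '\.', '-')"
    # Match the apex and every subdomain. DENY returns REFUSED to the client,
    # which is easier to troubleshoot than silently dropping the query (IGNORE).
    Add-DnsServerQueryResolutionPolicy -Name $policyName `
        -Action DENY `
        -FQDN "EQ,$domain,*.$domain"
}

# Verify the server-level policies are present.
Get-DnsServerQueryResolutionPolicy |
    Where-Object Name -like 'Block-*' |
    Format-Table Name, Action, ProcessingOrder

# Constructed hostname: the lookup should now fail instead of resolving.
Resolve-DnsName -Name 'example-host.portmap.io' -Server 127.0.0.1 -ErrorAction SilentlyContinue
```

Pair the DNS policy with an NGFW or proxy rule as the posts suggest, since a client that is pointed at an external resolver bypasses an internal DNS block.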
There’s been a #Microsoft #outage going on all day today resulting in email and other M365 services including Teams being unavailable. Microsoft says they’ve rolled back the code change that caused the problem so things should start working again soon. Check on MO1020913 in the Microsoft Admin Portal for details.
If you help maintain #cybersecurity on a business network you should absolutely block Telegram—there’s nothing good there. If you have a web security proxy like Netskope or Zscaler, or an NGFW, block it there. You can also block it via DNS. Blocking these domains should do the job:
If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the #KQL provided to hunt for abuse.
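The hunt described above, as an added example that is my own and not the KQL from the report (which is not reproduced here): it runs a query for device code flow sign-ins against the Entra ID SigninLogs table in a Log Analytics workspace through the Az.OperationalInsights module. It assumes sign-in logs are exported to that workspace; the workspace ID is a placeholder and the seven-day window is my choice.

```powershell
# Added example: hunt for device code flow sign-ins in Entra ID SigninLogs.
# Assumes Entra sign-in logs are sent to a Log Analytics workspace and that
# the Az.Accounts and Az.OperationalInsights modules are installed.
Connect-AzAccount | Out-Null
$workspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

# AuthenticationProtocol == "deviceCode" isolates the OAuth device code grant.
# Every row is an attempt; ResultType "0" marks the ones that succeeded.
$kql = @'
SigninLogs
| where TimeGenerated > ago(7d)
| where AuthenticationProtocol == "deviceCode"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, ResultType, ResultDescription
| order by TimeGenerated desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$rows   = $result.Results

# Per-user count makes a single noisy account or an unexpected app obvious.
$rows | Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Successful device code sign-ins from identities that should never use the
# flow are the ones to investigate first.
$rows | Where-Object ResultType -eq '0' | Format-Table -AutoSize
```

If you have limited the flow to specific user IDs with Conditional Access, any successful row for an account outside that group is a policy gap as well as a hunting lead.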
This tactic of sending unsolicited messages and calls via Teams has an easy solution—only allow specific external domains to communicate with your end users. Review your Teams logs, see which domains your users are communicating with, add them to the allow list and enable the control. Make your end users open up a support ticket for future domain adds so you can vet them.
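The allow-list control from the post above, as an added example of my own (not from the original post or from Microsoft's documentation): it replaces the open federation setting with a vetted domain list using the MicrosoftTeams PowerShell module and confirms the result. The domain names are constructed; substitute the ones your Teams log review turned up. The consumer-account toggles at the end are a related setting I added, not something the post calls for.

```powershell
# Added example: restrict Teams external access to a vetted list of domains.
# Assumes the MicrosoftTeams module and a Teams administrator role. The domain
# list is constructed; replace it with the domains from your own log review.
Connect-MicrosoftTeams | Out-Null

$vettedDomains = @(
    'partner-one.example',
    'partner-two.example'
)

# Build the allow list. Once AllowedDomains holds an allow list, every external
# domain not on it is blocked for chat, calls and meeting joins.
$patterns  = $vettedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# Related setting (my addition): unmanaged consumer Teams accounts are outside
# any domain list, so block inbound contact from them as well.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Confirm what is now in effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
        @{ Name = 'AllowedDomains'; Expression = { $_.AllowedDomains.AllowedDomain.Domain -join ', ' } }
```

Re-run the last command after each support-ticket-driven domain add so the allow list on record matches what the tenant is actually enforcing.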
Forget about Zero Trust and apply best practice security configurations. Let the marketing people and the CISO worry about whether something is “zero trust” or not. #Cybersecurity
@horse@merill that's the traditional CyberArk model -- have a handful of highly privileged accounts that authorized users can check out and use for a limited period of time (or use them via a privileged session manager connection through a CA RDP proxy). I've never liked that approach because it makes it harder to correlate administrative actions to a person.
@Melody LOL “Most of the expats who want to move to the village are Catholics….” Why not move to Italy? They could live in Rome, right next to Vatican City? Are they worried the Pope isn’t Christian enough?