Can your business survive a ransomware attack?


Downtime is decided months before the attack.

Ethical Threat Insight: Surviving a Ransomware Attack

A DC‑area Reddit thread described days of disruption after a hospital system was reportedly hit by Rhysida ransomware.

How much was the ransom?

~$3 million USD at the time of the incident. 😲

It’s a painful, real‑world reminder: your ability to operate “offline” is the difference between chaos and continuity.

The time to have a plan and to prepare is before the proverbial SHTF.

6 ways to prepare for surviving a ransomware attack:

1) Kill easy remote‑access abuse

If you don’t use it, disable or restrict Windows Quick Assist org‑wide. It’s been used in social‑engineering playbooks to land ransomware after a “fake IT support” call. You can use tools like AppLocker, WDAC, MagicSword or ThreatLocker for this.

Disclaimer: The folks at MagicSword are my friends, and they have graciously allowed me to offer 25% off for people I refer to them. Super great product that meaningfully defends against ransomware attacks. Go check them out and tell them I sent you.

2) Intune tip: uninstall or block the Quick Assist Store app (ID: 9P7BP5VNWKX5)

Also enforce policies that prevent launch. Test this on a pilot group first, of course.
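Here is what steps 1 and 2 look like as a single script. This is an added example written for this page, not a script from the newsletter or from any of the vendors named above. It assumes the Quick Assist package name that Get-AppxPackage reports on current Windows builds (MicrosoftCorporationII.QuickAssist) and the standard Microsoft Store publisher string; both are printed for verification before the AppLocker rule is applied, because a wrong publisher string silently produces a rule that matches nothing.

```powershell
# Added example, not the newsletter's own code. Run elevated on a pilot device first.
# Assumption: Quick Assist is installed as the Store package below (Store ID 9P7BP5VNWKX5).
$PackageName = 'MicrosoftCorporationII.QuickAssist'

# 0. Print the publisher/product values AppLocker will match on. Compare them with the
#    FilePublisherCondition in the XML further down before you trust that rule.
$installed = Get-AppxPackage -AllUsers -Name $PackageName
if ($installed) {
    Get-AppLockerFileInformation -Packages $installed |
        Select-Object -ExpandProperty Publisher | Format-List
}

# 1. Remove the Store package for every user profile and from the provisioning list,
#    so new profiles do not get it back.
$installed | Remove-AppxPackage -AllUsers
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq $PackageName |
    Remove-AppxProvisionedPackage -Online

# 1b. Older Windows 10 images ship Quick Assist as an inbox capability instead of a Store app.
Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
    Where-Object State -eq 'Installed' |
    ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name }

# 2. Block relaunch/reinstall with an AppLocker packaged-app (Appx) rule collection.
#    Caveat: an Appx collection that contains only a Deny rule blocks EVERY packaged app,
#    so the collection must also carry the default "allow all signed packaged apps" rule.
$Publisher = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'  # verify against step 0
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow all signed packaged apps"
        Description="Default rule so the deny below does not block the whole Appx collection"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny Quick Assist"
        Description="Block Quick Assist org-wide (fake IT support social engineering)"
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$Publisher" ProductName="$PackageName" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'block-quickassist.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Merge into the local policy rather than replacing it, so existing rules survive.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker does nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 3. Prove it: the package should be gone and the effective policy should carry the deny rule.
Get-AppxPackage -AllUsers -Name $PackageName
(Get-AppLockerPolicy -Effective -Xml) -match 'Deny Quick Assist'
```

For an Intune rollout, the same RuleCollection XML is what the AppLocker CSP expects, so you can paste the Appx collection into a custom OMA-URI profile targeted at the pilot group first, exactly as the tip above recommends, and expand from there once the pilot confirms nothing else packaged broke.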

3) Prove you can function without the internet

Pick one business unit (e.g., HR, accounting). Pull the WAN cable for 60 minutes. Can they reach critical apps on the intranet? Can staff log in, print, and access files locally? Identify and document the gaps, and fix them ASAP. The incident I mentioned above is a good example of why you should do this.

4) Make “minimum viable operations” real

Pre‑stage downtime kits: paper documents, and “how to” one‑pagers for when systems and the internet are down.

Keep an offline, physical copy of IR plans, contacts and vendor phone numbers.

5) Contain fast, then communicate faster

Have pre‑approved IR playbooks ready to go (single‑click host containment, AD account disable, API key rotation, etc.).

Publish a company‑wide “How to verify IT” script (shared secret, callback number on badge/back of laptop). This can help mitigate voice phishing/social engineering scams.

6) Backups don’t count until you restore

Test your restore capabilities on a regular basis. Write down the exact steps, who owns them, and document the time it takes to recover. I promise you, this one is super important.
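One way to make "write down the exact steps, who owns them, and the time it takes" repeatable is to script the verification half of the restore test and let the script keep the log. The following is an added example written for this page, not code from the newsletter. It assumes a manifest of SHA-256 hashes was captured from the source data at backup time (the first function does that), that the backup product has already restored the data to a scratch path, and that the operator passes in the measured wall-clock minutes of the restore job; the function names and the CSV log layout are this example's own.

```powershell
# Added example, not the newsletter's own code.
# Step A (at backup time): record what "good" looks like for a protected folder.
function New-RestoreManifest {
    param(
        [Parameter(Mandatory)][string]$SourcePath,    # e.g. a file server share being backed up
        [Parameter(Mandatory)][string]$ManifestPath   # CSV to store alongside the IR binder, offline
    )
    $root = $SourcePath.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

# Step B (at restore-test time): prove the restored copy is byte-for-byte what was backed up,
# and append one row per exercise so the recovery time and owner are documented, not remembered.
function Test-RestoredData {
    param(
        [Parameter(Mandatory)][string]$RestorePath,   # scratch location the backup tool restored into
        [Parameter(Mandatory)][string]$ManifestPath,
        [Parameter(Mandatory)][string]$Owner,         # who ran the restore; this is the "who owns it" column
        [Parameter(Mandatory)][int]$RestoreMinutes,   # wall-clock minutes the restore job itself took
        [Parameter(Mandatory)][string]$ResultLog      # CSV that accumulates every test run
    )
    $started  = Get-Date
    $manifest = @(Import-Csv -LiteralPath $ManifestPath)

    # A restore that is "mostly there" is a failed restore; collect every deviation, not just the first.
    $failures = foreach ($entry in $manifest) {
        $candidate = Join-Path $RestorePath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $candidate)) {
            [pscustomobject]@{ File = $entry.RelativePath; Reason = 'missing after restore' }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        if ($actual -ne $entry.Sha256) {
            [pscustomobject]@{ File = $entry.RelativePath; Reason = 'content differs from backup-time hash' }
        }
    }
    $failures = @($failures)

    $result = [pscustomobject]@{
        Timestamp      = $started.ToString('s')
        Owner          = $Owner
        FilesChecked   = $manifest.Count
        Failures       = $failures.Count
        RestoreMinutes = $RestoreMinutes
        VerifyMinutes  = [math]::Round(((Get-Date) - $started).TotalMinutes, 1)
        Passed         = ($failures.Count -eq 0)
    }
    $result | Export-Csv -LiteralPath $ResultLog -Append -NoTypeInformation
    $failures | ForEach-Object { Write-Warning "$($_.File): $($_.Reason)" }
    return $result
}

# Usage (paths are placeholders for this example):
# New-RestoreManifest -SourcePath '\\fileserver\finance' -ManifestPath 'D:\IR\finance-manifest.csv'
# ...run the real restore into D:\RestoreTest\finance and time it...
# Test-RestoredData -RestorePath 'D:\RestoreTest\finance' -ManifestPath 'D:\IR\finance-manifest.csv' `
#     -Owner 'backup-admin' -RestoreMinutes 47 -ResultLog 'D:\IR\restore-tests.csv'
```

The result log is the artifact worth printing for the physical IR binder: a row per quarter showing who restored what, how long it took, and whether it actually passed. If RestoreMinutes creeps up or Passed flips to False, you find out in a drill instead of during the incident.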

Bonus) Looking for more advice on how to defend against ransomware?

Here are 3 podcast episodes I know you will get value from.

🎤Defending Against Ransomware Pt 1

🎤Defending Against Ransomware Pt 2

🎤What to do Minute 1 When IR Arrives

As the saying goes, the time to have the map is before you enter the woods.

If your IR plan exists in a document on your computer, you don’t have a plan. Physical copies will save your business.

It pays to be prepared.

PS - here's a funny programmer meme.

All the best
Spencer Alessi

"Spirit of a hacker heart of a defender"