The Base Defense

Absolute security is impossible to achieve—this guiding principle is likely familiar to everyone. However, achieving a minimum level of security is essential. Germany's Federal Office for Information Security (BSI) has now published its first minimum standard for defending against ransomware.

The Role of Standardization

Standardization has become an essential building block of today's economy. In IT security, the ISO/IEC 27000 family, with ISO 27001 at its core, has long been widely adopted. It serves as the foundation for many further, often industry-specific, standards such as TISAX® in the automotive industry. Many companies seek certification to demonstrate an adequate level of security.

At the same time, organized cybercrime continues to profit from cyberattacks, generating revenue faster than ever. Within a single year, ransomware groups like REvil reportedly earned over $100 million. Not a month passes without another high-profile cyberattack making the news. Victims include global giants like shipping company Maersk, car manufacturer Mercedes-Benz, and even public and political institutions like the German Bundestag. These criminal organizations now employ professional negotiation teams that do not negotiate ransoms below one million euros.

Taken together, these developments give a perplexing picture: more companies are obtaining certifications, yet successful cyberattacks keep increasing. This points to a critical misconception: an ISO 27001 certification does not in itself protect against ransomware. IT experts know this, but many organizations still assume that certification guarantees a basic level of protection against such threats. Given the substantial budget a certification requires, the assumption is understandable, but it is wrong. ISO 27001 specifies a management system (an ISMS), not a concrete set of technical controls; ISO 27001 and 27003 are largely abstract, with technical guidelines and recommendations provided at a meta level.

BSI’s Minimum Standard

The BSI has now collaborated with the APT response providers it lists as qualified to establish a minimum standard comprising 20 specific requirements across nine categories: phishing protection, client hardening, external access, offline backups, domain protection, log monitoring, patch management, isolation of insecure systems, and preparation for the worst case.

The consensus among these providers is that most attackers are not “top-tier hackers.” While cybercriminals operate methodically, they often exploit weak or poorly implemented security practices. As of 2021, ransomware defense should be a standard capability for any IT security department, and the BSI’s measures are designed around this expectation.

Category 1: Phishing Protection

In almost all ransomware cases, the entry point is a "convincing" phishing email. These messages mimic legitimate correspondence and look genuine at first glance, because the attackers usually take the data for them from previously compromised communication partners, so the mail often continues a real conversation. Victims, believing the messages to be authentic, open attachments that then infect their systems and networks. Notably, traditional signature-based antivirus software often fails to detect the malicious code, because it is frequently unique to the attack.

Standard 1: Use cloud-based spam filters that do not rely on static signatures but instead recognise a campaign from its distribution across many organisations at once. Links and attachments should ideally be opened (detonated) in a sandboxed environment before delivery.

Standard 2: Configure mail filters to block dangerous attachment types, especially the legacy binary Office formats (.doc, .xls, .ppt) that have not been the default for over a decade, and macro-enabled documents in general.
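As an added example (not part of the BSI standard or this article), the following Python snippet shows how a mail filter can decide on content rather than on file name: legacy binary Office files are recognised by their OLE2 compound-file header, and macro-enabled OOXML files by the presence of a vbaProject.bin part inside the zip container, whatever extension the sender chose. The sample attachments are constructed in the script; the extension list and the fail-closed behaviour on malformed containers are policy choices assumed here.

```python
import io
import zipfile

# Legacy binary Office formats (.doc/.xls/.ppt) are OLE2 compound files and start with this header.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML (.docx/.xlsm/...) is a zip container.
ZIP_MAGIC = b"PK\x03\x04"

# Assumed policy: legacy binary formats and macro-enabled OOXML are blocked by name outright.
BLOCKED_EXTENSIONS = {
    ".doc", ".xls", ".ppt", ".dot", ".xlt", ".pot",
    ".docm", ".xlsm", ".pptm", ".dotm", ".xlam",
}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block' or 'allow' for one mail attachment.

    The decision is made on content, not only on the name: a renamed .doc still
    carries the OLE2 header, and an OOXML container with a vbaProject.bin part
    carries VBA macros even when it is called .docx.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if data.startswith(OLE2_MAGIC):
        return "block"  # legacy binary Office (or any OLE2 container) regardless of extension
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "block"  # malformed container: fail closed rather than guess
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "block"  # macro-enabled OOXML hidden behind a harmless-looking name
    return "allow"


def make_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-like zip container (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments.
    samples = {
        "report.docx": make_ooxml(False),
        "invoice.docx": make_ooxml(True),         # macros hidden behind a .docx name
        "offer.pdf": OLE2_MAGIC + b"\x00" * 24,   # legacy .doc renamed to .pdf
        "notes.txt": b"plain text",
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_attachment(name, blob)}")
```

In a real gateway the same check would run on every part of the MIME message, including attachments nested inside archives, which is exactly where extension-only filters are routinely bypassed.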

Category 2: Client Hardening

Cybercriminals usually gain their first foothold on an infected workstation (client), install a Remote Access Trojan (RAT) there and use it to move laterally through the network.

Standard 3: Restrict the execution of macros in Office documents that originate from the internet, email or external media, i.e. files carrying the Mark of the Web.

Standard 4: Make lateral movement harder by never using the same local administrator password on multiple clients. Use a tool such as Microsoft's Local Administrator Password Solution (LAPS) to enforce a unique, regularly rotated password per machine.

Standard 5: Users should not have administrative privileges on their own workstations. Where an employee genuinely needs them, provide a separate administrative account that is not used for daily work such as email and browsing.

Standard 6: Implement Microsoft's Security Baselines for Windows 10 (published in the Security Compliance Toolkit). Where exceptions are necessary, document them and address them with compensating measures.

Category 3: External Access

Standard 7: Implement multi-factor authentication (MFA) for all external administrative interfaces and remote access tools such as RDP, Citrix, or VPNs.

Category 4: Offline Backups

Absolute security is a myth. If attackers get past every other defence, a backup they cannot reach is your best survival strategy.

Standard 8: Maintain a complete IT backup no older than seven days, including servers, databases, and a copy of the Active Directory (AD) or Domain Controller system state.

Standard 9: Configure backup access rights so that an attacker who has obtained domain admin rights cannot delete or encrypt the backups. In practice this means the backup system must not be administered with domain accounts, and at least one copy must be kept offline.

Standard 10: Monitor backup data volumes and respond to anomalies, such as failed or incomplete backups.

Category 5: Domain Protection

Attackers almost always aim to take control of the Active Directory domain, because domain admin rights let them roll the ransomware out to every system at once.

Standard 11: Use separate accounts for the user, local admin and domain admin roles, each with its own unique password. Admin passwords must follow strict length and complexity rules and must not be reused anywhere else.

Standard 12: Domain controllers serve only their primary purpose (no additional roles, applications or browsing) and are patched within two days of a security update being released.

Standard 13: Implement logging on all servers and monitor for identity-based attacks using a tool such as Azure Advanced Threat Protection (since renamed Microsoft Defender for Identity).

Standard 14: A concept for secure administration exists and is implemented. The aim is to make it as hard as possible for an attacker to obtain domain admin rights. Microsoft's Enhanced Security Admin Environment (ESAE, better known as the "Red Forest") is one such model; alternatively, non-domain-joined bastion hosts dedicated to domain administration can be used. Note that Microsoft has since retired ESAE in favour of its tiered enterprise access model, so the underlying tiering principle matters more than the specific product name.

Category 6: Log Monitoring

Statistically speaking, in 2020 it still took an attacker around three to four hours on average to gain domain admin rights. Cybercriminals have since become much faster, and also more focused and targeted. The group behind the Ryuk ransomware is probably the record holder: two hours after a user clicked the link in a phishing email, the group already held domain admin rights, and after five hours the network was encrypted. In the vast majority of cases, traces of the attack could be found in the log files afterwards, but they were not recognised as such at the time.

Standard 15: Malware inside your network has to talk back to the attackers' infrastructure; these are command-and-control (C2) connections. Your firewall must therefore recognise, filter and log connections to known C2 addresses. Connections that regularly transfer small amounts of data (e.g. a "beacon" every minute) should also be logged as suspicious, and so should connections that move very large amounts of data out of the network.
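As an added example (not from the BSI standard or this article), the following Python script implements the two heuristics Standard 15 describes over a constructed firewall log excerpt: a C2 beacon shows up as many small connections to one destination at near-constant intervals, so the script groups connections by source and destination and flags pairs whose inter-arrival time has very low jitter and whose average payload is small; bulk exfiltration shows up as a single connection moving far more data out than anything else. The log format, the thresholds (five hits, 10 % jitter, 4 KB, 1 GB) and the IP addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log excerpt (not real data): timestamp src dst:port out=<bytes sent>
SAMPLE_LOG = """\
2021-03-08T09:00:00 10.0.5.23 203.0.113.10:443 out=612
2021-03-08T09:01:01 10.0.5.23 203.0.113.10:443 out=598
2021-03-08T09:02:00 10.0.5.23 203.0.113.10:443 out=621
2021-03-08T09:03:01 10.0.5.23 203.0.113.10:443 out=605
2021-03-08T09:04:00 10.0.5.23 203.0.113.10:443 out=610
2021-03-08T09:05:00 10.0.5.23 203.0.113.10:443 out=599
2021-03-08T09:00:12 10.0.5.23 198.51.100.7:443 out=1830
2021-03-08T09:02:47 10.0.5.23 198.51.100.7:443 out=42110
2021-03-08T09:04:03 10.0.5.23 198.51.100.7:443 out=5120
2021-03-08T09:05:30 10.0.5.23 198.51.100.7:443 out=77
2021-03-08T09:06:10 10.0.5.31 192.0.2.44:443 out=3200000000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) out=(\d+)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unrelated lines instead of aborting the whole review
        ts, src, dst, out = m.groups()
        rows.append((datetime.fromisoformat(ts), src, dst, int(out)))
    return rows


def find_suspicious(rows, min_hits=5, max_jitter=0.1, small_bytes=4096, bulk_bytes=1_000_000_000):
    """Return findings of kind 'beacon' (periodic small transfers) or 'bulk-egress'."""
    findings = []
    pairs = defaultdict(list)
    for ts, src, dst, out in rows:
        pairs[(src, dst)].append((ts, out))
        if out >= bulk_bytes:
            findings.append({"kind": "bulk-egress", "src": src, "dst": dst, "bytes": out})

    for (src, dst), hits in pairs.items():
        if len(hits) < min_hits:
            continue  # too few connections to judge periodicity
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        # Coefficient of variation of the inter-arrival time: near zero means "like clockwork".
        jitter = pstdev(gaps) / avg_gap
        avg_bytes = mean(out for _, out in hits)
        if jitter < max_jitter and avg_bytes < small_bytes:
            findings.append({"kind": "beacon", "src": src, "dst": dst,
                             "period_s": round(avg_gap), "hits": len(hits)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f)
```

The irregular browsing to 198.51.100.7 in the sample is deliberately left alone: too few connections and too much jitter. Real beacons add random sleep jitter precisely to defeat this check, so treat the threshold as a tuning knob and correlate hits with the destination's reputation rather than alerting on periodicity alone.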

Standard 16: Security-relevant logs are reviewed twice a day, every day of the year. These include in particular the firewall logs, the spam and malware protection logs, the domain controllers and the backup system. A log management or SIEM platform (e.g. Graylog, Splunk, QRadar) can simplify and automate this evaluation.

Category 7: Patch Management

Standard 17: Microsoft Windows systems (servers and clients) should be updated to the latest patch level no later than two days after the release of security-critical updates.

Category 8: Isolation of Unsafe Systems

The problem of asymmetry is known in all security trades. Attackers or threats only need to find one vulnerable system or weak point – the defender, on the other hand, must secure all weak points.

Standard 19: Systems and applications that cannot meet the minimum requirements (see #2, 3, 5, 17, 18) or depend on insecure protocols (e.g. SMBv1) must be moved into a separate network segment that is separated from the rest of the network by a firewall. Such segments get Internet access only via an allowlist, and connections to the rest of the network are limited to the minimum required (specific destination IP/port combinations).

Category 9: Preparations for Emergencies

Not all threats are visible or can be controlled in advance. An attacker can overcome all barriers at any time, and you should be prepared for that eventuality.

Standard 20: You should have your own incident response team for such cases. Alternatively, you should have established contact with an external response consultant in advance; the BSI publishes a list of qualified APT response service providers. Ideally, you already have a crisis manual and an emergency allowlist for Internet access at hand.

Conclusion

These 20 measures represent a minimum standard for defence against today's ransomware attacks. Admittedly, many of them are expensive, difficult to implement quickly and somewhat less convenient for IT admins. But the same risk trade-off always applies: how great would the damage be if, after a successful ransomware attack, you are faced with a compromised domain, deleted or unusable backups and encrypted servers?

It is also clear that the measures above represent a minimum standard as of today. The technical and organisational capabilities of cybercriminals are developing rapidly, so anyone who cannot withstand today's attacks will be more or less helpless against tomorrow's. Furthermore, ransomware is not the only threat to companies and their IT infrastructure: organisations also have to arm themselves against business email compromise, payment diversion, CEO fraud ("fake president" scams), industrial espionage and state-sponsored actors. So there really is enough to do in most IT departments to prepare for the current and emerging threats in cyberspace.

Lukas Sökefeld

Cyber Security Consultant
Lukas Sökefeld deals with the latest developments on the subject of AI and cyber security on a daily basis and advises our customers online and on site.
