MANDIANT Proactive Preparation and Hardening to Protect Against Destructive Attacks
Background
Threat actors leverage destructive malware to destroy data, eliminate evidence of malicious activity, or manipulate systems in a way that renders them inoperable. Destructive cyber-attacks can be a powerful means to achieve strategic or tactical objectives; however, the risk of reprisal is likely to limit the frequency of use to very select incidents. Destructive cyber-attacks can include destructive malware, wipers, or modified ransomware.
This document provides proactive recommendations that organizations should prioritize to protect against a destructive attack within their environment. The recommendations include practical and scalable methods that can help protect organizations not only from destructive attacks, but also from incidents where a threat actor is attempting to perform reconnaissance, escalate privileges, move laterally, maintain access, and achieve their mission. The recommendations focus primarily on on-premises security hardening and defenses, but similar concepts can extend to cloud-based infrastructure.
The detection opportunities outlined in this document are meant to act as supplementary monitoring alongside existing security tools. Organizations should leverage endpoint and network security tools as additional preventative and detective measures. These tools use a broad spectrum of detective capabilities, including signatures and heuristics, to detect malicious activity with a reasonable degree of fidelity. The custom detection opportunities referenced in this document are correlated to specific threat actor behavior and are meant to trigger on anomalous activity identified by its divergence from normal patterns. Effective monitoring therefore depends on a thorough understanding of an organization's unique environment and on pre-established baselines, since a detection that keys on divergence is only as reliable as the record of normal activity it is compared against.
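The following is an added example of the baseline-driven approach described above; it is not code from the Mandiant document. It builds a baseline of which (source host, destination host) pairs each account has used for each Windows logon type, then scores a later batch of events against it, escalating when the divergence involves a privileged account, a service account used interactively over RDP, or a remote logon with a local account (three of the detection opportunities listed in Table 1). The event records are constructed for the example and modelled on Security Event ID 4624 fields (TargetUserName, TargetDomainName, LogonType, WorkstationName, Computer); all hostnames, account names and the privileged/service account lists are assumptions.

```python
"""Baseline-driven anomaly detection over Windows logon events.

Added example, not Mandiant's code. Event records are constructed here and
modelled on Security Event ID 4624 fields (TargetUserName, TargetDomainName,
LogonType, WorkstationName/IpAddress, Computer); hostnames, accounts and the
privileged/service account lists are all assumptions for the example.
"""
from collections import defaultdict

# Constructed "learning window" events that define the environment's baseline.
BASELINE_EVENTS = [
    {"user": "jsmith", "domain": "CORP", "logon_type": 10, "src": "WS01", "dst": "TS01"},
    {"user": "jsmith", "domain": "CORP", "logon_type": 3, "src": "WS01", "dst": "FS01"},
    {"user": "svc_backup", "domain": "CORP", "logon_type": 3, "src": "BK01", "dst": "FS01"},
    {"user": "da_admin", "domain": "CORP", "logon_type": 10, "src": "PAW01", "dst": "DC01"},
]

# Constructed events from a later window, to be scored against that baseline.
NEW_EVENTS = [
    {"user": "jsmith", "domain": "CORP", "logon_type": 10, "src": "WS01", "dst": "TS01"},
    {"user": "jsmith", "domain": "CORP", "logon_type": 3, "src": "WS01", "dst": "FS02"},
    {"user": "da_admin", "domain": "CORP", "logon_type": 10, "src": "WS07", "dst": "DC01"},
    {"user": "svc_backup", "domain": "CORP", "logon_type": 10, "src": "WS07", "dst": "FS01"},
    {"user": "Administrator", "domain": "WS12", "logon_type": 3, "src": "WS07", "dst": "WS12"},
]

PRIVILEGED = {"da_admin"}          # assumed: e.g. members of Domain Admins
SERVICE_ACCOUNTS = {"svc_backup"}  # assumed: accounts that must never log on interactively
REMOTE_LOGON_TYPES = {3, 10}       # 3 = Network (SMB/WMI/WinRM), 10 = RemoteInteractive (RDP)


def _key(event):
    """The baseline is kept per account and logon type."""
    return (event["user"].lower(), event["logon_type"])


def _pair(event):
    return (event["src"].upper(), event["dst"].upper())


def build_baseline(events):
    """Map (account, logon type) -> set of (source, destination) hosts observed."""
    baseline = defaultdict(set)
    for event in events:
        baseline[_key(event)].add(_pair(event))
    return baseline


def is_local_account(event):
    """In 4624, a local account's TargetDomainName is the target computer's own name."""
    return event["domain"].upper() == event["dst"].upper()


def detect(events, baseline, privileged=PRIVILEGED, service_accounts=SERVICE_ACCOUNTS):
    """Return one alert per event that diverges from the baseline or matches a
    known lateral-movement behavior; events inside the baseline stay silent."""
    alerts = []
    for event in events:
        user = event["user"].lower()
        reasons, high = [], False
        if _pair(event) not in baseline.get(_key(event), set()):
            reasons.append("source/destination pair never seen for this account and logon type")
            if user in privileged:
                reasons.append("privileged account")
                high = True
        if event["logon_type"] in REMOTE_LOGON_TYPES and is_local_account(event):
            reasons.append("remote logon with a local account")
            high = True
        if user in service_accounts and event["logon_type"] == 10:
            reasons.append("service account logging on interactively over RDP")
            high = True
        if reasons:
            alerts.append({
                "user": event["user"], "logon_type": event["logon_type"],
                "src": event["src"], "dst": event["dst"],
                "severity": "high" if high else "medium", "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f'[{alert["severity"]}] {alert["user"]} type {alert["logon_type"]} '
              f'{alert["src"]} -> {alert["dst"]}: {"; ".join(alert["reasons"])}')
```

Run as a script it prints four alerts: the routine RDP session in the first new event is silent because it is inside the baseline, the new file-server destination for a standard user is medium, and the remaining three are high because a known behavior (privileged account from a new source, service account over RDP, local account used remotely) is layered on top of the baseline divergence. In a real deployment the learning window must come from a period believed to be clean, or the attacker's own activity becomes the baseline.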
Recommendations Summary
Table 1 provides a high-level overview of the guidance in this document, with links to the corresponding hardening recommendations and detection opportunities.
TABLE 1. Overview of Hardening Recommendations and Detection Opportunities.

Focus Area: Hardening External Facing Assets
Description: Protect against the risk of threat actors exploiting an externally facing vector or leveraging existing technology for unauthorized remote access.
Hardening Recommendations:
1. Identify, Enumerate, and Harden Externally Facing Assets
2. Enforce Multifactor Authentication for Externally Facing Services
Detection Opportunities:
1. External Facing Assets and MFA Attempts

Focus Area: Critical Asset Protections
Description: Protect specific high-value infrastructure and prepare for recovery from a destructive attack.
Hardening Recommendations:
1. Backup AD and other Critical Assets
2. Conduct Targeted Business Continuity Planning
3. Segment IT and OT Environments
4. Implement Egress Restrictions
5. Protect Virtualization Infrastructure
Detection Opportunities:
1. Unauthorized Access to Backups
2. Lateral Movement from IT to OT Networks
3. Unauthorized Egress Traffic
4. Unauthorized Access to Virtualization Infrastructure

Focus Area: On-Premises Lateral Movement Protections
Description: Protect against a threat actor with initial access into an environment from moving laterally to further expand their scope of access and persistence.
Hardening Recommendations:
1. Restrict Communication To/From Endpoints
2. Harden Remote Desktop Protocol (RDP)
3. Disable Administrative/Hidden Shares
4. Harden Windows Remote Management (WinRM)
5. Restrict Common Lateral Movement Tools and Methods
6. Implement Malware Protections on Endpoints
Detection Opportunities:
1. SMB and WMI Communications
2. RDP Usage
3. Accessing/Enumerating Administrative or Hidden Shares
4. WinRM Usage
5. Common Lateral Movement Tools and Methods
6. Tamper Protection Events

Focus Area: Credential Exposure and Account Protections
Description: Protect against the exposure of privileged credentials that would facilitate privilege escalation.
Hardening Recommendations:
1. Identify and Reduce the Scope of Privileged Accounts
2. Mitigate the Risk of Noncomputer Accounts with SPNs
3. Limit the Logon Rights for Privileged Accounts
4. Limit the Logon Rights for Service Accounts
5. Use Group Managed Service Accounts (gMSAs)
6. Use Protected Users Group
7. Disable WDigest and Enforce GPO Reprocessing
8. Limit Credential Exposure Through Credential Guard
9. Use Restricted Admin Mode for RDP
10. Implement Windows Defender Remote Credential Guard
11. Harden Local Administrator Accounts
Detection Opportunities:
1. Use/Modification of Privileged Accounts/Groups and GPO Modifications
2. Kerberoasting
3. Privileged Account Logons
4. Service Account Logons
5. Managed Service Account Modifications
6. Modification of the Protected Users Security Group
7. WDigest Authentication Conditions
8. Restricted Admin Mode for RDP
9. Modification of Windows Defender Remote Credential Guard Settings
10. Remote Logons with Local Accounts