Securing Exposed Environments v3

The document provides guidance on measures organizations can take to protect their environments during times of heightened threats. It focuses on user identity protection, device hardening, monitoring and incident response. Immediate actions include enabling MFA, patching systems, and validating backups. Longer term actions involve awareness training, access reviews, and disabling legacy protocols.

Uploaded by

zghib

Protecting Exposed Environments

Organizations sometimes face a heightened threat landscape where known/existing threats are
amplified, and new or newly discovered threat vectors emerge. These times reinforce the need to
focus on ongoing security investment and applying well known best practices. This document
focuses on a few key topics that are relevant to such events.

Good security practices always apply, particularly in situations of increased threats. Elevated risk
calls for increased focus on preventive measures, monitoring, and validation of recovery capabilities
in the face of worst-case scenarios.

The paper isn’t a complete list of all measures, but it can give you some ideas on how to address situations
of heightened risk. The measures and the scenarios have to be adapted to your current
business situation and your assessment of your threat landscape.

All in all, it makes sense to apply and think along the Zero Trust principles:

• Assume Breach
• Verify Explicitly
• Use Least Privilege Access

The document is kept current here: https://www.linkedin.com/smart-links/AQGbMjRe-br2bA Page 1


Threat Scenarios
In case of increased threat (physical as well as on the Internet), these scenarios of concern often
come to the top of organizations’ priority lists. You can use this list as a reference and adapt it to
your business, your current threat situation, and your risk exposure:

- Ransomware and destructive attacks are often top of mind. In the past we have seen different
incidents caused by ransomware with significant impact. Sometimes they are spread
automatically (like NotPetya), but more often they are targeted and manually operated by
human criminals (Human Operated Ransomware). For guidance see below.
- Physical loss of infrastructure: This scenario can be triggered by different causes and should be
covered in your Business Continuity Plans including leveraging availability zones in different
regions or backups outside some logical and physical areas.
- Loss of connectivity: Loss of network connectivity within a region as well across regions. This
loss can be temporary or long-term (e.g. a country decides to cut down communication).
- Loss of possession of your infrastructure: Infrastructure falling into the wrong hands and thus
delivering physical access to your infrastructure to the perpetrator.
- Physical threat to high-value human assets: A physical threat to administrators or any person
with high privileges must be accounted for. Countermeasures may encompass something like an
“alert button” or trying to detect unusual behavior.
- Malicious Insider: This threat is not directly connected to times of increased threats; however,
there is a high probability that a perpetrator is trying to gain access to sensitive information to
prepare for a next move, not only physically in the area of conflict but also in other regions.
- Hacktivist attacks: Changes in the threat landscape often lead hacktivist groups to take the
position of the “morally right”. This is not new, but such groups typically get bigger support
(technically as well as on social media) especially during stressful times like natural disasters
and wars.
- Disinformation campaigns: When the threat landscape changes, so does the way information
flows and the way information is manipulated and controlled.

Possible Measures
The following prioritization of the measures must be adapted to your current architecture, current
security maturity as well as your risk and threat assessment. A brief overview can be taken from
here: Rapidly modernize your security infrastructure | Microsoft Docs

Phase One - Immediate actions


Immediate actions that we feel you should implement now, within the next 24 to 48 hours.

User/Identities
→ As a minimum baseline in protecting identities, enable multifactor authentication.
- For Azure Active Directory: Enable Azure AD Multi-Factor Authentication | Microsoft Docs.
- As a minimum, require MFA for all users who are assigned to any of Global Administrators,
Privileged Role Admin, Exchange Admin, SharePoint Admin and Domain Admins. To find the
accounts with access in these groups, you can use the PowerShell API here.
→ Protect your admin accounts.
- Define a minimum of two emergency access accounts: Manage emergency access admin
accounts - Azure AD | Microsoft Docs
- We recommend that you start using Azure AD Privileged Identity Management (PIM) in your
Azure AD production environment Plan a Privileged Identity Management deployment -
Azure AD | Microsoft Docs. After you start using PIM, you'll receive notification email
messages for privileged access role changes. PIM also lets you grant just-in-time access to
your administrators.
- In isolated environments: Use MIM PAM: Privileged Access Management for Active Directory
Domain Services | Microsoft Docs. Ensure privileged admin accounts are not mail enabled,
are unable to browse the internet and are using hardened devices. See: Why are privileged
access devices important | Microsoft Docs
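An added example, not part of the original document, of the check described above: enumerate the members of the named privileged roles and flag any user without a second authentication method registered, then list on-premises Domain Admins. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph), the RSAT ActiveDirectory module, and the default built-in role display names.

```powershell
# Added example: find privileged role members without MFA registered.
# Assumes Microsoft Graph PowerShell SDK and an account allowed to read roles and auth methods.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Built-in role display names (assumption: tenant uses the default names)
$roleNames = @("Global Administrator", "Privileged Role Administrator",
               "Exchange Administrator", "SharePoint Administrator")

$results = foreach ($name in $roleNames) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant
    $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Skip groups and service principals; only user accounts register MFA methods
        if ($member.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }

        $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
        # The password method is always present; anything else is a registered second factor
        $secondFactors = $methods | Where-Object {
            $_.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod'
        }

        [pscustomobject]@{
            Role          = $name
            User          = $member.AdditionalProperties.userPrincipalName
            MfaRegistered = [bool]$secondFactors
        }
    }
}

# Accounts with MfaRegistered = False come first: these need MFA enforced immediately
$results | Sort-Object MfaRegistered, Role | Format-Table -AutoSize

# On-premises Domain Admins (nested membership included), with basic hygiene fields
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
    Format-Table -AutoSize
```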

Devices and Servers
→ Patch all systems with known exploited vulnerabilities.
Monitoring / Incident Response
→ Ensure that all the alerts sent by your cloud provider and your national CERT are acted upon.
- Microsoft delivers Nation State Notifications (NSNs) to Global Admins via phone call and
email. Please ensure the contact details (phone and e-mail) for Global Admins are accurate
and up to date.
- For alerts in Azure please ensure:
- Defender for Cloud (free version as well):
▪ Configure the security contact (use this script from GitHub); the owner role email
address is important. Best practice is to add a mailing list with the
relevant roles to monitor and triage.
▪ Defender Alerts – monitor Dashboard
▪ Defender Recommendations – monitor Dashboard
- Use Service Health Dashboard
▪ Watch the Security advisories specific to your subscriptions - Dashboard
▪ And one can configure Health Alerts
- Watch the Azure Status Page - Azure status
- Make sure Azure AD Technical contact information is filled in
→ Ensure that your incident response team knows how to open tickets with your suppliers’ support
organizations.
- In the case you have a support contract with Microsoft, ensure your incident response team
knows how to open Sev A tickets.
→ Check whether all the contact information in your response plans as well as incident-related
contracts (e.g. Incident Response Retainers) are still up-to-date!
Disaster Recovery/Business Continuity
→ Validate your backups.
- A few tips to be found in the Ransomware guidance: Azure backup and restore plan to
protect against ransomware | Microsoft Docs
- For Microsoft 365: Deploy ransomware protection for your Microsoft 365 tenant | Microsoft
Docs
→ Check access to your backups without the availability of your Domain Controllers.

Phase Two
Once you have implemented the measures above, over the following days, focus on these measures:

User/Identities
→ Raise your employees’ awareness of the increased risk of malicious e-mails or malicious
messages in any form.
→ If you expect a physical threat to people (e.g. they might be coerced into logging in), monitor for
malicious behavior of exposed accounts. Establish processes to report back to security in case
of such events (in-band or out-of-band).
- Pro-actively remove all privileges from users with increased risk.
- For Microsoft, think about leveraging Microsoft Insider Risk Management: Insider risk
management in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
→ Separate local machine admin accounts from productivity workers and require elevation.
→ Randomize the local admin passwords.
- For Microsoft: Download Local Administrator Password Solution (LAPS) from Official
Microsoft Download Center
→ Start the work to disable legacy authentication protocols.
- For Microsoft: New tools to block legacy authentication in your organization - Microsoft Tech
Community.
Devices / Servers
→ Secure and manage systems with up-to-date patching.
- For Azure: Manage updates and patches for your VMs in Azure Automation | Microsoft Docs
- To manage operating system updates for your non-Azure machines: Use Update
Management in Azure Automation to manage operating system updates for Azure Arc-
enabled servers - Cloud Adoption Framework | Microsoft Docs
- To get access to the extended security updates for SQL Server 2008/2012: Know your options
for SQL Server 2012 and Windows Server 2012 End of Support - Microsoft SQL Server Blog
→ Use antimalware and workload protection tools.
- For Microsoft Defender AV: Turn on Microsoft Defender Antivirus | Microsoft Docs
- For Microsoft Defender for Endpoint: Configure Microsoft Defender for Endpoint in
Microsoft Intune | Microsoft Docs
Monitoring / Incident Response
→ Prepare to reach out to your employees through alternative solutions (text messages, portals
etc.).
→ Increase monitoring of activities coming from/going to the area with increased threats.
→ Review all authentication activity for remote access infrastructure.

Disaster Recovery/Business Continuity
→ Prepare your databases for Disaster Recovery.
- Deploy a disaster recovery replica in Azure for your on-premises SQL Server: High availability,
disaster recovery, business continuity - SQL Server on Azure VMs | Microsoft Docs. If you
have Software Assurance, no additional cost occurs.
- Install free SQL Server IaaS Agent extension to automate backups and patching for your SQL
Server running in Azure: What is the SQL Server IaaS Agent extension? (Windows) - SQL
Server on Azure VMs | Microsoft Docs
→ Ensure the integrity and readiness of your backups and recovery site.
- For Azure Backup: Azure Backup Documentation - Azure Backup | Microsoft Docs
- For Azure Site Recovery: Azure Site Recovery documentation | Microsoft Docs
→ Be prepared to block all traffic to/from areas with increased threats.
- Use AAD CA to block by IPv4 or by country: Conditional Access - Block access by location -
Azure Active Directory | Microsoft Docs
- Apply these WAF geo-rules: Azure Web Application Firewall (WAF) Geomatch custom rules |
Microsoft Docs
- Block by geo in Microsoft Defender for Endpoint
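An added example (not the original document’s code) of the Conditional Access location block mentioned above: a country-based named location and a policy that blocks it, created in report-only mode so the impact can be reviewed in the sign-in logs before it is enforced. It assumes the Microsoft Graph PowerShell SDK; the country code "XX" and the emergency-access group id are placeholders.

```powershell
# Added example: block sign-ins from a named location via Conditional Access (report-only first).
# Assumes Microsoft Graph PowerShell SDK and Conditional Access administrator rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome

# Country-based named location. To block by IPv4 instead, use
# "#microsoft.graph.ipNamedLocation" with an ipRanges list of CIDR entries.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Areas of increased threat (example)"
    countriesAndRegions               = @("XX")    # placeholder ISO 3166-1 alpha-2 code
    includeUnknownCountriesAndRegions = $true      # also match sign-ins with no resolvable country
}

$policy = @{
    displayName   = "Block access from areas of increased threat"
    # Report-only: evaluated and logged, but not enforced. Change to "enabled" after review.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            # Keep the emergency access accounts (see Phase One) out of every block policy
            excludeGroups = @("<EMERGENCY-ACCESS-GROUP-ID>")   # placeholder
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

While the policy is in report-only mode, the sign-in logs show which users and applications would have been blocked, which is the data needed to decide when to switch the state to "enabled".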
→ Enable logging of key functions. Even if you do not monitor them immediately, you might need
them for forensic purposes later.
- For Azure: Azure security logging and auditing | Microsoft Docs

Phase Three
All the measures below are important and should be investigated and prioritized according to your
assessment. To stress this point again: the measures here are all good security practice and
basically not “optional”. Ideally, you have already implemented them over the last months...

User/Identities
→ Increase protection against phishing attacks and the like by protecting your incoming mails.
- For Defender for Office 365 start here: Microsoft Defender for Office 365 service description
- Service Descriptions | Microsoft Docs
→ Apply least privilege access and secure the most sensitive and privileged credentials, knowing
that this is not a simple task.
- For Azure Active Directory: Plan a Privileged Identity Management deployment - Azure AD |
Microsoft Docs
→ If possible, disable legacy authentication. Monitor at your authentication point first to
assess the impact; there is a chance (depending on the hygiene in your environment) that
blocking legacy authentication “only” disables non-business-critical applications.
- General: New tools to block legacy authentication in your organization - Microsoft Tech
Community
- For Azure Active Directory: Block legacy authentication - Azure Active Directory | Microsoft
Docs; For Exchange: Disabling Legacy Authentication in Exchange Server 2019 - Microsoft
Tech Community
→ Monitor for suspicious identity activity especially in areas of increased threats.
- For Active Directory: Microsoft Defender for Identity documentation | Microsoft Docs
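An added example, not from the original document, for the impact assessment recommended before blocking legacy authentication: summarise recent Azure AD sign-ins by client application so that the users and applications still relying on legacy protocols are visible. It assumes the Microsoft Graph PowerShell SDK and a tenant licensed for sign-in log access; the 14-day window is an assumption.

```powershell
# Added example: which users/apps still sign in with legacy authentication protocols?
# Assumes Microsoft Graph PowerShell SDK and an account with AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

# Look back 14 days (assumption); sign-in log retention depends on your licence
$since   = (Get-Date).ToUniversalTime().AddDays(-14).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Modern authentication shows up as these two client types; every other value
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...) is legacy.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$legacy = $signIns | Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modernClients) }

# One row per protocol/application/user with the number of attempts and failures
$legacy |
    Group-Object -Property ClientAppUsed, AppDisplayName, UserPrincipalName |
    ForEach-Object {
        $parts = $_.Name -split ', '
        [pscustomobject]@{
            Protocol    = $parts[0]
            Application = $parts[1]
            User        = $parts[2]
            SignIns     = $_.Count
            Failed      = ($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
        }
    } |
    Sort-Object SignIns -Descending |
    Format-Table -AutoSize
```

Rows with many successful sign-ins are the applications that must be migrated or explicitly excepted before the block; rows that are only failures are already-broken clients that the block will not affect further.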
Devices/Servers
→ Use endpoint/server-based technology to reduce the attack surface.
- For Defender for Endpoint: Understand and use attack surface reduction (ASR) | Microsoft
Docs
- In a general context: Demystifying attack surface reduction rules Part 1, Part 2, Part 3 and
Part 4.
→ Discover and remediate vulnerabilities to reduce threat exposure.
- Defender for servers (includes Defender for Endpoint) View findings from vulnerability
assessment solutions in Microsoft Defender for Cloud | Microsoft Docs
- Microsoft 365 Defender Security recommendations by threat and vulnerability management
| Microsoft Docs
→ Isolate legacy systems both externally and internally to protect against lateral
movement. You might want to leverage technologies like Network Access Control, IPsec
authentication and others.
→ Ensure that your inventory of physical and virtual assets is up to date.
- For Azure: GitHub - Azure Resource Inventory

Monitoring / Incident Response
→ Verify your cyber incident response plans are up to date and review, update, and practice your
playbooks.
- Incident response overview | Microsoft Docs
- Incident response playbooks | Microsoft Docs
→ Verify, update, and test your Business Continuity Plans to reflect a potentially changed threat
landscape.
→ Prepare your teams – conduct training and exercises, maybe even at short notice.
→ Check if anything can be automated to reduce the burden to the teams.
- For Microsoft Sentinel: Automate threat response with playbooks in Microsoft Sentinel |
Microsoft Docs
- For Microsoft 365 Defender: Automated investigation and response in Microsoft 365
Defender | Microsoft Docs
→ Enable logging of key functions and monitor these logs. You might consider taking a risk-based
approach to the alerts you get in case you get overwhelmed.
- For Azure: Azure security logging and auditing | Microsoft Docs
→ Review alerts you already get in your different portals – especially if you are using different
products from multiple vendors.
- For Defender for Cloud start here: Microsoft Defender for Cloud - an introduction |
Microsoft Docs
- To add on-premises and other cloud machines: Connect your non-Azure machines to
Microsoft Defender for Cloud | Microsoft Docs
- For Microsoft 365 Defender start here: Microsoft 365 Defender | Microsoft Docs
→ Review your ransomware protection plans.
- Microsoft has very clear guidance to prepare for these events including a detailed
downloadable plan with teams and technology – https://aka.ms/ransomware
- A guide to combatting human-operated ransomware: Part 1 - Microsoft Security Blog
- A guide to combatting human-operated ransomware: Part 2 - Microsoft Security Blog

Disaster Recovery/Business Continuity
→ Move a copy of the backup outside the area of increased threats depending on your regulatory
requirements – check with your in-house legal teams.
→ Prepare to securely destroy part of the remote infrastructure (e.g. through deletion of keys or
physical deletion of assets).
- For Windows: BitLocker (Windows 10) - Windows security | Microsoft Docs
- For Office 365: Get ready to destroy your customer managed keys: Encryption for Skype,
OneDrive, SharePoint, and Exchange - Microsoft Service Assurance | Microsoft Docs
→ Prepare the move of critical workloads to another region outside the areas with increased
threats.
- For Azure: Move Azure resources across regions - Azure Solution Ideas | Microsoft Docs
→ Prepare to lift and shift on-prem workloads in the areas with increased threats into the cloud
and – where necessary – outside the region.
- For Azure: Azure Migrate documentation | Microsoft Docs
- If you're already using Azure Site Recovery: Migrate on-premises machines with Azure
Migrate - Azure Site Recovery | Microsoft Docs
→ Ensure that you have set up (and tested) availability zones spreading to infrastructure outside
areas with increased threats.
- For Azure start here: Azure regions and availability zones | Microsoft Docs
→ Review and implement best practices to secure databases.
- For Microsoft: SQL Server security best practices - SQL Server | Microsoft Docs
→ Check if you can automate management and governance to reduce the burden to the teams:
- Start with inventory across on-premises and cloud: Govern your portfolio of hybrid and
multicloud workloads - Cloud Adoption Framework | Microsoft Docs
→ Establish a direct private connection from your on-premises network to your cloud provider.
- For Microsoft Azure and Microsoft 365: Azure ExpressRoute Overview: Connect over a
private connection | Microsoft Docs
→ Prepare to increase the DDoS protection of your infrastructure.
- For Azure start here: Azure DDoS Protection Standard documentation | Microsoft Docs
→ Understand and protect your data.
- For Microsoft: Introduction to Azure Purview - Azure Purview | Microsoft Docs and
Introduction to Azure Purview - Azure Purview | Microsoft Docs
IoT/OT
→ Check and implement baseline IoT security recommendations.
- For Azure IoT: Security recommendations for Azure IoT | Microsoft Docs
→ Increase the monitoring of your IoT/OT devices and especially look for outbound traffic to
known Command and Control servers.
- For Microsoft Sentinel and Microsoft Defender for IoT: Enabling IoT/OT Threat Monitoring in
Your SOC with Microsoft Sentinel
