How CIS Can Help You Enact Defense-in-Depth in the Cloud

In a previous post, we introduced the concept of defense-in-depth as it relates to cloud security. You might be wondering what implementing a defense-in-depth strategy looks like in practice. In this blog post, we'll walk through a real-world attack scenario – a ransomware attack – and discuss specific CIS security best practices as well as resources and services from our Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS- and EI-ISACs) that you can use to take a defense-in-depth approach.

Stage 1: Initial Access

How It Advances a Ransomware Attack

Access key unlockedThis example ransomware attack begins with a cyber threat actor (CTA) sending a phishing link to a user. When clicked, this link redirects the user to a credential harvesting page. This page is designed to mimic legitimate services, such as a Microsoft 365 login page. CTAs often use multiple links to redirect the user to the final landing page. They do this to bypass various email gateways solely based on reputation checks or sandboxes. Additionally, CTAs often utilize legitimate domains to host additional links that lead to these credential harvesting domains. For example, they may leverage a compromised email account to host a file in a file sharing utility that hosts a link.

The credential harvesting page prompts the user to enter their credentials. When the user complies, the page sends their credentials to a server controlled by the CTA. At this point, depending on their objectives, the CTA sells these credentials or uses them to obtain further access into the environment. In the latter case, the CTA may sign into a public-facing virtual private network (VPN) portal using the now compromised credentials. In doing so, they're able to access internal resources where they can begin enumerating the environment through the now established VPN tunnel.

Table 1: Defense-in-Depth Against Initial Access Using CIS Resources

Security Measure or Tool Description
CIS Safeguard 4.9: Configure Trusted DNS Servers on Enterprise Assets You don’t want your enterprise assets to use DNS servers outside of the organization that you don’t trust, as this could advance the attack chain and/or expose you to additional cyber threats.
CIS Safeguard 9.2: Use DNS Filtering Services Block access to known malicious domains.
CIS Safeguard 9.3: Maintain and Enforce Network-Based URL Filters Use blocklists and other filters to prevent an enterprise asset from connecting to known malicious domains or unapproved websites.
CIS Safeguard 9.6: Block Unnecessary File Types Block certain file types from entering your organization’s email gateway, preventing the malicious email from reaching an employee’s inbox.
CIS Safeguard 9.7: Deploy and Maintain Email Server Anti-Malware Protections Attachment scanning, sandboxing, and other protections can help to flag potentially malicious emails.
CIS Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks Help to raise your employees’ familiarity with email-based attacks.
CIS Safeguard 14.6: Train Workforce Members on Recognizing and Reporting Security Incidents Employees will know what to do if they open a suspicious email and click on an attachment/link.
Malicious Code Analysis Platform (MCAP) MCAP is a web-based service that enables members of the MS- and EI-ISACsto submit suspicious files, including executables, DLLs, documents, quarantine files, and archives, for analysis in a controlled and non-public fashion.
Malicious Domain Blocking and Reporting (MDBR)

MDBR prevents IT systems from connecting to harmful web domains. It helps to limit infections related to known malware, ransomware, phishing, and other cyber threats for members of the MS- and EI-ISACs.


Stage 2: Execution

How It Advances a Ransomware Attack

ExecutionOnce a CTA gains access to the environment, they can begin executing additional malware that maintains persistence. They can do this by executing over PowerShell or Scheduled Tasks, for example. A CTA then executes malicious PowerShell to download the next stage of the attack.

Alternatively, CTAs can attempt to maintain persistence via services. For example, they can create a service that will run once the system boots, similar to a scheduled task. They can install additional tools as a service, including SplashTop, Atera, AnyDesk, TeamViewer, and others. These are known as Remote Management and Monitoring (RMM) software.

Defense-in-Depth Against Execution Using CIS Resources

Security Measure or Tool Description
CIS Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution A Host-Based Intrusion Detection Solution will help enterprises learn when a potential threat is looming on an endpoint or server.
CIS Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution Alternatively, a Host-Based Intrusion Prevention Solution will not only detect a potential threat but will also prevent the threat from occurring.
CIS Safeguard 10.7: Use Behavior-Based Anti-Malware Software Not all malware is based on known hash values or signatures. Signature-based anti-malware software will only detect what is known, whereas behavior-based anti-malware software will detect malicious executables based on patterns and behaviors.
CIS Endpoint Security Services (ESS) CIS ESS is a cost-effective solution deployed on endpoint devices to identify, detect, respond to, and remediate security incidents and alerts.


Stage 3: Persistence, Defense Evasion, and Collection

How They Advance a Ransomware Attack

Persistence collectionOnce persistence is established, CTAs may attempt to disable defenses or perform evasion so that they can tamper with existing and present endpoint protection tools, such as Endpoint Detection and Response (EDR) or anti-malware software. At that point, they can create exclusions within these tools or utilize scripts and other techniques to entirely disable the tools themselves.

With endpoint tools disabled or tampered with, CTAs can attempt to run additional tools and perform various techniques with the goal of evading detection. For example, they may attempt to perform credential harvesting. This is commonly done by interacting with LSASS (the service that handles authentication within Windows). Cyber threat actors may attempt to “dump” LSASS by using tools (using Mimikatz, as an example) or natively within Windows (using the Task Manager or Comsvcs). Doing so can allow them to then extract this file, exfiltrate it out of the enterprise’s network, and attempt to crack hashes offline. Due to these being cracked offline, the user would not receive failed password attempts, and the lockout policy would not apply. Additionally, for a more large-scale attempt at credential harvesting, CTAs can dump the NTDS.dit database file, which stores hashes for every user within Active Directory.

Defense-in-Depth Against Persistence, Defense Evasion, and Collection with CIS Resources

Security Measure or Tool Description
CIS Safeguard 4.1: Establish and Maintain a Secure Configuration Process Secure configurations are a linchpin Safeguard that can help defend against a wide array of cyber attacks, as stated in our CIS Community Defense Model v2.0.


Stage 4: Discovery and Lateral Movement

How They Advance a Ransomware Attack

Discovery lateral movementAfter having disabled security tools and evaded detection, CTAs may attempt to further enumerate the environment. This is often done by utilizing dedicated tools such as “ADFind,” Advanced IP Scanner, port scanners, etc. CTAs may also attempt to use Living off the Land (LotL) techniques, such as Net commands, nltest, arp, etc., to enumerate the environment

The cyber threat actors, now having a good understanding of the environment, can then attempt to laterally move around the environment. They commonly do this with Remote Desktop Protocol (RDP) to connect to various systems throughout the environment or with Server Message Block (SMB) to connect through file shares.

Defense-in-Depth Against Lateral Movement and Discovery with CIS Resources

Security Measure or Tool Description
CIS Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts Privileged accounts are a treasure trove for threat actors. Locking down administrator privileges with dedicated administrator accounts will help to reduce the chance of a threat actor to further enumerate an environment.
CIS Safeguard 6.3: Require MFA for Externally-Exposed Applications Multi-factor authentication (MFA) is used during authentication that requires the user to not only provide their credentials but also something they know, have, or are – e.g., a fingerprint or PIN number. This type of authentication can prevent threat actors from gaining unauthorized access if they have compromised credentials.
CIS Safeguard 13.3: Deploy a Network Intrusion Detection Solution A Network Intrusion Detection Solution will help identify potential threats that have branched out to the network.
CIS Safeguard 13.8: Deploy a Network Intrusion Prevention Solution Similar to Safeguard 13.3, a Network Intrusion Prevention Solution will stop a threat from occurring.
Albert Network Monitoring and Management CISoffers network security monitoring services throughAlbert, an NIDS that's specifically designed to generate alerts on threats that matter to SLTTs.


Stage 5: Exfiltration and Impact

How They Advance a Ransomware Attack

Exfiltration impactOnce they've enumerated the environment so that they understand where critical systems and data are, CTAs may attempt to exfiltrate this data utilizing archiving software, such as WinRAR, and uploading these to file sharing sites, such as Mega or Anonfiles.

The impact can likely be ransomware and double, or even triple, extortion. This includes encrypted data, exfiltrated data, and potential distributed denial-of-service (DDoS) attacks. Additionally, the threat actor will target backup servers to prevent restoral efforts as well as virtualized environments, such as VMware ESXi.

Defense-in-Depth Against Exfiltration and Impact with CIS Resources

Security Measure or Tool Description
CIS Safeguard 11.2: Perform Automated Backups If all other controls fail, backups will be your lifeboat.
CIS Safeguard 11.3: Protect Recovery Data In addition to having backups, it's important to ensure that they are protected. This means encrypting your backups (not to be confused with a cyber threat actor encrypting your backups).
CIS Safeguard 11.4: Establish and Maintain an Isolated Instance of Recovery Data Another layer of data recovery is making sure that threat actors cannot access your data. This means isolating your recovery data from the rest of the network so that they are still accessible and able to be used to recover from an incident.
CIS Safeguard 11.5: Test Data Recovery A backup that is tested is one that can be relied upon. Testing your backups ensures that when disaster strikes, your enterprise is able to recover successfully from an incident if backups are needed.


Where to Take Your Defense-in-Depth Strategy from Here

As demonstrated above, defense-in-depth can strengthen your security posture against ransomware and other cyber threats. The key is to lay out those defenses so that one naturally leads into another along the attack chain. At first glance, you might not know where to start. Fortunately, our CIS security best practices remove the guesswork from implementing defense-in-depth. In particular, the CIS Controls give you actionable steps by which you can protect your organization at each of the steps identified above. If you're an SLTT, joining the MS- and/or EI-ISAC can help you gain access to tools that you can incorporate into your defense-in-depth posture – all at no cost to you.

Did you know that CIS security best practices can also help you fulfill your compliance requirements? Check out our video below to learn more.



Between the CIS Controls and MS- and EI-ISAC services, you have everything you need to implement defense-in-depth to protect yourself against a ransomware attack. Ready to start enacting defense-in-depth in your enterprise?


About the Author

Valecia Stocchetti
Information Security Audit Manager

Headshot of Valecia StocchettiValecia Stocchetti is the Information Security Audit Manager at the Center for Internet Security, Inc. (CIS®), where she evaluates and manages the control implementation within CIS and measures compliance to internal standards and best practices. Previously, she was a Sr. Cybersecurity Engineer on the CIS Controls team, where she worked with various attack models and other datasets, including MITRE ATT&CK, to help validate and prioritize the CIS Controls. There, she led and contributed to multiple projects, including the CIS Community Defense Model (CDM), the CIS Cost of Cyber Defense: IG1, and Blueprint for Ransomware Defense. Stocchetti also led the Computer Incident Response Team (CIRT) at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS- and EI-ISACs), spearheading multiple forensic investigations and incident response engagements for the MS- and EI-ISAC’s U.S. State, Local, Tribal, and Territorial (SLTT) community.

Stocchetti came to CIS from the eCommerce field, where she worked complex financial fraud cases. She holds multiple certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC). Stocchetti earned her Bachelor of Science degree in Digital Forensics from the University at Albany, State University of New York. She is currently pursuing a master’s degree in information security at Champlain College.