Microsoft and McAfee headline newly-formed 'Ransomware Task Force'

A group of 19 security firms, tech companies, and non-profits, headlined by big names such as Microsoft and McAfee, announced on Monday plans to form a new coalition to deal with the rising threat of ransomware.

Named the Ransomware Task Force (RTF), the new group will focus on assessing existing technical solutions that provide protections during a ransomware attack.

The RTF will commission expert papers on the topic, engage stakeholders across industries, identify gaps in current solutions, and then work on a common roadmap to have issues addressed among all members.

The end result should be a standardized framework for dealing with ransomware attacks across verticals, one based on an industry consensus rather than individual advice received from lone contractors.

The 19 initial founding members reflect the RTF’s dedication to putting together a diverse team of experts:

  • Aspen Digital (policy maker group)
  • Citrix (networking equipment vendor)
  • The Cyber Threat Alliance (cybersecurity industry sharing group)
  • Cybereason (security firm)
  • The CyberPeace Institute (non-profit dedicated to help victims of cyberattacks)
  • The Cybersecurity Coalition (policy maker group)
  • The Global Cyber Alliance (non-profit dedicated to reducing cyber risk)
  • The Institute for Security and Technology (policy maker group)
  • McAfee (security firm)
  • Microsoft (security firm)
  • Rapid7 (security firm)
  • Resilience (cyberinsurance provider)
  • SecurityScorecard (compliance and risk management)
  • Shadowserver Foundation (non-profit security organization)
  • Stratigos Security (cybersecurity consulting)
  • Team Cymru (threat intelligence)
  • Third Way (think tank)
  • UT Austin Strauss Center (research group)
  • Venable LLP (law firm)

Currently, ransomware is neither the most widespread form of malware nor the type of cyber-attack that causes the largest financial losses to companies each year. That title goes to BEC scams, according to the FBI.

Nevertheless, ransomware is still a major threat and one that has been trending up, with ransom demands growing from quarter to quarter.

“This crime transcends sectors and requires bringing all affected stakeholders to the table to synthesize a clear framework of actionable solutions, which is why IST and our coalition of partners are launching this Task Force for a two-to-three month sprint,” the Institute for Security and Technology said on Monday.

The Ransomware Task Force website, including full membership details and leadership roles, will be launched next month, in January 2021, followed by a two-to-three month sprint to get the task force off the ground.

This article was written by Catalin Cimpanu and originally appeared in ZDNet.


That being said, if you do not want to go that route then you need one of the following workarounds:

Workaround one:

Use the App Password.

Microsoft has come up with an alternative solution to the “don’t allow ActiveSync” option.

Microsoft’s workaround is called an App Password. This is a special system-generated password that a user can create in their Azure AD Security portal and use with an application that only supports legacy authentication, such as our friend ActiveSync. This password is used instead of the user’s regular password and satisfies the MFA requirement.

While this method works, it tends to be a bit challenging as the process is not very intuitive.  For one, the password prompt dialog doesn’t specify that it is looking for the App Password so very often a user will continuously try their regular password until:

  • They lock their account
  • The lightbulb goes off and they realize it wants the App Password and, hopefully, they have it handy or know how to log in to the security portal and create a new one
  • They open a support case

Or even worse, since this password is not generated by the user and is a random string, it is more prone to being jotted down on a sticky note or saved in an insecure text file somewhere, which negates any positive security measures that are being put in place.

Workaround two:

Only require Azure MFA for applications that support modern authentication and bypass it for applications that don’t.

Typically when you are rolling out MFA, you would just enable it for a user in the MFA portal.  At that point, any access attempt made by that user for any application will require MFA (or an app password for legacy apps).  This is the standard deployment scenario.

The alternative approach is, rather than categorically requiring MFA for a user, to create a conditional access policy that requires MFA for the user on applications that support modern authentication (cloud apps). This essentially excludes apps that do not support modern authentication from requiring MFA.

This can be accomplished by:

  • Don’t enable MFA for the user in the MFA portal.
  • Create a conditional access policy with the following attributes:

    Assignments

    1. Include users in the scope of your test
    2. Include all cloud apps
    3. Include any location. Note that here is where you can exclude an IP whitelist created in the MFA portal by clicking on the exclude tab and selecting ‘MFA Trusted IPs’

    Access controls

    1. Grant access
       • Require multi-factor authentication

What this accomplishes is:

  • If an application identifies itself as supporting modern authentication… we will require MFA.
  • If an application does not identify itself as supporting modern authentication… we will not require MFA.

It should be noted again that this approach is less secure and would also allow other legacy clients such as older versions of Outlook (prior to 2016) to bypass MFA.

MDS recommends hardening your security posture by enforcing a managed application; however, if allowing ActiveSync without using an App Password is a requirement of your organization, then this is how you can accomplish it.
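To see how much sign-in traffic workaround two leaves outside MFA, the following added example (not part of the original article) summarizes, per user, the legacy clients that signed in with a single factor and counts failed legacy attempts. It assumes sign-in logs exported as one JSON object per line using the Microsoft Graph sign-in field names; the sample records, users and IP addresses are constructed.

```python
import json
from collections import defaultdict

# Client names the sign-in logs report for legacy (basic) authentication.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "MAPI Over HTTP", "Exchange Web Services", "Autodiscover",
    "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

# Constructed sample export (assumption: JSON Lines, one sign-in per line).
SAMPLE_LOG = """\
{"userPrincipalName":"alice@example.com","clientAppUsed":"Exchange ActiveSync","authenticationRequirement":"singleFactorAuthentication","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"userPrincipalName":"Alice@example.com","clientAppUsed":"Exchange ActiveSync","authenticationRequirement":"singleFactorAuthentication","ipAddress":"203.0.113.9","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","clientAppUsed":"Other clients","authenticationRequirement":"singleFactorAuthentication","ipAddress":"192.0.2.44","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","ipAddress":"192.0.2.200","status":{"errorCode":50126}}
{"userPrincipalName":"carol@example.com","clientAppUsed":"Mobile Apps and Desktop clients","authenticationRequirement":"multiFactorAuthentication","ipAddress":"192.0.2.10","status":{"errorCode":0}}
"""

def legacy_mfa_gaps(lines):
    """Summarize legacy-client sign-ins that were not subject to MFA."""
    gaps = defaultdict(lambda: {"clients": set(), "ips": set(), "failed": 0})
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("clientAppUsed") not in LEGACY_CLIENTS:
            continue  # modern-auth clients are covered by the policy
        user = rec["userPrincipalName"].lower()
        if rec.get("status", {}).get("errorCode", 0) != 0:
            gaps[user]["failed"] += 1  # failed legacy attempt, worth reviewing
            continue
        if rec.get("authenticationRequirement") == "singleFactorAuthentication":
            gaps[user]["clients"].add(rec["clientAppUsed"])
            gaps[user]["ips"].add(rec["ipAddress"])
    return {
        user: {"clients": sorted(g["clients"]), "ips": sorted(g["ips"]),
               "failed": g["failed"]}
        for user, g in sorted(gaps.items())
    }

if __name__ == "__main__":
    for user, g in legacy_mfa_gaps(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: clients={g['clients']} ips={g['ips']} "
              f"failed_legacy_attempts={g['failed']}")
```

Users that appear in this summary are the ones whose password alone is enough to sign in, so they are the first candidates for moving to a managed, modern-authentication client.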
