Ransomware Prevention Defense Goal Report

Applies To: ThreatSync+ NDR

This feature is only available to participants in the ThreatSync+ NDR Beta program.

The ThreatSync+ NDR Ransomware Prevention Defense Goal Report is based on recommendations from the Cybersecurity and Infrastructure Security Agency (CISA) guidelines on ransomware prevention. CISA, through the expertise of the global cybersecurity community, has identified the types of controls that can indicate potential ransomware. For more information about CISA, go to Cybersecurity and Infrastructure Security Agency.

ThreatSync+ NDR is uniquely positioned to monitor and generate alerts on these important vulnerabilities and threat indicators. The Ransomware Prevention Defense Goal Report presents a summary of the controls ThreatSync+ NDR monitors to help you prevent the spread of ransomware. Each control is based on a ThreatSync+ NDR policy.

The Ransomware Prevention Defense Goal Report provides you with a network defense overview and shows whether you are in compliance with the objectives and controls for a specified time period. You can generate this report for a time period of up to six months.

Screenshot of the first page of the Ransomware Prevention Defense Goal Report

Network Defense Overview

The Network Defense Overview section provides a snapshot of your overall network defense. You can view your threat score, threat score history, and how many objectives and controls are compliant or not compliant.

The Ransomware Prevention threat score represents your potential exposure to ransomware in your network. This threat score is an aggregation of the threat scores for each of the controls presented in the report. The Ransomware Prevention defense goal is a collection of defense objectives, each organized around a specific prevention area. Each defense objective consists of a set of controls that we recommend you enable and monitor to help prevent ransomware attacks.

Screenshot of the Network Defense Overview section of the Ransomware Prevention Defense Goal Report

Threat Score

The overall threat score shows the highest value recorded in the report period.

Threat Score History

The Threat Score History chart shows the defense goal threat score for each day in the report period.

Objectives and Controls

The objective and control summary charts show the proportion of objectives and controls that are compliant, violated, or that have insufficient data to evaluate.

Top Network Threats

The Top Network Threats section lists the three highest-risk controls covered in the report. This section shows your top threats with control details, remediation suggestions, alert history, and whether your network is compliant.

Screenshot of the Top Network Threats section of the Ransomware Prevention Defense Goal Report

To view more information about a specific control, click the control name to go to the Objective and Control Detail sections.

Objective and Control Details

The Objective and Control Detail sections show additional detail for each defense objective included in the report. Each section includes the name of a defense objective, its compliance status, and the controls configured to be included in the objective.

Screenshot of the objective and control details for Unsecured Inbound FTP/TFTP Traffic

For each control listed, you can see the purpose of the control, the threat score associated with violations of the control, a short remediation recommendation, and a chart with an alert history count.

Control Violation Detail and Remediation

For controls that were violated in the report period, the report provides a detailed description of the control and remediation recommendations.

Screenshot of an example of a Control Violation Detail and Remediation section

Ransomware Prevention Defense Goal Report Controls

This section explains the intended use of the policies in the Ransomware Prevention Defense Goal Report and includes suggestions on how to modify zones to make sure you only receive alerts for genuine, actionable activity. For more information on how to create custom zones to configure your controls, go to Manage ThreatSync+ NDR Zones.

For information about how to configure objectives and network defense controls, go to Manage Network Defense Goals.

To learn more about the objectives and controls in the Ransomware Prevention Defense Goal Report, go to these sections:

Abusive, Suspicious, or Malicious Site Access

The controls in this objective detect activity to sites identified as abusive, suspicious, or malicious.

Activity from Blocked Countries

This control generates alerts for traffic that enters your network from countries in the Prohibited Countries zone. To lower your exposure to ransomware and other network attacks, if you do not have a business use case that requires communication with a specific country, you might choose to configure your firewall to block traffic from that country. To generate alerts for this traffic, edit the Prohibited Countries zone to match the list of countries that you configure your firewall to block.

Activity to Blocked Countries

This control generates alerts for traffic from your network to countries in the Prohibited Countries zone. To lower your exposure to ransomware and other network attacks, if you do not have a business use case that requires communication with a specific country, you might choose to configure your firewall to block traffic to that country. To generate alerts for this traffic, edit the Prohibited Countries zone to match the list of countries that you configure your firewall to block.

Activity on Unsecured Ports

This objective contains controls for several well-known ports associated with protocols commonly used in attacks. There are valid business use cases for each of these protocols, so ThreatSync+ NDR provides several different controls. For each of these protocols, you can configure ThreatSync+ NDR to generate alerts for inbound, internal, and outbound traffic. To avoid a large number of alerts, we recommend that you configure zones that contain only the assets you expect not to use these protocols.

Unsecured Internal FTP/TFTP Traffic

This control generates alerts for File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) traffic flows between assets inside your network. FTP and TFTP are not secure file transfer protocols, and attackers use them to connect to and exfiltrate files. FTP and TFTP can also be used to load scripted attacks.

Unsecured Inbound Web Server Activity

This control generates alerts for traffic flows from the Internet that communicate with assets in your network through port 80. There are several known attacks that target web servers on port 80. Because HTTP and other web traffic is such a critical service, attackers know that port 80 is likely to be open. We recommend that you create a zone for the assets in your network that you expect to have two-way web traffic with the Internet and apply this control to the rest of your network.

Unsecured Inbound TCP Traffic

This control generates alerts for TCP flows that originate on the Internet destined for assets in your network. Several known attacks use web traffic. Because TCP and other common protocols have many legitimate uses, attackers know associated ports are likely to be open. We recommend you create a zone for the assets in your network that you expect to have two-way web traffic with the Internet and apply this control to the rest of your network.

Unsecured Internal IRC Traffic

This control generates alerts for IRC traffic within your network. IRC is a plain text protocol, so anyone can read the contents of the packets. This can be used for asset discovery. Botnets often use IRC because it supports broadcast communication. It is unlikely that IRC has a valid business use case in your network, and we recommend you close the ports that it runs on (ports 194 and 6667).

Unsecured Inbound UDP Traffic

This control generates alerts for UDP flows that originate on the Internet destined for assets in your network. A wide variety of known attacks use web traffic. Because UDP and other common protocols have many legitimate uses, attackers know associated ports are likely to be open. We recommend you create a zone for the assets in your network that you expect to have two-way web traffic with the Internet and apply this control to the rest of your network.

Unsecured Internal Telnet Traffic

This control generates alerts for Telnet traffic between assets within your network. Telnet is less secure than SSH, and with Telnet access, there are many ways to escalate an attack. This is a sensitive control, and if you receive too many alerts, consider changes to the zones where this policy is applied to more accurately reflect the devices you expect to use Telnet.

Unsecured Outbound FTP/TFTP Traffic

This control generates alerts for FTP and TFTP flows that originate from a device in your network destined for the Internet. FTP and TFTP are not secure file transfer protocols, and attackers use them to connect to and exfiltrate files. FTP and TFTP can also be used to load scripted attacks.

Unsecured Internal SNMP Traffic

This control generates alerts for SNMP traffic between assets in your network. It is a plain text protocol used for network asset management and discovery. It was designed before the Internet was widespread, and provides an opportunity for hackers to obtain information about your network and the assets it contains. If you use SNMP within your network, you can create a zone for assets you expect to communicate with the Internet and apply this control to the rest of your network.

Unsecured Inbound FTP/TFTP Traffic

This control generates alerts for FTP and TFTP flows between a device on the Internet and an asset within your network. FTP and TFTP are not secure file transfer protocols, and attackers use them to connect to and exfiltrate files. FTP and TFTP can also be used to load scripted attacks.

Unsecured Outbound Telnet Traffic

This control generates alerts for Telnet traffic from devices within your network to the Internet. Telnet is less secure than SSH, and with Telnet access, there are many ways to escalate an attack. External access through remote administration protocol is very rarely a legitimate use case, and we recommend you disable Telnet on resources that do not require it. If you have legitimate external administration activity, only allow it through a VPN or similar secure channel. This enables you to block all incoming activity on these ports (3389 and 22) at your firewall and make sure that this type of access is not allowed.

Unsecured Inbound IRC Traffic

This control generates alerts for IRC traffic from an address on the Internet to an asset in your network. IRC is a plain text protocol, so anyone can read the contents of the packets. This can be used for asset discovery. Botnets often use IRC because it supports broadcast communication. It is unlikely that IRC has a valid business use case in your network, and we suggest you close the ports that it runs on (ports 194 and 6667).

Unsecured Inbound Telnet Traffic

This control generates alerts for Telnet traffic from devices on the Internet to assets within your network. Telnet is less secure than SSH, and with Telnet access, there are many ways to escalate an attack. External access through remote administration protocol is very rarely a legitimate use case, and we recommend you disable Telnet on resources that do not require it. If you have legitimate external administration activity, only allow it through a VPN or similar secure channel. This enables you to block all incoming activity on these ports (3389 and 22) at your firewall and make sure that this type of access is never allowed.

Unsecured Outbound IRC Traffic

This control generates alerts for IRC traffic from an address in your network to the Internet. IRC is a plain text protocol, so anyone can read the contents of the packets. This can be used for asset discovery. Botnets often use IRC because it supports broadcast communication. It is unlikely that IRC has a valid business use case in your network, and we suggest you close the ports that it runs on (ports 194 and 6667).

Unsecured Outbound Simple Network Management Protocol (SNMP) Traffic

This control generates alerts on Simple Network Management Protocol (SNMP) traffic destined for the public Internet from assets in your network. SNMP is a plain text protocol used for network asset management and discovery. It was designed before the public Internet was widespread, and offers an opportunity for hackers to obtain information about your network and the assets it contains. We recommend that you close UDP ports 161 and 162, and any other ports configured to run SNMP in your network, on your firewall to make sure that attackers cannot use SNMP to get a foothold in your network.

Unsecured Inbound SNMP Traffic

This control generates alerts on Simple Network Management Protocol (SNMP) traffic from the public Internet destined for assets in your network. SNMP is a plain text protocol used for network asset management and discovery. It was designed before the public Internet was widespread, and offers a perfect opportunity for hackers to obtain information about your network and the assets it contains. We recommend that you close UDP ports 161 and 162, and any other ports configured to run SNMP in your network, on your firewall to make sure that attackers cannot use SNMP to get a foothold in your network.

Unsecured Internal Web Server Activity

This control generates alerts on traffic flows between assets within your network on port 80. A wide variety of known attacks target web servers on port 80. Because HTTP and other web traffic is critical, attackers know that port 80 is likely to be open. We recommend that you create a zone for the assets in your network that you expect to have two-way web traffic with the external Internet and apply this control to the rest of your network.

Command and Control Detection

Command and control is the phase of an attack in which an agent or a script establishes a connection with an attacker's server to get further instructions. The controls in this section highlight activity patterns that are commonly associated with command and control.

Anomalous Activity to Blocked Countries

This control generates alerts for an unusual volume of traffic from your network to a country in the Prohibited Countries zone. To lower your exposure to ransomware and other network attacks, if you do not have a business use case that requires communication with a specific country, you might choose to configure your firewall to block traffic to that country. To generate alerts for this traffic, edit the Prohibited Countries zone to match the list of countries that you configure your firewall to block.

Beaconing Through Web API

Attackers often use social media and consumer file sharing services, such as Dropbox, to host command and control scripts and store exfiltrated data. Setting up dummy accounts on well-known and trusted sites to serve command and control instructions shields attackers from being added to a blocklist. To determine whether a compromised asset is running a script that periodically checks a consumer website for command and control updates, ThreatSync+ NDR baselines the social media and file sharing activity on your network and generates alerts for new and unusual activity.

Unauthorized Outbound SSH

This control generates alerts for any SSH session from your network destined for an external device. An SSH session destined to an external IP address can indicate that an internal resource is compromised and reaching out to the public IP address of an attacker to receive further instructions. You can add exceptions to this control for assets you expect to have SSH traffic with external resources.

Unexpected DNS Resolution Server

This control generates alerts for traffic flows with a new DNS server. Attackers can insert a few bytes of payload into a DNS request, and use it to send command and control instructions or for data exfiltration. Connections with a new DNS resolution server can indicate that your DNS requests were redirected to communicate with the computer of an attacker.

Suspected Data Exfiltration through DNS

This control generates alerts for an unusual volume of DNS traffic. Attackers can insert a few bytes of payload into a DNS request, and use it to send command and control instructions or for data exfiltration. A spike in DNS traffic can indicate that a compromised account or asset is communicating with a threat actor outside your network.
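The two DNS controls above rest on a baseline: a resolver is "new" if it was not seen during the baseline window, and a volume is "unusual" if it exceeds what that window predicts. The following is an added example, not ThreatSync+ NDR code, and it assumes a median-plus-MAD threshold (factor 3) over a seven-day window; the product's actual baselining method is not described on this page, and the per-day byte totals and resolver sets are constructed sample data.

```python
from statistics import median

# Assumption: a day is "unusual" when its DNS volume exceeds median + 3 * MAD of
# the preceding baseline window. This is our choice, not the product's algorithm.
SPIKE_FACTOR = 3.0
BASELINE_DAYS = 7

def mad(values, centre):
    """Median absolute deviation around a given centre."""
    return median(abs(v - centre) for v in values)

def dns_volume_alerts(daily_bytes, baseline_days=BASELINE_DAYS):
    """Return (day_index, volume, threshold) for days whose DNS volume is unusual
    relative to the preceding baseline window (Suspected Data Exfiltration through DNS)."""
    alerts = []
    for i in range(baseline_days, len(daily_bytes)):
        window = daily_bytes[i - baseline_days:i]
        centre = median(window)
        # A perfectly flat baseline has MAD 0; fall back to 10% of the median so a
        # spike is still measurable rather than every deviation alerting.
        spread = mad(window, centre) or centre * 0.1
        threshold = centre + SPIKE_FACTOR * spread
        if daily_bytes[i] > threshold:
            alerts.append((i, daily_bytes[i], threshold))
    return alerts

def new_resolver_alerts(resolvers_by_day, baseline_days=BASELINE_DAYS):
    """Return (day_index, resolver) for DNS servers not seen during the baseline
    window (Unexpected DNS Resolution Server)."""
    alerts = []
    for i in range(baseline_days, len(resolvers_by_day)):
        known = set().union(*resolvers_by_day[i - baseline_days:i])
        for resolver in sorted(resolvers_by_day[i] - known):
            alerts.append((i, resolver))
    return alerts

# Constructed sample data: ten days of DNS volume (MB) and the resolvers each day.
# Day 8 carries a 6x spike and a resolver on the Internet that was never seen before.
DAILY_DNS_MB = [100, 110, 90, 100, 120, 100, 110, 105, 600, 100]
RESOLVERS_BY_DAY = [
    {"10.0.0.53"}, {"10.0.0.53"}, {"10.0.0.53"}, {"10.0.0.53", "10.0.0.54"},
    {"10.0.0.53"}, {"10.0.0.53"}, {"10.0.0.53"}, {"10.0.0.53"},
    {"10.0.0.53", "198.51.100.25"}, {"10.0.0.53"},
]

if __name__ == "__main__":
    for day, volume, threshold in dns_volume_alerts(DAILY_DNS_MB):
        print(f"day {day}: {volume} MB of DNS traffic, baseline threshold {threshold:.0f} MB")
    for day, resolver in new_resolver_alerts(RESOLVERS_BY_DAY):
        print(f"day {day}: flows to previously unseen DNS server {resolver}")
```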

Disruption in Scheduled Backups

An important part of a ransomware attack involves the deletion and disruption of backups. If you have a valid, up-to-date backup, there is no reason for you to pay an attacker to decrypt valuable files.

External Backup Server Disruption

This control generates alerts when periodic backup processes to an external resource stop or are disrupted.

Internal Backup Server Disruption

This control generates alerts when periodic backup processes to an internal resource stop or are disrupted.

SMB Leakage

This objective detects outbound SMB traffic. SMB is a vulnerable file-sharing protocol often used in attacks.

Outbound SMB Traffic

This control detects outbound SMB traffic. SMB is a vulnerable file-sharing protocol often used in attacks. In 2017, a flaw in SMBv1 that allowed an attacker to execute code on a remote machine was used as part of a ransomware attack that affected almost 200,000 Windows devices worldwide. CISA recommends that you disable SMBv1 and block all versions of SMB at the network boundary. ThreatSync+ NDR helps you enforce this recommendation by generating alerts for outbound SMB traffic.

Outbound NetBIOS Traffic

This control generates alerts for NetBIOS traffic between assets in your network and the Internet. Because SMB relies on NetBIOS to communicate with devices that do not support direct hosting of SMB, this control can indicate external SMB traffic.

Unauthorized Remote Access

The controls in this objective identify communication outside your network that uses commonly exploited remote administration protocols such as Remote Desktop Protocol (RDP) and Secure Shell (SSH), as well as connections initiated by new external domains.

Connection from New External Domain to Internal

This control generates alerts for two-way communication initiated by a new device on the Internet. To avoid too many alerts, if you expect an asset to send resources to the Internet, you can add it to an exception zone.

RDP Connection from New External Host

This control generates alerts for two-way RDP communication initiated by a new external host. RDP is an administrative protocol. Earlier versions of the protocol are not secure, and it is a very common entry point for attackers. Remote administration protocols can give attackers access to resources on your network, and can be easily used to move laterally or gain administrative privileges. External access through remote administration protocol is rarely a legitimate use case, and we recommend you disable RDP on resources that do not require it. If you have legitimate external administration activity, only allow it through a VPN or similar secure channel. This enables you to block all incoming activity on these ports (3389 and 22) at your firewall to make sure that this type of access is never allowed.

SSH Attempts from External to Internal

This control generates alerts when an external device tries to connect to an asset in your network that uses SSH. Remote administration protocols can give attackers access to resources on your network, and can be easily used to move laterally or gain administrative privileges. External access through remote administration protocol is rarely a legitimate use case, and we recommend you disable SSH on resources that do not require it. If you have legitimate external administration activity, only allow it through a VPN or similar secure channel. This enables you to block all incoming activity on these ports (3389 and 22) at your firewall and make sure that this type of access is never allowed.

RDP Attempts from External to Internal

This control generates alerts when an external device tries to use RDP to connect to an asset in your network. RDP is an administrative protocol. Earlier versions of this protocol are not secure, and it is a very common entry point for attackers. Remote administration protocols can give attackers access to resources on your network, and can be easily used to move laterally or gain administrative privileges. External access through remote administration protocol is rarely a legitimate use case, and we recommend you disable RDP on resources that do not require it. If you have legitimate external administration activity, only allow it through a VPN or similar secure channel. This enables you to block all incoming activity on these ports (3389 and 22) at your firewall and make sure that this type of access is never allowed.

Unnecessary or Unexpected Port Activity

This objective generates alerts for traffic that uses ports associated with risky or vulnerable protocols, as well as traffic initiated from outside your network.

Traffic on High Ports Crossing Network Boundary

This control generates alerts for traffic on high ports between an asset inside your network and an asset on the Internet. Because many peer-to-peer protocols use random high UDP ports for data transfer, traffic on high ports can indicate peer-to-peer activity. Because peer-to-peer protocols are high-trust file sharing protocols, they can easily be used to transfer ransomware or exfiltrate critical files. ThreatSync+ NDR provides policies that flag traffic on high ports within your network as well as traffic that crosses network boundaries. The default cutoff for high ports is 32768.

Many video conferencing and voice protocols also use this high-port-to-high-port model. If you want to use this policy to find unauthorized peer-to-peer file transfers, such as BitTorrent activity, you can define zone exclusions for the voice and video services that are authorized in your environment.

Unexpected Inbound Connection

ThreatSync+ NDR flags any unexpected connection that is initiated outside your network. If traffic is initiated by an outside actor, it might be an attempt by an attacker to gain access to resources on your network. Almost all legitimate north-south traffic is initiated by users within your network. This is a sensitive control and is best used on high-value assets. If you have resources that you expect to respond to external connection requests, you can create exceptions to this policy.

NetBIOS North-South Traffic Crossing Network Boundary

This control generates alerts for NetBIOS-NS traffic between a device inside your network and a device on the Internet. NetBIOS is a local area network name resolution protocol that was designed with strong trust assumptions in the early stages of the Internet when DNS queries were more difficult. It is a protocol that enables you to ask your neighbor for the IP address of a resource rather than looking it up through DNS. CISA identifies NetBIOS as a possible amplification attack vector. It can also be used in man-in-the-middle attacks to harvest credentials of a user. Because DNS queries have become much faster in the past 40 years, it is usually not necessary to keep NetBIOS-NS enabled. To learn how to disable NetBIOS on Windows computers, go to the Microsoft documentation.

Link-Local Multicast Name Resolution (LLMNR) Traffic Crossing Network Boundary

This control generates alerts for LLMNR traffic between a device inside your network and a device on the Internet. LLMNR is a local area network name resolution protocol that was designed with strong trust assumptions in the early stages of the Internet when DNS queries were more difficult. It can be used in man-in-the-middle attacks and asset discovery. Because DNS queries have become much faster in the last 40 years, it is not necessary to keep the ports these protocols run on open.

Internal NetBIOS-NS Traffic

This control generates alerts for NetBIOS-NS traffic between devices that are both inside your network. NetBIOS is a local area network name resolution protocol that was designed with strong trust assumptions in the early stages of the Internet when DNS queries were more difficult. It is a protocol that enables you to ask your neighbor for the IP address of a resource rather than looking it up through DNS. CISA identifies NetBIOS as a possible amplification attack vector. It can also be used in man-in-the-middle attacks to harvest the credentials of a user. Because DNS queries have become much faster in the last 40 years, it is usually not necessary to keep NetBIOS-NS enabled. To learn how to disable NetBIOS on Windows computers, go to the Microsoft documentation.

Internal Traffic on High Ports

This control generates alerts for traffic on high ports between a device inside your network and a device on the Internet. Because many peer-to-peer protocols use random high UDP ports for data transfer, traffic on high ports indicates peer-to-peer activity. Because peer-to-peer protocols are high-trust file-sharing protocols, they can easily be used to transfer ransomware or exfiltrate critical files. ThreatSync+ NDR provides policies that flag traffic on high ports within your network as well as traffic that crosses network boundaries. The default cutoff for high ports is 32768.

Internal LLMNR Traffic

This control generates alerts for LLMNR traffic between assets inside your network. LLMNR is a local area network name resolution protocol that was designed with strong trust assumptions in the early stages of the Internet when DNS queries were more difficult. It can be used in man-in-the-middle attacks and asset discovery. Because DNS queries have become much faster in the last 40 years, it is not necessary to keep the ports these protocols run on open.

Unusual Active Directory Activity

Unusual Active Directory (AD) activity can involve critical changes such as creation, deletion, permission, and other changes made to your users, groups, organizational units, or devices.

Active Directory to External

Your Active Directory server is the gateway to your network. If an attacker compromises your Active Directory server, they can get access to any resource that Active Directory controls. This control generates alerts when there is communication between Active Directory and an external actor on any port other than:

  • 53 — Used for DNS
  • 80 — Used for HTTP
  • 123 — Used for NTP
  • 443 — Used for HTTPS
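Several of the controls described above (the Activity on Unsecured Ports objective, Traffic on High Ports Crossing Network Boundary with its zone exclusions, and Active Directory to External with its short list of permitted ports) reduce to rules over a flow's endpoints, direction relative to your zones, and destination port. The following is an added example, not ThreatSync+ NDR code, that evaluates those rules against constructed flow records. It assumes zones are plain CIDR lists, that the zone names Web Servers, Voice/Video and Active Directory are hypothetical custom zones, and that FTP, TFTP and Telnet use their standard ports (21, 69 and 23), which the page does not state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Values taken from the report text.
HIGH_PORT_CUTOFF = 32768                        # default cutoff for "high ports"
AD_ALLOWED_EXTERNAL_PORTS = {53, 80, 123, 443}  # DNS, HTTP, NTP, HTTPS

# Ports for the unsecured-port controls. IRC (194, 6667), SNMP (161, 162) and
# HTTP (80) are given on the page; FTP 21, TFTP 69 and Telnet 23 are the standard
# assignments and are an assumption here.
UNSECURED_PORTS = {
    21: "FTP/TFTP", 69: "FTP/TFTP", 23: "Telnet",
    194: "IRC", 6667: "IRC", 161: "SNMP", 162: "SNMP", 80: "Web Server",
}

# Constructed zones with hypothetical addresses (private range inside, TEST-NET outside).
INTERNAL = [ip_network("10.0.0.0/8")]
WEB_SERVERS = [ip_network("10.0.1.0/24")]       # assets expected to serve the Internet
VOICE_VIDEO = [ip_network("10.0.9.0/24")]       # authorised high-port-to-high-port peers
ACTIVE_DIRECTORY = [ip_network("10.0.2.5/32")]  # the AD server

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

def in_zone(addr, zone):
    a = ip_address(addr)
    return any(a in net for net in zone)

def direction(flow):
    """Classify a flow relative to the Internal zone: inbound, outbound, internal,
    or external when neither endpoint is ours (no control applies)."""
    s, d = in_zone(flow.src, INTERNAL), in_zone(flow.dst, INTERNAL)
    if s and d:
        return "internal"
    if d:
        return "inbound"
    if s:
        return "outbound"
    return "external"

def evaluate(flow):
    """Return the names of the controls a single flow violates."""
    hits = []
    dirn = direction(flow)
    if dirn == "external":
        return hits
    label = dirn.capitalize()

    # Activity on Unsecured Ports: one control per protocol and direction. The
    # web-server control exists only for inbound and internal traffic, and the
    # inbound one is suppressed for the zone of assets expected to serve the web.
    svc = UNSECURED_PORTS.get(flow.dport)
    if svc == "Web Server":
        if dirn == "internal" or (dirn == "inbound" and not in_zone(flow.dst, WEB_SERVERS)):
            hits.append(f"Unsecured {label} Web Server Activity")
    elif svc:
        hits.append(f"Unsecured {label} {svc} Traffic")

    # Traffic on High Ports Crossing Network Boundary: the high-port-to-high-port
    # model, with a zone exclusion for authorised voice/video services.
    if (dirn in ("inbound", "outbound")
            and flow.sport >= HIGH_PORT_CUTOFF and flow.dport >= HIGH_PORT_CUTOFF):
        our_end = flow.src if dirn == "outbound" else flow.dst
        if not in_zone(our_end, VOICE_VIDEO):
            hits.append("Traffic on High Ports Crossing Network Boundary")

    # Active Directory to External: anything other than DNS, HTTP, NTP or HTTPS.
    if (dirn == "outbound" and in_zone(flow.src, ACTIVE_DIRECTORY)
            and flow.dport not in AD_ALLOWED_EXTERNAL_PORTS):
        hits.append("Active Directory to External")
    return hits

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 51000, "10.0.1.20", 80),     # Internet -> web server zone: expected
    Flow("203.0.113.7", 51000, "10.0.5.20", 80),     # Internet -> workstation on port 80
    Flow("10.0.5.4", 40000, "10.0.5.9", 23),         # Telnet between two internal hosts
    Flow("10.0.5.4", 40000, "198.51.100.9", 6667),   # IRC to the Internet
    Flow("10.0.5.4", 40000, "198.51.100.9", 40001),  # high port to high port, crossing boundary
    Flow("10.0.9.4", 40000, "198.51.100.9", 40001),  # same pattern from the voice/video zone
    Flow("10.0.2.5", 50000, "198.51.100.9", 8443),   # AD server to the Internet, non-allowed port
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}  {evaluate(f) or 'compliant'}")
```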

Unusual Activity to or from High-Value Network Segments

It is not uncommon to store your most critical files and data on one or several high-value assets. ThreatSync+ NDR enables you to tag these assets, and provides controls to generate alerts for unusual or suspicious traffic to or from them.

Critical Asset to or from Facebook

This control generates alerts for any traffic destined for Facebook that comes from a critical asset in your network. Use of a critical asset to browse the Internet is a very risky activity and suggests that security controls are not in place. This could also be an indicator of command and control scripts beaconing to fake Facebook accounts to receive further instructions after an asset is compromised.

Internal Telnet Traffic to Critical Assets

This control generates alerts for Telnet traffic between critical assets and other devices within your network. Even if you plan to use Telnet in your network, you might want to generate alerts on unencrypted Telnet traffic destined for a critical asset. Telnet is less secure than SSH and with Telnet access, attackers have many ways to escalate an attack.

Unusual Connection Count from Critical Assets to External

This control generates alerts on a spike of connections between a critical asset in your network and the Internet. An unusual connection count between a critical asset and the Internet could indicate attack activity or data exfiltration. This is a sensitive control, but it enables you to monitor your high-value assets closely.

Unusually High Activity from Critical Assets to External

This control generates alerts on a spike in activity between a critical asset in your network and the Internet. An unusual activity rate could indicate attack activity or data exfiltration. This is a sensitive control, but it enables you to monitor your high-value assets closely.

Activity Between Development and Production

If you configure development and production zones in ThreatSync+ NDR, you can enable this control to alert you when development systems communicate with production. Because developers might temporarily expose development resources to security risks while testing, your development environment is likely more vulnerable than your production environment. Communication between these zones could indicate that an attacker has gained control of a development resource and is attempting to move laterally.

Connection to New Domain from Critical Asset

This control generates alerts for connections between critical assets in your network. An unusual activity rate could indicate attack activity or data exfiltration. This is a sensitive control, but it enables you to monitor your high-value assets closely.

Related Topics

ThreatSync+ NDR Executive Summary Report

ThreatSync+ NDR Defense Goal Reports

Schedule ThreatSync+ NDR Reports