Can Information Protection help us against Ransomware?

-

We have many useful tools against ransomware in Microsoft 365, but can Information Protection be one of them? My good friend Olav Tvedt took up this question the other day, and the inititial answer is no. But the again, it can also be yes, in a way. This is not something I have tested, but it is an interesting theory. Encryption will not stop ransomware from re-encrypting the data, but there is another thing it can do, that might have helped quite a few of the victims lately. 

One of the awesome things about Information Protection is the way it protects data with the use of AAD authentication. We allow or deny people the access rights to a piece of information by their AAD accounts. And this is where we get a useful tool against ransomware. Not the attack itself, but what has been done to victims lately, where they have been threatened with getting sensitive data released to the dark web after the attack. For some this can be devastating, and this is where Information Protection can help us. 

Disclaimer: This would only work if the data thieves would not be able to decrypt the data before they are caught. This is where our logging works in our favor. For the eager admins who pay attention through logs, MCAS and more, it would be very visible if someone did mass de-cryptions etc. 

How can it help?

As mentioned over, Information Protection encrypts data and allows people access, based on their AAD mail-enabled user account. When we are exposed to a ransomware attack, the attackers will have access to an account as well (or more) and one of the first things we do is make sure user accounts are secured, maybe by changing passwords, enforcing MFA and other tools. If we have protected our sensitive data, this also means that the attackers will no longer have access to the data when we remove access to the users. To make sure of this we use a couple of pretty cool features in Information Protection:


 Picture 1 - To make this work, we of course need to encrypt our info. 

The first of the two, is also the less restricted one in a way, but in another way if we look away from ransomeware it can be more restricted, in the way that we will loose access to the data after a while, and would need to re-share them if we want others to still have access to the data. Also, see how it says a number of days after the label has been applied, not after someone has opened it. Useful in many cases, but certainly not in all.

Picture 2 - Set access to a specific data, or a number of days after the label is applied.

Using this option would stop people from being able to access the data after a data or number of days, but may not be the perfect option for our use case. For data that is not very sensitive, it might still be enough. 

The second option is for our most sensitive data. It makes sure we need to verify our credentials with AAD everytime we open the data. In this case it would be completely useless for our data thieves if they got their hands on it. 

Picture 3 - Never allow offline access = Always authenticate. 

This might be a little disruptive for people who want to read the data offline for instance, but for our most sensitive data, it might still be worth it? 

I will repeat that I have not had the chance to test this myself, but the theory is that this would be a useful tool against data thieves and ransomware actors. If you have had experience with this, please let me know in the comments.


Comments

  1. Markus JohnsenMay 21, 2021 at 10:36 AM

    Interesting points, and definitely something to consider when taking measures to reduce data leakage and increasing protection against ransomware!

    ReplyDelete

Post a Comment

Popular posts from this blog

Do not Forward and the protection of attachments

-
Image
Maybe I am the only one who has misunderstood this, but if not, this may be useful for you. I've been wrong about this for a while, and since it is not a feature we have used, I didn't really look into it until today. I always thought that using Do not Forward in a label would make sure attachments where given the same DNF rights.  Unfortunately I was shown the error of my ways by one of my customers today, when I answered (with some confidence) that, yes: Attachments get the same protection. He then replied that he was able to do all kinds of things with the attachment, and I started to look into it more closely. Microsoft has many great articles about protecting information, and this article is no exception. I guess you just have to read it carefully. They say:  “When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it . For example, in the Outlook cli
Read more

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label

-
Image
Do not Forward and Encrypt Only can be found in Outlook by default for all who uses Office 365 E3 or equivalent/higher. And as many know, they can also be used in a Sensitivity label. But what are the consequenses of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.  As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this:    EO and DNF in Outlook.  I've covered these in earlier blogposts , but lets just quickly go through them again here: " Encrypt/Encrypt-Only " option makes sure the email is encrypted and recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (Basically means no restriction except that they cannot remove the protection). When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be au
Read more