Removing 24x7 administrator rights to break the attack chain

Summary

The article discusses how attackers typically spread ransomware by first compromising an employee workstation, extracting administrator credentials, and then using those credentials for lateral movement. It highlights that the widespread presence of 24x7 administrator rights on employee workstations significantly facilitates this attack chain.

IFF Assessment

FRIEND

This is good news for defenders as it provides a clear, actionable strategy to disrupt common attack chains by reducing the impact of initial compromises.

Defender Context

Defenders should prioritize reviewing and reducing standing administrator privileges on endpoints, replacing permanent local admin membership with just-in-time (JIT) elevation or Just Enough Administration (JEA) models. This approach directly counters the primary method ransomware operators use to move laterally and escalate privileges within an environment: harvesting credentials that already hold administrator rights on the compromised workstation.
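The review step described above starts with knowing who actually holds standing local administrator rights. The following PowerShell audit is an added example, not code from the article or from any product it discusses: it enumerates the local Administrators group on the machine it runs on, compares each member against an allowlist, and flags anything unexpected. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the built-in Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember, Remove-LocalGroupMember); the allowlist entries, including the CONTOSO domain group, are constructed placeholders to be replaced with the organisation's own approved principals.

```powershell
# Added example (not from the article): audit standing membership of the local
# Administrators group against an allowlist and report accounts with 24x7 admin rights.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows with the
# Microsoft.PowerShell.LocalAccounts module available.

# Constructed placeholder allowlist: principals permitted to hold standing local admin.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin account (normally disabled)
    'CONTOSO\Domain Admins'              # constructed placeholder domain group
)

function Get-StandingLocalAdmins {
    param([Parameter(Mandatory)][string[]]$AllowList)

    # Get-LocalGroupMember returns Name, ObjectClass (User/Group) and
    # PrincipalSource (Local, ActiveDirectory, AzureAD, MicrosoftAccount).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            Unexpected      = -not ($AllowList -contains $m.Name)
        }
    }
}

$report = Get-StandingLocalAdmins -AllowList $Allowed
$report | Format-Table -AutoSize

# Anything not on the allowlist is a standing admin account an attacker could
# harvest credentials for on this host; surface it for review.
$unexpected = @($report | Where-Object Unexpected)
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected standing admin principal(s) on {1}: {2}" -f
        $unexpected.Count, $env:COMPUTERNAME, ($unexpected.Member -join ', '))

    # Remediation is a separate, reviewed step. -WhatIf shows what would be removed
    # without changing anything; drop it only once the list has been confirmed.
    foreach ($u in $unexpected) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $u.Member -WhatIf
    }
}
```

Run once per endpoint (for example via Invoke-Command against a list of hosts, or as a scheduled collection feeding the SIEM) to get a fleet-wide picture of standing admin rights; the same report, taken before and after moving to JIT/JEA elevation, shows whether the attack surface the article describes is actually shrinking. Remove-LocalGroupMember is left in -WhatIf mode deliberately so the script audits rather than changes membership until the allowlist has been agreed.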
