by IncludeSecurity 1845 days ago
CEO of a pentesting company here; I've participated in or supervised close to 2k tests of applications and networks.

Sadly I have to report that what you state is possible, but not plausible in today's modern heterogeneous enterprise.

If I had a static environment with no new software or business processes, then NO PROBLEM. I can lock it down in every kinda way and it stays locked down to a known baseline.

Add to that new biz processes and now I have interconnection internally and externally, which makes detection and prevention difficult. Things are much more difficult now.

Add to that new software, an ever-changing dev env, OS updates, firmware updates, software version updates, dev env dependency updates, and now you're talking near impossible to keep up.

And that's the state we're in today. There are some generic, mostly effective controls that, if implemented correctly, can stop most advanced attackers (the so-called "20 security controls"): https://www.yumpu.com/en/document/read/6582321/20-critical-s...

But even in spite of that, any major nation state has an arsenal of "capabilities" that allow them to dominate most cyber warfare areas of operations in the civilian sector. US can do it, UK, Israel, China, Russia, probably even India and others!

Against nation states, there is no stopping nation states in the civ sector, despite what every F500 company's CSO wants you to believe... sad but true.


Those are all reasons why a network/company cannot be 100% invulnerable to hacks, but it doesn't answer the question of whether a company can be significantly more resistant to ransomware. My answer to that question is "absolutely".

These ransomware attacks are so devastating in no small part due to decisions Microsoft made many years ago: combining authentication, remote administration, file sharing, printing, event monitoring, security policy updates, and the kitchen sink into Windows Networking. An attacker compromises a single Windows machine and has leeway to attack critical servers across the network. If real segmentation of services were reasonably possible in a Windows environment, a single credential couldn't be used to hop between systems and encrypt file services everywhere. Not to say some segmentation isn't possible in these environments, but the skills and hours needed to accomplish it are far beyond what most companies have available.

And that doesn't even begin to cover the Exchange/Outlook dominance and the poor security choices that lead to the higher rate of success for phishing attacks.

>These ransomware attacks are so devastating in no small part due to decisions Microsoft made many years ago.

This is true for almost all types of malware these days, especially when it comes to privilege separation/escalation attacks. All of your observations about segmentation/AD are true here.

As for ransomware specifically, a lot can be done to stop most ransomware, especially small-time stuff. Unlike most malware, ransomware is intentionally loud, and performs the same generic actions of enumerating and encrypting files, which makes detecting and stopping most samples with heuristics much more effective than a lot of people would admit: https://www.youtube.com/watch?v=3pH13DxClag

A lot has happened with ransomware in the past five years, but a lot really hasn't - this stuff still works, and would have an effect against the big RaaS strains that people are talking about today.
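The heuristic point made in the reply above (ransomware is loud: it walks directories, writes high-entropy data in bursts and renames files in bulk) as an added example. This is not code from the thread or from the linked talk; it assumes a constructed file-activity event format `(time_s, pid, op, path, payload)` such as an EDR or sysmon-like sensor might emit, and the sample events, thresholds and process IDs are constructed for illustration rather than tuned against real telemetry.

```python
"""Heuristic detector for ransomware-like file activity (added example)."""
import hashlib
import math
import os.path
from collections import defaultdict

# Constructed event format: (time_s, pid, op, path, payload)
#   op      : "read" | "write" | "rename"
#   payload : bytes written for "write", new path for "rename", None for "read"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext/compressed data, well under 5 for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(events, window_s=10.0, entropy_min=7.0, dirs_min=3,
            writes_min=4, renames_min=4):
    """Return {pid: verdict}; a verdict lists which heuristics fired in the
    busiest sliding window and is 'suspicious' only when two or more agree,
    since backup and compression tools alone also produce high-entropy writes."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_pid[ev[1]].append(ev)
    verdicts = {}
    for pid, evs in by_pid.items():
        best = None
        for i, start in enumerate(evs):            # sliding window over this pid
            window = [e for e in evs[i:] if e[0] - start[0] <= window_s]
            reads = sum(1 for e in window if e[2] == "read")
            hi_writes = sum(1 for e in window
                            if e[2] == "write" and shannon_entropy(e[4]) >= entropy_min)
            renames = [e for e in window if e[2] == "rename"]
            new_exts = {os.path.splitext(e[4])[1] for e in renames}
            dirs = {os.path.dirname(e[3]) for e in window}
            fired = []
            if reads >= writes_min and len(dirs) >= dirs_min:
                fired.append("enumeration across directories")
            if hi_writes >= writes_min:
                fired.append("burst of high-entropy writes")
            if len(renames) >= renames_min and len(new_exts) == 1:
                fired.append("mass rename to one new extension")
            if best is None or len(fired) > len(best["fired"]):
                best = {"fired": fired, "dirs": len(dirs),
                        "high_entropy_writes": hi_writes, "renames": len(renames)}
        best["suspicious"] = len(best["fired"]) >= 2
        verdicts[pid] = best
    return verdicts


def _pseudo_ciphertext(seed: int, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes: a constructed stand-in for encrypted output."""
    out, ctr = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{ctr}".encode()).digest()
        ctr += 1
    return out[:size]


def sample_events():
    """Constructed sample: one benign editor process and one ransomware-like process."""
    events = []
    # pid 100: an editor saving the same plain-text document a few times (benign)
    for t in range(6):
        events.append((t * 2.0, 100, "write", "/home/alice/docs/notes.txt",
                       b"meeting notes " * 60))
    # pid 200: read, overwrite with high-entropy data, rename, across three directories
    paths = [f"/home/alice/{d}/file{i}.docx"
             for d in ("docs", "photos", "finance") for i in range(3)]
    t = 0.0
    for i, p in enumerate(paths):
        events.append((t, 200, "read", p, None)); t += 0.1
        events.append((t, 200, "write", p, _pseudo_ciphertext(i))); t += 0.1
        events.append((t, 200, "rename", p, p + ".locked")); t += 0.1
    return events


if __name__ == "__main__":
    for pid, v in analyse(sample_events()).items():
        print(pid, "SUSPICIOUS" if v["suspicious"] else "ok", v["fired"])
```

Requiring two independent heuristics before alerting is the design choice that keeps this usable: an archiver or a full-disk backup writes plenty of high-entropy data, but it does not also rename every file it touches to one new extension, and a user opening files in three folders does not produce a burst of encrypted writes.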