Newsletter Series: The Cybersecurity Kill Chain
Month 7: Phase 7 – Actions on Objectives

This month’s letter will be a little different, and a little longer. With the number of incidents this past summer rising sharply, affecting multinationals and local businesses alike, I wanted to give more of a visual of what it looks like when attackers put their plans into action. I also wanted to give a brief overview of what we do in response to these events, what everyone can do to blunt the impact of a breach, and what we can all do to keep networks secure.

1. At-a-Glance (non-technical)

Attackers “finish” by moving money, stealing data or breaking operations. You blunt the impact by:

  • Blocking payout paths (no external auto-forwarding; tight finance approvals).
  • Restricting admin power (PIM/just-in-time roles; MFA; legacy auth blocked).
  • Protecting backups (immutability + tested restores).
  • Stopping ransomware behaviors (ASR rules, app allow-listing, tamper protection).

  If suspicious activity appears, follow the First 24 Hours playbook below.

2. What Phase 7 looks like in your environment

Financial fraud & BEC

  • Sudden inbox rules, auto-forwarding, or vendor bank-detail change requests.
  • Look-alike domains and urgent payment instructions.

Data theft & extortion

  • Bulk mailbox export/eDiscovery jobs, SharePoint/OneDrive mass downloads.
  • OAuth apps with broad scopes or odd cloud storage sync.

Disruption / ransomware

  • Shadow copy deletion, volume-wide encryption, and tools like rclone, 7z, bitsadmin, cipher.
  • Policy tampering: Conditional Access edits, role changes, MFA method changes on VIPs.
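
The indicators above are easiest to spot in the Microsoft 365 Unified Audit Log. The script below is an added example, not part of this newsletter or of any vendor tool: it scans audit records for external forwarding (inbox rules and mailbox-level forwarding) and for mass downloads. Field names mirror the AuditData JSON returned by Search-UnifiedAuditLog; every record in it is constructed for the demo, and the internal domain list is an assumption you replace with your own accepted domains.

```powershell
# Added example, not from the newsletter: scan Microsoft 365 Unified Audit Log
# records for the Phase 7 indicators listed above. Field names mirror the
# AuditData JSON that Search-UnifiedAuditLog returns; every record below is
# constructed for the demo and describes no real tenant.

$InternalDomains = @('contoso.example')   # assumption: replace with your accepted domains

# Constructed Exchange records: a hide-and-forward rule, mailbox-level forwarding, and a benign rule.
$sampleJson = @'
[
 {"CreationTime":"2025-08-14T09:02:11","Workload":"Exchange","Operation":"New-InboxRule","UserId":"cfo@contoso.example",
  "Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"archive@mail-c0ntoso.example"},{"Name":"DeleteMessage","Value":"True"}]},
 {"CreationTime":"2025-08-14T09:05:40","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"cfo@contoso.example",
  "Parameters":[{"Name":"Identity","Value":"cfo"},{"Name":"ForwardingSmtpAddress","Value":"smtp:cfo.backup@webmail.example"}]},
 {"CreationTime":"2025-08-14T10:15:02","Workload":"Exchange","Operation":"New-InboxRule","UserId":"hr@contoso.example",
  "Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}
]
'@
$records = [System.Collections.Generic.List[object]]::new()
foreach ($r in (ConvertFrom-Json $sampleJson)) { $records.Add($r) }

# Constructed SharePoint burst: 80 downloads in four minutes from one account.
foreach ($i in 0..79) {
    $records.Add([pscustomobject]@{
        CreationTime = (Get-Date '2025-08-14T11:00:00').AddSeconds($i * 3).ToString('s')
        Workload     = 'SharePoint'
        Operation    = 'FileDownloaded'
        UserId       = 'analyst@contoso.example'
        ObjectId     = "https://contoso.example/sites/Finance/q3-$i.xlsx"
    })
}

function Test-ExternalAddress {
    param([string]$Address)
    $domain = ($Address -replace '^smtp:', '').Split('@')[-1].ToLowerInvariant()
    return ($InternalDomains -notcontains $domain)
}

function Find-ForwardingChanges {
    # Inbox rules and mailbox settings that send copies outside the tenant (BEC / data theft).
    param([object[]]$Records)
    $forwardParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress', 'ForwardingAddress'
    foreach ($r in ($Records | Where-Object { $_.Operation -in 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' })) {
        $p = @{}
        foreach ($kv in $r.Parameters) { $p[$kv.Name] = $kv.Value }
        $targets = @($forwardParams | Where-Object { $p.ContainsKey($_) } | ForEach-Object { $p[$_] })
        if ($targets.Count -eq 0) { continue }
        $external = @($targets | Where-Object { Test-ExternalAddress $_ })
        $hides = $p['DeleteMessage'] -eq 'True'
        [pscustomobject]@{
            Time      = $r.CreationTime
            User      = $r.UserId
            Severity  = $(if ($external.Count) { 'High' } else { 'Low' })
            Indicator = $(if ($external.Count) { 'External forwarding' } else { 'Internal forwarding' })
            Detail    = "$($r.Operation) -> $($targets -join ', ')" + $(if ($hides) { ' (also deletes the original: classic BEC hide rule)' })
        }
    }
}

function Find-MassDownloads {
    # Many FileDownloaded events from one account inside a short window (bulk export before extortion).
    param([object[]]$Records, [int]$Threshold = 50, [int]$WindowMinutes = 10)
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
    $buckets = $Records | Where-Object { $_.Operation -eq 'FileDownloaded' } |
        Group-Object { '{0}|{1}' -f $_.UserId, [math]::Floor(([datetime]$_.CreationTime).Ticks / $windowTicks) }
    foreach ($b in ($buckets | Where-Object { $_.Count -ge $Threshold })) {
        $ordered = $b.Group | Sort-Object CreationTime
        [pscustomobject]@{
            Time      = $ordered[0].CreationTime
            User      = $ordered[0].UserId
            Severity  = 'High'
            Indicator = 'Mass download'
            Detail    = "$($b.Count) files between $($ordered[0].CreationTime) and $($ordered[-1].CreationTime)"
        }
    }
}

$findings = @(Find-ForwardingChanges -Records $records) + @(Find-MassDownloads -Records $records)
$findings | Sort-Object Time | Format-Table Time, User, Severity, Indicator, Detail -AutoSize -Wrap
```

Against the constructed data this reports two High forwarding findings for the CFO mailbox (the one-character rule that forwards and deletes, and the mailbox-level forward to a webmail address), skips the HR rule that only moves mail, and flags the analyst's 80-file burst. To run it on real data, replace the sample with `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations New-InboxRule,Set-InboxRule,Set-Mailbox,FileDownloaded -ResultSize 5000` and pipe each record's AuditData through ConvertFrom-Json; tune the download threshold to what your own users normally do.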

3. Controls – prioritized checklist

Tier 0 - Critical (do first)

  • Disable external auto-forwarding org-wide; alert on new forwarding rules.
  • MFA everywhere; block legacy auth; require compliant/registered devices for admin actions.
  • PIM for admins (time-bound roles, approval, no standing Global Admin).
  • Immutable backups (object lock / write-once) for servers, M365, and key SaaS.
  • AV Tamper Protection on; set ransomware-focused ASR rules to Block.

Tier 1 - High

  • Admin consent workflow for OAuth apps; revoke unused/over-scoped grants.
  • Controlled Folder Access and App Control/allow-listing for servers and finance endpoints.
  • DKIM/DMARC/SPF enforced; external sender tagging and impersonation protection active.
  • Break-glass accounts: long secrets, out-of-band storage, quarterly test.

Tier 2 - Medium

  • DLP policies (email + cloud storage) and auto-labeling where licensed.
  • Session controls for risky/unsanctioned apps.
  • Quarterly tabletop for invoice fraud + mailbox rule scenario.
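
The endpoint items in Tier 0 (ransomware-focused ASR rules in Block) and Tier 1 (Controlled Folder Access) can be staged from PowerShell on a Defender Antivirus endpoint. The script below is an added example, not from this newsletter or from Microsoft: it puts the rules into Audit first, reports their state, shows how to read the audit events before switching to Block, and checks that Tamper Protection is on. The rule GUIDs are Microsoft's published ASR identifiers (check them against the current ASR rules reference before deploying); the folder paths are assumptions. Devices managed by Intune or Group Policy should get the same rules from that policy, because MDM settings override local Set-MpPreference changes.

```powershell
# Added example, not from the newsletter: stage the ransomware-focused ASR rules
# and Controlled Folder Access on a Defender Antivirus endpoint, Audit first and
# Block once the audit events are clean. Run elevated on the device. Rule GUIDs
# are Microsoft's published ASR identifiers (verify against the current ASR
# rules reference before deploying); the folder paths are assumptions.

$AsrRules = [ordered]@{
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '56A863A9-875E-4185-98A7-B882C64B5CE5' = 'Block abuse of exploited vulnerable signed drivers'
}
$FinanceFolders = @('D:\Finance', 'C:\Shares\Payroll')   # assumption: your finance/payroll shares

function Set-AsrRuleState {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Action)
    # Add-MpPreference merges with rules already configured instead of replacing the list.
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    # Map Defender's numeric action codes back to names for a readable report.
    $codes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref  = Get-MpPreference
    $ids   = @(foreach ($x in $pref.AttackSurfaceReductionRules_Ids) { $x.ToUpperInvariant() })
    foreach ($id in $AsrRules.Keys) {
        $idx = [array]::IndexOf($ids, $id)
        [pscustomobject]@{
            Rule  = $AsrRules[$id]
            State = $(if ($idx -ge 0) { $codes[[int]$pref.AttackSurfaceReductionRules_Actions[$idx]] } else { 'Not configured' })
        }
    }
}

function Get-AsrEvents {
    # 1121 = blocked, 1122 = audited. Review the 1122 events before moving a rule to Block,
    # and turn legitimate hits into exclusions (Detections -> Blocks -> Allow-list).
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } }, Message
}

function Enable-FinanceFolderProtection {
    # Controlled Folder Access: only trusted apps may write to the protected folders.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    Set-MpPreference -EnableControlledFolderAccess $Mode
    foreach ($f in $FinanceFolders) {
        if (Test-Path $f) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f }
    }
}

# Staged rollout: audit, review the events, then block.
Set-AsrRuleState -Action AuditMode
Enable-FinanceFolderProtection -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents -Days 7 | Format-Table -AutoSize -Wrap
# After a clean audit window:
#   Set-AsrRuleState -Action Enabled; Enable-FinanceFolderProtection -Mode Enabled
if (-not (Get-MpComputerStatus).IsTamperProtected) {
    Write-Warning 'Tamper Protection is off; enable it from the Defender portal or Intune before trusting these settings.'
}
```

Run the audit stage on a pilot group of finance and server endpoints first; a week of 1122 events tells you which line-of-business tools need an allow-list entry before the same rules go to Block fleet-wide.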

4. 30- to 60-minute quick wins (this month)

  • Sweep forwarding: report, remove, and alert on external forwarding & suspicious rules.
  • Admin surface snapshot: list all admin roles → migrate to PIM; remove standing rights.
  • OAuth audit: export app consents; remove unused; require admin approval.
  • Immutability verification: confirm object lock and retention on primary backup repositories.
  • ASR in Block: enable core ransomware TTP rules; track Detections→Blocks→Allow-list.
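
The forwarding sweep (and the Tier 0 org-wide switch) is a single Exchange Online script. The one below is an added example, not from this newsletter or from Microsoft: it reports every mailbox whose forwarding setting or inbox rule points outside your accepted domains, writes the findings to CSV, and only removes them when you pass -Remove (which honours -WhatIf). It needs the ExchangeOnlineManagement module and an Exchange admin; the CSV path is an assumption, and the recipient parsing assumes the "Display Name" [SMTP:user@domain] form that Get-InboxRule renders.

```powershell
# Added example, not from the newsletter: report (and optionally remove) external
# auto-forwarding in Exchange Online, plus the org-wide switch from Tier 0.
# Report-only unless -Remove is given; -Remove honours -WhatIf and -Confirm.
function Invoke-ForwardingSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remove,
        [switch]$DisableOrgWide,
        [string]$ReportPath = ".\forwarding-sweep-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"   # assumption
    )
    Connect-ExchangeOnline -ShowBanner:$false
    $internal = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() })

    function Resolve-Smtp([string]$Recipient) {
        # Inbox-rule recipients render as "Name" [SMTP:user@domain]; plain addresses pass through.
        if ($Recipient -match 'SMTP:([^\]]+)') { return $Matches[1].ToLowerInvariant() }
        return ($Recipient -replace '^smtp:', '').ToLowerInvariant()
    }
    function Test-External([string]$Address) { $internal -notcontains $Address.Split('@')[-1] }

    if ($DisableOrgWide -and $PSCmdlet.ShouldProcess('tenant', 'Turn off automatic forwarding to external recipients')) {
        # The outbound spam policy is the authoritative switch; the remote-domain flag backs it up.
        Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
        Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
    }

    $findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox) {
        $upn = $mbx.UserPrincipalName
        # Mailbox-level forwarding (set by an admin, or by an attacker holding admin rights).
        if ($mbx.ForwardingSmtpAddress) {
            $addr = Resolve-Smtp $mbx.ForwardingSmtpAddress.ToString()
            if (Test-External $addr) { [pscustomobject]@{ Mailbox = $upn; Kind = 'ForwardingSmtpAddress'; Target = $addr; RuleId = $null } }
        }
        if ($mbx.ForwardingAddress) {
            # ForwardingAddress points at a directory object; a mail contact can still lead outside.
            $addr = (Get-Recipient $mbx.ForwardingAddress.ToString()).PrimarySmtpAddress.ToString().ToLowerInvariant()
            if (Test-External $addr) { [pscustomobject]@{ Mailbox = $upn; Kind = 'ForwardingAddress'; Target = $addr; RuleId = $null } }
        }
        # Inbox rules created by the user, or by whoever holds the user's session.
        foreach ($rule in Get-InboxRule -Mailbox $upn) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ } | ForEach-Object { Resolve-Smtp $_.ToString() }
            $ext = @($targets | Where-Object { Test-External $_ })
            if ($ext.Count) {
                [pscustomobject]@{ Mailbox = $upn; Kind = "InboxRule '$($rule.Name)'"; Target = ($ext -join ';'); RuleId = $rule.Identity }
            }
        }
    }

    foreach ($f in $findings) {
        if ($Remove -and $PSCmdlet.ShouldProcess($f.Mailbox, "Remove $($f.Kind) -> $($f.Target)")) {
            if ($f.RuleId) { Remove-InboxRule -Mailbox $f.Mailbox -Identity $f.RuleId -Confirm:$false }
            else { Set-Mailbox -Identity $f.Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false }
        }
    }
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    return $findings
}

# Report first, rehearse the removal, then run it for real.
Invoke-ForwardingSweep | Format-Table -AutoSize
# Invoke-ForwardingSweep -Remove -DisableOrgWide -WhatIf
# Invoke-ForwardingSweep -Remove -DisableOrgWide
```

Get-InboxRule is called once per mailbox, so the sweep takes a few minutes on larger tenants; run it off-hours the first time. For the "alert on new rules" half of the quick win, confirm the built-in "Creation of forwarding/redirect rule" alert policy in the Defender portal is enabled and routed to a monitored mailbox, so the sweep becomes a periodic check rather than your only detection.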

5. First 24 Hours (mini playbook)

  1. Triage scope - What identities, systems, and data were touched? Preserve logs/screens.
  2. Cut command paths - Block C2 domains/IPs; kill sessions; revoke refresh tokens.
  3. Contain identities - Force sign-out, reset passwords/keys, require MFA re-registration.
  4. Stabilize backups - Verify immutability; restrict backup console access; export configs.
  5. Finance comms - Out-of-band briefing; hold payments pending verification.
  6. Evidence & notice - Start time-stamped incident notes; engage legal/insurance as required.
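
Steps 1 and 3 of the playbook are the ones that benefit most from being scripted ahead of time, since they run under pressure. The script below is an added example, not from this newsletter or from Microsoft: for each compromised account it saves the recent sign-in records to disk before anything changes, revokes sessions and refresh tokens, disables the account (or resets the password when the person must keep working), clears the registered MFA methods so the user has to re-register, and appends a time-stamped line to the incident notes. Cmdlets are those of the Microsoft.Graph PowerShell SDK; the UPNs, incident id, evidence folder and chosen scopes are assumptions.

```powershell
# Added example, not from the newsletter: playbook steps 1 (preserve) and 3
# (contain identities) with Microsoft Graph PowerShell. Rehearse with -WhatIf.
function Invoke-IdentityContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [string]$IncidentId = 'INC-PLACEHOLDER',              # placeholder: your ticket/incident id
        [string]$EvidenceRoot = ".\evidence\$IncidentId",      # assumption: local evidence folder
        [switch]$ResetPasswordInsteadOfDisable
    )
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All', 'UserAuthenticationMethod.ReadWrite.All', 'AuditLog.Read.All' -NoWelcome
    New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null
    $notes = Join-Path $EvidenceRoot 'incident-notes.log'
    function Write-Note([string]$Text) { "$((Get-Date).ToUniversalTime().ToString('u')) $Text" | Add-Content -Path $notes }

    foreach ($upn in $UserPrincipalName) {
        # 1. Preserve: recent sign-ins before anything changes (who, from where, which app).
        $signIns = @(Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 200)
        $signIns | ConvertTo-Json -Depth 6 | Set-Content -Path (Join-Path $EvidenceRoot "$($upn -replace '[@.]', '_')-signins.json")
        Write-Note "Preserved $($signIns.Count) sign-in records for $upn"

        if (-not $PSCmdlet.ShouldProcess($upn, 'Contain identity')) { continue }

        # 3a. Revoke: invalidates refresh tokens and browser sessions. Access tokens already
        #     issued live until they expire (about an hour by default), so do this first.
        Revoke-MgUserSignInSession -UserId $upn | Out-Null
        Write-Note "Revoked sign-in sessions for $upn"

        # 3b. Lock the credential: disable by default, or rotate the password when the user must keep working.
        if ($ResetPasswordInsteadOfDisable) {
            $newPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
            Update-MgUser -UserId $upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
            Write-Note "Password reset for $upn (temporary password handed over out of band)"
        } else {
            Update-MgUser -UserId $upn -AccountEnabled:$false
            Write-Note "Account disabled: $upn"
        }

        # 3c. Require MFA re-registration: remove methods the attacker may have added; the password method stays.
        foreach ($m in Get-MgUserAuthenticationMethod -UserId $upn) {
            switch ($m.AdditionalProperties['@odata.type']) {
                '#microsoft.graph.phoneAuthenticationMethod'                  { Remove-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneAuthenticationMethodId $m.Id }
                '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' { Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
                '#microsoft.graph.softwareOathAuthenticationMethod'           { Remove-MgUserAuthenticationSoftwareOathMethod -UserId $upn -SoftwareOathAuthenticationMethodId $m.Id }
                '#microsoft.graph.emailAuthenticationMethod'                  { Remove-MgUserAuthenticationEmailMethod -UserId $upn -EmailAuthenticationMethodId $m.Id }
            }
        }
        Write-Note "Cleared registered MFA methods for $upn; user must re-register"
    }
    Disconnect-MgGraph | Out-Null
    Get-Content $notes
}

# Constructed sample: rehearse on one account with -WhatIf, then run without it.
Invoke-IdentityContainment -UserPrincipalName 'cfo@contoso.example' -IncidentId 'INC-PLACEHOLDER' -WhatIf
```

Keep the break-glass account out of the list you feed this, and run it from an admin session that is itself protected by PIM and a registered device; the notes file it produces is the start of the time-stamped record step 6 asks for.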

6. Staff corner (paste into all-hands or payroll email)

“If you get a payment/bank-change request or a rush invoice, stop and call the known contact using a number you already have. Don’t reply to the email or use numbers in the message. If your mailbox starts acting oddly (missing mail, new ‘rules’), tell IT immediately.”

7. FAQ (executive-friendly)

Q: We already have backups; why ‘immutable’?
A: Attackers target backups first. Immutability prevents edits/deletes for a set time, so you can restore.

Q: Can’t we just block strange apps?
A: Yes; require admin approval for OAuth. Review consents monthly; remove anything unused or over-scoped.

Q: What single change reduces wire-fraud risk the most?
A: No external auto-forwarding + finance call-back verification for any payment/bank change.

8. Recommended next steps (this cycle)

  1. Enforce no external auto-forwarding; enable auto-alerts on new rules.
  2. Verify immutability and run a 30-minute restore drill.
  3. Turn on ASR ransomware rules in Block; review exceptions weekly until steady.
  4. Run a 20-minute invoice-fraud tabletop with finance & leadership.

NetCenter Technologies
Empowering Businesses Through Cybersecurity