We could bang on forever about the advantages of our protection: its speed, cutting-edge tech stack, and incredible threat neutralization. But it’s better to just let independent tests speak for themselves. Throughout 2023, Kaspersky participated in (precisely!) 100 independent tests and reviews, with its products being awarded 93 firsts and 94 top-3 finishes — achieving its highest annual result ever. Our protection is unmatched according to independent researchers, and no other security vendor comes even close to such an abundance of awards. (Our protection for home users received the highest award — Product of the Year 2023 — from the independent European testing laboratory AV-Comparatives, as well as first place in the “home” protection segment in independent testing by SE Labs in the fourth quarter of 2023.)

To maximize your protection against cyberthreats, we offer this simple step-by-step guide to transitioning to Kaspersky security solutions.

All three versions of our protection — Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium— use the same stack of security technologies, meaning users of any of these solutions can be confident they’re using the “Product of the Year 2023”.

How to switch to Kaspersky

It’s very simple: just choose one of the three subscription options on our website based on your needs after easily comparing the features of each version. For maximum protection, we recommend subscribing to Kaspersky Premium. In addition to the standard computer protection and optimization tools, it includes:

secure encrypted storage of personal documents
smart home monitoring
online payment protection
data leak checker
identity protection
unlimited super-fast VPN
premium version of our password manager
one-year free use of Kaspersky Safe Kids
other additional features

In addition, Kaspersky Premium ensures maximum protection of your digital identity. We check for leaks (including on the dark web) of your accounts, linked not only to email addresses as in other subscription versions but also to phone numbers — for example, used with online banks and social networks — and we advise on what to do if such a leak occurs. You can add the email addresses and phone numbers of everyone in your family to be checked.

When choosing a subscription, you can also specify the number of devices to protect and whether it’s for one or several years: the latter, of course, comes at a discount.

Upon purchase, we’ll automatically create a My Kaspersky account for you to activate and manage the subscription on different devices running Windows, macOS, Android, or iOS, and send instructions to the email you provided when purchasing.

Preparing for installation

Follow the link in the email to the My Kaspersky website, complete account creation, and log in. In the subscription information window, click “Download” to download the application to your device. For mobile devices, you can also download our applications from one of the app stores — App Store, Google Play, Huawei AppGallery, and others.

Before installing the Kaspersky application, make sure that your device meets the software and hardware requirements (for Windows, macOS, Android, iOS), and remove any other vendors’ incompatible security solutions (Windows and macOS). Many people think that having multiple protection tools on one computer strengthens security, but this is not the case — on the contrary, different programs start conflicting with each other and competing for computer resources, leading to slowdowns and freezes. So, “there can only be one” — and our protection, according to tests, is 100% percent effective against malware.

It’s best to clean up your computer using special utilities, which can be found on the website of the manufacturer of the security solution you’re removing. If you remove it with the built-in tools of the operating system, some traces may remain, leading to conflicts. The easiest way to find the necessary utility is to search the internet for “name_of_removed_program uninstall tool” (for example, here are the uninstallers for Avast, Bitdefender, ESET, McAfee, and Norton).

Installing the application

You’re almost there. Installing the application is straightforward: on a computer, the process takes place in the form of a chat, familiar to anyone who uses messengers. By the way, this allows you to spend the installation time productively — exploring the most interesting Kaspersky features and installing the application on your smartphone using the QR code that will appear on your computer screen. For those who like to study the installation details in advance, here are the links to Kaspersky installation instructions for Windows, macOS, Android, and iOS.

If you downloaded the application for your computer from your My Kaspersky account or for your smartphone using the QR code, after installation it will be automatically activated by the subscription. In very rare cases, you may need to activate the application yourself by logging in to your My Kaspersky account, or by following these simple instructions for Windows, macOS, Android, or iOS.

Dealing with passwords

Among other benefits, owners of Kaspersky Plus and Kaspersky Premium also receive a premium subscription to our password manager. In its personal encrypted storage, you can keep all your passwords, important documents, and tokens for two-factor authentication, synchronizing them across all your devices. Rest assured that no one — not even Kaspersky employees — will have access to them: the AES-encrypted vault is protected by a master password known only to you.

You can install Kaspersky Password Manager on your computer during the installation of Kaspersky Plus or Kaspersky Premium, or separately by downloading it from My Kaspersky or app stores. You won’t have to remember and manually enter all your passwords into Kaspersky Password Manager — we’ve developed a mechanism to transfer passwords from browsers and other password managers. Brief instructions for importing data for the most popular OS — Windows — are provided below, and detailed ones for all operating systems are available on the support website (for Windows, macOS, Android, and iOS).

Importing passwords from browsers

Open the main window of Kaspersky Password Manager and click the gear icon at the bottom of the window.
Go to Settings, then to Import and export.
In the Import from browser block, select the browser you want to import data from, and click Import.

Importing passwords from other password managers

First, you’ll need to export data from another password manager to a CSV file. Instructions for this can be found on the manufacturer’s website (for example, here are the instructions for Avast Passwords, KeePass, LastPass, and 1Password).
Open the main window of Kaspersky Password Manager and click the gear icon at the bottom of the window.
Go to Settings, then to Import and export.
Click Import in the Import from password managers block, and specify the CSV file you want to import data from.

In addition to passwords, you can also transfer all your two-factor authentication tokens from Google Authenticator (Android, iOS) to Kaspersky Password Manager. To do this, simply export all your tokens from Google Authenticator into one big QR code and scan it with Kaspersky Password Manager on your mobile device.

The tokens are synchronized across all your devices, so you won’t have to look for your smartphone every time you need to enter a 2FA code on your computer — you can generate it right in the desktop version of Kaspersky Password Manager. And even if something happens to your smartphone, you won’t lose access to sites protected by two-factor authentication — you can always generate the code on your computer or restore the tokens from the cloud.

Checklist for switching to Kaspersky

Choose one of the three solutions for home use: Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium.
Count how many devices you need to protect, and purchase the corresponding subscription from the Kaspersky website, a partner, or an app store.
Remove old security solutions using tools from the respective manufacturer.
Install the Kaspersky application and Kaspersky Password Manager, as well as any other applications you want from the subscription.
Make sure the applications are activated automatically, or activate them manually (Windows, macOS, Android, iOS).
Import passwords from other programs.
Explore your My Kaspersky account to find plenty of useful and interesting features there.
Enjoy your life with peace of mind.

Kaspersky official blog – ​Read More

Unknown actors implanted malicious code into the versions 5.6.0 and 5.6.1 of the open source compression tools set XZ Utils. To make matters worse, Trojanized utilities managed to find their way into several popular builds of Linux released this March, so this incident could be regarded as a supply chain attack. This vulnerability has been assigned the number CVE-2024-3094.

What makes this malicious implant so dangerous?

Initially, various researchers claimed that this backdoor allowed attackers to bypass the sshd (the OpenSSH server process) authentication, and remotely gain unauthorized access to the operating system. However, judging by the latest information, this vulnerability should not be classified as an “authentication bypass”, but as a “remote code execution” (RCE). The backdoor intercepts the RSA_public_decrypt function, verifies the host’s signature using the fixed key Ed448 and, if verified successfully, executes malicious code passed by the host via the system() function, leaving no traces in the sshd logs.

Which Linux distributions contain malicious utilities and which are safe?

It is known that XZ Utils versions 5.6.0 and 5.6.1 were included in the March builds of the following Linux distributions:

Kali Linux, but according to the official blog, only those that were available between March 26 and March 29 (the blog also contains instructions for checking for vulnerable versions of utilities);
openSUSE Tumbleweed and openSUSE MicroOS, available from March 7 to March 28;
Fedora 41, Fedora Rawhide and Fedora Linux 40 beta;
Debian (testing, unstable and experimental distributions only);
Arch Linux – container images available from February 29 to March 29. However, the website archlinux.org states that due to the implementation peculiarities this attack vector will not work in Arch Linux, but they still strongly recommend updating the system.

According to official information, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise, openSUSE Leap, Debian Stable are not vulnerable. As for other distributions it is advised to check them for the presence of Trojanized versions of XZ Utils manually.

How did the malicious code was implanted into the XZ Utils?

Apparently, it was the usual case of control transfer. The person who initially maintained the XZ Libs project on GitHub passed control of the repository to the account, which has been contributing to a number of repositories related to data compression for several years. And at some point, new maintainer implanted a backdoor to the project code.

How to stay safe?

The US Cybersecurity and Infrastructure Security Agency (CISA) recommends anyone who installed or updated affected operating systems in March to downgrade XZ Utils to an earlier version (for example, version 5.4.6) immediately. And also to start hunting for malicious activity.

If you have installed a distribution with a vulnerable version of XZ Utils, it also makes sense to change all credentials which could potentially be stolen from the system by the threat actors.

You can detect the presence of a vulnerability using the Yara rule for CVE-2024-3094.

Kaspersky official blog – ​Read More

Imagine getting a call or message from your immediate senior — or maybe even the head honcho of the whole company. They warn you about a nasty situation brewing. It spells fines or some other financial woes for the company, big trouble for your department, and possible dismissal for you personally! Cold sweat trickles down your spine, but there’s still a chance to save the day! You’ll have to hustle and do a few things you don’t usually do, but everything should be alright…

First – hold your horses and take a few deep breaths. There’s a 99% chance this whole “emergency” is completely made up and the person on the line is a scammer. But how do you recognize such an attack and protect yourself?

Anatomy of the attack

These schemes come in dozens of flavors. Scammers may describe various issues faced by your company depending on the particular country, cite involvement of regulators, police, or major business partners, and then suggest all manner of ways to “solve the problem” with your help. Yet there are a number of key points — crucial psychological footholds — without which the attack is next to impossible to carry out. These can be used to recognize the attack for what it is.

The superior’s authority, or simple trust in someone you know. Most people by now have developed a resistance to odd requests from strangers — be it a police officer who’s decided to reach out through instant messaging, or a bank employee personally concerned about your wellbeing. This scheme is different: the person approaching the victim appears to be someone you know to some extent — and a fairly important person at that. Scammers often choose a C-level manager’s profile as bait. First, they have authority; second, chances are the victim knows the person, but not well enough to spot the inevitable differences in speech or writing style. However, there are variations on this scheme where the scammers impersonate a coworker from a relevant department (such as accounting or legal) whom you may not know personally.
Redirection to an external party. In the most primitive cases, the “coworker” or “manager” who reaches out to you is also the person you get a request about money from. Most often though, after the initial contact, the “boss” suggests you discuss the details of the matter with an external contractor who’s about to reach out. Depending on the scheme’s specifics, this “assigned person” may be introduced as a law enforcement or tax officer, bank employee, auditor or similar; i.e., not someone the victim knows. The “boss” will ask you to provide the “designated person” with all the assistance they’ll need and without delay. That said, the most elaborate schemes, such as the one with $25 million stolen following a deepfake video conference, may have the scammers pose as company employees throughout.
A request has to be urgent, so as not to give the victim time to stop and analyze the situation. “The audit is tomorrow”, “the partner’s just arrived”, “the amount gets charged this afternoon”… long story short, you have to act right now. Scammers will often conduct this part of the conversation by phone, telling the victim not to hang up until the money is transferred.
Absolute secrecy. To prevent anyone from interfering with the fraud, the “boss” early on warns the victim that discussing the incident with anyone is strictly forbidden as disclosure would lead to disastrous consequences. The fraudster might say that they’ve no one else to trust, or that some of the other employees are criminals or disloyal to the company. They will generally try to keep the victim from talking to anyone until their demands are met.

Objectives of the attack

Depending on the victim’s position and level of income, an attack may pursue different goals. If the victim is authorized by the company to execute financial transactions, the scammers will try to talk them into making an urgent secret payment to a vendor such as a law firm for assistance in solving problems — or just transferring the company’s money to a “safe” account.

Employees who don’t deal with the company’s money can be targeted by attacks that seek to obtain company data such as passwords to internal systems, or their own funds. Scammers may come up with dozens of backstories, ranging from an accounting data leak that jeopardizes the victim’s account, to a need to keep the company’s cash gap closed until an audit is done. In the latter case, the victim is asked to use their own money in some way: transfer it to another account, pay for gift cards or vouchers, or withdraw it and give it to a “trusted person”. For greater persuasiveness, the scammers may promise the victim generous compensation for their expenses and effort — only later.

Convincing level of detail

Social media posts and numerous data leaks have made it much easier for fraudsters to launch carefully prepared, personalized attacks. They can: find the full names of the victim, their immediate senior, the CEO, and employees in the relevant departments (such as accounting), along with the exact department names; and find pictures of these individuals to create convincing instant messaging profiles and, if needed, even voice samples to create audio deepfakes. If there’s big money at stake, the scammers may invest significant time in making the charade as convincing as can be. In some previous cases, attackers even knew the locations of company departments inside buildings and the positions of individual employees’ desks.

Technical side of the attack

Sophisticated schemes like this nearly always include a phone call from the scammers; however, the initial “call from the boss” may also come in the form of an email or instant message. In simpler versions of the attack, the scammers just create a new instant messaging or email account with the manager’s name, while in more sophisticated cases they hack their corporate email or personal accounts. This is called a BEC (business email compromise) attack.

As for phone calls, scammers often use number spoofing services or obtain an illegal copy of the SIM card — the victim’s caller ID then displays the company’s general phone number or even their boss’s own.

Malicious actors may use deepfake voice generators, so a familiar voice on the other end of the line can’t guarantee the caller’s authenticity. Schemes like these may even use video calling where the caller’s face is also a deepfake.

Protecting yourself against scammers

First and foremost, attentiveness and courage to verify the information despite the scammers’ threats are two things that can protect you against this kind of attack.

Take it slow, and don’t panic. The scammers aim to knock you off balance. Keep calm and double-check all the facts. Even if the other party insists you don’t hang up the phone, you can always pretend that the call dropped. This will buy you some time to do more fact-checking.

Pay attention to the sender’s address, phone, and user name. If you’re used to corresponding with your boss by email, but then you suddenly get an instant message in their name from an unfamiliar number, it’s time to prick up your ears. If you’ve always talked on an instant messaging app and you get a new message but there’s no history, this means someone’s using a newly created account, which is a major red flag. Unfortunately, cybercriminals sometimes use fake email addresses that are hard to tell from the real ones, or hacked email or instant messaging accounts. All of this makes detecting forgery much more difficult.

Pay attention to small details. If a person you know approaches you with an odd request, is there anything about the situation that tells you that the person may be an impostor? Do their emails look slightly unusual? Are they using uncharacteristic figures of speech? Do you usually address each other by first names, but they’re using a formal form of address? Try asking them something only the real person could know.

Raise a red flag if you get an unusual request. If your boss or coworker is urgently asking you to do something unusual — and to keep it a secret to boot — this is nearly always a sign of a scam. Therefore, it’s critical that you verify the information you get and confirm the other party’s identity. The least you can do is contact that person using a different channel of communication. Talking in person is best, but if this isn’t a possibility, call their office or home number that you’ve got down in your phone book, or punch in that number manually; don’t just dial the last incoming number — to avoid circling back to the scammers. Use any other channels of communication available. The cell number that called you — even if it’s your boss or coworker’s real number you’ve gotten saved in your phone book — might have been compromised through SIM swapping or simple phone theft.

Check with your coworkers. Despite being asked to “keep it all confidential”, depending on the nature of the request, it doesn’t hurt to verify the information with your coworkers. If you get what appears to be a message from someone in accounting, contact other people in the same department.

Warn your coworkers and law enforcement. If you receive such a message, it means scammers are targeting your organization and coworkers. If their tricks don’t work on you, they’ll try the next department. Warn your coworkers, warn security, and report the attempted scam to the police.

Kaspersky official blog – ​Read More

Episode 340 of the Transatlantic Cable podcast kicks off with news that the EU is investigating Meta, Apple and Google for “uncompetitive practices.” Additionally, the US government has gone ahead and levelled a lawsuit against Apple, for what they see as “monopoly” behaviour with their hardware.

To wrap up, the team discuss two stories, the first around China and UK government hacking concerns and how age-verification for adult sites could actually be a bad thing in the long run.

If you liked what you heard, please consider subscribing.

Apple, Meta and Google to be investigated by the EU
US sues Apple for illegal monopoly over smartphones
Beijing behind cyberattacks on UK MPs and peers, deputy PM to warn
The Dangers of Age Verification

Kaspersky official blog – ​Read More

Should serious-minded attackers choose namely your company to target, they’d certainly be looking to gain a long-term, persistent presence in your infrastructure. Some would deploy high-end malware to achieve this – but others prefer not to. Many, in fact, prefer to attack companies by exploiting vulnerabilities, stolen credential, and legitimate programs that are already in the system. This technique – known as Living off the Land (LotL) – has many advantages from an attacker’s point of view:

Malicious activity blends in with everyday network and administrative activities.
Tools already installed on computers are less likely to trigger endpoint protection (EPP).
There’s no need to spend time and resources on developing one’s own malicious tools.
Such activity doesn’t produce obvious indicators of compromise (IoC), making it hard to trace malicious activity and compare attacks across organizations.
Many companies fail to collect and store information about network monitoring and day-to-day network activity in sufficient detail, so it’s impossible to track the evolution of an attack in real time – much less historically. This makes preventing attacks and mitigating their consequences extremely tricky.

LotL tactics are used by various groups: spy groups (see here and here), money-minded cybercriminals, and ransomware gangs.

Environments prone to LotL attacks

LotL attacks can be carried out in any environment: cloud, on-premises, hybrid; on Windows, Linux, and macOS platforms. Incidentally, attacks on macOS are sometimes known as Living off the Orchard – a reference to, yes, apples. In each of these environments, attackers have a variety of tools and techniques at their disposal:

Tools useful to attackers are usually called LOLBins (LOL binaries) or LOLBAS (LOL binaries and scripts). We analyzed the most popular LOLBins; a more complete list of all Windows tools seen in attacks can be found in this GitHub repository. To escalate privileges and disable defenses, threat actors can exploit legitimate software drivers, a list of which is available at loldrivers.io.
Unix/Linux. An extensive list of tools exploited by attackers can be found in the gtfobins repository on GitHub.
macOS. “Orchard” tools used in attacks are available at io.

It should be reiterated here that all the files listed in the links above are legitimate tools. They aren’t vulnerable per se, but can be used by an attacker who’s penetrated a system and gained sufficient privileges.

What’s stopping you from detecting LotL?

Even if an organization has a high level of information security maturity – with an expert team and advanced protective tools – in practice, defenders may be hampered in detecting LotL attacks due to the following reasons:

Non-adapted settings. Even advanced security tools need to be adapted to the specifics of the organization and the particularities of network segmentation, user-server interaction, and typical IT-system operating scenarios. Correlation rules need to be created and customized based on the available threat intelligence and known characteristics of the company. Sometimes defenders rely too heavily on IoC detection, and don’t pay enough attention to potentially dangerous behavioral signals. Sometimes InfoSec or IT services use broad exclusion rules and extensive allowlists that include many LOLBAS simply because they’re legitimate applications. All of the above significantly lowers the effectiveness of protection.
Inadequate logging. The standard level of logging in many systems doesn’t allow for the detection of malicious activity, storage of event parameters sufficient for incident analysis, or reliable differentiation between legitimate administrative actions and malicious ones.
Insufficient automation. Malicious actions in a heap of logs can only be detected after preliminary filtering and removal of background noise. The most effective filtering is telemetry from EDR, which collects relevant telemetry, increases flexibility in detecting attacker techniques, and reduces false positives. Without filtering and automated analysis, logs are useless. There are simply too many of them.
Isolation from IT. The above issues would be especially acute if IT and InfoSec services have little interaction: InfoSec is unfamiliar with IT work regulations, tool settings, and so on. In addition, if the teams don’t talk to each other, an investigation into suspicious activity can drag on for weeks or even months – during all of which time the threat actors would be further developing their attacks.

How to detect LotL attacks

There are many practical cybersecurity recommendations for detecting LotL attacks – none of them exhaustive. The most recent and detailed public guidance comes from cyber agencies in the US, UK, and Australia. But even there, the authors emphasize that they’re only providing best practice benchmarks.

The most practical, effective, and implementable detection tips are as follows:

Implement detailed event logging. Collect logs in a centralized repository that’s write-once and disallows modifications. This prevents attackers from deleting or changing logs. Centralization of logs is critical because it enables behavioral analysis, retrospective searches, and targeted threat hunting. It also often makes it possible to save logs for longer periods of time.
 
To be useful, logs must be comprehensive and verbose. They must log security events – including all commands in management consoles (shells), as well as system calls, PowerShell activity, WMI event traces, and so on. It’s worth reiterating that standard logging configurations rarely cover all necessary events. What’s more, in some cloud environments, the right level of logging is only available as part of costly service packages. When Microsoft 365 customers got burned this last year, Microsoft revised its policy.
 
For proper implementation of logging, SIEM (centralization, aggregation, and event analysis) and EDR (collection of necessary telemetry from hosts) are indispensable tools.
Identify and record typical, day-to-day activity of network devices, servers, applications, users, and administrators. To gather information about baseline behavior in a particular network, SIEM is recommended: all normal sequences of events, service relationships and the like are clear to see. Special attention should be paid to the analysis of “administrative” behavior, and the use of specific tools by privileged accounts – including system ones. Keep the number of administrative tools to a minimum, with detailed logging of their operation; use of other similar tools should be either blocked or set to trigger alerts. For administrator accounts, it’s important to analyze what time they are in use, what commands they run and in what sequence, what devices they interact with, and so on.
Use automated systems (such as machine learning models) to continuously analyze logs, match them against typical activity, and report anomalies to InfoSec. Ideally, implement user and entity behavior analytics (UEBA).
Continuously update settings to reduce background noise and adjust low-impact alerts or downgrade their priority.
 
You can fine-tune monitoring rules and alert triggers to better distinguish between routine administrative actions and potentially dangerous behavior. Avoid overly broad rules that will burden systems and analysts alike, such as “CommandLine=*”. Work with the IT team to reduce the variety of administration utilities used, their accessibility on unrelated systems, and the number of available protocols and types of accounts for logging in to corporate systems.

How to defend against LotL

The very nature of these attacks makes it almost impossible to prevent them completely. However, proper configuration of your network, endpoints, applications, and accounts can dramatically narrow the attack surface, speed up detection, and minimize the damage caused by intrusion attempts.

Review and implement “hardening” recommendations from vendors of the hardware and applications you use. The following should be considered as the minimum:

For Windows systems, apply Microsoft updates promptly.
For Linux systems, review permissions for key applications and daemons by following an industry guide – such as Red Hat Enterprise Linux Benchmarks.
For macOS devices, be aware that there are no generally accepted hardening recommendations, but there is a misconception that they’re secure out-of-the-box. In mixed networks, Windows devices are often more prevalent, such that IT and InfoSec tend to focus on Windows, overlooking threats and suspicious events on Apple devices. Besides the advice to regularly update macOS to the latest version and implement EDR/EPP, we recommend studying the macOS Security Compliance Project, which lets you generate InfoSec recommendations for specific macOS devices.
For organizations that actively use Microsoft 365 and Google Workspace cloud services, it’s vital to implement the minimum InfoSec recommendations from Microsoft and Google.
Critical IT assets, such as ADFS and ADCS for Microsoft-based IT systems, warrant special attention and in-depth analysis of possible hardening measures.
Widely apply universal hardening measures such as minimizing the number of running services, the principle of least privilege, and encryption and authentication of all network communications.

Make the allowlisting (aka default deny) approach standard. If implementing it across all applications and all computers is troublesome, try a phased approach. Popular LOLBAS that your team doesn’t use for work and your system processes don’t need can be blocked. The tools that actually are needed should only be available to administrators, only on relevant systems, and only for the duration of administrative tasks. All sessions that use such tools must be carefully logged and analyzed for anomalies.
 
Conduct an in-depth inventory of configurations, policies, and software installed on each host. If an application isn’t needed on a host, remove it: this will take it out of the toolkit of attackers and eliminate the headaches associated with updates and vulnerabilities. EDR solutions are ideal for this task.
Strengthen IT and OT network segmentation and monitoring at the internal network level. Besides isolating the OT network, you can move administrative machines with high privileges, important servers and the like to a separate subnet.

When implementing such restrictions, many organizations allowlist excessively broad IP ranges, for example, all addresses of a particular cloud provider. Even if this cloud hosts legitimate servers that the company server needs to communicate with, neighboring IPs could be leased by attackers. Therefore, it’s imperative to specify precise IP ranges and keep the allowlist as short as possible.

Network analysis tools should also be used to monitor traffic between segments, with a focus on unusual sessions and communications with more important network segments. Such analysis requires deep packet inspection (DPI).

To significantly simplify monitoring and to make attacks much harder, introduce privileged access workstations (PAWs) in your organization. High-risk administrative actions should be allowed on these and nowhere else. As part of the minimum program for Windows environments, operations with Active Directory servers should be allowed from PAWs only.

Implement authentication and authorization for all human-machine and machine-machine interactions regardless of their network location.
Implement a comprehensive approach to infrastructure protection based on detection and response tools (SIEM + EDR), building both awareness and team expertise (threat intelligence + cybersecurity training), and continuous hardening of the company’s overall InfoSec posture.

Kaspersky official blog – ​Read More