
Commit f90b7a5

Acrolinx fixes
1 parent 7c84df2 commit f90b7a5

1 file changed

+18
-18
lines changed

articles/security/fundamentals/ransomware-prepare.md

Lines changed: 18 additions & 18 deletions
Original file line number | Diff line number | Diff line change
@@ -83,37 +83,37 @@ There are a number of activities that may be undertaken to prepare for potential
8383

8484
### Educate end users on the dangers of ransomware
8585

86-
As most ransomware variants rely on end-users to install the ransomware or connect to compromised Web sites, all end users should be educated about the dangers. This would typically be part of annual security awareness training as well as ad hoc training available through the company's learning management systems. The awareness training should also extend to the company's customers via the company's portals or other appropriate channels.
86+
As most ransomware variants rely on end-users to install the ransomware or connect to compromised Web sites, all end users should be educated about the dangers. This would typically be part of annual security awareness training as well as ad hoc training available through the company's learning management systems. The awareness training should also extend to the company's customers via the company's portals or other appropriate channels.
8787

8888
### Educate security operations center (SOC) analysts and others on how to respond to ransomware incidents
8989

90-
SOC analysts and others involved in ransomware incidents should know the fundamentals of malicious software and ransomware specifically. They should be aware of major variants/families of ransomware, along with some of their typical characteristics. Customer call center staff should also be aware of how to handle ransomware reports from the company's end users and customers.
90+
SOC analysts and others involved in ransomware incidents should know the fundamentals of malicious software and ransomware specifically. They should be aware of major variants/families of ransomware, along with some of their typical characteristics. Customer call center staff should also be aware of how to handle ransomware reports from the company's end users and customers.
9191

9292
## Ensure that you have appropriate technical controls in place
9393

94-
There are a wide variety of technical controls that should be in place to protect, detect, and respond to ransomware incidents with a strong emphasis on prevention. At a minimum, SOC analysts should have access to the telemetry generated by antimalware systems in the company, understand what preventive measures are in place, understand the infrastructure targeted by ransomware, and be able to assist the company teams to take appropriate action.
94+
There are a wide variety of technical controls that should be in place to protect, detect, and respond to ransomware incidents with a strong emphasis on prevention. At a minimum, SOC analysts should have access to the telemetry generated by antimalware systems in the company, understand what preventive measures are in place, understand the infrastructure targeted by ransomware, and be able to assist the company teams to take appropriate action.
9595

9696
This should include some or all of the following essential tools:
9797

9898
- Detective and preventive tools
9999
- Enterprise server antimalware product suites (such as Microsoft Defender for Cloud)
100100
- Network antimalware solutions (such as Azure Anti-malware)
101101
- Security data analytics platforms (such as Azure Monitor, Sentinel)
102-
- Next generation intrusion detection and prevention systems
102+
- Next generation intrusion detection and prevention systems
103103
- Next generation firewall (NGFW)
104104

105105
- Malware analysis and response toolkits
106106
- Automated malware analysis systems with support for most major end-user and server operating systems in the organization
107-
- Static and dynamic malware analysis tools
107+
- Static and dynamic malware analysis tools
108108
- Digital forensics software and hardware
109109
- Non- Organizational Internet access (for example, 4G dongle)
110110
- For maximum effectiveness, SOC analysts should have extensive access to almost all antimalware platforms through their native interfaces in addition to unified telemetry within the security data analysis platforms. The platform for Azure native Antimalware for Azure Cloud Services and Virtual Machines provides step-by-step guides on how to accomplish this.
111111
- Enrichment and intelligence sources
112112
- Online and offline threat and malware intelligence sources (such as sentinel, Azure Network Watcher)
113113
- Active directory and other authentication systems (and related logs)
114-
- Internal Configuration Management Databases (CMDBs) containing endpoint device info
114+
- Internal Configuration Management Databases (CMDBs) containing endpoint device info
115115

116-
- Data protection
116+
- Data protection
117117
- Implement data protection to ensure rapid and reliable recovery from a ransomware attack + block some techniques.
118118
- Designate Protected Folders – to make it more difficult for unauthorized applications to modify the data in these folders.
119119
- Review Permissions – to reduce risk from broad access enabling ransomware
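Review bot: every `-`/`+` pair in this hunk shows identical visible text (for example "- Next generation intrusion detection and prevention systems" and "- Static and dynamic malware analysis tools" appear unchanged on both sides), so the hunk is a whitespace-only edit; with a commit message of "Acrolinx fixes" a reader will look for wording changes, so either say in the message that this is whitespace cleanup or confirm the intended wording edits were not dropped. Since these lines are being touched anyway, the stray space in "Non- Organizational Internet access (for example, 4G dongle)" and the lowercase product name in "(such as sentinel, Azure Network Watcher)" are exactly what Acrolinx flags and could be corrected in the same commit ("Non-organizational internet access", "Microsoft Sentinel").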
@@ -131,25 +131,25 @@ This should include some or all of the following essential tools:
131131

132132
## Establish an incident handling process
133133

134-
Ensure your organization undertakes a number of activities roughly following the incident response steps and guidance described in the US National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (Special Publication 800-61r2) to prepare for potential ransomware incidents. These steps include:
134+
Ensure your organization undertakes a number of activities roughly following the incident response steps and guidance described in the US National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (Special Publication 800-61r2) to prepare for potential ransomware incidents. These steps include:
135135

136-
1. **Preparation**: This stage describes the various measures that should be put into place prior to an incident. This may include both technical preparations (such as the implementation of suitable security controls and other technologies) and non-technical preparations (such as the preparation of processes and procedures).
137-
1. **Triggers / Detection**: This stage describes how this type of incident may be detected and what triggers may be available that should be used to initiate either further investigation or the declaration of an incident. These are generally separated into high-confidence and low-confidence triggers.
138-
1. **Investigation / Analysis**: This stage describes the activities that should be undertaken to investigate and analyze available data when it isn't clear that an incident has occurred, with the goal of either confirming that an incident should be declared or concluded that an incident hasn't occurred.
139-
1. **Incident Declaration**: This stage covers the steps that must be taken to declare an incident, typically with the raising of a ticket within the enterprise incident management (ticketing) system and directing the ticket to the appropriate personnel for further evaluation and action.
140-
1. **Containment / Mitigation**: This stage covers the steps that may be taken either by the Security Operations Center (SOC), or by others, to contain or mitigate (stop) the incident from continuing to occur or limiting the effect of the incident using available tools, techniques, and procedures.
141-
1. **Remediation / Recovery**: This stage covers the steps that may be taken to remediate or recover from damage that was caused by the incident before it was contained and mitigated.
142-
1. **Post-Incident Activity**: This stage covers the activities that should be performed once the incident has been closed. This can include capturing the final narrative associated with the incident as well as identifying lessons learned.
136+
1. **Preparation**: This stage describes the various measures that should be put into place prior to an incident. This may include both technical preparations (such as the implementation of suitable security controls and other technologies) and non-technical preparations (such as the preparation of processes and procedures).
137+
1. **Triggers / Detection**: This stage describes how this type of incident may be detected and what triggers may be available that should be used to initiate either further investigation or the declaration of an incident. These are generally separated into high-confidence and low-confidence triggers.
138+
1. **Investigation / Analysis**: This stage describes the activities that should be undertaken to investigate and analyze available data when it isn't clear that an incident has occurred, with the goal of either confirming that an incident should be declared or concluded that an incident hasn't occurred.
139+
1. **Incident Declaration**: This stage covers the steps that must be taken to declare an incident, typically with the raising of a ticket within the enterprise incident management (ticketing) system and directing the ticket to the appropriate personnel for further evaluation and action.
140+
1. **Containment / Mitigation**: This stage covers the steps that may be taken either by the Security Operations Center (SOC), or by others, to contain or mitigate (stop) the incident from continuing to occur or limiting the effect of the incident using available tools, techniques, and procedures.
141+
1. **Remediation / Recovery**: This stage covers the steps that may be taken to remediate or recover from damage that was caused by the incident before it was contained and mitigated.
142+
1. **Post-Incident Activity**: This stage covers the activities that should be performed once the incident has been closed. This can include capturing the final narrative associated with the incident as well as identifying lessons learned.
143143

144144
:::image type="content" source="./media/ransomware/ransomware-17.png" alt-text="Flowchart of an incident handling process":::
145145

146146
## Prepare for a quick recovery
147147

148-
Ensure that you have appropriate processes and procedures in place. Almost all ransomware incidents result in the need to restore compromised systems. So appropriate and tested backup and restore processes and procedures should be in place for most systems. There should also be suitable containment strategies in place with suitable procedures to stop ransomware from spreading and recovery from ransomware attacks.
148+
Ensure that you have appropriate processes and procedures in place. Almost all ransomware incidents result in the need to restore compromised systems. So appropriate and tested backup and restore processes and procedures should be in place for most systems. There should also be suitable containment strategies in place with suitable procedures to stop ransomware from spreading and recovery from ransomware attacks.
149149

150-
Ensure that you have well-documented procedures for engaging any third-party support, particularly support from threat intelligence providers, antimalware solution providers and from the malware analysis provider. These contacts may be useful if the ransomware variant may have known weaknesses or decryption tools may be available.
150+
Ensure that you have well-documented procedures for engaging any third-party support, particularly support from threat intelligence providers, antimalware solution providers and from the malware analysis provider. These contacts may be useful if the ransomware variant may have known weaknesses or decryption tools may be available.
151151

152-
The Azure platform provides backup and recovery options through Azure Backup as well built-in within various data services and workloads.
152+
The Azure platform provides backup and recovery options through Azure Backup as well built-in within various data services and workloads.
153153

154154
Isolated backups with [Azure Backup](../../backup/backup-azure-security-feature.md#prevent-attacks)
155155
- Azure Virtual Machines
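Review bot: the `+` lines in this hunk also read identically to their `-` counterparts, yet they carry grammar problems an Acrolinx pass should catch, so the fix should land in the `+` text rather than leaving it byte-for-byte the same: "suitable procedures to stop ransomware from spreading and recovery from ransomware attacks" mixes a verb and a noun (suggest "to stop ransomware from spreading and to recover from ransomware attacks"); "These contacts may be useful if the ransomware variant may have known weaknesses or decryption tools may be available" doubles "may" (suggest "if the ransomware variant has known weaknesses or decryption tools are available"); and "through Azure Backup as well built-in within various data services and workloads" is missing "as" (suggest "through Azure Backup as well as options built into various data services and workloads").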
