11.12 Hardening Recommendations

4-6 hours · Module 11

Hardening Recommendations

Post-incident hardening prevents the same attack from succeeding again. Each recommendation includes the blast radius, cost, rollback procedure, and GRC compliance mapping — because hardening recommendations that do not include implementation reality do not get implemented.

Recommendation 1: Deploy Conditional Access Token Protection (Token Binding)

What it does: Binds session tokens to the device that completed the original authentication. Replayed tokens from a different device are rejected.

Why it matters: This is the definitive AiTM prevention control. It would have prevented every compromise in INC-2026-0227-001.

Blast radius: All users in the targeted CA policy must re-authenticate on all devices after policy enforcement begins. Session tokens issued before token protection are not retroactively bound — they remain valid until expiry. Tenant-wide for users in the policy scope.

Before enabling: Verify that all applications used by your organisation support token binding. Some legacy applications and thick clients may not support the token protection claim. Test with a pilot group of 10-20 users for 2 weeks before tenant-wide rollout.

Cost impact: £0 additional licensing (included in Entra ID P1/P2, which E5 includes). IT effort: ~4 hours for configuration, testing, and rollout.

Rollback: Disable or delete the conditional access policy. Effect is immediate.

Compliance mapping: NIST CSF PR.AC-7 (Authentication). ISO 27001 A.8.5 (Secure authentication). SOC 2 CC6.1 (Logical access controls). CIS v8 6.3 (Require MFA for externally exposed applications) — token binding extends the MFA protection to the session.

Recommendation 2: Deploy FIDO2 Security Keys for High-Value Users

What it does: Provides phishing-resistant authentication. The FIDO2 key validates the origin domain — it will not authenticate to an AiTM proxy because the proxy’s domain does not match login.microsoftonline.com.

Priority users: Global Admins, finance staff (BEC targets), executives, IT administrators.

Blast radius: Only users with FIDO2 keys assigned are affected. Other users continue with their existing MFA methods. Per-user scope.

Cost impact: ~£25-50 per FIDO2 key (YubiKey 5 NFC). For 20 high-value users: £500-1,000 one-time. No recurring cost.

Rollback: Users can fall back to their existing MFA method. Remove the authentication strength CA policy to stop requiring FIDO2.

Compliance mapping: NIST CSF PR.AC-7. ISO 27001 A.8.5. SOC 2 CC6.1. CIS v8 6.5 (Require MFA for administrative access).

Recommendation 3: Restrict Inbox Rule Creation to Internal Forwarding Only

What it does: Exchange Online transport rule that blocks inbox rules from forwarding email to external domains.

Execute:

1
2
3
4
5
6
// PowerShell — create transport rule blocking external forwarding via inbox rules
// New-TransportRule -Name "Block External Inbox Rule Forwarding"
//   -FromScope InOrganization
//   -SentToScope NotInOrganization
//   -MessageTypeMatches AutoForward
//   -RejectMessageReasonText "Automatic forwarding to external recipients is blocked."

Blast radius: All users in the organisation. Any existing inbox rules that forward to external addresses stop working. This may affect legitimate workflows (e.g., a user who forwards work email to a personal account). Tenant-wide.

Before enabling: Run a query to identify existing external forwarding rules: Get-InboxRule -Mailbox * | Where-Object { $_.ForwardTo -or $_.RedirectTo } | Where-Object { $_.ForwardTo -notlike '*@northgateeng.com' -or $_.RedirectTo -notlike '*@northgateeng.com' }. Notify affected users before enabling the transport rule.

Rollback: Disable or remove the transport rule. External forwarding resumes immediately.

Cost impact: £0. Transport rules are included in all Exchange Online plans.

Compliance mapping: NIST CSF PR.DS-5 (Protections against data leaks). ISO 27001 A.8.12 (Data leakage prevention). SOC 2 CC6.7 (Restrict transmission of information).

Recommendation 4: Enable Safe Links for Internal Email

What it does: Configures Safe Links to scan URLs in internal-to-internal emails, not just external emails. This would have caught the Wave 2 internal phishing.

Blast radius: URL scanning applies to all internal emails. Minor latency increase on email delivery (typically < 1 second). Tenant-wide.

Cost impact: No additional licensing. May increase Safe Links processing volume — no direct cost for E5 customers.

Rollback: Disable the internal email scanning setting in the Safe Links policy.

Compliance mapping: NIST CSF DE.CM-4 (Malicious code is detected). ISO 27001 A.8.23 (Web filtering).

Recommendation priority matrix

#	Recommendation	Impact	Effort	Cost	Priority
1	Token protection (token binding)	Prevents all AiTM token replay	4 hours	£0	Critical — implement within 1 week
2	FIDO2 for high-value users	Prevents AiTM credential capture for protected users	8 hours + key procurement	£500-1,000	High — implement within 1 month
3	Block external inbox forwarding	Prevents attacker data exfiltration via inbox rules	2 hours	£0	High — implement within 1 week
4	Safe Links for internal email	Detects internal phishing from compromised accounts	1 hour	£0	Medium — implement within 2 weeks

Subsection artifact: The hardening checklist above with blast radius, cost, rollback, and GRC mapping for each recommendation. This is reusable for any AiTM incident — the recommendations apply universally to M365 environments without token binding.

Knowledge check

Check your understanding

1. You recommend blocking external inbox rule forwarding. The CFO has an inbox rule that forwards all email to their personal Gmail. What do you do?

Notify the CFO before enabling the transport rule. Explain: the rule will block external forwarding to prevent data exfiltration by attackers. The CFO's personal forwarding is a security risk regardless of the incident — corporate email forwarded to personal Gmail bypasses DLP, retention, and eDiscovery controls. Recommend an alternative: Outlook mobile app or OWA for personal device access. If the CFO insists, document the risk acceptance and create a transport rule exception — but flag this as a GRC compliance gap (data leakage prevention controls are weakened by the exception).

Create an exception for the CFO

Do not implement the recommendation

Block it without telling the CFO

Notify, explain the risk, recommend alternatives. If the CFO accepts the risk, document the exception and the compliance impact. Never block without communication. Never skip hardening because of one exception.

← 11.11 CISO Report 11.13 Detection Engineering →