Blog post

Introducing the Mitigating Malware and Preventing Lateral Movement Guidance

Created:  09 Feb 2018
Updated:  09 Feb 2018
Author:  Dan U
Part of:  Malware protection
WannaCry screen

Last year, following the global WannaCry incident in May 2017, the NCSC published guidance that described how organisations of all sizes -  and home users - could reduce the likelihood of being infected by malware.

To make it simpler for you to find the information you need, we've now updated and combined these publications into a single piece of guidance around Mitigating Malware.

Our aim for this guidance is to answer three questions:

  1. What is malware?
  2. What should I do to protect myself?
  3. What should I do to protect my organisation?

So, if you're a home user, you'll only need to consider the first 2 questions. However if you're an IT professional responsible for securing even just a small business, then question 3 describes protections you can put in place that will reduce the likelihood of malware causing serious damage.

No matter what steps you take, there is always the risk that an attacker will eventually get through. This is where our new Preventing Lateral Movement guidance comes in. WannaCry and NotPetya both highlighted the impact that ransomware can have if it is able to move between endpoints and through your networks. However, you can make it hard for malware to spread laterally and fulfil its objective (whether that is obtaining valuable data, spreading ransomware, or causing general disruption) by performing additional hardening.

The guidance also explains why you should monitor your network to try and detect when it has been compromised. This can help you manage the impact, find out how the malware got in, and take defensive action as quickly as possible.

We understand that some of the recommended mitigations may be difficult to implement quickly. However, we hope this guidance will provide your organisation with a starting point. You should then tailor and prioritise the recommendations to reflect your own environment, balancing your available budget against the costs associated with a network compromise.


Dan U
Security Consultant, NCSC


Elad Sharf - 19 Feb 2018

I recommend this guide to be more comprehensive; for e.g. you're advising on lateral movement but there's no mention of WMI?

Dan U - 21 Feb 2018
Hi Elad, thanks for your feedback.

With guidance such as this our aim is to, as much as possible, focus on the broader principles. This is so that it can be applied to any organisation regardless of the specific platforms in use.

We would always recommend that readers look for guidance from their vendors about how to implement the controls described in the products that they use.
Peter Glock - 21 Feb 2018
I see that the 'Preventing Lateral Movement' guidance contains a small section on honeypots. Is there any other NCSC guidance on how to best use deception technology?
Dan U - 21 Feb 2018
Hi Peter.

We currently do not have guidance published on deception techniques, however if there is a demand for it we will consider producing material that covers the topic.

If you have any specific queries, then you can send them through to the Enquiries team using this contact form:
NCSC Communications Team - 11 Sep 2018
This blog is now closed to comments.

Was this blog post helpful?

We need your feedback to improve this content.

Yes No