DNS Amplification DDOS Attack

A Domain Name System (DNS) amplification attack is a distributed denial of service (DDoS) that uses publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic.

The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address. When the DNS server sends the DNS record response, it is sent instead to the target. This creates a denial of service to the target.

Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. In most attacks of this type the spoofed queries sent by the attacker are of type “ANY”, which returns all known information about a DNS zone in a single request.

Because the response is considerably larger than the request, the attacker is able to multiply the amount of traffic directed at the victim. By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic with little effort and very little of their own bandwidth. Additionally, because the responses are legitimate data coming from valid (albeit open to query) DNS servers, these attacks are extremely difficult to block. While the attacks are difficult to stop, network operators can apply several mitigation strategies.

While the most common form of this attack involves DNS servers configured to allow unrestricted recursive resolution for any client on the Internet, attacks can also involve authoritative name servers that do not provide recursive resolution. The attack method is the same as for open recursive resolvers, but it is more difficult to mitigate, since even a server configured according to best practices can still be used in an attack. In the case of authoritative servers, mitigation should focus on using Response Rate Limiting (RRL) to restrict the amount of traffic.

In a typical recursive DNS query, a client sends a query request to a local DNS server requesting the resolution of a name or the reverse resolution of an IP address. The DNS server performs the necessary queries on behalf of the client and returns a response packet with the requested information or an error. The DNS specification does not allow for unsolicited responses, so in a DNS amplification attack the main indicator is a query response without a matching request.

Due to the massive traffic volume that can be produced by one of these attacks, there is often little that the victim can do to counter a large-scale DNS amplification-based distributed denial-of-service attack.

Because the DNS queries sent by the attacker-controlled clients must have a source address spoofed to appear as the victim’s system, the first step to reducing the effectiveness of DNS amplification is for Internet Service Providers to reject any DNS traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force released the Best Current Practice 38 document in May 2000 and Best Current Practice 84 in March 2004, which describe how an Internet Service Provider can filter traffic on their network to reject packets with source addresses not reachable via the actual packet’s path. The changes recommended in these documents cause a routing device to evaluate whether the source address of the packet is reachable via the interface on which the packet arrived. If it is not, then the packet clearly has a spoofed source address. This configuration change would substantially reduce the potential for most popular types of DDoS attacks. As such, we highly recommend that all network operators perform network ingress filtering where possible.

In some cases the above may not be possible or practical. The only other option is to ‘throw’ more bandwidth at the problem, which is a ‘finger in the dam’ approach. The only way to overcome this effectively is to use a cloud-based DDoS service such as Akamai Prolexic. However, unless the victim is BGP connected this won’t be possible, as Prolexic uses BGP to protect a BGP-connected network. For example, if the customer only has a small IP range (/30 or /28) they can’t be BGP connected to Prolexic. This would necessitate them having an ‘upstream’ clean pipe service, but even then the ISP or carrier would also be flooded by the DDoS attack and would then need protecting themselves. The problem shifts up the food chain.

By the time the response reaches your (spoofed) server it’s already too late. Your server will waste its resources trying to do something with the packets and the requests. Even if you have something like iptables or a stateful firewall drop all connections, it’s still going to use up all of the server’s inbound bandwidth. Redirecting all traffic someplace else eats up your outbound bandwidth and propagates the network failure between your server and the new target.

It’s a network infrastructure issue, not a server issue (unless it’s an open recursive resolver). The traffic needs to be handled (killed) further up the pipe. Other mitigation techniques for resolvers include enforcing a minimum TTL (which also helps against cache poisoning) and a reasonable maximum payload size for responses sent over UDP; Google DNS uses a 512-byte limit for this reason. In practice, some combination of response rate limiting and upstream measures is needed. Technically you could use egress filtering on edge routers to block outgoing packets that originated on a different link/interface than the route to the spoofed destination, but on simple networks (i.e. with a single Internet link) that’s not feasible.

The problem is that you need to drop the traffic before it reaches your network; dropping packets at your server is far too late. The best way to reduce risk is to use a packet scrubbing service such as Akamai, which has DDoS mitigation techniques in place to prevent this traffic from reaching your network.

There are two criteria for a good amplification attack vector: 1) the query can be sent with a spoofed source address (e.g., via a protocol like ICMP or UDP that does not require a handshake); and 2) the response to the query is significantly larger than the query itself. DNS is a core, ubiquitous Internet platform that meets both criteria and has therefore become the largest source of amplification attacks.

DNS queries are typically transmitted over UDP, meaning that, like the ICMP queries used in a Smurf attack, they are fire and forget. As a result, their source address can be spoofed and the receiver has no way of determining its veracity before responding. DNS is also capable of generating a much larger response than the query.
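The two points above, the unsolicited response as the main indicator and the response/request size ratio as the amplification factor, can be checked over a DNS traffic log. The following is an added example, not code from the original post; the record format and the sample records are constructed for illustration.

```python
"""Flag DNS responses with no matching request and measure the amplification
factor of the matched pairs. Added example; the record layout and the sample
traffic below are constructed, not taken from any real capture."""
from collections import defaultdict
from typing import NamedTuple


class DnsRecord(NamedTuple):
    ts: float          # capture time in seconds (constructed)
    src: str           # source IP of the UDP datagram
    dst: str           # destination IP of the UDP datagram
    txid: int          # DNS transaction ID
    is_response: bool  # QR bit: False = query, True = response
    qtype: str         # query type, e.g. "A" or "ANY"
    size: int          # UDP payload length in bytes


def analyse(records, window=2.0):
    """Return (unsolicited, ratios).
    unsolicited: responses with no preceding request for the same
                 (client, server, txid) within `window` seconds.
    ratios:      {qtype: [response_size / request_size, ...]} for matched pairs.
    """
    pending = {}            # (client, server, txid) -> request record
    unsolicited = []
    ratios = defaultdict(list)
    for r in sorted(records, key=lambda x: x.ts):
        if not r.is_response:
            pending[(r.src, r.dst, r.txid)] = r
            continue
        key = (r.dst, r.src, r.txid)   # a response travels server -> client
        req = pending.pop(key, None)
        if req is None or r.ts - req.ts > window:
            unsolicited.append(r)
        else:
            ratios[req.qtype].append(r.size / req.size)
    return unsolicited, dict(ratios)


def summarise(records, window=2.0, threshold=5):
    """Group unsolicited responses by the address they hit. A likely victim is
    any destination receiving at least `threshold` unmatched responses."""
    unsolicited, ratios = analyse(records, window)
    hits = defaultdict(int)
    for r in unsolicited:
        hits[r.dst] += 1
    victims = {ip: n for ip, n in hits.items() if n >= threshold}
    avg_ratio = {q: sum(v) / len(v) for q, v in ratios.items()}
    return victims, avg_ratio


# Constructed sample: one legitimate A lookup by 192.0.2.10 and six ANY
# responses from different open resolvers landing on 198.51.100.5, which
# never sent a query (the spoofed queries never crossed this network).
SAMPLE = [
    DnsRecord(0.0, "192.0.2.10", "203.0.113.53", 0x1A2B, False, "A", 45),
    DnsRecord(0.1, "203.0.113.53", "192.0.2.10", 0x1A2B, True, "A", 120),
] + [
    DnsRecord(1.0 + i * 0.01, f"203.0.113.{i}", "198.51.100.5",
              0x4000 + i, True, "ANY", 3000)
    for i in range(6)
]

if __name__ == "__main__":
    victims, avg_ratio = summarise(SAMPLE)
    print("likely amplification victims:", victims)
    print("average response/request size ratio by qtype:", avg_ratio)
```

Note that no ratio is reported for the ANY responses: the victim's network never sees the spoofed queries, which is exactly why detection has to key on responses without a request.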

Posted in Network Security, Opinion

Anatomy of an IoT Attack

This is a very neat 3-minute film showing you why, who and how when it comes to carrying out an IoT attack. Cisco made it, but cleverly they don’t name-drop their products or even their brand name until the very end. Neat.

Posted in Network Security, Opinion, Video

ITogether Check Point Blade Training Course Sign Up Form 2017

Please complete this little form to register yourself for any of the ITogether and Check Point Official Blade Training Courses in 2017. Please select the course you would like to attend.

If you have any questions you can call us on 0113 341 0123.

Posted in Network Security, News and Updates

New 2017 Outpost24 advert on Youtube

Whilst browsing some Symantec information on YouTube around the subject of CASB (Cloud Access Security Brokers), I was played the new Outpost24 advert.

I like it because it’s simple and to the point. Have a look here.

Posted in Network Security, News and Updates, Opinion

ITogether the first UK partner to offer monthly free Check Point Blade Courses

ITogether, the fastest-growing UK Check Point Three Star partner, are yet again providing additional value to the Check Point user base in the UK.

On 18th and 19th October 2017 ITogether are offering ANY Check Point or ‘would like to be Check Point’ customer free Check Point Blade Training.

There is no cost for the course, and lunch and free parking are included on both days. Delegates are asked to bring their own laptop (the labs are virtual and cloud hosted) and an iPad or similar tablet to view the course notes, which makes it easier when working on the labs on the laptop. The course notes are secured using Check Point Capsule, which will need to be installed on the tablet before the course commences.

The course provides a unique insight into the use of the Check Point blades and newer essential features. It is ideal for any customer that has already bought, or is considering buying, new blades, or is looking to add blades to their deployment.

This training goes beyond that offered on the CCSA and CCSE courses, which focus on ‘features and architecture’ of the product and the accreditation, by showcasing the blade features in full and using real-world scenarios to look at how they might be deployed and how to get the best out of them.

This is a deep dive into blade functionality that can’t be found elsewhere; it covers NGTP and NGTX predominantly on R77.30 but will also include an intro to R80 blades.

This course is perfect for anyone who is worried about deploying blades in a production environment and wants to see them working in the lab first. A team of Check Point technical specialists will be on hand to answer questions around deployment methods and sizing requirements.

The course is available to any customer who meets the prerequisites. Customers are entitled to send as many employees as they wish through all of the courses; however, customers are asked to send a maximum of two delegates per course date.

Training courses are run from the ITogether offices in Leeds, West Yorkshire by official Check Point Trainers and only using official Check Point courseware and labs.

Contact ITogether via the form on the website for more information.

Further courses will follow in November and December; the dates so far are 14th and 15th November 2017, and 12th and 13th December 2017. You can sign up for the course here.

About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com), is the largest network cyber security vendor globally, providing industry-leading solutions and protecting customers from cyberattacks with an unmatched catch rate of malware and other types of threats. Check Point offers a complete security architecture defending enterprises – from networks to mobile devices – in addition to the most comprehensive and intuitive security management. Check Point protects over 100,000 organisations of all sizes.

Posted in Network Security, News and Updates, Opinion

ITogether first UK Check Point partner to launch managed services powered by Check Point MDSM (Multi Domain Site Management)

Following on from our announcement in 2015 that ITogether were the first partner in the UK to offer ‘leasing options for Check Point hardware and software’, ITogether are today announcing another first to market. After significant investment in infrastructure, software and training, and whilst working closely with Check Point, ITogether are now able to offer Check Point managed cyber security services powered by Check Point MDSM.

MDSM gives ITogether and their customers a significant advantage when it comes to management of Check Point firewall products: centralised management and reporting, and simple change management.

Initially offered as a complimentary service to existing ITogether Check Point customers, this is now being rolled out and marketed to other existing and new Check Point customers.

The cost of the service is only a marginal increase on existing support contracts, and for new customers special offers are available when combined with a traditional support contract with ITogether (not necessarily a multi-year contract).

ITogether are also offering a unique offer of ‘zero cost’ Check Point support services for net new customers. Essentially this is a long-term ‘try before you buy’ of up to 6 months with no cost and no risk.

Contact ITogether via the form on our website for pricing or more information.

Posted in Managed Service, Network Security, News and Updates

ITogether launches their own cloud backup service powered by Veeam and Cisco

ITogether are pleased to announce that their newly built cloud backup environment is now launched to new customers and ITogether managed services customers. The solution is currently provided from two ITogether datacentres with inter-site replication; a third and fourth are in the planning stages. Customers are able to back up virtual machines, physical hosts and mobile devices. The cost is based on the number of devices being backed up in combination with the volume of storage required. Storage is to disk (not then to tape), so recovery is instant. A unique aspect of the service is that it includes complimentary portable storage delivered to a customer’s premises if required, or a customer is able to physically visit ITogether themselves to recover data at any time. No more waiting for cloud recovery downloads from Amazon Glacier or Microsoft Azure!

Contact ITogether via the form on our website to request pricing.

Posted in Managed Service, Networks, News and Updates

MDSM Multi-Domain Security Management Provider-1 and Check Point Managed Services in the UK

ITogether are one of the few (we are fairly positive the only!) Check Point Partners in the United Kingdom offering Check Point Multi-Domain Security Management (AKA MDSM or Provider-1).

What is Check Point MDSM? A rarely promoted product in the UK, but one that has its roots in a product formerly called Provider-1. Check Point produced a ‘service provider’ management product called Provider-1 back in the day (circa 1998) for the likes of BT, C+W etc. to enable them to ‘mass manage’ lots of Check Point customers’ policies and products (not the small office, Sofaware or X series small office products, or the 600, 700, 1100, 1200 and 1400 series, I might add; they use a totally different cloud management product called Security Management Portal for SMB). MDSM isn’t cloud management or cloud managed; it is a ‘hosted’

What does it actually do? It delivers control to managed service providers by allowing them to compartmentalise many customers’ policies, logs and databases (securely and separately) into multiple virtual domains. This can be done by department, geography, business unit, function or customer. All of the customers can be ‘viewed’ and ‘changed’ at the same time from a single view.

Is this for Check Point firewalls only? Yes, only Check Point firewall modules. It is for the 2200 series and above firewalls that are not based on embedded GAIA or Sofaware.

What advantages does it give the end user? The MDSM environment ITogether run is based on redundant Management Servers in multiple locations. This gives immediate redundancy benefits. Multiple administrators can work on the policy at the same time.

If you are an existing Check Point customer you can benefit by migrating your existing gateways into the ITogether MDSM service for very little cost per month in addition to your annual support costs. This gives you peace of mind that management and monitoring is being carried out on your behalf by a Check Point Managed Service Three Star Partner.

ITogether can optionally implement the additional-cost Check Point SmartWorkflow (a blade to enable the end user or customer to track and approve changes to the policy, allowing easy auditing and compliance).

If you are a customer wanting management of a 600, 700 or 1100 series, ITogether are able to offer very good value centralised management using a slightly different product called ‘Check Point Security Management Portal’. This is a cloud hosted (by ITogether) service.

Contact ITogether today via the website for more information and costs for MDSM or SMP.

Posted in Managed Service, Network Security, Networks, Opinion

Akamai Enterprise Application Access – Akamai EAA

Remote access isn’t a new thing. VPN clients are definitely not new! It is therefore great to see a fresh approach to ‘getting’ people access to applications and data whilst not being directly connected to the corporate network. Only today we were in a meeting with a new customer who needs to provide remote access to patient confidential data. They need to access a network connected only to the NHS N3 network. How to do this securely and easily for contractors? Here is the answer: Akamai EAA. Simple pricing, and it integrates with Duo.

Posted in Network Security, Networks, Video

WannaCry and Other Ransomware – What is it and How to Defend Against It?

This isn’t the first time we have been here. Remember CryptoLocker in 2013? This all sounds too familiar.

The last few days have seen an unprecedented ransomware attack that has affected organisations in over 150 countries. The software, called WanaCrypt0r 2.0 (aka WannaCry or WCry), has been affecting computers across the globe. Initial estimates put the number of organisations hit at 36,000, among them the UK National Health Service (NHS) and hospitals across the UK and Scotland, and organisations in Spain, Russia, Ukraine and Taiwan.

This brings to attention the exploding threat landscape that we face today and highlights just how prepared we have to be. The WannaCry outbreak demonstrates just how damaging ransomware can be, and how quickly such attacks can disrupt vital services.

Later we will look at WannaCry as a case study and use it to understand how we might not be prepared for the next variant.

Firstly, the background.

What is ransomware?

There are two types of ransomware: the first type encrypts the files on a computer or network; the second type locks a user’s screen. Both types require users to make a payment (the ‘ransom’) to be able to use the computer normally again. The ransom is often demanded in a cryptocurrency such as Bitcoin.

In many cases the ransom amount is quite modest (WannaCry, for example, was asking for around $300); this is designed to make paying the ransom the quickest and cheapest way to return to normal use. You must never pay it, even if you are desperate to get your files back: there is no guarantee that the key or password (to ‘unlock’ the computer) will be provided upon payment of the ransom.

The scale and automated nature of a ransomware attack makes it profitable through economies of scale, rather than through extorting large amounts from targeted victims. In some cases, ransomware has been known to strike the same victim more than once in succession. Ransomware attacks are not normally targeted at specific individuals or systems, so infections can occur in any sector or organisation.

How does ransomware infect your system?

Computers are infected with ransomware via a number of routes. Sometimes users are tricked into running legitimate-looking programs, which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (otherwise known as phishing). More recently, we have seen ransomware infections which rely on unpatched vulnerabilities in computers, and simply visiting a malicious website can be enough to cause a problem. Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.

You simply can’t rely on one thing to protect you. Antivirus isn’t even a sticking plaster: some antivirus vendors took several hours to issue updates (Symantec), whereas Sophos was quick, around a couple of hours. Carbon Black and Cybereason are the new kids in town and are quick to identify newer variants of malware and ransomware; Cybereason even gives away its basic product to protect against ransomware. Ransomware is difficult to stop even on Microsoft Windows computers running. The only truly reliable defence is backup, but even that can come under attack from ransomware if it is reachable from the infected PC. Users must not pay the fees.

Let’s look at WannaCry specifically now, from the perspective of Talos, a Cisco company. Some of their comments are copied below and merged with our own.

http://blog.talosintelligence.com/2017/05/wannacry.html

This is the link to the Cisco Talos blog article which, from everything we have read in the last few days, is the best summary of what has happened and why.

On Friday, May 12, 2017, a global ransomware campaign began targeting computers around the world with a ransomware variant called WannaCrypt malware (alternatively known as WCry, WannaCry or WanaCrypt0r), hitting dozens of organizations across the globe. Among the victims are universities in China, Russia’s Ministry of Internal Affairs, National Health Service in the UK, and enterprises including Federal Express, the Spanish telecommunication company Telefonica, French car manufacturer Renault, and more.

How Does WannaCry Operate?

What Does the Malware Do?

WannaCry features several stages of execution: propagation, encryption and TOR communication. WannaCry is innovative in that it only needs to gain access to a network once and automatically spreads to additional endpoints, versus other ransomware campaigns that target as many machines as possible.

Propagation

WannaCry scans for computers with port 445 open and leverages EternalBlue to gain access and deploy the WannaCrypt malware onto the machine (using a malware loader called DOUBLEPULSAR). From that moment, the worm scans nearby machines it can target in the same way and begins to move laterally within the network, transferring the malicious payload to more and more endpoints.

This attack spread by leveraging recently disclosed vulnerabilities in Microsoft’s network file sharing SMB protocol (CVE-2017-0144). MS17-010, a Microsoft security update issued on March 14th 2017, addressed these issues and patched these remote code execution vulnerabilities. The current ransomware campaign targets computers that were not updated.

What are FuzzBunch, DoublePulsar and EternalBlue?

In April 2017, a group named Shadow Brokers leaked several exploitation tools, including FuzzBunch. Inside the FuzzBunch framework there were remote exploits for Windows such as EternalBlue and DoublePulsar.

The DoublePulsar SMB plant from the Shadow Brokers dump is a backdoor exploit that can be used to distribute malware, send spam, or launch attacks. EternalBlue is a remote code exploit affecting Microsoft’s Server Message Block (SMB) protocol. Attackers are also using the EternalBlue vulnerability to gain unauthorized access and propagate WannaCrypt to other computers on the network.

It appears the attackers are using FuzzBunch or Metasploit (a similar tool) modules to launch these attacks. The exploits, payloads and scanners needed to launch an attack against computers with exposed SMB services are all available on a GitHub page.

Encryption

Like other known ransomware families (Locky, Cryptowall, etc.), the encryption phase is executed at the first stage, before any outbound communication.

Communication

The TOR communication is not necessarily done over HTTP and is not a prerequisite for any of the other stages. The TOR client is embedded within the ransomware, so no outbound communication is needed to download it. It is only used to share the encryption keys with the C2 server.

Spreading

After dropping the first executable and checking the domain for the kill switch, WannaCrypt will drop another executable to scan the IP addresses and attempt to connect to those devices via the SMB vulnerability on port 445/TCP. If there is another vulnerable device on the network, WannaCrypt will make the connection and transfer the malicious payload to that device as well.

Command and Control Servers


Bitcoin Addresses

  • https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

The remediation cost (the ransom) was $300 per infected machine, to be paid in Bitcoin. Three days after the infection the ransom increases to $600. When the clock expires after seven days, the victim loses the ability to pay the ransom and decrypt their files. The files on the infected computers are encrypted using a custom AES-128 in CBC mode. At the moment there are no confirmed reports of victims receiving a key for decryption after making a payment. Normally ransomware campaigns have personalised Bitcoin wallets to help identify who has paid the ransom. In the case of WannaCrypt, it is believed the only way to let the author know that you have made a payment is by sending the extortionist your transaction ID through their “Contact Us” section.

Kill Switch

Upon infection, WannaCrypt executes a file that sends an HTTP GET request to a hardcoded domain. This is a kill switch: if the request for the domain succeeds, WannaCrypt exits and does not deploy; if the request fails, it continues to infect devices on the network. When the campaign began on Friday, a security researcher, @MalwareTechBlog, noticed the kill switch domain was unregistered. He promptly registered the domain and directed the request to a sinkhole, thereby effectively preventing this variant from spreading further.

Kill switches

  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (@msuiche)
  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (@MalwareTechBlog)

What’s Expected Next?

Extortion is not new to humanity, and cyberspace is fertile ground for it to prosper. The frequency of ransom attacks doubled over the past year, and 2016 was the year it became the primary motivation for cyber-attacks, particularly in Europe. In 2016, 49% of organisations reported having suffered either a ransomware infection or a DDoS threat for ransom.

It is very likely that as the malware spreads, attackers will customise it and more permutations will appear, as happened with the Mirai botnet, whose source code went public in the autumn of 2016. WannaCry variations on VirusTotal (four so far):

https://www.virustotal.com/en/file/cd7542f2d7f2285ab524a57bc04ae1ad9306a15b9efbf56ea7b002d99d4b974f/analysis/

Installing Microsoft MS17-010 Security Updates

Users should immediately patch their computers with Microsoft’s MS17-010 security update, which includes the patch for this vulnerability. This vulnerability is so severe that Microsoft has even pushed an update for Windows XP for the first time since 2014. Users who cannot apply the update should disable SMBv1 so that it cannot accept direct connections: open Windows Features and uncheck SMB 1.0/CIFS File Sharing Support.

How do you protect yourself from Ransomware?

The list is extensive; most of it is common sense, and some of it is quite advanced and comes at a cost.

Patch ALL Windows machines in your environment immediately. The EternalBlue vulnerability was patched by Microsoft back in March as part of MS17-010. Vulnerability management and patching – some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications. Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised. However, as well as patching the devices used for web browsing and email, it’s important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes.

Maintain up-to-date backups of files and regularly verify that the backups can be restored. Ransomware attacks target shared network drives and cloud backups. This scenario makes it hard to retrieve the information in case of a ransomware attack. Therefore, do not rely on backup only – you must consider a protection mechanism.

Controlling code execution – consider preventing unauthorised code delivered to end user devices from running. One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing unless you have explicitly trusted them. It’s also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can’t see or risk-manage. See our End User Device security guidance for recommended configuration of the platforms you are running.

Email. Attachment filtering in your mail system won’t work for a lot of ransomware, including WannaCry (though investigations are ongoing, there is no proof that email was used to transmit the initial attacks). You need a content-inspecting web proxy that deals with both HTTP and HTTPS, or you need to be very restrictive about the websites you allow your users to visit.

Educate. Ransomware is often delivered through the exact same channels as other types of malware: spear-phishing and malicious drive-by downloads. Educate users to refrain from clicking on suspicious links, downloading email attachments and downloading software from unknown sources.

Install a ransomware detection and prevention tool. Small businesses and individuals should install Cybereason RansomFree. It is a free ransomware protection tool for PCs running Windows 7, 8 and 10 and Windows Servers running 2008 R2 and 2012 R2. Download RansomFree here: https://ransomfree.cybereason.com

Filter web browsing traffic – we recommend using a security appliance or service to proxy your outgoing web browsing traffic (Bluecoat for example). Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.

Manage and control removable media access to prevent ransomware from being brought in to an organisation on foot.

Confirm that you do not have any SMB (Server Message Block) ports publicly exposed to the Internet. Outpost24 Outscan, Nessus or Qualys will pick this up.

Confirm traffic to Tor nodes is blocked.

Ask third parties who have VPN connections to confirm their posture prior to establishing a connection. SMB should never traverse VPN and MPLS links, for example, unless you absolutely need it. Endpoints almost never need inbound SMB; Windows Firewall blocks it by default. It isn’t just SMB, however: there are lots of Windows services which endpoint PCs shouldn’t be listening for.

Apply access protection rules to block creation of wnry files.

Enable an IPS rule to block traffic exploiting MS17-010.

Use a SIEM solution to identify hosts conducting mass SMB scans or mass file renames on file shares.

Install Sysmon on file shares to aid in forensic investigation if hit.

Confirm the kill switch domains are accessible from your network.

Keep the user base informed that the threat remains, so that they remain vigilant.

Segment networks/VLANs with an IPS between them that can generate signatures in real time.

Direct SMB and Terminal Services external communications should be forbidden or securely configured and monitored. Akamai have a product called Enterprise Application Access to get around this.

Disable Tor communications to and from your organization. (IPS)

Consider zero-day protection / sandboxing solutions. The Check Point firewall can do this very well.
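The SIEM item in the list above (hosts conducting mass SMB scans or mass file renames on file shares) is concrete enough to express as detection logic. The following is an added example, not code from the original post or from any vendor product; the two log line formats, the threshold values and the sample entries are all constructed for illustration, and the `.wnry` suffix follows the “wnry files” mentioned in the list.

```python
"""Detect two WannaCry-style propagation indicators in constructed logs:
  1. a host opening connections to many distinct peers on TCP 445 within a
     short window (lateral SMB scanning);
  2. a host renaming many files on a share within a short window.
Added example; the log formats and samples below are constructed."""
import re
from collections import defaultdict

# Constructed line formats (assumption): a firewall connection log and a
# file-server rename audit log, both with an integer epoch timestamp first.
CONN_RE = re.compile(
    r"^(?P<ts>\d+) conn src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=tcp$")
RENAME_RE = re.compile(
    r"^(?P<ts>\d+) rename host=(?P<host>[\d.]+) path=(?P<path>\S+)$")


def smb_scanners(lines, window=60, min_peers=20):
    """Hosts contacting at least `min_peers` distinct IPs on TCP 445 within
    any `window`-second span. Returns {src: largest_peer_count_seen}."""
    events = defaultdict(list)          # src -> [(ts, dst)]
    for line in lines:
        m = CONN_RE.match(line)
        if m and m["dport"] == "445":
            events[m["src"]].append((int(m["ts"]), m["dst"]))
    found = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            peers = {d for t, d in evs[i:] if t - t0 <= window}
            if len(peers) >= min_peers:
                found[src] = max(found.get(src, 0), len(peers))
    return found


def mass_renamers(lines, window=60, min_files=50, ext=None):
    """Hosts renaming at least `min_files` files within any `window`-second
    span. If `ext` is given (e.g. ".wnry"), only renames whose new path ends
    with that suffix are counted. Returns {host: largest_burst_seen}."""
    events = defaultdict(list)          # host -> [ts]
    for line in lines:
        m = RENAME_RE.match(line)
        if m and (ext is None or m["path"].endswith(ext)):
            events[m["host"]].append(int(m["ts"]))
    found = {}
    for host, ts in events.items():
        ts.sort()
        j = 0                           # sliding window start index
        for i in range(len(ts)):
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 >= min_files:
                found[host] = max(found.get(host, 0), i - j + 1)
    return found


# Constructed samples: 10.0.0.5 talks SMB to three servers (normal),
# 10.0.0.77 hits forty distinct hosts on 445 in twenty seconds and then
# renames sixty documents to *.wnry; 10.0.0.8 renames a handful of files.
SAMPLE_CONN = (
    [f"{100 + i} conn src=10.0.0.5 dst=10.0.0.{20 + i} dport=445 proto=tcp"
     for i in range(3)]
    + [f"{200 + i // 2} conn src=10.0.0.77 dst=10.0.1.{1 + i} dport=445 proto=tcp"
       for i in range(40)]
    + ["300 conn src=10.0.0.77 dst=10.0.1.1 dport=80 proto=tcp"]
)
SAMPLE_RENAME = (
    [f"{400 + i} rename host=10.0.0.8 path=/share/report{i}.docx"
     for i in range(5)]
    + [f"{500 + i // 3} rename host=10.0.0.77 path=/share/doc{i}.docx.wnry"
       for i in range(60)]
)

if __name__ == "__main__":
    print("SMB scanners:", smb_scanners(SAMPLE_CONN))
    print("mass renamers:", mass_renamers(SAMPLE_RENAME, ext=".wnry"))
```

The thresholds are starting points to tune against a baseline of the environment's own traffic; a backup job or a file server migration will legitimately rename files in bulk, so the rename signal is best correlated with the SMB scan signal on the same host.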

Posted in Network Security, News and Updates, Opinion