Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/7/2017
12:50 PM
Kelly Sheridan
Kelly Sheridan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

NotPetya: How to Prep and Respond if You're Hit

Security pros share practices to prepare and handle advanced malware attacks like NotPetya.
5 of 8

Respond: Detect the problem
The sooner you know about a problem, the sooner you can implement a disaster recovery plan and mitigate the damage. Pierson notes antivirus is a good first line of defense for endpoint protection, especially when configured according to specialized guides to protect certain file locations.
In addition, he says, there are several controls businesses can use to scan for files being encrypted en masse. Teams should be reviewing all of their controls, and using network or behavioral tools to accurately identify and block suspicious activity.
'Companies need to make sure they have the traditional signature-based defenses in place, but they must also have network anomaly-based tools that can sense the rapid encryption of system resources and shut down an attack in progress,' Pierson says. 
(Image: Sergey Nivens via Shutterstock)

Respond: Detect the problem

The sooner you know about a problem, the sooner you can implement a disaster recovery plan and mitigate the damage. Pierson notes antivirus is a good first line of defense for endpoint protection, especially when configured according to specialized guides to protect certain file locations.

In addition, he says, there are several controls businesses can use to scan for files being encrypted en masse. Teams should be reviewing all of their controls, and using network or behavioral tools to accurately identify and block suspicious activity.

"Companies need to make sure they have the traditional signature-based defenses in place, but they must also have network anomaly-based tools that can sense the rapid encryption of system resources and shut down an attack in progress," Pierson says.

(Image: Sergey Nivens via Shutterstock)

5 of 8
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
RobEnns
50%
50%
RobEnns,
User Rank: Author
7/13/2017 | 2:56:59 PM
Re: What about replicated COOP scenarios
Very good question, interested in the same.
matt.trevors
50%
50%
matt.trevors,
User Rank: Apprentice
7/12/2017 | 12:13:55 PM
We need to stop confusing end users
We in the security community have a very difficult time conveying the importance of various strategies and tactics to end users when it comes to securing their infrastructure.  I believe it in part is because we aren't promoting a unified message. Instead, we tell them what we "think" are the right things to do.  Instead, why don't you preach about the adoption of existing well-documented strategies and tactics?  For instance, you could have pointed end users to the Center for Internet Security Critical Security Controls (formerly SANS 20) which would include standing up an incident response plan, patching boxes, and backing up high-value assets.  Also, you could have pointed people to NIST 800-61 Computer Security Incident Handling Guide which would give them a good idea of how to stand up incident response capabilities for their organization (planning, detection & analysis, containment, eradication, recovery, and post-incident activities).  Finally, you are dancing around the NIST Cybersecurity Framework which includes functions, categories, and subcategories that describe how to identify, protect, detect, respond, and recover.  

As a community, we need to get better at getting our message across or things are never going to get better.  To do that, we all need to get on the same page and back published standards.  If you don't agree with the standards, most encourage community feedback.
randyfromsd
50%
50%
randyfromsd,
User Rank: Apprentice
7/11/2017 | 4:23:26 PM
Re: What about replicated COOP scenarios
Isolate the backup target from the network - make shares hidden so they aren't easily accessible - restrict user accounts - implement local\offsite backup.
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
7/10/2017 | 8:35:09 AM
What about replicated COOP scenarios
Just curious of how a malware attack would affect an active-active DR scenario.  If the malware can infect a primary target, I would think it would affect the backup environment.  And what would this do to the backup recovery plans?  Sounds like the best bet is to still use tape backup.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...