19

I'm not sure this is the right place, but I figured people would find it useful if they aren't too familiar with security policies and general best practices.

There is a lot of information out there; however, we all know that you can't completely lock down a system, because people need access to various outside sources.

So as a Cyber Security forum (of sorts), what would your recommendations be to combat this latest Petya and NotPetya ransomware attack?

Edit: it would also be useful to know what allowed the affected companies' systems to be infected.

Lelantos
  • This article has a lot of very useful and interesting information https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/ – Lelantos Jun 28 '17 at 10:58
  • Some new info regarding Petya came up: https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b – Tom K. Jun 28 '17 at 19:51

4 Answers

28

I think one of the main lessons learned is that the security services shouldn’t be hoarding zero days and tools to exploit them, (especially) if they can’t properly secure them.

The thing to remember, however, is that WannaCrypt and Petya both had patches available before they hit and both also took advantage of poor configuration.

Additionally, many organisations that were hit hard could have avoided some (possibly all) pain if they had standard belts and braces security practices in place.

The main lesson organisations should learn is that they should get the basics right.

For example:

Vulnerability Management

Conduct regular vulnerability scanning, understand the security posture of all assets and what vulnerabilities are present, what threats are related to these vulnerabilities, and what risk they pose to the IT estate and the business it serves.

This includes both missing patches (e.g. MS17-010) and poor configuration (e.g. having SMBv1 enabled).

This should all be supported by proper processes that allow for ongoing discovery, remediation of vulnerabilities (either via action or risk acceptance) and confirming remediation.

Ideally, all risks across the entire IT estate should be known about and managed.

Additionally, roles and responsibilities should be assigned to ensure that all of the above is done correctly. This includes security managers, security analysts, vulnerability managers, IT technicians, etc.

Patch Management

Ensure that patches are deployed in a timely manner. This doesn’t just mean pushing the latest Patch Tuesday patches. This also includes understanding what software you have in your IT estate and having a full inventory of assets to make sure everything is patched.

Removable Media Controls

Ensure removable media is limited to devices that are sanctioned only. Ideally, I would blacklist all removable media and whitelist anything that you approve. (This is just my view, however)

Malware Prevention

Ensure you have some kind of AV on all endpoints, at least the classic heuristics- and definition-based AV (although there are more advanced solutions available). Make sure it is up to date and working.

Disaster Recovery

Ensure you have backups, including off-site, off-line backups of critical data.

Incident Management

Ensure you have a plan to react to a major security incident; ensure you have the right people in the right places supported by the right processes.

Control User Privilege

This one goes without saying really: make sure that all users have the least amount of privilege. This should be backed by processes that ensure it is audited regularly.

User Education and Engagement

Ensure all staff understand the security policy of your organisation. Conduct exercises such as phishing campaigns to test your users and provide training to allow them to understand the risks involved and be better prepared to spot phishing emails, web sites, social engineering etc. (Again, this is just a view; some people may suggest that security shouldn't be a user problem, it should be an IT problem.)

Good Network Security Hygiene

Have the correct access controls on your perimeter, ensure you have properly configured firewalls at all appropriate places in your network (with regular rule audits and reviews), and make sure that VLANs are properly set up with as much segmentation as is required. Ensure that all remote users can connect securely and that any devices they connect from have at least 1-to-1 patch levels with devices already on the network. Also, make sure that you have robust BYOD controls.

donjuedo
TheJulyPlot
  • 4
    +1 for importance of off-line backups. Can't believe people don't do those. Makes ransomware inconvenient rather than disastrous. – Jared Smith Jun 28 '17 at 16:27
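The "Vulnerability Management" and "Control User Privilege" points above are checkable on a single host. The following PowerShell script is an added example, not code from the answer or its author: it reports whether any of the March 2017 MS17-010 security updates is installed, whether the SMBv1 server is still enabled, and who sits in the local Administrators group. The KB list is taken from Microsoft's MS17-010 bulletin as I recall it; later cumulative updates supersede those KBs, so treat a "not found" result as something to verify rather than as proof of exposure. Run it elevated.

```powershell
# Added example (not part of the original answer): audit one Windows host for
# a missing MS17-010 patch, SMBv1 still enabled, and local Administrators
# membership. Run from an elevated PowerShell prompt.

# March 2017 MS17-010 security updates, per Microsoft's bulletin (assumed list;
# later cumulative updates supersede these, so a miss here means "verify").
$Ms17010Kbs = @(
    'KB4012598',                           # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) {
        [pscustomobject]@{ Check = 'MS17-010'; Status = 'Patched'; Detail = ($installed.HotFixID -join ', ') }
    } else {
        [pscustomobject]@{ Check = 'MS17-010'; Status = 'Verify'
                           Detail = 'No MS17-010 KB listed; confirm a superseding cumulative update is installed' }
    }
}

function Get-Smb1Status {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # older hosts fall back to the LanmanServer registry value, which defaults
    # to "enabled" when the SMB1 value is absent.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $value) -or ($value -ne 0)
    }
    [pscustomobject]@{ Check = 'SMBv1 server'
                       Status = $(if ($enabled) { 'Enabled' } else { 'Disabled' })
                       Detail = 'Disable with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force' }
}

function Get-LocalAdminStatus {
    # Enumerate local Administrators via ADSI (works on older hosts without
    # Get-LocalGroupMember). Review anything beyond the built-in Administrator
    # account and the domain admin group.
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    [pscustomobject]@{ Check = 'Local Administrators'
                       Status = "$(@($members).Count) members"
                       Detail = ($members -join ', ') }
}

$results = @(Get-Ms17010Status; Get-Smb1Status; Get-LocalAdminStatus)
$results | Format-Table -AutoSize

# Only after confirming nothing in the estate still depends on SMBv1:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it through your remote-management tooling (for example `Invoke-Command -ComputerName ... -FilePath`) to turn a one-host check into the estate-wide picture the answer asks for; the SMBv1 remediation line is left commented out because disabling SMBv1 on a host that still serves legacy clients is itself an outage.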
12

One lesson that came up before is that authorities should not be hoarding vulnerabilities for their own purposes. Through extended non-disclosure they were putting companies and individuals at risk instead of making them more secure. Even if the EternalBlue exploit had not been leaked and used by WannaCry and Petya, it would still be a risk not to have the vendors fix the vulnerability, in case other people or organizations found it but didn't disclose it.

Also: installing patches, teaching users about the dangers of spam, and network segregation for critical systems.

floworbit
  • 2
    To play devil's advocate, it's not like if the NSA stops hoarding vulnerabilities that the FSB will stop as well. They have to determine whether disclosing them is worth the trade-off of no longer being able to use them. – IllusiveBrian Jun 28 '17 at 14:14
  • 1
    Many people have made this argument before and I personally tend to agree, but how is that a lesson learned from these particular ransomware attacks? AFAIK, this particular vulnerability was leaked months ago, so it had in the meantime become known to vendors and patches are available. Sure it was discovered earlier, but it wasn't a zero-day anymore. – Relaxed Jun 28 '17 at 15:51
  • 1
    Petya/NotPetya does not require any vulnerabilities in order to spread. It would use the SMB vulnerability if available but had two other methods to try first. Good analysis here: https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ – David Marshall Jun 28 '17 at 20:17
6

If you are referring to WannaCry and Petya.A outbreaks, then the instructions are simple: follow basic security best practices, which are:

1) Install security patches in time

2) Do not let users work under administrative privileges (domain and local administrators)

3) Do not install suspicious applications from unknown sources

Just by following these 3 simple rules you will be able to protect your system against this kind of attack.

These are basic mass attacks, not the targeted ones.

Valery Marchuk
  • 1
    You are missing the most critical one in my mind: Have decent, not-online, backups (and if you haven't tested recovery from those backups, you don't have backups). – Martin Bonner supports Monica Jun 28 '17 at 15:35
  • Backups are a completely different story ) They are very important for restoring the data, but won't prevent your files from being encrypted. And it is hard to persuade people to do backups if they have not lost their data in the past. – Valery Marchuk Jun 29 '17 at 09:30
  • 1
    I don't agree they are a different story. If you can quickly restore backups, it doesn't matter if the files *are* encrypted. In my view they are an important part of "security best practise". (Note in particular, that there is some suspicion that the NotPetya attack was *caused* by updating accounting software!) – Martin Bonner supports Monica Jun 29 '17 at 09:39
  • Yes, of course they are. I'm not saying backups are not important. I'm saying, it's hard to make people backup the data (in my experience). – Valery Marchuk Jun 29 '17 at 09:51
0

1- Keep your OS and programs up to date.
2- Store your files on a cloud or a drive (offline).
3- Keep your business network safe.

  • 6
    How does number 2 help? If you can write to the file, so can ransomware. – Martin Bonner supports Monica Jun 28 '17 at 15:36
  • @MartinBonner Saving your files on an external hard drive or in a cloud will keep them safe, and you can get them back if your computer is locked by ransomware. – Abdullah Hussam Jun 29 '17 at 11:16
  • 1
    Only if the external hard drive is not currently connected to the computer at the time the ransomware strikes. Ransomware will happily encrypt everything on your C: drive, everything on the D: drive plugged into the USB 3 port, *and* everything on the N: drive that is actually mirrored to DropBox. (And if you are using linux and SpiderOak the same applies). – Martin Bonner supports Monica Jun 29 '17 at 12:59
  • @MartinBonner An external hard drive which is not plugged in. For example, I am using a 1TB external hard drive to save my files, and I take a backup every 2 weeks. Even if I got ransomware (and I am a very careful person, since I am a security guy), I would lose 2 weeks of files, not my entire files. – Abdullah Hussam Jun 29 '17 at 14:23
  • 2
    If you modify number 2 to specify an *offline* cloud or drive, I would agree with you - but that is not what most people will interpret your answer to mean. – Martin Bonner supports Monica Jun 29 '17 at 15:07
  • #3 is also completely undefined - what does 'safe' mean? – schroeder Jun 29 '17 at 15:19
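The comments above settle on two qualifiers for point 2: the backup target must be offline when ransomware strikes, and (per the comment on the previous answer) a backup that has never been restored is not a backup. The following PowerShell script is an added example, not code from the answer or its author, showing what "tested" looks like in practice: it hashes the live data, writes an archive, restores it into a scratch directory and verifies every file against the hash manifest before reporting success. The `C:\Data` and `E:\Backups` paths are assumptions; `E:` stands for whatever external disk or rotated medium you physically detach once the job finishes.

```powershell
# Added example (not part of the original answer): a backup job that proves
# its own restorability. Paths are assumptions; $BackupRoot should be a
# medium that is disconnected after the run so ransomware cannot reach it.
param(
    [string]$Source     = 'C:\Data',
    [string]$BackupRoot = 'E:\Backups'
)

function New-VerifiedBackup {
    param([string]$Source, [string]$BackupRoot)

    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archive  = Join-Path $BackupRoot "data-$stamp.zip"
    $manifest = Join-Path $BackupRoot "data-$stamp.sha256.csv"

    # 1. Hash the live data first, so the manifest records what was backed up.
    $hashes = Get-ChildItem -Path $Source -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName.Substring($Source.Length).TrimStart('\')
            Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    $hashes | Export-Csv -Path $manifest -NoTypeInformation

    # 2. Write the archive to the (currently attached) backup medium.
    Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $archive -CompressionLevel Optimal

    # 3. Restore into a scratch directory and compare every file to the manifest.
    #    A backup you cannot restore is the failure mode this step catches.
    $scratch = Join-Path $env:TEMP "restore-test-$stamp"
    Expand-Archive -Path $archive -DestinationPath $scratch
    $failures = foreach ($entry in Import-Csv -Path $manifest) {
        $restored = Join-Path $scratch $entry.Path
        if (-not (Test-Path -Path $restored)) { "$($entry.Path): missing after restore"; continue }
        $actual = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
        if ($actual -ne $entry.Hash) { "$($entry.Path): hash mismatch after restore" }
    }
    Remove-Item -Path $scratch -Recurse -Force

    if ($failures) {
        throw "Restore test FAILED for $archive`n$($failures -join "`n")"
    }
    [pscustomobject]@{ Archive = $archive; Manifest = $manifest; Files = @($hashes).Count }
}

New-VerifiedBackup -Source $Source -BackupRoot $BackupRoot
```

The restore test runs against the archive on the backup medium rather than the live data, so a write that silently failed or a corrupt archive fails the job instead of being discovered after an infection. The script deliberately does nothing to detach the medium: that is the manual (or scheduler-driven) step that turns this into the "offline" backup the comments are asking for, and it is the step ransomware cannot undo.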