Tech Tidbit – How I Spent My Summer Vacation – Three Items for you to address

July 12th, 2021

My daughter just graduated from high school. Immediately following her graduation, we leave for our yearly family vacation back to the Maine seacoast. It is the end of the school year and the holiday week.

It is always quiet.

My wishful thinking didn't last too long.

Those that would do us all harm were very busy exploiting everyone's preoccupation with summer and the July 4th holiday.

In our world, three events happened:

  • Cisco Umbrella picked up an unusual DNS request for a Tor browser download from Germany in an unusual location. Tor is generally the precursor to an attack.
  • A major remote support platform was hacked, and the bad guys were actually using the tool to infect reportedly 1,000 different networks, demanding $70 million.
  • It was announced that an active local and remote exploit, dubbed PrintNightmare, was going on worldwide, for which Microsoft had no patch.

My vacation was off to an incredible start.

Bob and I have been talking about layers of protection, with different layers looking from different perspectives, each trying to find, report, block, and remediate any potentially bad events.

However, the good news is that the events of my vacation week were examples of the layers doing what they are intended to do.

Cisco Umbrella blocked the request, so the suspicious activity went nowhere except to raise our threat awareness. Our managed firewall service showed that the threat was isolated and not "inside" the network in question. Shields up, we went through the due diligence checklist: Microsoft patch status, third-party patch status, EDR active scans, AV scans, isolation of the questionable box, and firewall logs.

A quick look at our Paladin Sentinel Monitoring showed that two systems at some of our clients did in fact have the compromised software. Phone calls were made. Services were stopped to close the hole before anything bad could occur. For our CyberSentinel Endpoint Detect and Respond (CSEDR) clients, the vendor announced that the currently deployed client could see the malicious code download and block it, without updates.

As the PrintNightmare saga unfolded, we were able to leverage our Paladin Sentinel Monitoring and Paladin Sentinel Patch Management Services to start pushing out the patches as Microsoft released them. This situation remains fluid, and recommendations from Microsoft and others have changed over the following days.

In closing I will leave you with three "to dos" that became top of mind for me coming out of my vacation week that you need to address:

With the bad guys, it is all about getting a persistent foothold, and they will start with *any* foothold to begin to map your network and plan their attack. You need to deny them that foothold.

First, USB devices are threats to your network. Our CSEDR offering has an awesome USB and Bluetooth blocking and approved-registration policy built into it. We can for the most part take this attack vector right off the map. For those not in our CSEDR service, there are some more robust group policies that can be deployed to at least block most of this access.

Second, you should be blocking all Microsoft Office macros in your documents except for the very few people who actually need them (if any). Anyone who needs them should be set to consciously request the macro and be trained by you to know the risks of saying yes to items outside their very narrow work requirements.

Finally, you absolutely need to turn on User Account Control (UAC). This is the "mother may I" administrator credentials prompt when anyone or anything tries to install software on your servers or endpoints. Looking in Paladin Sentinel across the vast numbers of Windows devices, I see the footprints of those of you who have this turned off. As techs we hate it. It is annoying. However, it was again proven in the recent PrintNightmare saga: when it was claimed that Microsoft's patch didn't patch and still allowed local access to the exploit, Microsoft came back and said that was because the network had turned off UAC and allowed a "do your own thing for printing" group policy.

UAC is a vital component in protecting your network. If the bad guys are triggering UAC, they are already sitting in the room with you. That is your last line of defense, and those of you with it turned off will have bad things happen to you. This is also a simple group policy change.
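To check where a Windows box stands on these three "to dos" (plus the Point and Print setting Microsoft tied to the PrintNightmare patch), here is an added PowerShell audit script; it is not from the original post or from Paladin Sentinel. It assumes the standard Windows and Office policy registry locations, Office version 16.0 (2016/2019/365), and an elevated prompt; the macro check reads the logged-on user's policy hive.

```powershell
# Added audit example (not from the original post). Reads the registry values
# behind: (1) USB blocking, (2) Office macro blocking, (3) UAC, and the Point and
# Print settings from the PrintNightmare guidance. Prints OK/FIX per setting.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value = "not configured"
}

$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$checks = @(
    # 1. USB: either the mass-storage driver is disabled (Start=4) or the
    #    "All Removable Storage classes: Deny all access" policy is set.
    @{Area='USB';   Path='HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name='Start'; Want=@(4); AbsentOk=$false}
    @{Area='USB';   Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'; Name='Deny_All'; Want=@(1); AbsentOk=$false}
    # 3. UAC: enabled, admins are prompted (0 = silent elevation), on the secure desktop.
    @{Area='UAC';   Path=$uac; Name='EnableLUA';                  Want=@(1);         AbsentOk=$false}
    @{Area='UAC';   Path=$uac; Name='ConsentPromptBehaviorAdmin'; Want=@(1,2,3,4,5); AbsentOk=$false}
    @{Area='UAC';   Path=$uac; Name='PromptOnSecureDesktop';      Want=@(1);         AbsentOk=$false}
    # PrintNightmare: Point and Print must not suppress the elevation prompt;
    # an absent value means the secure default.
    @{Area='Print'; Path=$pnp; Name='NoWarningNoElevationOnInstall'; Want=@(0); AbsentOk=$true}
    @{Area='Print'; Path=$pnp; Name='UpdatePromptSettings';          Want=@(0); AbsentOk=$true}
)
# 2. Office macros: VBAWarnings 4 = disable all, 3 = signed only; 1/2 or unset = FIX.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $checks += @{Area='Macros'; Path="HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
                 Name='VBAWarnings'; Want=@(3,4); AbsentOk=$false}
}

$report = foreach ($c in $checks) {
    $v  = Get-PolicyValue $c.Path $c.Name
    $ok = if ($null -eq $v) { $c.AbsentOk } else { $c.Want -contains [int]$v }
    [pscustomobject]@{
        Area    = $c.Area
        Setting = $c.Name
        Value   = if ($null -eq $v) { 'not set' } else { $v }
        Status  = if ($ok) { 'OK' } else { 'FIX' }
    }
}
$report | Format-Table -AutoSize
```

Either USB row reporting OK satisfies the first "to do"; a FIX on any UAC or Print row is the "turned off UAC and do your own thing for printing" combination described above.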

I encourage you to address as many of my three to dos as you can. If you need help with this, or would like to have the layers of visibility and protection added to your network infrastructure, give us a call. We are happy to help.

Scott Quimby