The chosen theme of field-based devices and their ability to provide commodity services can only succeed if the core infrastructure and the devices themselves remain operational. Ransomware was a recurring theme at the cloud expo reported on a few blogs ago, and it can affect devices so that business services are diminished. Below are some points for review when responding to a ransomware compromise:

Depending on the size of your geographical network, a two-, three- or n-tiered approach can be used to respond to a ransomware attack. Prioritisation will be key to being effective, for example:


(i) Identify the affected/reported core business networks and isolate them from the rest of the estate, then invoke your DR plan to bring backed-up data online in a clean environment (verify that the backups pre-date the compromise before restoring). This will let the business continue operating, albeit within limits. Your organisation will likely have a Cyber Response Plan that needs to be invoked at this point.


(ii) Look at the dashboard of your IPS/IDS for any unusual or unexpected inbound or outbound signature alerts, including TLS/SSL handshakes to unfamiliar destinations (some ransomware families will not start encrypting until they have contacted a command-and-control server to exchange keys, so blocking that traffic early can limit the damage). Cross-reference this with your host IDS/AV dashboard to see whether any signature alerts correlate. (Without such tools you may need to compare process activity on affected and unaffected machines, e.g. with top or Task Manager, to determine host behaviour.)

(iii) Look at the dashboard of your File Integrity Monitoring solution for folder paths or directories showing unusually high rates of file renaming or file-extension changes, and check whether they correlate in time with the TLS-handshake alerts from the IPS and the HIDS signature activity. You can also investigate your email solution to identify any new PDF, executable or other attachments that were downloaded to unusual locations.

(iv) Capture the identified traffic and analyse it with a tool such as Wireshark to determine the outbound or inbound IP addresses/URLs involved, and consider blocking them on your perimeter devices. Continue to use Wireshark to search for TLS handshakes to unrecognised hosts and for unusual RDP or file-transfer (e.g. SMB or FTP) activity.

(v) As a preventive measure, from a network perspective you can set up a honeypot network of dummy servers holding dummy files and configure your IPS, IDS, HIDS and AV to monitor them for ransomware indicators; this will be your first alerting point if a repeat attack occurs. From a server perspective you can monitor hidden file paths, watch for *.exe files being executed from user-writable locations, alert on privileged accounts being used at an unusually high rate and on spikes in file renames, and prevent applications and data from running out of default locations such as %AppData%\Local (for example via AppLocker or software restriction policies).
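The checks in (iii) and (v) above can be expressed as a small detector. The following is an added example, not code from the original post or any product: it consumes a constructed, simplified FIM-style event feed (timestamp, host, action, old path, new path) and raises three kinds of alert, a burst of extension-changing renames in one directory within a sliding window, any touch of a planted canary ("honey") file, and an executable launched from a user-writable location. The canary paths, host names, thresholds and event format are all assumptions for illustration; real FIM/EDR products emit their own schemas and the thresholds need tuning to your estate.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- tunables (assumptions for this example; tune to your estate) ----------
RENAME_THRESHOLD = 20            # extension-changing renames per directory ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window
# Hypothetical canary ("honey") files planted on the share: any access to
# them is an alert in its own right, regardless of rate.
CANARY_FILES = {
    r"\\fs01\finance\_aaa_do_not_open.xlsx",
    r"\\fs01\hr\_aaa_do_not_open.docx",
}
# Executables launched from user-writable locations are worth a look.
SUSPICIOUS_EXEC_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")


def parse_event(line):
    """Event format (constructed for this example, not a real FIM schema):
    <ISO timestamp>|<host>|<RENAME|WRITE|EXEC>|<path>|<new path or ->"""
    ts, host, action, old, new = line.rstrip("\n").split("|")
    return datetime.fromisoformat(ts), host, action, old, new


def directory_of(path):
    return path.rsplit("\\", 1)[0]


def extension_changed(old, new):
    return old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()


def suspicious_exec(path):
    p = path.lower()
    return p.endswith(".exe") and any(d in p for d in SUSPICIOUS_EXEC_DIRS)


def detect(lines):
    """Return a list of (alert_type, host, subject) tuples.
    Input is assumed to be in time order, as a FIM feed would deliver it."""
    alerts = []
    recent = defaultdict(deque)   # (host, directory) -> timestamps of renames
    flagged = set()               # report a directory once, not once per file
    for line in lines:
        ts, host, action, old, new = parse_event(line)
        if old in CANARY_FILES or new in CANARY_FILES:
            alerts.append(("canary_touched", host, old))
        if action == "EXEC" and suspicious_exec(old):
            alerts.append(("exec_from_user_writable", host, old))
        if action == "RENAME" and extension_changed(old, new):
            key = (host, directory_of(old))
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop renames outside the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(("mass_rename", host, key[1]))
    return alerts


def build_sample_events():
    """Constructed sample feed: a quiet editing session, then a host that
    launches an .exe from %TEMP%, renames 25 documents to a new extension
    in 12 seconds and finally touches a canary file."""
    def ev(t, host, action, old, new="-"):
        return "|".join([t.isoformat(), host, action, old, new])
    fin = r"\\fs01\finance" + "\\"
    base = datetime(2017, 5, 12, 9, 0, 0)
    events = [ev(base + timedelta(seconds=30 * i), "ws-042", "RENAME",
                 fin + f"~tmp{i}.xlsx", fin + f"q1-draft{i}.xlsx") for i in range(3)]
    events.append(ev(base + timedelta(minutes=4), "ws-117", "EXEC",
                     r"C:\Users\bob\AppData\Local\Temp\update.exe"))
    events += [ev(base + timedelta(minutes=5, milliseconds=500 * i), "ws-117",
                  "RENAME", fin + f"invoice{i}.docx", fin + f"invoice{i}.docx.locked")
               for i in range(25)]
    events.append(ev(base + timedelta(minutes=5, seconds=13), "ws-117", "WRITE",
                     fin + "_aaa_do_not_open.xlsx"))
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The normal session (three same-extension renames) produces nothing; the burst from ws-117 trips the rename threshold on its twentieth file, and the canary touch and the %TEMP% execution are reported on their own. In practice the rename window and threshold are the values to tune: too low and a legitimate bulk-rename script pages the on-call engineer, too high and a fast encryptor finishes a directory before the alert fires.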


These steps will help lessen the initial impact across your network. Check the vendor threat-landscape feeds you subscribe to (including those of OS vendors) to determine whether this is an isolated incident. Only after you have identified the type of compromise, i.e. the ransomware family, should you decide whether to restart the system in safe mode or initiate a complete fresh build (fully patched). The vendor feeds or user forums may point to free tools, such as decryptors for known families, that can help mitigate the compromise.


From a network storage perspective, search for any unusual activity against file directories and for unwanted files, i.e. evidence of payload execution. If data at rest may have been left unencrypted and therefore exposed, invoke your organisation's assurance risk strategy.


In addition to the above, for your specific field-based devices/nodes/machines, continuously review the vendor subscriptions, forums and advisories that will be providing updates, and review those updates while you execute your organisation's cyber triage process for the compromise. The NCSC has published details on protection against ransomware here.



  • Thank you Rimesh. We are just hearing about the most recent "ransomware" problem reported for businesses including UK hospitals, though this appears to be really denial of service. At present there are just 2 areas of concern with this problem.

    1. Opening of an email containing a virus which then prevents the computer from being used. The computer users are probably opening every email in their Inbox without questioning the source of some of this email.

    2. Continued use of Windows XP, which ceased to be supported in 2014. Responsible users of Windows XP need their computer to be air-gapped, so no internet connection.