Controls to prevent Petya Outbreak and harden your environment in the future

A quick post with a collective list of measures that can be undertaken to harden your environment to prevent a Petya outbreak.

Backups, Backups, Backups and Restore!

  • With the current ransomware threats, a working backup and, even more important, a working restore saves you from death!
  • Seriously, check if you are really able to restore critical servers.
  • VM snapshot based backup / restore tends to be much faster than old-school file based backups.
  • Databases tend to need special attention when it comes to backup and restore.
    • How much data will you lose between backup cycles?

AV :-)

Prevent spread via MS17-010

  • Patch your shit!
    • WSUS
    • Proper Patch management Processes
    • Think of 3rd-party tools/patches too!
  • Use vulnerability scanners and management products like Tenable Nessus and Security Center (or others…) to keep a constant eye on critical vulnerabilities.
    • MS17-010 is now older than 3 months!
  • Disable SMBv1
    • MS17-010 fixes SMBv1 vulnerabilities.
    • Further vulnerabilities in this legacy protocol could come along in the future!
  • Block inbound TCP139/445 on machines where possible
    • At least between clients and client subnets!
    • Clients should not need to access each other via SMB – they should use central file and print servers instead
    • You obviously have to keep those ports open on file servers and other servers where those ports are required.
    • Be cautious not to break file server / DFS sync
  • NEVER expose TCP 135/139/445 to the internet!

Prevent PsExec + WMI spread:

  • Block inbound TCP 135, 139, 445 on machines where possible
  • Use AppLocker / SRP to prevent creation of C:\Windows\perfc.dat
  • Make sure to limit privileges:
    • Do not work with Admin accounts
    • Never work with Domain Admin account if not absolutely necessary
    • Users should have no permissions on servers / not be able to log onto servers
    • Admins/Supporters should have special accounts for supporting and not do their daily routine with accounts that have admin rights on all clients
    • Do not use the same local admin creds on all systems
  • Prevent future PTH (pass-the-hash) (heavy read):
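The SMBv1 and port-blocking measures from this section and the MS17-010 section above, as an added PowerShell example that is not part of the original post. It assumes an elevated session on Windows 8 / Server 2012 or newer; the subnets are constructed placeholders and the script is meant for client machines, not file servers or domain controllers.

```powershell
<#
  Added example, not code from the original post. Implements the "Disable SMBv1"
  and "Block inbound TCP 135/139/445" bullets on a Windows client. Assumptions:
  run elevated on Windows 8/Server 2012 or newer; the subnets are constructed
  placeholders; do NOT deploy to file servers or domain controllers as-is.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Subnets that hold workstations: SMB/RPC from these should never reach a client.
    [string[]]$ClientSubnets = @('10.10.0.0/16', '10.20.0.0/16'),
    # Also block TCP 135 (RPC endpoint mapper); this breaks remote WMI/DCOM management.
    [switch]$BlockRpc
)

$ruleName = 'Harden-Block-Inbound-SMB-From-Clients'

# 1. SMBv1 server side: stop serving SMBv1 (the protocol MS17-010 patches).
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 2. SMBv1 client side: drop the MRxSmb10 driver from the workstation dependency
#    chain so this host cannot speak SMBv1 outbound either (Microsoft's documented method).
if ($PSCmdlet.ShouldProcess('LanmanWorkstation', 'Disable SMBv1 client driver')) {
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# 3. Firewall: drop inbound SMB (and optionally RPC) coming from client subnets.
#    Block rules win over allow rules, so keep admin/file-server hosts out of the list.
$ports = if ($BlockRpc) { 135, 139, 445 } else { 139, 445 }
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess($ruleName, 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort $ports -RemoteAddress $ClientSubnets `
            -Profile Domain, Private, Public | Out-Null
    }
}

# 4. Verify: show what is left so the change can be checked (and reported).
[pscustomobject]@{
    Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Smb1ClientDriver  = (Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'").StartMode
    SmbBlockRule      = (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue).Enabled
} | Format-List
```

Run it with `-WhatIf` first to see what would change; a reboot is needed before the client-side SMBv1 change takes full effect.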

Inform your users / Heighten awareness

  • Even if you don’t often inform your users – now is the time!
  • Ask everyone to be careful and cautious
  • Ask users to double-check strange mails with IT-Support
    • Be able to swiftly help users who contact IT-Support about this
  • Show them pictures of initial vectors (if available – mails, attachments)
  • Show them pictures of compromised systems
  • Ask users to disconnect and power off compromised systems immediately to prevent spreading
    • This could lead to data loss with some ransomware that keeps its keys in memory
    • However, spreading is probably the bigger issue!
    • It’s your decision in the end!


This list is obviously not all you can and should do for proper IT security management!
These controls, however, are meant specifically to help with the current Petya outbreak.

Did I miss something vital?

Put it in the comments below and I will add it!

BR
Sebastian
