A quick post with a collective list of measures that can be undertaken to harden your environment to prevent a Petya outbreak.
Backups, Backups, Backups and Restore!
- With the current Ransomware threats a working backup and, even more important, a working Restore saves you from death!
- Seriously, check if you are really able to restore critical servers.
- VM snapshot based backup / restore tends to be much faster than old-school file based backups.
- Databases tend to need special attention when it comes to backup and restore.
- How much data will you lose between backup cycles?
- Keep your AV up to date and pray it catches something (lol?)
  - There are special patterns available by now
    - Example McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB89540
  - Make sure Windows Defender is not your next 0-day tomorrow :)
Prevent spread via MS17-010
- Patch your shit!
  - Proper patch management processes
  - Think of 3rd party tools/patches too!
  - Use vulnerability scanners and management products like Tenable Nessus and Security Center (or others…) to keep a constant eye on critical vulnerabilities.
  - MS17-010 is now older than 3 months!
- Disable SMBv1
  - MS17-010 is based on SMBv1 vulnerabilities.
  - Further vulnerabilities in this legacy protocol could come along in the future!
- Block inbound TCP 139/445 on machines where possible
  - At least between clients and client subnets!
  - Clients should not need to access each other via SMB – they should rather use central file and print servers
  - You obviously have to keep those ports open on file servers and other servers where those ports are required.
  - Be cautious not to break file server / DFS sync
  - NEVER expose TCP 135/139/445 to the internet!
Prevent PSexec + WMI Spread:
- Block inbound TCP 135, 139, 445 on machines where possible
- Use AppLocker / SRP to prevent creation of C:\Windows\perfc.dat
- Make sure to limit privileges:
  - Do not work with Admin accounts
  - Never work with a Domain Admin account if not absolutely necessary
  - Users should have no permissions on servers / not be able to log onto servers
  - Admins/Supporters should have special accounts for supporting and not do their daily routine with accounts that have admin rights on all clients
  - Do not use the same local admin creds on all systems
    - Use Microsoft LAPS or similar instead
- Prevent future PTH (heavy read):
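As an added example (not from the original post), the two network measures above, disabling SMBv1 and blocking inbound TCP 135/139/445 from client subnets, as a PowerShell script for a domain client. It assumes Windows 8.1 / Server 2012 R2 or later (SmbShare and NetSecurity modules present) and uses placeholder subnet values you must replace with your own client ranges.

```powershell
#Requires -RunAsAdministrator
# Example hardening script, not part of the original post.
# Placeholder client subnets: replace with the ranges your clients live in.
# Run this on clients only; file/print servers must keep 139/445 reachable.
$ClientSubnets = @('10.10.0.0/16', '10.20.0.0/16')

# --- 1. SMBv1 (MS17-010 targets SMBv1; nothing modern should need it) ---
$smb = Get-SmbServerConfiguration
Write-Host "SMB1 server protocol enabled before: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    # Turns off the SMBv1 server side immediately, no reboot needed.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Remove the SMB1 optional feature as well (client + server components).
# On Windows Server use: Remove-WindowsFeature FS-SMB1 (not shown here).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    # -NoRestart: the removal completes on the next reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Disable the SMBv1 client driver so this machine cannot speak SMBv1 outbound either
# (documented Microsoft method via sc.exe; takes effect after reboot).
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# --- 2. Block client-to-client RPC/SMB (PsExec + WMI spread uses 135/139/445) ---
$ruleName = 'Block inbound TCP 135,139,445 from client subnets (Petya hardening)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 135,139,445 `
        -RemoteAddress $ClientSubnets `
        -Action Block -Profile Domain,Private,Public -Enabled True | Out-Null
}

# --- 3. Verify what was actually applied ---
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Management hosts and servers that legitimately reach clients over these ports are only exempt if their addresses are outside `$ClientSubnets`, so scope the placeholder ranges accordingly before rolling this out via GPO or your deployment tool.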
Inform your users / Heighten awareness
- Even if you don’t often inform your users – now is the time!
- Ask everyone to be careful and cautious
- Ask users to double-check strange mails with IT-Support
- Be able to swiftly help users who contact IT-Support about this
- Show them pictures of initial vectors (if available – mails, attachments)
- Show them pictures of compromised systems
- Ask users to disconnect and power off compromised systems immediately to prevent spreading
  - This could lead to data loss with some ransomware that leaves keys in memory
  - However, spreading is probably the bigger issue!
  - It’s your decision in the end!
This list is obviously not all you can and should do for proper IT-Security Management!
These controls however are meant to specifically help with the current Petya outbreak.
Did I miss something vital?
Put it in the comments below and I will add it!