
NotPetya Happened Today, But What About Tomorrow?

Security | Jun 27, 2017

WannaCry and NotPetya are obviously big wake up calls. Long gone are the days when companies can expect to keep powerful malware out of their networks entirely. Today, sophisticated companies increasingly see themselves in a state of continuous compromise.

The key takeaway from recent attacks? It is absolutely imperative that companies have an incident response plan and process in place before attacks like these happen.

We see growing signs that companies are doing just that. Guidance Software customers, for example, are prioritizing incident response plans. In a recent survey, twice as many companies said they plan to build a formal security and incident management team this year compared to the year before. While incident response teams are getting bigger and companies are getting more prepared, EDR tools are gaining in importance as well. According to our recent study, “How Data Breaches Affect the Enterprise,” sponsored by Dark Reading, we noticed a 2x increase from 2016 to 2017 in organizations stating that they plan to build out incident response management teams.

But even as many companies rethink their security strategies, NotPetya is a harsh reminder that, as prepared as some companies are becoming, many still have a long way to go.

NotPetya - What To Do Today


At the time of writing this blog, there is still a lot of speculation about exactly what this variant is and what it is capable of. For example, there is speculation that the malware is capable of lateral movement via psexec and wmic.

This is not a definitive list, but possible mitigation steps for companies hit by NotPetya include:

  • Identify and sandbox infected machines: Remove infected machines from your network until more is known about NotPetya. If NotPetya can in fact propagate using file sharing, it is important that infected machines be isolated immediately. Take file shares down and bring up clean backup file shares.
  • Apply patches: Be sure that healthy machines are patched and updated. Apply patches for MS17-010.
  • Block email senders: Block the sending addresses at the SMTP gateway (SMG, FireEye).
  • Block domains: Block the following domains at the proxy and alert on callbacks to them in the SIEM:
    • hxxp://coffeinoffice.xyz/cup/wish.php
    • hxxp://french-cooking.com/myguy.exe
    • hxxp://84.200.16.242/myguy.xls
  • Block hashes: Block or alert on the known sample hashes at NSM/HIPS.


  • Incident response teams: Work to determine the infection vector, using registry analysis and timeline analysis (where did it come from, who clicked on what?).
  • Additional online resources:
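The "block domains and alert on callbacks" step above, as an added example that is not part of the original post: it refangs the three callback URLs listed above, reduces them to hosts so that any path on those hosts matches, and flags requests to them in a constructed proxy log. The log format, the log lines and the function names are assumptions made for illustration, not any product's real format.

```python
import re
from urllib.parse import urlsplit

# Callback indicators exactly as listed in the post (defanged with hxxp:// so they stay unclickable).
CALLBACK_IOCS = [
    "hxxp://coffeinoffice.xyz/cup/wish.php",
    "hxxp://french-cooking.com/myguy.exe",
    "hxxp://84.200.16.242/myguy.xls",
]

def refang(ioc: str) -> str:
    """Turn a defanged URL (hxxp://, hxxps://, [.]) back into a parseable one."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))

def ioc_hosts(iocs) -> set:
    """Reduce each indicator to its host so a callback to any path on that host matches."""
    hosts = {(urlsplit(refang(i)).hostname or "").lower() for i in iocs}
    return {h for h in hosts if h}

# Assumed (constructed) proxy log format: <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def find_callbacks(log_lines, iocs=CALLBACK_IOCS):
    """Return (timestamp, client_ip, host) for every proxy request whose host is an IOC host."""
    blocked = ioc_hosts(iocs)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than stop the whole pipeline
        ts, client, _method, url, _status = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        if host in blocked:
            hits.append((ts, client, host))
    return hits

# Constructed sample log: two callbacks (one to a path not in the IOC list), one benign request,
# and one malformed line to exercise the skip path.
SAMPLE_LOG = [
    "2017-06-27T10:01:02Z 10.1.2.3 GET http://coffeinoffice.xyz/cup/wish.php 200",
    "2017-06-27T10:01:05Z 10.1.2.3 GET http://example.com/index.html 200",
    "2017-06-27T10:02:11Z 10.1.2.9 GET http://84.200.16.242/other.bin 404",
    "garbage line",
]

if __name__ == "__main__":
    for ts, client, host in find_callbacks(SAMPLE_LOG):
        print(f"ALERT {ts} client={client} callback_host={host}")
```

Matching on host rather than the full URL is deliberate: a second-stage download from a different path on the same host would otherwise slip past an exact-URL rule.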

EDR - The Longer View

Once the WannaCry and NotPetya fire drills subside, companies are faced with a decision. Do they want to remain reactive to these attacks and act surprised each time they happen? Or do they want to gain the upper hand and stop fearing the breach?

If the latter, there are a few key things to remember:

  • First, companies need to locate, categorize and backup sensitive data (and implement ongoing processes to locate and backup new instances of sensitive data over time).
  • Second, companies need to re-evaluate the cost/benefit analysis of upgrading vulnerable legacy systems and associated business applications. For example, what are the risks of running industrial applications on headless systems? In a recent poll by Absolute Software, only 27% of respondents rated their organization's ability to prioritize the endpoint devices that pose the greatest risk as highly effective, and only 30% said they are highly effective in detecting insecure or off-line endpoints.
  • Finally, teams need to have the trained personnel in place to build out incident response plans they can effectively execute when the time comes.

Guidance Software has mission-critical and best-in-breed applications that can help.

EnForce Risk Manager allows organizations to proactively identify and remove sensitive data from unauthorized locations. Keeping your most valuable data in the most secure locations – and not sprawled across the enterprise – will ensure that ransomware attacks targeting more vulnerable machines will have minimal disruption and loss. If those systems cannot be restored or decrypted, the damage will be reduced. Moreover, the secure locations can be segregated by network to prevent further lateral spread.  

EnCase Endpoint Security, ranked #1 in Endpoint Detection and Response by Gartner, readily returns your endpoints to a trusted state by offering earlier detection, enabling faster decisions and empowering organizations with automated, on-demand responses. With our latest EnCase Endpoint Security 6, this solution enables organizations to detect potential ransomware with conditional anomaly scans focused on particular system behaviors. Once identified, it validates possible threats with continually updated cloud-based threat intelligence. One can then remediate the threat before it executes. EnCase Endpoint Security is designed for tier-one security analysts and tier-two incident responders with a user interface designed to be intuitive and easy to use. With more organizations building out sophisticated incident response teams, they can quickly hit the ground running with minimal training and quickly ramp up using EnCase. 

With bigger incident teams, more sophisticated incident plans, and EDR solutions that help support millions of endpoints, intelligent companies will face future breaches with much greater ease. With increasingly advanced forms of attacks (including new levels of ransomware), security teams require a standalone, best-of-breed EDR solution that integrates with your layered security approach and tools.
