Bryan Owen

Tips on Handling Destructive Malware

Discussion created by Bryan Owen on Dec 23, 2014

The Sony breach has become a drama in mainstream media with policy questions rising all the way to the White House.


For the rest of us it seems prudent to dust off your playbook for handling destructive malware. US-CERT tips can be found here.

https://www.us-cert.gov/ncas/tips/ST13-003


Tips on access control and monitoring seem to align with recent topics in our PI Square.


PI Security by André Åsheim similarly mentions the need for tightened access control (e.g. granting access to "Everyone" is a practice to avoid).


Security monitoring ideas include Harvesting PI Logs for Real Time Forensics.


I wonder if we can put PI to work to monitor the first 6 indicators suggested by US-CERT?


Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts.

  • Failed logon attempts,
  • File share access, and
  • Interactive logons via a remote session.


Review network flow data for signs of anomalous activity.

  • Connections utilizing ports which do not correlate to the standard communication flow associated with an application,
  • Activity correlating to port scanning or enumeration, and
  • Repeated connections utilizing ports which can be utilized for command and control purposes.


Hey, maybe using the ping interface or sending the firewall log to a UFL interface isn't so crazy!

What are some good use cases for the Ping Interface?

Welcome to PI Square – let the fun begin! (Consuming Windows Firewall logs)


Happy holidays!
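The three account-focused indicators quoted above (failed logons, file share access, and interactive logons via a remote session, all scoped to privileged and service accounts) can be checked with a small amount of logic once the Security event log has been turned into text. The script below is an added example, not code from the original post or from OSIsoft; the pipe-delimited event feed, the account list, the jump-host list and the thresholds are all constructed assumptions for illustration. Event IDs 4625, 4624 and 5140 and logon type 10 (RemoteInteractive) are the standard Windows values.

```python
"""Audit a text feed of Windows Security events for the three US-CERT
account indicators: failed logons, remote interactive logons, and file
share access by privileged or service accounts."""
from collections import Counter

# Constructed feed for this example. One event per line, pipe-delimited, in
# the shape a log forwarder or a UFL-style text export might produce. The
# column layout is an assumption of this example, not a Windows or PI format:
#   time|event_id|account|logon_type|source_host|share
SAMPLE_EVENTS = r"""
2014-12-23 09:00:01|4624|alice|2|WS-ALICE|
2014-12-23 09:05:10|4625|svc_piadmin|3|WS-LAB7|
2014-12-23 09:05:12|4625|svc_piadmin|3|WS-LAB7|
2014-12-23 09:05:14|4625|svc_piadmin|3|WS-LAB7|
2014-12-23 09:10:00|4624|da_ops|10|WS-LAB7|
2014-12-23 09:10:30|4624|da_ops|10|JUMP01|
2014-12-23 09:12:00|5140|svc_pibackup|3|WS-LAB7|\\PISRV01\C$
2014-12-23 09:13:00|5140|bob|3|WS-BOB|\\FILESRV\Projects
"""

# Assumed account inventory: which accounts are privileged, and whether they
# are human admin accounts or non-interactive service accounts.
PRIVILEGED = {"da_ops": "admin", "svc_piadmin": "service", "svc_pibackup": "service"}
# Assumed policy: admins may only start RDP sessions from these jump hosts.
ADMIN_JUMP_HOSTS = {"JUMP01"}
FAILED_LOGON_THRESHOLD = 3      # repeated failures from one host before alerting

EVENT_LOGON = "4624"            # An account was successfully logged on
EVENT_FAILED_LOGON = "4625"     # An account failed to log on
EVENT_SHARE_ACCESS = "5140"     # A network share object was accessed
REMOTE_INTERACTIVE = "10"       # logon type 10 = RemoteInteractive (RDP)


def parse_events(text):
    """Yield one dict per non-empty line of the constructed feed."""
    for line in text.splitlines():
        if not line.strip():
            continue
        time, event_id, account, logon_type, host, share = line.split("|", 5)
        yield {"time": time, "event_id": event_id, "account": account,
               "logon_type": logon_type, "source_host": host, "share": share}


def audit_privileged_accounts(text):
    """Return (indicator, detail) tuples for privileged and service accounts."""
    alerts = []
    failed = Counter()   # (account, source host) -> failed logon count
    for ev in parse_events(text):
        acct, host = ev["account"], ev["source_host"]
        role = PRIVILEGED.get(acct)
        if role is None:
            continue   # the US-CERT indicators are scoped to privileged accounts
        if ev["event_id"] == EVENT_FAILED_LOGON:
            failed[(acct, host)] += 1
            # alert once, when the threshold is first reached
            if failed[(acct, host)] == FAILED_LOGON_THRESHOLD:
                alerts.append(("failed-logons",
                               f"{acct} from {host} x{FAILED_LOGON_THRESHOLD}"))
        elif ev["event_id"] == EVENT_LOGON and ev["logon_type"] == REMOTE_INTERACTIVE:
            # service accounts should never RDP; admins only from jump hosts
            if role == "service" or host not in ADMIN_JUMP_HOSTS:
                alerts.append(("remote-interactive-logon",
                               f"{acct} via RDP from {host}"))
        elif ev["event_id"] == EVENT_SHARE_ACCESS and role == "service":
            # a service account browsing file shares is a classic staging sign
            alerts.append(("service-share-access",
                           f"{acct} opened {ev['share']} from {host}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in audit_privileged_accounts(SAMPLE_EVENTS):
        print(f"{kind:26} {detail}")
```

On the constructed feed this flags the three failed logons for svc_piadmin from WS-LAB7, the RDP logon of da_ops from WS-LAB7 (the JUMP01 logon is accepted), and svc_pibackup opening \\PISRV01\C$; bob's share access is ignored because he is not on the privileged list. The same tuples could be written to PI tags so the counts trend alongside process data.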
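The three network-flow indicators quoted above (ports that do not match an application's normal flow, port scanning or enumeration, and repeated connections on ports usable for command and control) map naturally onto the Windows Firewall log that the post suggests feeding to a UFL interface. The script below is an added example, not code from the original post or from OSIsoft; the pfirewall.log lines, the per-server expected-port baseline, the internal address range, the C2 port watchlist and the thresholds are constructed assumptions for illustration. The W3C-style header and the '-' placeholder for unused fields follow the real Windows Firewall log layout; 5450 is the PI Data Archive listener.

```python
"""Run the three US-CERT network-flow indicators over Windows Firewall log
lines (pfirewall.log format)."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample for this example in pfirewall.log format. Addresses,
# hosts and timestamps are made up. 10.1.1.10 plays the PI Data Archive.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-12-23 09:00:01 ALLOW TCP 10.1.1.20 10.1.1.10 51000 5450 0 - 0 0 0 - - - RECEIVE
2014-12-23 09:00:02 ALLOW TCP 10.1.1.21 10.1.1.10 51001 5450 0 - 0 0 0 - - - RECEIVE
2014-12-23 09:00:03 DROP TCP 10.1.1.99 10.1.1.10 40001 21 52 S 1 0 8192 - - - RECEIVE
2014-12-23 09:00:03 DROP TCP 10.1.1.99 10.1.1.10 40002 22 52 S 1 0 8192 - - - RECEIVE
2014-12-23 09:00:03 DROP TCP 10.1.1.99 10.1.1.10 40003 23 52 S 1 0 8192 - - - RECEIVE
2014-12-23 09:00:04 DROP TCP 10.1.1.99 10.1.1.10 40004 80 52 S 1 0 8192 - - - RECEIVE
2014-12-23 09:00:04 DROP TCP 10.1.1.99 10.1.1.10 40005 135 52 S 1 0 8192 - - - RECEIVE
2014-12-23 09:00:04 ALLOW TCP 10.1.1.99 10.1.1.10 40006 445 52 S 1 0 8192 - - - RECEIVE
2014-12-23 09:01:00 ALLOW TCP 10.1.1.10 203.0.113.7 49152 4444 0 - 0 0 0 - - - SEND
2014-12-23 09:02:00 ALLOW TCP 10.1.1.10 203.0.113.7 49153 4444 0 - 0 0 0 - - - SEND
2014-12-23 09:03:00 ALLOW TCP 10.1.1.10 203.0.113.7 49154 4444 0 - 0 0 0 - - - SEND
2014-12-23 09:04:00 ALLOW TCP 10.1.1.10 203.0.113.7 49155 4444 0 - 0 0 0 - - - SEND
"""

# Assumed baseline: destination ports that are normal for each monitored
# server. 5450 is the PI Data Archive listener; anything else is unexpected.
EXPECTED_PORTS = {"10.1.1.10": {5450}}
# Assumed internal address space; connections leaving it are "outbound".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Assumed watchlist of ports frequently used for command and control.
C2_PORTS = {4444, 1080, 6667, 31337}
SCAN_DISTINCT_PORTS = 5      # distinct dst ports from one source to one host
C2_REPEAT_THRESHOLD = 3      # repeated connections to the same dst:port


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_firewall_log(text):
    """Yield one dict per data line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue   # skip malformed lines instead of crashing the collector
        rec = dict(zip(fields, parts))
        rec["dst-port"] = int(rec["dst-port"]) if rec["dst-port"] != "-" else None
        yield rec


def find_indicators(text):
    """Return (indicator, detail) tuples for the three flow indicators."""
    alerts = []
    ports_by_pair = defaultdict(set)   # (src, dst) -> distinct dst ports seen
    conn_count = Counter()             # (src, dst, dport) -> connection count
    for rec in parse_firewall_log(text):
        src, dst, dport = rec["src-ip"], rec["dst-ip"], rec["dst-port"]
        if rec["protocol"] not in ("TCP", "UDP") or dport is None:
            continue
        ports_by_pair[(src, dst)].add(dport)
        conn_count[(src, dst, dport)] += 1
        # 1. Allowed connection on a port outside the server's expected flow
        if rec["action"] == "ALLOW" and dst in EXPECTED_PORTS \
                and dport not in EXPECTED_PORTS[dst]:
            alerts.append(("unexpected-port", f"{src} -> {dst}:{dport}"))
    # 2. Port scanning / enumeration: many distinct ports from one source,
    #    counting DROPs too, since a scan is mostly refused connections
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= SCAN_DISTINCT_PORTS:
            alerts.append(("port-scan", f"{src} probed {len(ports)} ports on {dst}"))
    # 3. Repeated outbound connections on a port usable for command and control
    for (src, dst, dport), n in conn_count.items():
        if dport in C2_PORTS and n >= C2_REPEAT_THRESHOLD and not is_internal(dst):
            alerts.append(("possible-c2", f"{src} -> {dst}:{dport} x{n}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```

On the sample this reports 10.1.1.99 reaching port 445 on the PI server, the same host probing six ports (five of them dropped), and the PI server itself calling out to 203.0.113.7:4444 four times. Each alert kind is a natural candidate for a PI tag whose value is the count in the last interval, which is what makes the "firewall log into UFL" idea practical rather than crazy.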
