SANS ISC INFOCON now at Yellow

Discussion in 'Business & Enterprise Computing' started by Icidic, Jul 20, 2010.

  1. Icidic

    Icidic Member

    Joined:
    Mar 17, 2007
    Messages:
    562
    Location:
    Brisbane, Queensland
    Hi all,

    As most of you probably already know, the SANS Internet Storm Center recently raised its INFOCON level to Yellow to pre-empt the fallout of the recent Windows LNK vulnerability (still considered a zero-day).

    It kinda got me thinking - what protocols do you/your company have in place for when these kinds of events occur? Do you change Windows Update settings, schedule more AV scans, ensure PCs are turned off/locked when not in use, enable more restrictive firewall and proxy rules/ACLs? Obviously you don't have to go into specifics, but I know that there are a number of areas for me that are possibly worth looking into that I haven't yet had the time to.

    So yeah, thoughts?
     
  2. zer0sum

    zer0sum Member

    Joined:
    Aug 20, 2001
    Messages:
    785
    Location:
    New York/Melbourne
    Generally people run around with their foil hats waving their arms in the air
     
  3. zer0sum

    zer0sum Member

    Joined:
    Aug 20, 2001
    Messages:
    785
    Location:
    New York/Melbourne
    Huh?

    AV defs have been available since 13 July to identify this threat.
    Patch isn't out yet, but it's only a matter of time.

    Agreed that layers are important :)
     
    Last edited: Jul 20, 2010
  4. biglolz

    biglolz Member

    Joined:
    Feb 14, 2007
    Messages:
    95
    ooohh look at me I'm Mr Fancy Pants with all my controls. T H A T ' S C H E A T I N G!

    :)

    AV is piss and won't help you prevent 50%+ of this (this being 'bad shit'). Once your network is smashed, you can collect a sample + submit to AV vendor + send out update to network etc. Sucks if the malware changes though ;p
     
    Last edited by a moderator: Jul 20, 2010
  5. Gecko

    Gecko Member

    Joined:
    Jul 3, 2004
    Messages:
    2,715
    Location:
    Sydney
    We normally take it as an opportunity to remind everyone that they shouldn't be clicking on random things, beyond that just keep a close eye out for any unusual activity
     
  6. biglolz

    biglolz Member

    Joined:
    Feb 14, 2007
    Messages:
    95
    what type of network do you maintain?
     
  7. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    I think of this every time some blank faced luser looks at me and says "But don't we run anti virus?!"

    If the hole is in your browser, a plugin (reader, flash, java), in a service of your OS, etc .. it doesn't even matter if your AV has detections for that payload. By the time your AV detects anything, something has already been executed on your machine without knowledge.

    What was it? Is any of it still in your system? How much of it did the AV stop running and how many files did it remove? Are you still secure now the AV has "Quarantined" or "Cleaned" the threat?

    In my experience the answers are: "Who knows", "Almost certainly", "Nothing but the single (now extracted) payload, and none of the temporary and other dropper files" and lastly "You weren't secure with that hole in your system to begin with, you're just lucky another layer caught it"

    That is.. as long as the second action of that worm, prior to executing or downloading a payload, wasn't to disable your anti virus in some way, yet leaving it with the appearance of working. Can't tell you how often this is the case.
     
  8. Nyarghnia

    Nyarghnia (Taking a Break)

    Joined:
    Aug 5, 2008
    Messages:
    1,274
    I just recently placed some of our test systems onto a separate network behind our firewall systems in their own DMZ, where only specific ports are open to the trusted network and nothing from the outside network is allowed.

    So far they work fine, running their apps as required. This also allows me to only allow authenticated users to even attempt to make connections and log every single connection and attempted connection, something that can be difficult to do inside the firewall.

    In fact, I'm waiting on someone to come out with a 'firewall VLAN switch' that includes the functionality of a firewall with lots of ports and VLANs, then you could literally break your network down into little bits, sort of beyond just VLANs.

    I think that the concept of 'Trusted Network' is redundant... :(

    Maybe I should have my foil hat ready.

    -NyarghNia
     
  9. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,224
    How is this done? by company policy, or on a technical level?

    We are having ongoing problems with dodgy USB sticks being used on work computers, but can't go as far as disabling USB mass storage completely. Being able to only use 'authorised' sticks would go a good way towards this.
     
  10. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,318
    Location:
    Brisbane
    I have a client who does it with a hot glue gun. True story.
     
  11. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,629
    Location:
    Sydney, Australia
    What endpoint security product do you use? The latest version of Sophos Endpoint Security and Control (9.5) does device control, and I'm pretty sure you can disable USB removable drives except for whitelisted or authorised ones.
     
  12. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,224
    We are in the evaluation stages. Currently only using the AV component of AVG.

    Hot Glue Gun seems a bit draconian, especially when you can just disable USB in the BIOS. But that doesn't help us, due to the need to have 'some' USB keys in use.

    Do you know if Sophos whitelisting is on a per-key basis, or done using the device ID (meaning all keys of that model)?
     
  13. zer0sum

    zer0sum Member

    Joined:
    Aug 20, 2001
    Messages:
    785
    Location:
    New York/Melbourne
    But you don't just rely on the defs do you?
    Anyone with a clue has an endpoint product that does IPS and has application and device control.

    USB media and autorun blocking is enabled on all removable devices

    When you see a threat like this you just tweak your IPS and application/device control policy to detect and block the threat.
     
  14. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,629
    Location:
    Sydney, Australia
    Both. I've attached some screenshots of the device control policy.


    Click to view full size!



    Click to view full size!


    The recommended way to start using the device control policy is to log, but don't block. That will mean that every time someone uses a device that is set to block or read-only, it will be logged in the Enterprise Console, and you can then create an exemption for it (or ignore it). If you do that for a couple of weeks and whitelist the 'known good' devices (or models of device) you can then set it to block mode and it will do that, while honouring all your exemptions.
     
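The log-then-block rollout gords describes, and the per-key versus per-model distinction PabloEscobar asks about, modelled as an added example. This is not Sophos code or anything posted in this thread: the policy class, the USB vendor/product IDs, serial numbers and insertion events are all constructed for illustration. It shows why the audit phase matters (the review queue is exactly the list of devices an admin turns into exemptions) and how a model exemption covers every unit of that product line while a serial exemption covers one stick only.

```python
"""Audit-first removable-device control: run in log mode, review, exempt, then switch to block.
Added example; not vendor code. Device IDs and events below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Device:
    """A removable device as an endpoint agent would identify it."""
    vendor_id: str    # USB VID
    product_id: str   # USB PID; VID:PID together identify the model
    serial: str       # per-unit serial number, unique to one stick
    dev_class: str    # e.g. "removable_storage", "optical"

    @property
    def model(self) -> str:
        return f"{self.vendor_id}:{self.product_id}"


@dataclass
class DeviceControlPolicy:
    """'log' mode records what would be restricted without enforcing; 'block' mode enforces."""
    mode: str = "log"
    class_action: Dict[str, str] = field(
        default_factory=lambda: {"removable_storage": "block", "optical": "read_only"})
    exempt_models: Set[str] = field(default_factory=set)    # whitelist every unit of a model
    exempt_serials: Set[str] = field(default_factory=set)   # whitelist one specific unit
    audit: List[dict] = field(default_factory=list)

    def exemption_for(self, dev: Device) -> Optional[str]:
        if dev.serial in self.exempt_serials:
            return "serial"
        if dev.model in self.exempt_models:
            return "model"
        return None

    def evaluate(self, host: str, user: str, dev: Device) -> str:
        """Return the action actually applied to this insertion and record an audit entry."""
        policy_action = self.class_action.get(dev.dev_class, "allow")
        why = self.exemption_for(dev)
        if why is not None:
            policy_action = "allow"
        # In log mode nothing is enforced: the device works, but the would-be action is recorded.
        applied = policy_action if self.mode == "block" else "allow"
        self.audit.append({"host": host, "user": user, "model": dev.model,
                           "serial": dev.serial, "policy": policy_action,
                           "applied": applied, "exempt_by": why})
        return applied

    def review_queue(self) -> List[dict]:
        """Entries an admin should review: devices the policy would restrict that are not yet exempt."""
        return [e for e in self.audit if e["policy"] != "allow" and e["exempt_by"] is None]


# Constructed devices and insertion events for the rollout walk-through.
CORP_STICK_A = Device("0951", "1666", "SN-CORP-0001", "removable_storage")
CORP_STICK_B = Device("0951", "1666", "SN-CORP-0002", "removable_storage")  # same model as A
PERSONAL_STICK = Device("0781", "5567", "SN-HOME-4242", "removable_storage")
FINANCE_ONLY = Device("13fe", "4200", "SN-FIN-0007", "removable_storage")
DVD_DRIVE = Device("0e8d", "1887", "SN-DVD-0001", "optical")

INSERTIONS = [
    ("ws-01", "alice", CORP_STICK_A),
    ("ws-02", "bob", PERSONAL_STICK),
    ("ws-03", "carol", FINANCE_ONLY),
    ("ws-04", "dave", DVD_DRIVE),
]


def run_rollout() -> Dict[str, str]:
    """Log phase, admin review, then block mode; returns applied action per serial."""
    policy = DeviceControlPolicy(mode="log")
    for host, user, dev in INSERTIONS:
        policy.evaluate(host, user, dev)
    # Review: the corporate-issued model gets a model exemption, finance's single stick gets
    # a serial exemption, the personal stick and the DVD drive stay as the policy dictates.
    for entry in policy.review_queue():
        if entry["model"] == CORP_STICK_A.model:
            policy.exempt_models.add(entry["model"])
        elif entry["serial"] == FINANCE_ONLY.serial:
            policy.exempt_serials.add(entry["serial"])
    policy.mode = "block"
    policy.audit.clear()
    results = {dev.serial: policy.evaluate(host, user, dev) for host, user, dev in INSERTIONS}
    # A sibling unit never seen during the audit phase is covered by the model exemption.
    results[CORP_STICK_B.serial] = policy.evaluate("ws-05", "erin", CORP_STICK_B)
    return results


if __name__ == "__main__":
    for serial, action in run_rollout().items():
        print(f"{serial}: {action}")
```

The design choice worth noting is that `review_queue()` excludes anything already exempt, so after the first review pass the queue only shows genuinely new devices; and because `evaluate()` records the would-be action even in log mode, switching to block mode changes enforcement without changing what gets logged.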
  15. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,638
    Location:
    Pooraka Maccas drivethrough
    There's malware exploiting this in the wild now. My colleagues in desktop support mentioned that Sophos has started picking up mutations of W32/Dulkis on USB drives at work this morning. Being a university, we don't have the option of locking down staff desktops to the extent that corporate admins can.
     
  16. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    Wait, what? Why aren't you using something like Deep Freeze?
     
  17. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,638
    Location:
    Pooraka Maccas drivethrough
    I'm guessing that you've never had the joy of trying to get tenured, independently funded academics to do anything that's in the broader interests of the organisation and not their own immediate needs
     
  18. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    Well to be fair, tried and gave up. However we weren't deeply ingrained in the institute, just an external party trying to offer a mutually beneficial business relationship (endorsed by the state government, no less).

    But come on, you should have ways of getting around these things. This isn't something hard to sell like the cost of virtualized infrastructure. You've got the biggest alarmist keyword on your side, virus. Get someone to start pushing for budget while throwing around things like "malware outbreak, unpatched vulnerabilities, gaping security holes, critical infrastructure failure", then you propose a solution that's 5 times the cost of what you need, when they give you a quarter of what you asked for you're a hero for getting it done under budget!

    If that doesn't work, make it their immediate need. Yank their network connection, tell them they get no youtube due to previously mentioned problem flooding the internet link :)

    See.. IT is all about working *with people*. You work *with* them until they give you what you need :)
     
  19. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,638
    Location:
    Pooraka Maccas drivethrough
    I don't need to worry about getting around things like this these days, as they fall under the category of Someone Else's Problem.
     