Security Enthusiast
HackTheBox user
Ethical Hacker
Linux lover
Unplug the infected computer(s) from the network and turn off any wireless functionality: Wi-Fi, Bluetooth, NFC.
Note: Do NOT turn systems OFF!
Powering off destroys logs and other useful information, in particular volatile evidence that only exists in memory: running processes, open network connections and, in some cases, the encryption key the ransomware is still holding in RAM.
Check the Following for Signs of Encryption:
Develop and implement a ransomware prevention checklist, specific to your organisation, to prevent future attacks.
With a well-configured firewall you can make sure unwanted traffic does not get into your organisation. Most modern firewalls have IPS (Intrusion Prevention) and the ability to run AV on all traffic. The deeper you can look into the traffic (deep inspection), the more malware you keep out of your company; note that inspecting encrypted traffic requires TLS interception, which has its own trade-offs.
The smaller your network segments are, the harder it is for an attacker to reach the information needed to move laterally or get "elevated" to a more privileged user. Put clients, servers, printers, the management interfaces of network switches, Wi-Fi, door security, VoIP and everything else in separate VLANs (network segments). With an Internal Segmentation Firewall in place, you can make sure that only wanted and expected traffic flows from one VLAN to another. Also run IPS between these VLANs, because attacks do not always come from outside your network. Enable AV where possible. Apply a zero-trust policy to all rules: deny by default and allow only what is needed.
Make sure all your equipment is logging to a central logging server. When things go wrong and you have to disconnect (DO NOT TURN OFF) your systems, there is still a place where all the logs were collected, and from there you can start investigating where the attack is coming from.
This speeds up the process, so you can remediate and restart your servers and your business sooner.
There are many ways to detect that something is going wrong in your network. Many companies sell honeypot solutions.
They differ in strength and cost. I am running a Raspberry Pi (about $50) and run OpenCanary on it (free). With some scripting it
tells me on many different media (e.g. Slack) that something was interested in it, and I can investigate why system X was contacting my canary.
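The kind of scripting meant above, as an added example that is not part of the original post or of the OpenCanary project: read OpenCanary's JSON log, drop its own housekeeping messages, summarise what each source host touched, and build the Slack message. The log field names, the logtype numbers (assumed from OpenCanary's logger constants), the node name and the sample log lines are all assumptions constructed for this example; the Slack webhook URL is a placeholder.

```python
"""Added example, not OpenCanary's or the author's code: OpenCanary JSON log -> Slack alert."""
import json
import urllib.request
from collections import defaultdict

# Assumption: OpenCanary writes one JSON object per line; logtypes 1000-1999 are its own
# boot/ping/debug messages, everything above is a service being poked by someone.
HOUSEKEEPING_MAX = 1999
SERVICE_NAMES = {           # assumption: numbers as in OpenCanary's logger constants
    2000: "FTP login attempt", 3000: "HTTP GET", 3001: "HTTP login attempt",
    4000: "SSH connection", 4002: "SSH login attempt", 5000: "SMB file open",
    5001: "port scan (SYN)", 6001: "Telnet login attempt",
}
SLACK_WEBHOOK_URL = "https://hooks.slack.com/services/REPLACE/ME/PLEASE"  # placeholder

# Constructed sample log lines in the assumed OpenCanary format (not a real capture).
SAMPLE_LOG = """\
{"dst_host": "10.0.99.5", "dst_port": -1, "logdata": {"msg": "Canary running!!!"}, "logtype": 1001, "node_id": "canary-pi", "src_host": "", "src_port": -1}
{"dst_host": "10.0.99.5", "dst_port": 22, "logdata": {"USERNAME": "root", "PASSWORD": "toor"}, "logtype": 4002, "node_id": "canary-pi", "src_host": "10.0.20.15", "src_port": 51234}
{"dst_host": "10.0.99.5", "dst_port": 22, "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}, "logtype": 4002, "node_id": "canary-pi", "src_host": "10.0.20.15", "src_port": 51235}
{"dst_host": "10.0.99.5", "dst_port": 445, "logdata": {}, "logtype": 5001, "node_id": "canary-pi", "src_host": "10.0.20.15", "src_port": 51300}
{"dst_host": "10.0.99.5", "dst_port": 80, "logdata": {"USERNAME": "admin", "PASSWORD": "Password1", "PATH": "/login"}, "logtype": 3001, "node_id": "canary-pi", "src_host": "10.0.30.7", "src_port": 40122}
this line is not JSON and must be skipped, not crash the alerter
"""


def parse_events(lines):
    """Return the interesting events (dicts) from raw log lines; skip junk and housekeeping."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # tolerate a truncated or foreign line
        logtype = ev.get("logtype")
        if not isinstance(logtype, int) or logtype <= HOUSEKEEPING_MAX:
            continue                      # canary's own boot/ping messages are not alerts
        events.append(ev)
    return events


def summarise(events):
    """Group events per attacking host, most active host first."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "services": set(), "creds": set()})
    for ev in events:
        s = per_src[ev.get("src_host") or "?"]
        s["count"] += 1
        s["ports"].add(ev.get("dst_port"))
        s["services"].add(SERVICE_NAMES.get(ev["logtype"], f"logtype {ev['logtype']}"))
        data = ev.get("logdata") or {}
        if "USERNAME" in data:            # credentials tried tell you what the attacker knows
            s["creds"].add(f"{data['USERNAME']}:{data.get('PASSWORD', '')}")
    ordered = sorted(per_src.items(), key=lambda kv: -kv[1]["count"])
    return [{"src_host": host,
             "count": v["count"],
             "ports": sorted(p for p in v["ports"] if isinstance(p, int)),
             "services": sorted(v["services"]),
             "creds": sorted(v["creds"])} for host, v in ordered]


def slack_payload(summaries, node_id):
    """Build the JSON body for a Slack incoming webhook."""
    lines = [f":rotating_light: Canary *{node_id}* was touched by {len(summaries)} host(s):"]
    for s in summaries:
        line = f"- `{s['src_host']}`: {s['count']} event(s) on ports {s['ports']} ({', '.join(s['services'])})"
        if s["creds"]:
            line += f", credentials tried: {', '.join(s['creds'])}"
        lines.append(line)
    return {"text": "\n".join(lines)}


def post_to_slack(payload, webhook_url=SLACK_WEBHOOK_URL):
    """POST the payload to the webhook (needs network; not called by the stand-alone demo)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # In production read /var/tmp/opencanary.log (or wherever the JSON logger writes) instead.
    summaries = summarise(parse_events(SAMPLE_LOG.splitlines()))
    print(json.dumps(slack_payload(summaries, "canary-pi"), indent=2))
```

Anything hitting the canary is by definition unexpected, so the alert carries the source address and the service touched; that is what you need to go and ask why system X talked to it. Run it from a cron job or a log-tailing loop and call post_to_slack with the real webhook.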
Many vendors can help you detect actions on a system that you want to know about. For example, once an attacker is on a system, they will almost certainly run "whoami" to find out whether they are a normal user, an administrator or SYSTEM.
Some AV/EDR vendors (e.g. SentinelOne) offer "Deep Visibility": all agents report to a cloud back end what is happening on a system,
which processes are running, which commands were executed, which IPs were contacted, which files changed and which registry keys were altered. You can filter on that data and get notified. The earlier you know someone is in your network, the smaller the damage can be.
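What such a notification rule looks like, as an added example that is not from the original post or from any EDR vendor: detection logic run over constructed process-creation events of the kind an EDR agent or Sysmon (Event ID 1) collects centrally. It flags the "whoami" case from the text in two ways, a recon command spawned by a server or Office process, and a burst of distinct recon commands on one host, so a single whoami by an admin does not page anyone. The field names, host names, parent-process list and sample events are assumptions made for this example.

```python
"""Added example, not from the post or any vendor: recon-command detection over process events."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Canonical names of commands attackers run right after landing on a host.
RECON_SINGLE = {"whoami", "hostname", "systeminfo", "ipconfig", "nltest", "quser",
                "tasklist", "dsquery", "adfind"}
RECON_NET_SUB = {"user", "group", "localgroup"}       # "net user", "net group", "net localgroup"
# Assumption: parents that have no business spawning a shell that does recon.
SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat9.exe", "sqlservr.exe",
                  "winword.exe", "excel.exe", "outlook.exe"}
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 3                                   # distinct recon commands per host per window

# Constructed sample events (assumed field names: time, host, user, parent_image, image, cmdline).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent_image": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"time": "2024-03-01T09:00:05", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent_image": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami"},
    {"time": "2024-03-01T09:00:09", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent_image": "cmd.exe", "image": "net.exe", "cmdline": "net user /domain"},
    {"time": "2024-03-01T09:00:15", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent_image": "cmd.exe", "image": "nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"time": "2024-03-01T09:30:00", "host": "WS22", "user": "CORP\\jdoe",
     "parent_image": "explorer.exe", "image": "cmd.exe", "cmdline": "\"C:\\Windows\\System32\\cmd.exe\""},
    {"time": "2024-03-01T09:30:10", "host": "WS22", "user": "CORP\\jdoe",
     "parent_image": "cmd.exe", "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"time": "2024-03-01T10:00:00", "host": "WS22", "user": "CORP\\jdoe",
     "parent_image": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami /groups"},
]


def recon_commands(cmdline):
    """Return the set of canonical recon commands present in a command line."""
    tokens = [t.strip('"').lower() for t in cmdline.split()]
    found = set()
    for i, tok in enumerate(tokens):
        name = ntpath.basename(tok)                   # "C:\\Windows\\System32\\whoami.exe" -> "whoami.exe"
        if name.endswith(".exe"):
            name = name[:-4]
        if name == "net" and i + 1 < len(tokens) and tokens[i + 1] in RECON_NET_SUB:
            found.add(f"net {tokens[i + 1]}")         # "net use" (drive mapping) is deliberately not matched
        elif name in RECON_SINGLE:
            found.add(name)
    return found


def detect(events):
    """Run both rules over events in time order; return a list of alert dicts."""
    alerts = []
    history = defaultdict(list)                       # host -> [(timestamp, command)]
    last_burst_alert = {}                             # host -> time of last burst alert (dedup)
    for ev in sorted(events, key=lambda e: e["time"]):
        cmds = recon_commands(ev["cmdline"])
        if not cmds:
            continue
        ts = datetime.fromisoformat(ev["time"])
        parent = ev["parent_image"].lower()
        # Rule 1: a web/DB/Office process spawning recon is a web shell or macro until proven otherwise.
        if parent in SERVER_PARENTS:
            alerts.append({"rule": "recon-from-server-process", "host": ev["host"], "time": ev["time"],
                           "user": ev["user"], "detail": f"{parent} spawned: {ev['cmdline']}"})
        # Rule 2: several different recon commands in a short window is a discovery chain.
        hist = history[ev["host"]]
        hist.extend((ts, c) for c in cmds)
        recent = {c for t, c in hist if ts - t <= BURST_WINDOW}
        last = last_burst_alert.get(ev["host"])
        if len(recent) >= BURST_THRESHOLD and (last is None or ts - last > BURST_WINDOW):
            last_burst_alert[ev["host"]] = ts
            alerts.append({"rule": "discovery-burst", "host": ev["host"], "time": ev["time"],
                           "user": ev["user"],
                           "detail": f"{len(recent)} distinct recon commands within {BURST_WINDOW.seconds}s: {sorted(recent)}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['time']} {a['host']} ({a['user']}): {a['detail']}")
```

On the constructed events the web server's app-pool identity running whoami from w3wp.exe fires immediately, the whoami/net user/nltest chain on the same host fires once the third distinct command appears, and the admin on WS22 who runs ipconfig and, half an hour later, whoami fires nothing. Tune SERVER_PARENTS and the threshold to your own environment; the same logic applies to whatever your EDR or SIEM query language exposes.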
Never reuse a password, and prefer long, hard-to-guess passwords.
Give users only the rights they need. The same goes for service accounts: the less an account is allowed to do, the smaller the chance an attacker can
use it to elevate their privileges. ICT admins should set up a stepping-stone (jump host) environment from which all servers are reached, and use their admin accounts only there, never on their day-to-day workstation.