WannaCry: Some Quick Precautions To Take

Author - Tushar Vartak, Director Information Security, Rak Bank


Since 12th Apr 2017, ransomware exploiting MS17-010 has been wreaking havoc worldwide.


Precautions to be taken:


1 - Patch Management

  • Ensure all Workstations and Servers have the latest Microsoft patches, especially the ones related to MS17-010.


2 - Antivirus

  • Ensure AV signatures are updated on all assets. Identify critical assets and target them first. Block the IOCs on the AV solution.
  • Get the name under which the AV solution detects this malware and verify whether it has been detected in the logs for the last 1 week.


3 - IPS

  • Ensure IPS signatures are updated. Verify that the signature that can detect this vulnerability / exploit attempt is enabled and is in blocking mode.
  • Get the name of the signature and verify whether it has been triggered in the logs for the last 1 week.


4 - eMail Gateway

  • Ensure eMail Gateway solutions have all relevant updates for detecting possible mails that may bring the Trojan into the environment.


5 - Proxy

  • Ensure the Proxy solution has an updated database. Block the IOC IP addresses and domain names on the Proxy.
  • Verify the last one week of Proxy logs for the IOCs and take action on sources of infection.


6 - Firewall

  • Block the IP addresses on the Perimeter Firewall.
  • Verify the logs for the last one week.


7 - Anti-APT Solutions

  • Ensure signatures are up to date.
  • Check for possible internal sources of infection and take actions.


8 - SIEM

  • Check the logs to verify whether any of the IOCs have been detected in the last 1 week.

Note:
a - If required, raise a case with the OEM to get details
b - All changes must follow the proper approvals and change management process
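
The one-week IOC log check in steps 5, 6 and 8 can be scripted. The sketch below is an added example, not part of the original checklist: it sweeps proxy log lines for IOC IPs and domains inside a 7-day window and groups the hits by internal source, so the sources of infection can be followed up. The log format, the IOC values and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed placeholder IOCs (documentation IP ranges, reserved .example TLD).
# Load the real lists from the advisory or OEM feed you are working from.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS = {"c2-placeholder.example", "dropper-placeholder.example"}

# Constructed proxy log, assumed format: "<ISO time> <client IP> <method> <target>"
SAMPLE_LOG = """\
2017-05-14T09:12:03 10.1.4.22 GET http://intranet.corp.example/home
2017-05-14T09:12:09 10.1.4.22 CONNECT 203.0.113.45:443
2017-05-13T22:40:51 10.1.7.80 GET http://www.dropper-placeholder.example/
2017-05-13T22:41:02 10.1.7.80 GET http://cdn.c2-placeholder.example/a
2017-05-02T11:00:00 10.1.9.13 GET http://c2-placeholder.example/old
2017-05-14T10:00:00 10.1.5.5 GET http://notc2-placeholder.example/
malformed line without timestamp
"""

def target_host(target):
    """Return the lowercase host from a URL or a CONNECT host:port target."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse a bare host:port
    return (urlsplit(target).hostname or "").lower()

def is_ioc(host):
    """Exact IP match, or exact/subdomain match on a domain (no substring hits)."""
    if host in IOC_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def sweep(log_text, now, days=7):
    """Map each internal source IP to the IOC hosts it contacted in the window."""
    cutoff = now - timedelta(days=days)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            src, host = parts[1], target_host(parts[3])
        except (ValueError, IndexError):
            continue  # skip lines that do not match the assumed format
        if cutoff <= ts <= now and is_ioc(host):
            hits[src].add(host)
    return {src: sorted(hosts) for src, hosts in hits.items()}

if __name__ == "__main__":
    for src, hosts in sweep(SAMPLE_LOG, now=datetime(2017, 5, 15)).items():
        print(src, "->", ", ".join(hosts))
```

Matching domains on an exact or subdomain boundary keeps look-alike hostnames from producing false positives, and the explicit cutoff keeps hits older than the review window out of the result.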
