Irregular Expressions

Jul 29 2011   10:57PM GMT

Good times

Posted by: Dan O'Connor
Tags:
incident handling
incident handling game

http://isc.sans.org/diary.html?storyid=11251

So what do you do?

My basic steps:

Containment.

  1. Block access to the news site.
  2. Block access to the drop sites and download sites (if possible); at the very least, monitor for them with a signature.
  3. Restrict TCP port 445 between remote locations and servers where possible.
  4. Start updating machines with new AV signatures and system patches to stop the bleeding.
  5. Update the AV on the servers that require TCP 445 and cannot be patched. I have also seen some application firewalls for servers that might be a help.
  6. It might be possible to VLAN the infected workstations off the network, or route them through the main firewall to be scanned.
Identification.
  1. Use firewall logs to identify any machines that have visited the news site. Also use logs (hopefully) to watch for TCP 445 scans around the network. Going forward, an IDS signature would be good for this.
  2. Try to use WSUS logs to identify machines missing the needed patch, and cross-reference them with AV logs for missing signatures.
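The two identification steps above, worked through in code. This is an added example, not part of the original post or the ISC diary it links to: it parses constructed firewall log lines (the key=value format, the news site name, the IP addresses and the scan threshold are all assumptions), picks out the hosts that visited the news site, flags hosts touching many distinct machines on TCP 445, and then cross-references both lists with constructed WSUS and AV inventories so the response team has an ordered triage list rather than three separate reports.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the original post). The line format is an
# assumption: a timestamp followed by key=value fields; "host" is the HTTP Host header
# where the firewall logged one, "-" otherwise.
FIREWALL_LOG = """\
2011-07-29T10:01:02 src=10.1.2.15 dst=203.0.113.10 dport=80 proto=tcp action=allow host=news.example
2011-07-29T10:01:05 src=10.1.2.15 dst=203.0.113.10 dport=80 proto=tcp action=allow host=news.example
2011-07-29T10:02:10 src=10.1.2.99 dst=203.0.113.44 dport=80 proto=tcp action=allow host=intranet.example
2011-07-29T10:02:30 src=10.1.2.40 dst=203.0.113.10 dport=80 proto=tcp action=allow host=news.example
2011-07-29T10:03:00 src=10.1.2.15 dst=10.1.3.1 dport=445 proto=tcp action=deny host=-
2011-07-29T10:03:01 src=10.1.2.15 dst=10.1.3.2 dport=445 proto=tcp action=deny host=-
2011-07-29T10:03:01 src=10.1.2.15 dst=10.1.3.3 dport=445 proto=tcp action=deny host=-
2011-07-29T10:03:02 src=10.1.2.15 dst=10.1.3.4 dport=445 proto=tcp action=allow host=-
2011-07-29T10:03:02 src=10.1.2.15 dst=10.1.3.5 dport=445 proto=tcp action=deny host=-
2011-07-29T10:05:00 src=10.1.2.30 dst=10.1.5.7 dport=445 proto=tcp action=allow host=-
2011-07-29T10:05:01 src=10.1.2.30 dst=10.1.5.7 dport=445 proto=tcp action=allow host=-
"""

# Constructed WSUS and AV inventories: hosts missing the needed patch or the new signature.
MISSING_PATCH = {"10.1.2.15", "10.1.2.40", "10.1.2.60"}
MISSING_SIGNATURE = {"10.1.2.15", "10.1.2.30"}

NEWS_HOSTS = {"news.example"}  # placeholder for the compromised news site
SMB_SCAN_THRESHOLD = 5         # distinct TCP 445 targets from one source before we call it a scan

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not fit the format."""
    parts = line.split(" ", 1)
    if len(parts) != 2:
        return None
    rec = dict(KV_RE.findall(parts[1]))
    if not {"src", "dst", "dport", "proto"}.issubset(rec):
        return None
    rec["ts"] = parts[0]
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def visited_news_site(records, news_hosts=NEWS_HOSTS):
    """Identification step 1: source IPs that made an HTTP request to the news site."""
    return {r["src"] for r in records if r.get("host") in news_hosts}


def smb_scanners(records, threshold=SMB_SCAN_THRESHOLD):
    """Identification step 1, second half: sources contacting >= threshold distinct hosts
    on TCP 445. Denied connections count too: a blocked probe still shows worm-like intent."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 445:
            targets[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def triage(records, missing_patch=MISSING_PATCH, missing_sig=MISSING_SIGNATURE):
    """Identification step 2: cross-reference firewall findings with WSUS and AV state.
    Returns {ip: sorted list of reasons the host needs attention}."""
    reasons = defaultdict(list)
    for ip in visited_news_site(records):
        reasons[ip].append("visited-news-site")
    for ip, n in smb_scanners(records).items():
        reasons[ip].append(f"smb-scan:{n}-targets")
    for ip in missing_patch:
        reasons[ip].append("missing-patch")
    for ip in missing_sig:
        reasons[ip].append("missing-av-signature")
    return {ip: sorted(r) for ip, r in reasons.items()}


def prioritized(records):
    """Order the triage list: hosts already scanning first, then hosts that visited the
    site, then exposed-but-quiet hosts (missing patch or signature only)."""
    t = triage(records)

    def key(item):
        ip, reasons = item
        scanning = any(r.startswith("smb-scan") for r in reasons)
        visited = "visited-news-site" in reasons
        return (not scanning, not visited, -len(reasons), ip)

    return sorted(t.items(), key=key)


if __name__ == "__main__":
    for ip, reasons in prioritized(parse_log(FIREWALL_LOG)):
        print(f"{ip:<12} {', '.join(reasons)}")
```

In the sample data, 10.1.2.15 both visited the site and probed five hosts on 445, so it tops the list; 10.1.2.40 visited but has not scanned yet, so it is the next containment candidate; 10.1.2.30 and 10.1.2.60 only show up in the WSUS and AV gaps and become patching work rather than incident work.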
At least that's my take; there are some good comments on the post as well.
