Jul 29 2011 10:57PM GMT
Posted by: Dan O'Connor
incident handling, incident handling game
Good times
http://isc.sans.org/diary.html?storyid=11251
So what do you do?
My basic steps:
Containment.
- Block access to the news site.
- Block access to the dropsites and download sites (if possible), or at least monitor for them with a signature.
- Restrict port TCP 445 between remote locations and servers where possible.
- Start updating machines with new AV signatures and system patches to stop the bleeding.
- Update the AV on the servers that require TCP 445 and cannot be patched. I have also seen some application firewalls for servers that might help.
- It might be possible to VLAN the infected workstations off the network, or route them through the main firewall to be scanned.
Identification.
- Use firewall logs to identify any machines that have visited the news site. Also use logs (hopefully) to watch for TCP 445 scans around the network. Going forward, an IDS signature would be good for this.
- Try to use WSUS logs to identify machines missing the needed patch, and cross-reference with AV logs for missing signatures.
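As an added illustration of the identification step (not part of the original post or the ISC diary), the script below runs the two firewall-log checks described above over a few constructed log lines: which hosts reached the news site, and which hosts are fanning out to many distinct targets on TCP 445. The log format, the hostnames and the scan threshold are all assumptions.

```python
"""Identification step: mine firewall logs for (a) hosts that reached the
compromised news site and (b) hosts fanning out on TCP 445.
The log format, names and threshold below are assumptions, not anything
taken from the post."""
from collections import defaultdict

# Constructed sample firewall log lines (assumed format:
# "<time> <src_ip> -> <dst_host_or_ip>:<dst_port> <action>").
SAMPLE_LOG = """\
10:01:02 10.0.1.15 -> news.example.test:80 ALLOW
10:01:05 10.0.1.15 -> dropsite.example.test:80 ALLOW
10:02:10 10.0.1.15 -> 10.0.2.1:445 ALLOW
10:02:10 10.0.1.15 -> 10.0.2.2:445 ALLOW
10:02:11 10.0.1.15 -> 10.0.2.3:445 ALLOW
10:02:11 10.0.1.15 -> 10.0.2.4:445 DENY
10:02:12 10.0.1.15 -> 10.0.2.5:445 DENY
10:03:00 10.0.1.20 -> files.corp.test:445 ALLOW
10:03:30 10.0.1.22 -> news.example.test:80 ALLOW
"""

NEWS_SITE = "news.example.test"   # assumed name of the compromised news site
SCAN_THRESHOLD = 5                # distinct 445 targets per source before flagging

def parse(log_text):
    """Yield (src, dst, port) tuples from the constructed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue  # skip blank or malformed lines
        dst, _, port = parts[3].rpartition(":")
        yield parts[1], dst, int(port)

def visited_news_site(log_text, site=NEWS_SITE):
    """Hosts that contacted the news site: candidates for AV and patch checks."""
    return sorted({src for src, dst, _ in parse(log_text) if dst == site})

def smb_scanners(log_text, threshold=SCAN_THRESHOLD):
    """Sources talking to >= threshold distinct hosts on TCP 445 (worm-like fan-out).
    DENY lines count too: blocked attempts are still evidence of scanning."""
    targets = defaultdict(set)
    for src, dst, port in parse(log_text):
        if port == 445:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    print("visited news site:", visited_news_site(SAMPLE_LOG))
    print("TCP 445 fan-out:", smb_scanners(SAMPLE_LOG))
```

The normal file server (10.0.1.20) talks to one host on 445 and is not flagged, which is the distinction the threshold is there to make.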
At least that's my take; there are some good comments on the post as well.