
Posted

My dad drives a 1988 Land Rover Defender V8, and every time someone in a new, efficient diesel gives him the same spiel he always replies with "The Landy only cost R60k. I can buy a shitload of fuel with the R400k change I have from not buying a Fortuner".

My brother said the same thing about his Landy, then fuel prices shot to R15+ and he realized that paying R800 to drive 300km wasn't what he wanted anymore.

That car was awesome to drive though.

 

Then again it's probably because I fill up every 3-odd months, being in a permanent work-from-home position :whistling:

Posted

I'll give you an example of my company's dilemma when it happened.

 

The servers that the data was on were shut down, immediately - that means we were unable to operate from that minute going forward. These were then formatted after the restore process on other servers was completed, and restored a few weeks later.

 

In the time between the existing servers being shut down and "repaired", software had to be loaded on other servers, e.g. ERP system, Exchange server, and all the other 3rd-party apps that were used (74 different apps). Once that was done, they had to test the integration between multiple servers and the apps we use, using a small amount of data. Once the testing was done, the backups could be restored - I don't know all the ins and outs, but I heard enough to understand the basics.

 

I'm not sure how Garmin would work, but I'm sure they would have a similar dilemma... have to reload everything from scratch.

 

edit: grammar

Yup it sounds about right.

I get involved in security incidents fairly often from an investigation perspective.

In our environment we run both Qualys and Crowdstrike on all servers. Qualys does vulnerability management and Crowdstrike is a bit of a hybrid intrusion detection system/AV software.

 

The normal route an attack like this takes (the same happened to Twitter recently) is that they will spearphish a known target in the organization and socially engineer their way through them.

Then it's a case of establishing a repeatable entry method in a few locations and an investigation of the network and servers.

At this point on a high profile network there should be a bunch of "honey pots" which are servers that exist for the sole purpose of finding out if anyone is in your network. There should be no activity on those servers at any point, so if something happens on them it trips an alert.

Back to the "hackers" they will often use really basic tools to try and elevate permissions and then start encrypting if their software is allowed to run...

 

Most servers would be virtualized these days so backups can be in the form of bare metal for the entire server layer of OS/apps/data. The backups can also be just data and config if it's quick enough to spin up a new server and install the basics before restoring.

 

To me though the bottom line is that it shouldn't have happened. Some security people are going to be sweating pretty hard through the hearings that follow this incident.
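The honeypot idea in the post above, as an added illustration that is not from the original thread: a honeypot host should see no activity at all, so the detection logic is simply "any event on a honeypot host is an alert", with the monitoring agent's own checks as the one expected exception. Host names, log lines and the syslog-like format below are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed: hosts that exist only to detect intruders (names are made up for the example).
HONEYPOT_HOSTS = {"fs-archive-07", "sql-legacy-02"}

# Assumption: the monitoring agent's heartbeat is the one expected noise source on a honeypot.
BENIGN_PROGRAMS = {"zabbix_agentd"}

# Constructed sample log lines in a simplified syslog-like format: "<ts> <host> <program>: <message>".
SAMPLE_LOGS = """\
2020-07-25T02:13:04Z web-01 sshd: Accepted publickey for deploy from 10.0.5.12 port 51844
2020-07-25T02:14:10Z fs-archive-07 sshd: Accepted password for administrator from 10.0.9.77 port 40212
2020-07-25T02:14:31Z fs-archive-07 smbd: connection from 10.0.9.77 to share backup
2020-07-25T02:15:02Z sql-legacy-02 zabbix_agentd: heartbeat from 10.0.1.5
2020-07-25T02:16:45Z sql-legacy-02 sshd: Accepted password for svc_backup from 10.0.9.77 port 40300
2020-07-25T02:17:00Z web-02 sshd: Failed password for root from 203.0.113.8 port 2222
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
SRC_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")

def honeypot_alerts(log_text, honeypots=HONEYPOT_HOSTS, benign=BENIGN_PROGRAMS):
    """Return one alert dict per log line that shows non-benign activity on a honeypot host."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["host"] not in honeypots or m["prog"] in benign:
            continue
        src = SRC_RE.search(m["msg"])
        alerts.append({"ts": m["ts"], "host": m["host"], "program": m["prog"],
                       "source": src.group(1) if src else None, "detail": m["msg"]})
    return alerts

def pivot_sources(alerts):
    """Group hits by source IP; one source touching several honeypots suggests lateral movement."""
    by_src = defaultdict(set)
    for a in alerts:
        if a["source"]:
            by_src[a["source"]].add(a["host"])
    return {src: sorted(hosts) for src, hosts in by_src.items() if len(hosts) > 1}

if __name__ == "__main__":
    hits = honeypot_alerts(SAMPLE_LOGS)
    for h in hits:
        print(f"ALERT {h['ts']} {h['host']} {h['program']} src={h['source']}: {h['detail']}")
    print("sources seen on more than one honeypot:", pivot_sources(hits))
```

On the sample above the web-01 and web-02 events are ignored, the zabbix heartbeat is ignored, and the three remaining events on the two honeypots all trace back to 10.0.9.77, which is the kind of pivot the post describes.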

Posted

To me though the bottom line is that it shouldn't have happened. Some security people are going to be sweating pretty hard through the hearings that follow this incident.

How will you implement a defensive strategy against WastedLocker? 

Posted


To me though the bottom line is that it shouldn't have happened. Some security people are going to be sweating pretty hard through the hearings that follow this incident.

We are a multi national GPS company also in some pretty important sectors.... I'm wondering if our IT team is sweating bullets... Pretty sure they are

Posted

I'm wondering why everything hasn't been restored from backup yet.

Did their SANs get infected too? Most have a hardened Linux-based kernel so it's unlikely to be the case.

Were they not backing up all of the core systems?

Or is it the age-old "we have backups" until you try to restore from them and find they don't actually work.

Hardened Linux-based kernel......can you serve that in digestible chunks?

Posted

We are a multi national GPS company also in some pretty important sectors.... I'm wondering if our IT team is sweating bullets... Pretty sure they are

 

I just know we will be getting questions from our non-execs this week.

 

"will you be ready if something happens to us?"

Posted

How will you implement a defensive strategy against WastedLocker? 

It has to be a multi-phased approach.

Firstly all filesystems should already be encrypted to begin with, secondly the flow of data should be segregated with very specific permission sets.

In terms of deployment tools for something like WastedLocker, the payload gets deployed via SocGholish or Cobalt Strike (or a combination). Having something like Crowdstrike will prevent them and the rest of the tools from executing; it will also alert and block traffic to the servers if set up correctly.

Most of these companies are not using a Privileged Access Management (PAM) system, but that would go a long way to both limiting damage and providing traceability on the actions performed on the affected servers.

 

With all of the zero-hour vulnerabilities for sale on the dark web it's not always possible to prevent intrusion, but the design of the systems should cater for that.

Unfortunately very few devs consider security when writing systems so the controls are not always in place.

Posted

If you still have to do bare metal restores with today's tech you should not be in IT at all.

I agree it's not always necessary, but sometimes it's the fastest way to get back online.

Ops teams and security teams generally have different and sometimes conflicting objectives, so I'm sure a full rebuild was what took place with Garmin.
