Catching actual NotPetya (or similar) actions with IPS possible?

Hello there,

Is it possible to catch actions from actual ransomware like NotPetya with IPS between subnets?

Example: clients in one subnet, servers in another one. One client is infected by NotPetya, which starts encrypting files on a file share (server subnet).

That's a normal file access via TCP 445 (CIFS/SMB). Is this behaviour (IP/frame pattern) detectable via IPS/Snort, or does it just see a normal file access from a client?

If not, how can I prevent access from infected clients whose on-access scanner (Sophos Endpoint) cannot see/recognise the infection due to missing pattern files (0-day)?

Thx,

Manuel

  • Hi Manuel,

    This is the first I've heard of this here.  V9 IPS Rules is the current list that might give you an answer.  Please share what you find.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The problem you run into with current products (IPS, antivirus, etc.) is that most of these "attacks" are really staged in such a way that the delivery mechanism and the payload can be manipulated separately. The vulnerability that NotPetya takes advantage of might be caught if that is the direct attack vector. However, typically what you see is that the delivery mechanism is something entirely different, such as a generic handler/trojan, which then fires off another attack to exploit the vulnerability in question behind the wall (and most monitoring) from a trusted resource (a workstation on the domain, for example). Most organizations are not watching closely for internal traffic like that, so it will most likely be missed on the wire. Once it executes, most basic antivirus products that are signature based will also likely miss the attack because they have no signatures to match it. About the only way to capture these events at this time is something that is actively monitoring and policing system calls. These are products like Carbon Black or Sophos Intercept X or their ilk. They are fairly expensive and are also still pretty new. But like everything else, there will be a way around them soon enough. The cat and mouse game will be going on for a long time.
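To make the point in this reply concrete: on the wire, a client encrypting a share is just SMB reads, writes and renames, so nothing for a signature to match. What is abnormal is the rate and shape of the activity (dozens of distinct files rewritten and renamed to a new extension by one workstation inside a minute). The script below is an added illustration of that behavioural heuristic; it is not code from the thread and not a feature of Sophos UTM, Snort or any IPS. It assumes a hypothetical file-server audit log with one line per SMB operation, and the log lines it runs over are constructed inline.

```python
"""Rate-and-shape heuristic for ransomware-like activity on a file share.

Added example, not from the thread and not a feature of any product named
in it.  Assumed (hypothetical) audit-log line format:
    "<ISO time> <client ip> <OP> <path>[ -> <new path>]"
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ntpath import splitext  # splits Windows/UNC paths correctly on any platform
from typing import Dict, List, Optional

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(.+?)(?:\s+->\s+(.+))?$")
MODIFY_OPS = {"WRITE", "RENAME", "DELETE"}

WINDOW = timedelta(seconds=60)  # sliding window evaluated per client
FILES_THRESHOLD = 20            # distinct files modified inside one window
EXT_CHANGE_THRESHOLD = 10       # extension-changing renames inside one window


@dataclass
class Event:
    ts: datetime
    client: str
    op: str
    path: str
    new_path: Optional[str] = None


def parse_log(text: str) -> List[Event]:
    """Parse audit lines; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, op, path, new_path = m.groups()
        events.append(Event(datetime.fromisoformat(ts), client, op, path, new_path))
    return events


def is_ext_change(e: Event) -> bool:
    """True for a rename that changes the file extension (e.g. .docx -> .locked)."""
    return e.op == "RENAME" and e.new_path is not None \
        and splitext(e.path)[1].lower() != splitext(e.new_path)[1].lower()


def find_suspicious_clients(events: List[Event], window: timedelta = WINDOW,
                            files_threshold: int = FILES_THRESHOLD,
                            ext_threshold: int = EXT_CHANGE_THRESHOLD) -> Dict[str, dict]:
    """Per client, find the busiest sliding window and flag it if it crosses a threshold."""
    per_client: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.op in MODIFY_OPS:          # reads are irrelevant to this heuristic
            per_client[e.client].append(e)

    alerts: Dict[str, dict] = {}
    for client, evs in per_client.items():
        evs.sort(key=lambda ev: ev.ts)
        touched: Counter = Counter()    # path -> modifications inside the window
        ext_changes = 0
        max_files = max_ext = 0
        start = 0
        for e in evs:                   # two-pointer sliding window over time
            touched[e.path] += 1
            ext_changes += is_ext_change(e)
            while e.ts - evs[start].ts > window:
                old = evs[start]
                touched[old.path] -= 1
                if touched[old.path] == 0:
                    del touched[old.path]
                ext_changes -= is_ext_change(old)
                start += 1
            max_files = max(max_files, len(touched))
            max_ext = max(max_ext, ext_changes)
        reasons = []
        if max_files >= files_threshold:
            reasons.append(f"{max_files} distinct files modified within {window}")
        if max_ext >= ext_threshold:
            reasons.append(f"{max_ext} extension-changing renames within {window}")
        if reasons:
            alerts[client] = {"distinct_files": max_files, "ext_changes": max_ext,
                              "reasons": reasons}
    return alerts


def build_sample_log() -> str:
    """Constructed sample: one ordinary workstation and one mass-renaming client."""
    share = r"\\fs01\finance"
    base = datetime(2017, 6, 27, 10, 0, 0)
    lines = []
    for i in range(6):                  # 10.1.1.20: a few reads/writes over ten minutes
        t = base + timedelta(minutes=2 * i)
        op = "WRITE" if i % 2 else "READ"
        lines.append(f"{t.isoformat()} 10.1.1.20 {op} {share}\\report{i}.xlsx")
    for i in range(25):                 # 10.1.1.50: rewrites and renames 25 files in 25 s
        t = base + timedelta(seconds=30 + i)
        lines.append(f"{t.isoformat()} 10.1.1.50 WRITE {share}\\doc{i}.docx")
        lines.append(f"{t.isoformat()} 10.1.1.50 RENAME {share}\\doc{i}.docx"
                     f" -> {share}\\doc{i}.docx.locked")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, info in find_suspicious_clients(parse_log(build_sample_log())).items():
        print(client, "; ".join(info["reasons"]))
```

Two caveats follow from the reply above. First, the heuristic needs per-operation visibility (server-side file audit logs or a sensor that decodes SMB), which a signature-based IPS rule set does not give you; with SMB3 encryption enabled on the share, the wire carries nothing an inspector can use at all. Second, the thresholds are a starting point: tune them against a baseline of your own clients, since a legitimate bulk copy or a backup job can cross them too.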

  • Very tricky subject and always ongoing. The best you can do is minimise the risk:

    1. Patch fairly quickly using a ringed approach
    2. Ensure your AV is up to date
    3. Ensure firewall rules are good and internal access is buttoned down as much as you can

    With regards to the UTM, use the DNS best practice and ensure no clients can do DNS, SMTP, etc. directly to the internet. It adds an extra layer of security, as the UTM will have to know about the transactions.

    We can't afford any outages due to the service we offer, so recently we added Sandstorm to the UTM and exploit (Intercept X) to our endpoints. A fair bit of expense and maybe a step too far for some.

    And the biggie... make sure you have a good backup strategy with fully tested working backups.

    Another thing we find very useful is Sophos iView. It allows you to pick up on patterns that you normally wouldn't spot, e.g. excessive firewall blocks etc. Well worth implementing with the UTM.