Windows of Opportunity for Ransomware – Offsetting Attacks with Proper Computer Monitoring
Up until now I’ve done a few newsletters about monitoring your Network Traffic. This is a good thing to do. The more you know about what’s normal, the easier it will be to spot problems. So, monitor things like:
- How much traffic is moving through your network devices (switches, firewalls, etc.)
- What type of traffic is flowing (Web pages, Email, etc.)
- How many different destinations it is going to
The more information you can grab about it, the better. But is that enough? Should your monitoring begin and end with looking at the traffic in your network?
Well, I’ve also written a newsletter about monitoring software. When you look at software, it’s important to monitor for:
- Missing updates/patches in your Operating Systems
- Missing updates/patches in software installed on your Systems
- Outdated and unused software installed on your Systems
Things of that nature are incredibly important to monitor and keep track of.
But what else? Saying “You need to monitor the important parts of your infrastructure” is correct. It’s also totally worthless, because it doesn’t tell you anything useful.
So, I’ve talked about the importance of monitoring traffic, as well as software. That’s great – these are specific things; but what else is important to monitor? There’s actually a big list, but for today we’ll keep it simple:
- Active Directory logins (successful and failed)
- Group Policy Object setting changes
Now to explain why you should monitor these: I was reading an article the other day about some Ransomware that got loose in a large Aluminium and Renewable Hydro company (Norsk Hydro, a Norwegian outfit). Apparently, the Ransomware they were infected with spread by making use of Active Directory. They’re a large company, and the last article I read said the event had cost them $40 million thus far.
The Ransomware was apparently distributed to a large portion of the computers using Active Directory. Everything I’ve read seems to show they were well-prepared to deal with the event and have handled it well. Even so, the infection was so widespread that it has impacted business for weeks, plus they’re most likely paying out lots of overtime to get things cleaned up as fast as possible.
That got me thinking: Active Directory is something that a lot of people have likely heard about for a long time and don’t actually know anything about.
To simplify things a lot, Active Directory is a framework that operates behind the scenes in Windows. It can be used to make changes to just about any setting you could think of. This includes things like minimum password lengths, how many failed logins are allowed before a user account locks, whether event logging is enabled, etc.
It can also be used to install, or uninstall, software remotely. If you have a domain set up (something many companies have), this can be done simultaneously on every connected computer. The settings that allow all of this are controlled by things called Group Policy Objects.
As you can imagine, an attacker who gained access to your network and managed to hijack a user with permissions to make changes to Active Directory would be able to do whatever they felt like and cover their tracks while doing so.
Therefore, it’s incredibly important to have a setup in place that monitors the login activity for all your Administrative users, as well as any changes that are made to your Group Policy Objects.
Setting up proper monitoring isn’t difficult or expensive. If you’re an expert, you can do it for free. For the rest of us (I include myself in this group), there’s software that can easily take care of it, and it’s cheap. Once the software is in place, it will send emails notifying your people of any activity that takes place.
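As an added example of the “do it for free” route (this is not from the original post or from any vendor tool), the script below reads the Security log on a domain controller for the two things recommended above: login activity, including failed and privileged logons, and Group Policy Object changes. It assumes the Windows audit policy already records logon events and Directory Service Changes (otherwise the log simply contains nothing to find), and the failed-logon threshold is an assumed value to tune for your own environment.

```powershell
# Added example: poll the Security log for the activity the post says to watch.
# Event IDs used (all built-in Windows Security events):
#   4625 = failed logon, 4672 = privileged (admin-equivalent) logon,
#   5136 = directory service object modified (GPO edits when auditing is on).
param(
    [int]$Hours = 1,
    [int]$FailedLogonThreshold = 5   # assumption: adjust for your environment
)
$since = (Get-Date).AddHours(-$Hours)

# Pull a named field out of an event's XML instead of relying on field positions.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Helper: fetch events of one ID since $since; empty result is not an error.
function Get-SecurityEvents {
    param([int]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

# 1. Failed logons grouped by target account, flagged above the threshold.
function Get-FailedLogonAlerts {
    Get-SecurityEvents -Id 4625 |
        Group-Object { Get-EventField $_ 'TargetUserName' } |
        Where-Object { $_.Count -ge $FailedLogonThreshold } |
        ForEach-Object { "[ALERT] $($_.Count) failed logons for '$($_.Name)' since $since" }
}

# 2. Every privileged logon: this is the "Administrative users" activity to track.
function Get-PrivilegedLogons {
    Get-SecurityEvents -Id 4672 |
        ForEach-Object { "[INFO] privileged logon by $(Get-EventField $_ 'SubjectUserName') at $($_.TimeCreated)" }
}

# 3. Group Policy changes: 5136 events on objects of class groupPolicyContainer.
function Get-GpoChangeAlerts {
    Get-SecurityEvents -Id 5136 |
        Where-Object { (Get-EventField $_ 'ObjectClass') -eq 'groupPolicyContainer' } |
        ForEach-Object {
            "[ALERT] GPO $(Get-EventField $_ 'ObjectDN') modified by $(Get-EventField $_ 'SubjectUserName') at $($_.TimeCreated)"
        }
}

Get-FailedLogonAlerts
Get-PrivilegedLogons
Get-GpoChangeAlerts
```

Scheduling this with Task Scheduler and piping its output to Send-MailMessage gives the same kind of email notification the paid tools provide; the useful part is still having someone read and act on those messages.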
Once you have a system for monitoring that is all set up, you just need to make sure you have qualified people who can properly monitor and react appropriately to those notifications… WHENEVER they might occur.
If you have any questions about Monitoring Active Directory, you can reach out to your TRINUS Account Manager for stress-free IT.
Your Friendly Neighbourhood Cyberman.