Ransomware is continuing to wreak havoc on companies and individuals, with the attacks getting more sophisticated on a daily basis. The latest was the Colonial Pipeline incident involving the Darkside ransomware.
While nothing is 100% secure, doing our best to prevent these things is a constant battle that enterprises worldwide must continue to fight.
With that, Palo Alto Networks has released guidelines for preventing Darkside from infiltrating your network (official documentation here):
Antivirus signatures: make sure the action for all protocols (HTTP2, IMAP, POP3, and others) is set to "reset-both".
Setting vulnerability and spyware signatures of severity High and Critical to "reset-both" or "drop" is good practice.
URL Filtering: set the following categories to block: command and control, dynamic DNS, hacking, high-risk, insufficient-content, malware, newly-registered-domains, not-resolved, parked, phishing, questionable, unknown.
SSL Decryption is one of the requirements for detecting malicious patterns, as most signatures use the http_decoder to inspect the content of the payload. The firewall can only inspect encrypted traffic (TLS/SSL/HTTPS) if it is decrypted using a decryption profile and policy.
File blocking profile: block password-protected compressed and zip files.
Remote access to OT and IT networks needs multi-factor authentication.
Use strong spam filters to prevent phishing emails from reaching end users.
Continuous monitoring and improvement in security posture based on alerts and threat logs.
Continuously train IT staff and end users to recognize social engineering.
Network traffic:
IP-based: prohibit ingress and egress communications with known malicious IP addresses.
URL-based: Prevent users from accessing malicious websites by implementing URL blocklists and allowlists.
Software updates: Make software updating centralized and controlled.
Risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
Limit RDP
Limit resource access
Limit resource access attempts
Regular scanning of resources by antivirus/antimalware.
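As an added example (not Palo Alto Networks' code or documentation), the script below audits an exported PAN-OS configuration against the antivirus "reset-both" and URL Filtering category items above. The XML layout (profiles/virus decoder entries and url-filtering block members) and the hyphenated category spellings are assumptions about the export format; adjust the paths to match your own export.

```python
import xml.etree.ElementTree as ET

# URL categories the checklist says to block (spelled as assumed in the export).
REQUIRED_BLOCKED = {
    "command-and-control", "dynamic-dns", "hacking", "high-risk",
    "insufficient-content", "malware", "newly-registered-domains",
    "not-resolved", "parked", "phishing", "questionable", "unknown",
}
# Antivirus protocol decoders that should all carry the reset-both action.
DECODERS = ("http", "http2", "smtp", "imap", "pop3", "ftp", "smb")

# Constructed sample export (assumed layout): pop3 was left at "alert" and the
# URL profile is missing dynamic-dns and newly-registered-domains.
SAMPLE_CONFIG = """<config><profiles>
 <virus><entry name="av-strict"><decoder>
  <entry name="http"><action>reset-both</action></entry>
  <entry name="http2"><action>reset-both</action></entry>
  <entry name="smtp"><action>reset-both</action></entry>
  <entry name="imap"><action>reset-both</action></entry>
  <entry name="pop3"><action>alert</action></entry>
  <entry name="ftp"><action>reset-both</action></entry>
  <entry name="smb"><action>reset-both</action></entry>
 </decoder></entry></virus>
 <url-filtering><entry name="url-strict"><block>
  <member>command-and-control</member><member>hacking</member><member>high-risk</member>
  <member>insufficient-content</member><member>malware</member><member>not-resolved</member>
  <member>parked</member><member>phishing</member><member>questionable</member><member>unknown</member>
 </block></entry></url-filtering>
</profiles></config>"""

def audit(xml_text):
    """Return a list of findings; an empty list means the profiles match the checklist."""
    root = ET.fromstring(xml_text)
    findings = []
    # Every antivirus profile: each decoder must be reset-both (missing counts as a gap).
    for prof in root.iter("virus"):
        for p in prof.findall("entry"):
            for dec in DECODERS:
                action = p.findtext(f"decoder/entry[@name='{dec}']/action", "(unset)")
                if action != "reset-both":
                    findings.append(f"antivirus '{p.get('name')}': {dec} action is {action}")
    # Every URL Filtering profile: all required categories must be in its block list.
    for prof in root.iter("url-filtering"):
        for p in prof.findall("entry"):
            blocked = {m.text for m in p.findall("block/member")}
            for cat in sorted(REQUIRED_BLOCKED - blocked):
                findings.append(f"url-filtering '{p.get('name')}': {cat} not blocked")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```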