Caute_cautim
Community Champion

What are you doing about Insider Threats?

Hi All

A very different twist on ransomware from the inside out.

https://www.wired.com/story/tesla-ransomware-insider-hack-attempt/

What is your organisation doing about thwarting this type of threat?

Regards

Caute-Cautim

3 Replies
ericgeater
Community Champion

  • removing administrator privilege from the user at the desktop
  • ensuring the PCs and storage servers have additional defenses, such as updated antivirus and / or EDR
  • we're not doing this, but blocking international IP ranges may be useful

I haven't really heard a good defense at the firewall level, other than signature-based detection or anomalous encrypted exfiltration detection.

But if a user is privileged enough, and if the data pool is large enough, and the servers are poorly hardened... that is a pickle, ennit?

--
"A claim is as good as its veracity."
tmekelburg1
Community Champion


@ericgeater wrote:
  • we're not doing this, but blocking international IP ranges may be useful

 


It might be if the C&C server IP is located in another Country. This can get unruly pretty quickly, based on my experience, depending on how many Countries you block/allow. I've had Windows 10 machines try and pull updates from Dublin, Ireland just as an example. 

Caute_cautim
Community Champion

@ericgeater IP reputation or geolocation blocking may also be useful.

Regards

Caute_cautim