Hi All,
A very different twist on ransomware from the inside out.
https://www.wired.com/story/tesla-ransomware-insider-hack-attempt/
What is your organisation doing about thwarting this type of threat?
Regards
Caute-Cautim
I haven't really heard a good defense at the firewall level, other than signature-based detection or anomalous encrypted exfiltration detection.
But if a user is privileged enough, and if the data pool is large enough, and the servers are poorly hardened... that is a pickle, ennit?
@ericgeater wrote:
- we're not doing this, but blocking international IP ranges may be useful
It might be if the C&C server IP is located in another country. This can get unruly pretty quickly, based on my experience, depending on how many countries you block/allow. I've had Windows 10 machines try to pull updates from Dublin, Ireland, just as an example.
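As an added illustration (not code from the thread or from any of the posters) of the two controls discussed above: the country allow-list from the quoted suggestion, including the caveat in the reply that legitimate update traffic can come from abroad, and the anomalous-volume egress detection mentioned in the earlier post. Hostnames, IPs (RFC 5737 documentation ranges), countries, the `windows-update` service label and the byte baselines are all constructed sample data, and the GeoIP lookup is assumed to have already happened upstream.

```python
"""Toy egress-policy evaluator over constructed flow records.

Combines a country allow-list on destinations (geo-blocking) with a
per-host outbound-volume baseline that flags anomalous bulk transfers.
All hosts, IPs, countries and byte counts are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_host: str
    dst_ip: str
    dst_country: str    # assumed already resolved by a GeoIP lookup upstream
    bytes_out: int
    dst_label: str = ""  # optional tag from an allow-list of known services


# Policy: domestic destinations only by default, plus explicit service
# exceptions so geo-blocking does not break legitimate update traffic.
ALLOWED_COUNTRIES = {"US"}
SERVICE_EXCEPTIONS = {"windows-update"}   # constructed label, not a real CDN name

# Typical outbound bytes per host per window (constructed baseline).
BASELINE_BYTES = {"ws-eng-01": 50_000_000, "ws-fin-07": 20_000_000}
ANOMALY_FACTOR = 5  # flag a host whose window exceeds 5x its baseline


def geo_decision(flow: Flow) -> str:
    """Return 'allow' or 'block' from the country allow-list alone."""
    if flow.dst_label in SERVICE_EXCEPTIONS:
        return "allow"
    return "allow" if flow.dst_country in ALLOWED_COUNTRIES else "block"


def volume_anomalies(flows, baseline=BASELINE_BYTES, factor=ANOMALY_FACTOR):
    """Sum outbound bytes per host and flag hosts over factor x their baseline.

    Only flows the geo policy allowed are counted: blocked traffic never leaves,
    so the volume check is what catches a large transfer to a domestic host.
    """
    totals = defaultdict(int)
    for f in flows:
        if geo_decision(f) == "allow":
            totals[f.src_host] += f.bytes_out
    flagged = {}
    for host, total in totals.items():
        base = baseline.get(host)
        if base is not None and total > factor * base:
            flagged[host] = total
    return flagged


def evaluate(flows):
    """Return (per-flow geo decisions, hosts flagged for anomalous volume)."""
    decisions = [(f.src_host, f.dst_ip, geo_decision(f)) for f in flows]
    return decisions, volume_anomalies(flows)


# Constructed sample flows: a legitimate update pull from Ireland, a small
# overseas connection, and a large transfer to a domestic destination.
SAMPLE_FLOWS = [
    Flow("ws-eng-01", "203.0.113.10", "IE", 8_000_000, dst_label="windows-update"),
    Flow("ws-eng-01", "198.51.100.5", "RU", 2_000),
    Flow("ws-fin-07", "192.0.2.44", "US", 400_000_000),
]

if __name__ == "__main__":
    decisions, flagged = evaluate(SAMPLE_FLOWS)
    for d in decisions:
        print(d)
    print("volume anomalies:", flagged)
```

Run as-is, the Irish update pull is allowed only because of its service exception (remove the label and the same flow is blocked, which is the unruliness the reply describes), the overseas connection is blocked by country, and the large domestic transfer is untouched by geo-blocking but flagged by the volume baseline. The two controls cover different failure modes, which is why neither alone answers the insider case.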