INTRODUCTION
The Padvish Malware and Forensics Analysis Team has compiled practical security recommendations for combating cyber threats, especially ransomware, based on its daily experience with real threats to organizations and networks across the country.
The purpose of this document is not to provide a comprehensive ISMS-style solution for any given network; that requires many hours of adaptation and compilation of different documents, and the relevant standards already do it well where it is needed. Nor is it a very detailed checklist for every type of technology and infrastructure, which would be too large to be usable.
Instead, this document focuses on practical, workable measures that network administrators can apply to the biggest common weaknesses, and it addresses these issues at an intermediate, understandable level.
Summary of critical security recommendations
The most important practical security measures that must be taken in any network to protect against the most common cyber threats, especially ransomware, include the following:
- Keep safe, up-to-date offline backups that are in no way connected to the production systems.
- Install antivirus on all systems in the network, keep it updated, enable all of its protection mechanisms, and review its alerts and events regularly (see the next section on how to monitor alerts).
- Update the operating systems and software on all systems in the network.
- Update the firmware and hardware of all infrastructure equipment and systems (virtualization hosts, switches, and so on).
- Observe the principle of least privilege: each user has only the minimum level of access required, and each address and service exposes only the necessary ports, and only to the minimum number of source IPs that need them.
- Close the Remote Desktop port and shared folders to the Internet, and use a token-based VPN if remote access is needed.
Further items are discussed in more detail in the following sections.
Network monitoring through Padvish
The following are the most important antivirus settings to check, along with the most important reports, which should be reviewed at least weekly.
- Install the latest Padvish Total Security version across the whole network and keep it updated.
- Change the default password of the Padvish Management Console (User Manager > Change Password).
- Set a password for the Padvish client settings (Change Client Settings > Padvish AV > Password) to prevent unwanted changes to or removal of settings.
- Ensure that Padvish is installed on all systems, and identify systems without Padvish using the discovery mechanism of the Padvish Management Console (Discovered Computers).
- Perform a full scan after installing Padvish.
- Create a periodic task for a quick or full scan of clients in the Padvish Management Console (Perform Task > Virus Scan).
- Ensure that the Padvish database is working properly by checking for up-to-date backups in the Last Backup column of the Managed Computers section of the Padvish Management Console.
- Pay attention to the status of clients (yellow and red) in Managed Computers. Check the Computer Status Reason column to find the cause and resolve the recorded warnings (contact Padvish Support if you need help).
- Ensure that the protection mechanisms are active (Real-time protection, Self-protection, UMP, Firewall, IPS, Anti-Crypto) and that the antivirus has no exceptions wider than necessary.
- Review the reports on detected malware and anti-ransomware events in the Padvish Management Console daily (Client Logs > Threats and Client Logs > AntiCrypto).
- Contact the Padvish support team if, in the previous step, you see a log entry with a Hacktool or Ransomware detection (this type of detection is usually a sign that intruders have entered the network and that an attack is imminent).
- Identify systems that are attacking others at the network level using the Custom Reports > Intrusion Detection: Top Sources Of Network Attacks report, and install Padvish on them.
Complementary measures
The following measures relate to general network policies. They are listed in order of priority and importance and should be applied in addition to a good antivirus and periodic monitoring to minimize the risk of attacks.
- Ensure that the Remote Desktop port (RDP) is not directly reachable from the Internet (if remote work requires it, use a token-based VPN).
- Ensure that remote-access tools such as AnyDesk and TeamViewer are not installed on servers and workstations. If such software is needed, use it only temporarily and interactively, and preferably do not leave it permanently configured for unattended, password-based access.
- Ensure that 1433 (SQL Server), 445 (shared folders), and other sensitive ports are closed to the Internet.
- Restrict access to management and infrastructure ports (switches, network equipment, server iLO interfaces, ESX, vCenter, and so on).
- Continuously review admin and VPN connections, especially those outside office hours.
- Back up information offline, and test the backups to ensure that each of them can be restored and is usable.
- Update operating systems and software (especially email, web, and database servers) regularly.
- Update the virtual infrastructure (ESX, vCenter), server firmware, and network equipment.
- Restrict access to shared folders.
- Restrict client access to SQL Server database ports and the like.
- Do not store admin passwords on systems.
- Install and update programs only from official sites.
- Activate software with a legal license; do not use cracking tools provided by various sites.
- Observe the principle of least privilege in all cases (give each user only the access they need).
- Separate different and unrelated parts of the network (VLANs) and prevent any unnecessary communication between these sections.
- Close unnecessary ports (in particular, ports 445 and 3389 should be closed to addresses that do not need them).
- Disconnect from the Internet any servers that do not require Internet access, or restrict their access to essential sites.
- Educate and warn users not to download and run suspicious files, and to report antivirus alerts to network administrators as soon as they see them.
- Change all admin passwords, review the accounts that have this level of access, rename the Administrator account on all networks and servers to a name that cannot be guessed, and apply passwords of the necessary complexity to all admin accounts in the domain, on local servers, and on other systems.
- Do not use the default security settings and passwords of software programs and hardware equipment.
- Activate an account lockout policy: after several unsuccessful login attempts, the account is locked.
- Define the necessary policies for complex, unpredictable, non-repeating passwords, and change them at least every three months.
- Disable the local admin account and give normal users the minimum possible access.
- Separate the network (air-gapped network) to secure all critical parts of the network.
- Have experts perform network penetration testing to identify weaknesses.
- Use a separate server to which logs and events are sent as they are recorded.
- Educate users so that they are familiar with intrusion methods and social engineering attacks.
- Encrypt information sent over the network.
- Use a multi-step authentication mechanism (multi-step verification).
- Define the necessary policies that specify the off hours.
- Physically protect important servers against human and natural hazards.
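The items above on reviewing admin and VPN connections outside office hours and on defining off-hours policies can be turned into a simple daily check. The following Python script is an added example for this document, not Padvish code and not a Padvish export format: it parses a constructed, simplified layout of Windows Security event 4624 (successful logon) records and flags admin logons outside the assumed office hours, remote logons (RDP and network logon types) outside office hours, and remote logons from addresses outside the assumed internal ranges. The office hours, admin account names, internal networks, and the log line layout are all assumptions to be replaced with the organization's own policy and log source.

```python
import ipaddress
import re
from datetime import datetime, time

# Assumptions for this example: adjust to the organization's own policy.
OFFICE_START = time(8, 0)
OFFICE_END = time(18, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday=0 .. Friday=4
ADMIN_ACCOUNTS = {"administrator", "it-admin", "svc_backup"}
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Windows event 4624 "Logon Type" values that indicate a remote session.
REMOTE_LOGON_TYPES = {3: "Network (SMB/share)", 10: "RemoteInteractive (RDP)"}

# Constructed sample in a simplified event 4624 layout (not a real export).
SAMPLE_LOG = """\
2024-03-04T09:15:02 4624 Account Name: it-admin Logon Type: 10 Source Network Address: 10.0.1.25
2024-03-04T23:40:12 4624 Account Name: administrator Logon Type: 10 Source Network Address: 203.0.113.7
2024-03-09T03:05:44 4624 Account Name: svc_backup Logon Type: 3 Source Network Address: 10.0.2.9
2024-03-05T12:00:00 4624 Account Name: alice Logon Type: 2 Source Network Address: 10.0.1.40
2024-03-06T19:30:00 4624 Account Name: alice Logon Type: 10 Source Network Address: 10.0.1.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) 4624 Account Name: (?P<user>\S+) Logon Type: (?P<ltype>\d+) "
    r"Source Network Address: (?P<src>\S+)$"
)


def parse_logons(text):
    """Return a list of logon dicts parsed from the simplified 4624 lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # not a 4624 record in the expected layout
        events.append({
            "when": datetime.fromisoformat(match["ts"]),
            "user": match["user"].lower(),
            "logon_type": int(match["ltype"]),
            "source": match["src"],
        })
    return events


def outside_office_hours(when):
    """True on weekends or outside the OFFICE_START..OFFICE_END window."""
    if when.weekday() not in WORKDAYS:
        return True
    return not (OFFICE_START <= when.time() < OFFICE_END)


def is_external(ip_text):
    """True when the source address is not inside an assumed internal range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # an unparseable source address is treated as suspicious
    return not any(addr in net for net in INTERNAL_NETWORKS)


def review_logons(text):
    """Return (timestamp, user, source, reasons) for every logon worth a look."""
    findings = []
    for ev in parse_logons(text):
        reasons = []
        remote = ev["logon_type"] in REMOTE_LOGON_TYPES
        if ev["user"] in ADMIN_ACCOUNTS and outside_office_hours(ev["when"]):
            reasons.append("admin logon outside office hours")
        if remote and is_external(ev["source"]):
            reasons.append("remote logon from address outside internal ranges")
        if remote and outside_office_hours(ev["when"]):
            reasons.append(f"{REMOTE_LOGON_TYPES[ev['logon_type']]} outside office hours")
        if reasons:
            findings.append((ev["when"].isoformat(), ev["user"], ev["source"], reasons))
    return findings


if __name__ == "__main__":
    for when, user, source, reasons in review_logons(SAMPLE_LOG):
        print(f"{when} {user:<14} {source:<15} {'; '.join(reasons)}")
```

On the constructed sample this reports the Administrator RDP session at 23:40 from an address outside the internal ranges, the Saturday 03:05 network logon by the backup service account, and an ordinary user's evening RDP session, while the daytime logons pass. In practice the same three checks apply to VPN concentrator logs, where the source address and logon time are the fields of interest.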
What to do in case of an incident?
- Keep calm and inform the antivirus support team as soon as possible.
- Isolate the affected systems (disconnect them from the network).
- Stop (suspend) infected virtual machines; shut down physical systems infected with ransomware.
- Do not shut down the system using software methods such as the operating system's shutdown menu, as this can cause the ransomware to run again and damage more information. It is recommended to turn off the servers physically by disconnecting the power supply.
- Note that time is an important factor in ransomware attacks: you must act quickly, both to prevent the attack from spreading and reduce the damage, and to keep restoration from backups possible.
- Contact the antivirus forensics or support team to investigate the issue.