Thursday, January 15, 2009

Blog: How One Company Cleaned Up The Thumb Drive Attacks- And Learned A Lot In The Process.


SANS NewsBites Vol. 11 Num. 3; 1/15/2009

Here's the email I got in answer to "Why Did You Send People To SANS This Year When You Have A Ban On Training and Travel?"

Alan,

Take a closer look; you'll find that 12 or 13 people are coming from (company) to SANS in Orlando, not just my three. The others are coming from other divisions. Here's why. You remember the big wave of attacks last November where infections were spread by thumb drives. We got hit by that. It is amazing how often people use those things. It spread to dozens of Windows file servers, and from there jumped to thousands of workstation systems. Clogged our networks. It was so bad a lot of machines, including the ones on the top floor of this building, had to be taken off line - and that got some unwanted visibility from the CEO.

We called both our AV vendors but neither had a signature for this virus yet. It took a long time and a lot of pain before we found all the machines that were hit, stopped the spread to new machines, and got rid of the (expletive deleted) thing. The whole company - every US division and international.

So what does that have to do with my guys going to SANS? It turns out our CEO was in the UK visiting our facility there and somehow the topic of the virus came up and our UK manager told him it had hardly been a problem at all in the UK. He said his security guys found it within a few minutes and cleaned it out. As you might imagine the CEO's follow-up email to me was unpleasant. So I called my counterpart in the UK and asked him how he had dealt with the attack so easily. He told me one of his guys knew what to do immediately. He said he used the built-in Windows WMIC command to find systems with the malware processes running and that also told him about the changes made by the malware. Then, he used the reg command to remove an entry from the auto-start capabilities of infected machines to stop the malware from running on startup. He also said the reg command let him change the USB and CD/DVD autorun function to stop similar infections. After shutting down the malware and stopping it from spreading, he said he used a couple more techniques to clean up the infected machines quickly. I asked where his guy learned all that. He said at SANS, in a course called 504 which I later learned was your Hacker Exploits and Incident Handling class. I reported that back to our CEO. He told me to make sure every division had at least two people who knew those techniques. So, our travel ban was lifted for SANS.

==end==
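The email describes the UK team's response in three steps: use WMIC to find which systems are running the malware process (and see what it changed), use reg to remove its auto-start entry, and use reg to turn off USB and CD/DVD autorun. The script below is an added illustration of that sequence using only the built-in wmic and reg commands; it is not the UK team's script and the email does not say exactly what they ran. The process name badproc.exe and the Run-key value name badproc are placeholders chosen for the example (the email never names the malware or its registry entry), and the hosts to sweep are passed as command-line arguments.

```batch
@echo off
REM Added example, not from the SANS NewsBites email.
REM Sweeps the hosts given on the command line for a known malware process,
REM terminates it, removes its Run-key autostart, and disables autorun.
REM Run from an account with local admin rights on the targets, e.g.:
REM   sweep.cmd ws01 ws02 fileserver03
setlocal

REM ASSUMPTIONS (placeholders, not from the page): the malware runs as this
REM process name and persists through this value under HKLM\...\Run.
set MALPROC=badproc.exe
set RUNVAL=badproc
set RUNKEY=SOFTWARE\Microsoft\Windows\CurrentVersion\Run
set POLKEY=SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

if "%~1"=="" (
  echo usage: %~nx0 host1 [host2 ...]
  exit /b 1
)

for %%H in (%*) do (
  echo === %%H ===

  REM Step 1: is the malware process running on this host? WMIC also shows
  REM where the binary was dropped and how it was launched, which is the
  REM "changes made by the malware" the email refers to.
  wmic /node:"%%H" /interactive:off process where "name='%MALPROC%'" ^
       get Name,ProcessId,ExecutablePath,CommandLine /format:list 2>nul ^
       | findstr /i "ExecutablePath" >nul
  if not errorlevel 1 (
    echo [!] %MALPROC% is running on %%H
    wmic /node:"%%H" /interactive:off process where "name='%MALPROC%'" ^
         get ProcessId,ExecutablePath,CommandLine /format:list 2>nul

    REM Step 2a: kill the running instances.
    wmic /node:"%%H" /interactive:off process where "name='%MALPROC%'" call terminate

    REM Step 2b: remove the auto-start entry so it does not return on reboot.
    reg delete "\\%%H\HKLM\%RUNKEY%" /v "%RUNVAL%" /f
  ) else (
    echo [ok] %MALPROC% not running on %%H
  )

  REM Step 3: disable autorun for every drive type (0xFF sets all bits of
  REM NoDriveTypeAutoRun, covering removable USB media and CD/DVD). This is
  REM applied to every swept host, infected or not, to block reinfection.
  reg add "\\%%H\HKLM\%POLKEY%" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
)

endlocal
```

Two caveats a responder would keep in mind: reg delete against the Run key only removes the one persistence mechanism the email mentions, and the email itself says further techniques were needed to finish cleaning the machines; and the NoDriveTypeAutoRun policy takes effect for sessions started after it is set, so the change should be verified with reg query once users have logged back on.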
