Thread by Shak The Hack, 7 tweets, 2 min read
Ransomware Thread: One day a user clicked on a malicious link which caused some havoc - the company files got encrypted with ransomware. Upon investigation, looking at the headers of the email, it was noted that the email had come from one of the DR servers. How? Why?

#infosec
Apparently the Exchange Admin had decided to carry out a DR test but had not considered including the spam filter failover as part of the test. It was only meant to be for a short while. I mean, what could possibly go wrong?

Also, this was a known threat, so why didn't the IPS block it?
Well, it turns out the DR mailbox IPs had been added to an access policy, but that policy had not been configured with file analysis. Therefore the email attachment went undetected, passed the firewall and, since no spam filter was there, ended up in the user's mailbox.
Ok.... what about the AV? Well, again it turns out the laptop had been off the network and signatures had not been updated either. Wow, talk about Defence in Depth, that's three layers passed already..
What made the recovery task easier was that only that particular user's department was impacted. Why? Because the NTFS permissions applied on that file share were restricted to a very granular level, which meant only that user and his team were impacted.
The files were restored from recovery. However, many important lessons were learnt.
- Plan your DR properly
- Have incident response plans ready
- Don't work in silos: communicate your plans to each other
- Monitor endpoints, especially AVs, for missing signatures etc.
- Defence in Depth can be a life saver
- Test that backups are working

#infosec #ransomware #CyberSecurity