Craig discusses the signs that you may be under attack and what to do about it.
For more tech tips, news, and updates visit – CraigPeterson.com
Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] So what’s the first sign that you are about to get hit by ransomware? that’s what we’re going to talk about right now. We’re going to go through some of these signs. What does it mean to you as a business? You’ve got a hundred, 200 employees or maybe more, maybe less. This could be bad.
Hey Craig, Peterson here. Thanks for joining me. I appreciate the time you’re spending with me today. I have really been enjoying it. Of course on WGAN are going to be continuing after that top of the hour. So make sure you stay with us, but we’ve got a whole other hour left. So what is going on here when somebody is trying to break in we’re generically calling this ransomware because that is frankly.
One of the major attack vectors that we’re seeing right now is the whole ransomware attack. What does that mean to you? So that’s exactly where we’re going. You should be seeing some signs. So let’s talk about the signs that I have seen. One is that your email is weird. No. I know that’s not a great definition.
But that’s what I always hear. So something weird is going on with our email. Craig, would you bring your team in and have a look at this for us? We’re not quite sure what, and it might be that there are emails that are being received by your clients or maybe your vendors. You’re trying to straighten it out.
What’s what, when what, and he can’t quite figure it out. So that’s a very common one. We get called in on to do some research and try and find out what is going on. So there’s number one. Another one is if you’re in that a hundred to 250 employee range that we’re working with a lot if you have an active directory server and for some reason, Logins are failing.
So the concept behind this is Microsoft. Once again, took some technology, Kerberos technology, let’s steal it and use it and mess it up while we’re at it and create it, this whole active directory concept, which is a major hack. It’s just Microsoft. But anyway, yeah. The idea is you have an active directory server and that server can provide file servers.
It can provide DNS, it can give you your DHCP or internet addresses. It can put everything together in one place, including log-ins, access control, lists. All kinds of things that will really help your network. So don’t get me wrong here. I think you should be using active directory if you have a Microsoft based network. You really should. Because you’re going to be much better off than if you try and maintain a hundred desktops manually. Okay. There really is no choice in this, but if you’re, we’re starting to see log-in failures, people are saying, yeah, I’m trying to log in. I can’t get in what’s going on.
Okay. That’s a sign. If you’re getting VPN connections, failing and your VPN server just isn’t working right. So those are the very basics. So let’s get into a little bit more detail here. If you go on to your active directory server, it is going to show multiple log-in failures. That’s a very big deal here.
If you’re seeing three login fails in a row, particularly from your remote desktop servers, you might be in trouble. A remote desktop is one of the ways. The bad guys are getting in because there are a number of known vulnerabilities in them. Most people, again, haven’t patched them up and businesses just didn’t have time to prepare for the whole COVID-19 thing.
So they sent people home and their systems weren’t set up. So keep an eye. If you have an active directory server, keep an eye on it. The log-in errors you might be having. If you’re using a remote desktop. Particularly if you’re exposing the server directly to the internet, it’s a very big problem.
Bruce brute force attacks, Bruce force a very big deal here. Because we’re seeing these all of the time, you should be keeping an eye on your firewall and your firewall should be logging. In fact, if you’re a regulated industry, it has to be logging and you have to have an accurate time source. So if you have all of this data and it’s logging it and it’s alerting you.
That there are a lot of attacks underway. that might be a sign that ransomware is heading your way and you turn well better, make sure that you have everything patched up. Okay. That’s just a really good idea. The bottom line also. You should look for your brute force attacks, not just on your firewall, but again, on your remote desktop system.
Once they’re inside your network, the bad guys are going to start looking for passwords, password files, various types of zip files, doc files, word texts, all of those sorts of things. Nowadays, they are running. Basically shell scripts. Microsoft came out with what they call power shell yet another rip-off.
And, they didn’t do a particularly good job on it and it is particularly vulnerable and that’s a bad thing. A lot of those PowerShell attacks that are underway are non-disc resident. They are memory resident, which means that none of your antivirus software is going to catch any of it. Okay. A very big deal there.
Also, keep an eye on phishing emails. These things have been coming in for a long time. Some of them have very strange domain names, keeping high out with your analysis tools. Again, hopefully, you’ve got a whole integrated system. That’s looking at all of this stuff, these new domains that are coming into your network, do you flag them?
Does your firewall have the ability to flag them? So all of a sudden you’re seeing a bunch of people going to xyz.com and no one’s ever gone there before. You should have a flag for that, because oftentimes what’s happening is the bad guys have some software that’s trying to exfiltrate trying to take your data out of your network.
To use against you. That’s where open DNS can come in. very well handy. Cisco umbrella. That’s what we use there. The free version or inexpensive versions for home. Check it out. Cisco umbrella. I think it’s an umbrella.com but Cisco umbrella and that will help dramatically. With the exfiltration of data with phishing domains, et cetera, stopping them from being nasty, next time, or this is on an article, dark reading, and he’s got a lot of good information in here.
recently adding some things, taking some things. Yeah. I’m using my actual experience As to what’s happening up here. But. Questions that are really being raised about a particular machine. This is from an incident response manager. My name is Peter McKenzie saying. questions that everyday users aren’t normally asking, is this a Mac or Windows?
What’s the domain and company name? What kind of admin rights is the computer? Yeah, if you’re getting those coming into your help desk, you may have a big bloom, frankly. Okay. Also, security tools that aren’t being used by your security people. So keep an eye out for that. There are a number of pieces of security software that I teach people how to use that are going to really help you with digging into everything.
But to have a look at the few of them that are out there, things like process hacker, IO bit, and PC Hunter. So they’re legitimate tools, but not being used by just a regular user. So keep an eye on what’s running on the machines. Timestamps can be very weird. So keep an eye on that. Some VPN servers do have information about the time of the source of the VPN.
So if all of a sudden you’re seeing time connections that are coming in a really weird time zones like Russia, China, wherever it might be. There’s another sign. The ransomware might be on the way in, if not in already. Then traffic, all of a sudden goes up. You have a huge spike going to somewhere. I don’t know the internet.
Maybe you can trace it to the dark web. Maybe you can’t, but questionable places. Now keep an eye out for that. Unusual DNS requests. A very good thing to watch out for, but again, that’s why you use Umbrella. It will keep tabs on those and it’ll stop better than 90% of these bad guys from being able to install software that can call home.
And that’s very important. You may not be able to tell a tour site. I teach this again. You can use Tor and the onion network in order to hide your identity to a degree it’s none of this is absolutely perfect again, but the bad guys use it and they use it a whole lot. So what we do with our clients is we block these TOR entrance/exit sites, these onion network sites. So that bottom line, the bad guys just can’t get in. They can’t do anything about it. I think that’s really important to do That is your top sign that you’re about to get hit with ransomware and they all revolve around keeping an eye out for what’s going on in your network.
What you should be doing, what you shouldn’t be doing when it comes to your security software. If you own a business, if you’re C level responsible for some of this stuff, make sure you get some training, make sure your people get some training because a lot of these attacks are actually based on ignorance.
That’s where people don’t know that you should not be clicking on that type of email. People don’t know how to determine whether or not a URL is a legitimate URL either. Now we have all kinds of pieces of training for security that we provide to our clients and the tracks who’s doing what and helps to meet all of the regulations, whether it’s HIPAA or you name it.
But if you don’t have anything really simple little quiz training, you can do. Is available online for free from Google. Now, this is just a, it’s a few questions, but it helps to educate users about fishing. You can find it online. Just go to phishing quiz, all one-word fishing. P H I S H I N G phishing quiz dot with Google.
Dotcom and you can take that quiz. It’s very simple to do. It’s fun. I got a hundred door, And, they have emails and it acts kinda like Gmail for reading the emails and shows you what you should be looking for in order to catch some fishing. Going on with your email. So check that out again.
The phishing quiz dealt with google.com. It’s at a minimum and, your MSSP or managed security services provider should be providing you with training for all of your employees and tracking it to and giving you reports to make sure that you are compliant with all of the regulations out there. thanks for sticking with me here for the first hour.
We’re going to be back here on WGAN after the top of the hour. Of course, news and everything else. Make sure to join me every Wednesday, the morning at about seven 30 with Matt Gagnon, as we discuss the latest tech news out. There and visit me online. Craig peterson.com. If you missed any part of today’s show, you’ll find it right there in your favorite podcast app.
More stories and tech updates at:
Don’t miss an episode from Craig. Subscribe and give us a rating:
Follow me on Twitter for the latest in tech at:
For questions, call or text: