Endpoint Protection

  • 1.  What do you do against these kinds of attacks?

    Posted Apr 19, 2018 04:16 PM

    Branching off from this thread.

    https://www.symantec.com/connect/forums/where-can-i-see-more-information-about-small-yellow-sep-popup-notifications#comment-12017131


    I'm not directly involved in this anymore.  We're seeing more of these kinds of attacks and it doesn't appear to be a friendly surprise security scan, at least not for all the remote ip addresses.


    Here's a sample of the descriptions.  I see a lot of these in the logs.


    Attack: SMB Double Pulsar Ping

    Audit: Unimplemented Trans2 Subcommand

    OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Web Attack: IIS Server CVE-2017-7269

    What's a good response to an ongoing attack like this?  Just about every hour for 10-15 minutes an ip address will go after anything on subnets I work within.


    It's been sent to higher security levels in my organization.  Isn't the best thing to find the remote host ip machines and take those out?  From what I've seen I think 95% of the remote host ip addresses are within my overall organization.  Remove the source of the problems (infected machines I would think), not as much adjustments made on my end?  But on my side, is there anything I should be doing?  Machines are updated.   Symantec is installed and updated.  All the attacks are from outside my subnets but as far as I can tell still within the range of the overall organization.  I'm thinking the best option is for people above me to remove those infected, attacking machines, and we've given them plenty of information from logs to find them.  Do you agree?  Beyond that, is there anything reasonable I should do for things I might control on my end?  On one extreme, someone could say if you're not using a machine, shut it off, problem solved.  But is that "problem solved" really if the attacker is still there?  I've removed the target but that's it.  And I'm wondering why I should change anything on my side if the main attack threat is still present.  Is "hide more targets" really a great strategy?



  • 2.  RE: What do you do against these kinds of attacks?

    Posted Apr 19, 2018 04:18 PM

    Is this just swatting flies?  I've made a few firewalls in the past.  It should be possible to remotely deploy an extra firewall on user machines to block an ip address I think.  The attacker could just change ip addresses, but potentially I could lessen an attack that way.  Later, remove the extra firewall rule.



  • 3.  RE: What do you do against these kinds of attacks?

    Posted Apr 19, 2018 04:27 PM
    Is the remote attacker an internal or external IP? Make sure the box is patched and block any external IPs that shouldn't be hitting it.


  • 4.  RE: What do you do against these kinds of attacks?

    Posted Apr 19, 2018 05:00 PM

    Outside of my subnets/subdepartment but still within the overall organization/subnets, as far as I can tell.  I don't recognize the ip addresses, and I don't have control over those machines.  That's why I thought it might be a security person higher up doing a scan.  From what I saw in the past security people above me would immediately disable an account, network port, or whatever they had to do when they became aware of a threat.  I wonder how these attacks slipped by for so long.  If I'm getting attacked I would think my ip space neighbor is getting attacked too.



  • 5.  RE: What do you do against these kinds of attacks?

    Posted Apr 19, 2018 05:12 PM

    Looking at the logs it looks like it runs through all the ip space for my subdept.  Then things are quiet for several hours.  Then it repeats.   That's all from one ip address as the remote host.  I would imagine when it's quiet in my area, whatever is scanning has moved over into the space of another subdept.  It looks like two passes this afternoon, two passes early this morning, one later last night, two passes yesterday toward the end of the day...  It looks like (what I'm calling) passes/scans are either one or two hours apart.



  • 6.  RE: What do you do against these kinds of attacks?

    Posted Apr 19, 2018 05:32 PM
    I'd start by asking if vulnerability scans are running so you're not chasing ghosts. Either that or you have a compromised machine.
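
The thread's three practical questions are: which remote hosts are producing the signatures listed in post 1, whether the activity forms the periodic "passes" described in post 5, and (post 6) whether a given source is a known vulnerability scanner rather than a compromised machine. The script below is an added example written for this page, not Symantec's code and not anything a poster provided. It assumes alerts have already been exported to a simplified `timestamp,event,remote host,local host` CSV layout (the sample records are constructed; only the signature names come from post 1), it assumes a 30-minute silence separates one pass from the next, and it takes an optional set of known scanner IPs so authorized scans can be set aside before escalating the rest.

```python
"""Group IPS alerts by remote host and detect periodic scan passes (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified "timestamp,event,remote host,local host"
# layout. These are not real SEP log lines; only the signature names are from the thread.
SAMPLE_LOG = """\
2018-04-19 08:02:11,Attack: SMB Double Pulsar Ping,10.20.5.77,10.30.1.10
2018-04-19 08:02:13,OS Attack: Microsoft SMB MS17-010 Disclosure Attempt,10.20.5.77,10.30.1.10
2018-04-19 08:03:40,Audit: Unimplemented Trans2 Subcommand,10.20.5.77,10.30.1.11
2018-04-19 08:09:02,Web Attack: IIS Server CVE-2017-7269,10.20.5.77,10.30.1.12
2018-04-19 10:02:11,Attack: SMB Double Pulsar Ping,10.20.5.77,10.30.1.10
2018-04-19 10:04:30,OS Attack: Microsoft SMB MS17-010 Disclosure Attempt,10.20.5.77,10.30.1.11
2018-04-19 10:12:10,Attack: SMB Double Pulsar Ping,10.20.5.77,10.30.1.13
2018-04-19 11:02:11,Attack: SMB Double Pulsar Ping,10.20.5.77,10.30.1.10
2018-04-19 11:06:45,OS Attack: Microsoft SMB MS17-010 Disclosure Attempt,10.20.5.77,10.30.1.12
2018-04-19 11:30:00,Audit: Unimplemented Trans2 Subcommand,10.20.9.4,10.30.1.10
"""

# Assumed threshold: a silence longer than this from one remote host starts a new pass.
GAP = timedelta(minutes=30)


def parse_log(text):
    """Parse the CSV-style export into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, remote, local = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sig": sig, "remote": remote, "local": local,
        })
    return sorted(events, key=lambda e: e["ts"])


def cluster_passes(events, gap=GAP):
    """Return {remote_ip: [pass, ...]}; a pass is a burst of alerts from one
    remote host where consecutive alerts are no more than `gap` apart."""
    by_remote = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_remote[e["remote"]].append(e)
    result = {}
    for remote, evs in by_remote.items():
        passes = []
        for e in evs:
            if passes and e["ts"] - passes[-1]["end"] <= gap:
                cur = passes[-1]          # extend the current burst
                cur["end"] = e["ts"]
                cur["targets"].add(e["local"])
                cur["sigs"].add(e["sig"])
            else:                         # silence exceeded the gap: new pass
                passes.append({"start": e["ts"], "end": e["ts"],
                               "targets": {e["local"]}, "sigs": {e["sig"]}})
        result[remote] = passes
    return result


def summarize(text, known_scanners=frozenset(), gap=GAP):
    """Per remote host: pass count, minutes between pass starts, distinct
    targets and signatures, and a triage verdict suitable for an escalation."""
    out = {}
    for remote, passes in cluster_passes(parse_log(text), gap).items():
        starts = [p["start"] for p in passes]
        intervals = [int((b - a).total_seconds() // 60)
                     for a, b in zip(starts, starts[1:])]
        targets = set().union(*(p["targets"] for p in passes))
        sigs = set().union(*(p["sigs"] for p in passes))
        if remote in known_scanners:
            verdict = "known scanner"
        elif len(passes) >= 2 and len(targets) >= 2:
            verdict = "periodic sweep: escalate"   # repeated bursts across several hosts
        else:
            verdict = "isolated alert"
        out[remote] = {"passes": len(passes), "intervals_min": intervals,
                       "targets": len(targets), "signatures": sorted(sigs),
                       "verdict": verdict}
    return out


if __name__ == "__main__":
    for remote, s in summarize(SAMPLE_LOG).items():
        print(remote, s)
```

On the constructed sample, 10.20.5.77 shows three passes 120 and 60 minutes apart against four local hosts with all four signatures, which is the pattern post 5 describes and the evidence worth handing up the chain; 10.20.9.4 produces a single alert and is reported as isolated, or as a known scanner if its address is passed in `known_scanners`.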