Branching off from this thread.
https://www.symantec.com/connect/forums/where-can-i-see-more-information-about-small-yellow-sep-popup-notifications#comment-12017131
I'm not directly involved in this anymore. We're seeing more of these kinds of attacks, and it doesn't appear to be a friendly surprise security scan, at least not for all the remote IP addresses.
Here's a sample of the descriptions. I see a lot of these in the logs.
Attack: SMB Double Pulsar Ping
Audit: Unimplemented Trans2 Subcommand
OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
Web Attack: IIS Server CVE-2017-7269
What's a good response to an ongoing attack like this? Just about every hour, for 10-15 minutes, an IP address will go after anything on the subnets I work within.
It's been sent to higher security levels in my organization. Isn't the best thing to find the remote host IP machines and take those out? From what I've seen, I think 95% of the remote host IP addresses are within my overall organization. Remove the source of the problems (infected machines, I would think), rather than making adjustments on my end?

But on my side, is there anything I should be doing? Machines are updated. Symantec is installed and updated. All the attacks are from outside my subnets but, as far as I can tell, still within the range of the overall organization. I'm thinking the best option is for people above me to remove those infected, attacking machines, and we've given them plenty of information from logs to find them. Do you agree?

Beyond that, is there anything reasonable I should do for things I might control on my end? On one extreme, someone could say if you're not using a machine, shut it off, problem solved. But is that "problem solved" really if the attacker is still there? I've removed the target but that's it. And I'm wondering why I should change anything on my side if the main attack threat is still present. Is "hide more targets" really a great strategy?
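The post's claim that most of the sources are inside the organization, and that each one works in roughly hourly bursts, is the kind of thing worth quantifying from the IPS log before handing it up the chain. The script below is an added example, not code from the thread or from Symantec: it parses a simplified "timestamp | remote IP | description" layout (an assumption; a real SEP export has more columns, so adapt the regex), counts events per source, tags each source as external, elsewhere in the organization, or in one of the poster's own subnets, measures the per-hour burst length, and produces the list of internal sources to send to the organization-level team. The address ranges and the log lines are constructed for the example.

```python
"""Triage IPS log lines: which sources are hammering us, where do they sit
relative to our own address space, and how bursty are they?

Added example, not from the original post.  The log layout, the ORG_RANGES
and MY_SUBNETS values, and SAMPLE_LOG are all constructed assumptions.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed organization-wide address space (constructed for the example).
ORG_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("172.16.0.0/12")]
# Assumed subnets the poster administers (constructed).
MY_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample lines in the assumed "timestamp | remote_ip | description" layout.
SAMPLE_LOG = """\
2017-06-01 08:02:00 | 10.45.3.17 | Attack: SMB Double Pulsar Ping
2017-06-01 08:02:30 | 10.45.3.17 | OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
2017-06-01 08:08:00 | 10.45.3.17 | Audit: Unimplemented Trans2 Subcommand
2017-06-01 08:14:00 | 10.45.3.17 | Web Attack: IIS Server CVE-2017-7269
2017-06-01 09:03:00 | 10.45.3.17 | Attack: SMB Double Pulsar Ping
2017-06-01 09:13:00 | 10.45.3.17 | OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
2017-06-01 09:12:00 | 203.0.113.9 | OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
2017-06-01 10:04:00 | 10.45.3.17 | Attack: SMB Double Pulsar Ping
2017-06-01 10:15:00 | 10.20.7.3 | Web Attack: IIS Server CVE-2017-7269
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<ip>[0-9A-Fa-f.:]+) \| (?P<desc>.+)$")


def parse_log(text):
    """Return a list of (timestamp, ip_address, description) tuples."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # line does not fit the assumed layout; skip it
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), ip, m["desc"]))
    return events


def classify(ip):
    """Where does the source sit: our own subnet, elsewhere in the org, or outside?"""
    if any(ip in net for net in MY_SUBNETS):
        return "my-subnet"
    if any(ip in net for net in ORG_RANGES):
        return "org-internal"
    return "external"


def burst_minutes(timestamps):
    """Per-hour activity span in minutes (first to last event within each hour)."""
    hours = defaultdict(list)
    for ts in timestamps:
        hours[ts.replace(minute=0, second=0, microsecond=0)].append(ts)
    return {h: (max(v) - min(v)).total_seconds() / 60 for h, v in hours.items()}


def summarize(events):
    """Per source IP: event count, classification, signature mix and hourly bursts."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[str(ev[1])].append(ev)
    return {
        src: {
            "count": len(evs),
            "class": classify(evs[0][1]),
            "signatures": Counter(desc for _, _, desc in evs),
            "bursts": burst_minutes([ts for ts, _, _ in evs]),
        }
        for src, evs in by_src.items()
    }


def internal_share(events):
    """Fraction of events whose source is anywhere inside the organization."""
    if not events:
        return 0.0
    return sum(1 for _, ip, _ in events if classify(ip) != "external") / len(events)


def handoff_list(report, min_events=2):
    """Org-internal sources (not ours to fix) worth sending to the wider security team."""
    return sorted((src for src, r in report.items()
                   if r["class"] == "org-internal" and r["count"] >= min_events),
                  key=lambda s: -report[s]["count"])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    rep = summarize(evs)
    for src in sorted(rep, key=lambda s: -rep[s]["count"]):
        r = rep[src]
        bursts = ", ".join(f"{h:%H}:00 {m:.0f} min" for h, m in sorted(r["bursts"].items()))
        print(f"{src:15} {r['class']:13} {r['count']:3} events  bursts: {bursts}")
        for sig, n in r["signatures"].most_common():
            print(f"    {n:3}  {sig}")
    print(f"share of events from inside the organization: {internal_share(evs):.0%}")
    print("hand off to the org security team:", handoff_list(rep))
```

Point a real export at `parse_log` after adjusting `LINE_RE` to its column layout; the output gives the receiving team exactly what they need (source, event count, signature mix, and the times of day the host is active) and separates hosts on your own subnets, which you can pull off the network yourself, from org-internal hosts that have to be escalated.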