[sdnog] Network Full with malicious activities

Musa Stephen Honlue honlue at gmail.com
Thu Nov 22 14:59:08 SAST 2018


Hello Khadiga,

After all, don't forget

- To setup a firewall and define rules for all you need in and out of your
network.
- To educate your internal users on what is acceptable practice on the
network (most attackers use internal users to launch their attacks)
- To install and update a good antivirus on your systems (especially Windows
devices)
- Regularly patch your systems and update antivirus.

Regards.

--- MSH
On Thu, 22 Nov 2018 at 13:46, Nishal Goburdhan <nishal at controlfreak.co.za>
wrote:

> On 22 Nov 2018, at 17:53, Khadiga Elhassan wrote:
>
> > Hi all ,what is the most proper way of dealing with a network full of
> > malicious activities . From where to start and does free anti-viruses
> > help?
> > if yes which is the best?
> > Would some one suggest a strategy or a policy to implement?
> > Please specify in details..
>
> hi khadiga,
>
> you weren’t very specific;  malicious activities could be many things,
> and hosts themselves, could relate to a myriad more.  so i’ll write
> primarily about how you can contain some of these, inside a university
> network, since that’s where it seems you might be having these issues.
>
> so, rule #1.  disconnect it!   ;-)
> no really, i’m not joking;  disconnect the host.  the best and first
> thing you want to do is to take the infected hosts offline.
> and, if the network segment is really badly infected, then, if it’s
> possible, take the entire segment offline.
> that keeps the rest of your network safe, from these hosts, and, at the
> same time, prevents the infected machines from participating in any
> nefarious activity, or being compromised via a second vulnerability.
>
> there are very few “safe” ways to recover from a compromise, or
> exploit.  and certainly, in the event of this being an “end-user”
> PC, i would format and re-image.  fortunately, for a lab environment,
> that’s easy to do, and there’s lots of tools that can help with
> that.  if it’s your own personal machine, well, this is why we have
> backups, right?  :-)
> it might be tempting to try to remove files off the infected host.  do
> this *only* if you are 110% sure that the host you’re going to try to
> read this information off later, is immune to this sort of infection.
> otherwise, it’s not worth the risk ..
>
> if they are windows machines, then yes, even the free anti-virus
> software can help prevent this.  i would certainly not dismiss this
> outright.  however, i’m not, and have never been, a windows lan admin,
> so perhaps other people here have better suggestions around software.
>
> one way to limit the spread of infections is to limit the size of the
> network segments;  put each lab into their own layer-3 domain, and
> filter *both* in and outbound, to the lab.  that’ll help you contain
> things easily;  especially for example, if you’re filtering udp 135-139
> (and the other commonly abused ports).   of course - this needs to fit
> into your connectivity strategy; ie.  you don’t have devices
> “mapped” from other devices across the university, etc.
>
> finally, make sure you have visibility into what’s happening in the
> network;  it’s not terribly difficult to setup monitoring of all
> switch ports  (librenms/cacti/etc), so you know which hosts are
> misbehaving, and of traffic going through the lab uplinks
> (snort/suricata/etc) so you know what they are doing.  knowing *where*
> to look, and *what* to look for, is going to make all the difference,
> when you need it.
>
> there’s a lot more that can be written about security, process and policy,
> but hopefully this has given you a start.
>
> --n.
> _______________________________________________
> sdnog mailing list
> sdnog at sdnog.sd
> https://lists.sdnog.sd/mailman/listinfo/sdnog
>
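
Added example, not part of either message in this thread: a POSIX shell script that generates an nftables ruleset for the per-lab layer-3 segment described above, filtering both inbound and outbound traffic at the lab boundary and logging what it drops so the uplink sensor has something to look at. The interface name vlan230, the subnet 10.20.30.0/24, the outbound services allowed (DNS, NTP, HTTP/HTTPS), and the inclusion of port 445 alongside 135-139 in both TCP and UDP are assumptions for illustration, not details from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emit an nftables ruleset that puts one
# lab into its own filtered layer-3 segment behind the campus router.
# Assumptions for illustration: the lab hangs off interface "vlan230", uses
# 10.20.30.0/24, and only needs DNS, NTP and web access outbound.
# Usage:  ./lab-segment.sh --apply 10.20.30.0/24 vlan230   (load into nft)
#         ./lab-segment.sh 10.20.30.0/24 vlan230           (print only)

lab_ruleset() {
    net="$1"    # lab IPv4 subnet
    ifc="$2"    # router interface facing the lab
    cat <<EOF
# Creating then flushing the table makes re-applying this file idempotent.
add table inet lab_${ifc}
flush table inet lab_${ifc}

table inet lab_${ifc} {
    chain forward {
        type filter hook forward priority 0; policy accept;

        ct state established,related accept
        ct state invalid drop

        # Only traffic crossing the lab interface is subject to the lab policy,
        # so other segments routed through this box are unaffected.
        iifname "${ifc}" jump lab_out
        oifname "${ifc}" jump lab_in
    }

    # Inbound: nothing initiated from outside may reach a lab host.
    # If an admin jump host needs SSH/RDP into the lab, accept it before the drop.
    chain lab_in {
        counter log prefix "lab-in-drop " drop
    }

    # Outbound: block the Windows RPC/NetBIOS/SMB ports in both TCP and UDP
    # (assumption: 445 added to the 135-139 range), then allow only what the
    # lab needs, and log everything else so the uplink sensor can see it.
    chain lab_out {
        ip saddr != ${net} counter drop
        tcp dport { 135-139, 445 } counter log prefix "lab-smb-drop " drop
        udp dport { 135-139, 445 } counter log prefix "lab-smb-drop " drop
        udp dport { 53, 123 } accept
        tcp dport { 80, 443 } accept
        counter log prefix "lab-out-drop " drop
    }
}
EOF
}

if [ "${1:-}" = "--apply" ]; then
    # Loads the generated ruleset; requires root and nftables on the router.
    lab_ruleset "${2:-10.20.30.0/24}" "${3:-vlan230}" | nft -f -
elif [ -n "${1:-}" ]; then
    lab_ruleset "$1" "${2:-vlan230}"
fi
```

The forward chain keeps policy accept and only jumps into the lab chains for traffic entering or leaving the lab interface, so loading this on a router that also serves other segments does not cut them off; the anti-spoofing rule at the top of lab_out means an infected lab host cannot impersonate an address outside its segment. Dropped traffic is counted and logged with a distinct prefix per chain, which is what tells you which lab host is misbehaving before you walk over to unplug it.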