How to Build a Robust Lights Out Checklist
A cybercriminal gets paid when the damage is large enough to justify the ransom. Encrypting a few files on one laptop rarely earns a payment; encrypting an entire network does. Attackers therefore want time to spread before anyone notices, which is why organizations see a substantial spike in cyberattacks over the extended weekends that come with holiday observances, when fewer people are watching the environment.
Notable Holiday Cyberattacks
Kaseya RMM Vulnerability Exploit – Fourth of July Weekend
Attackers built a list of internet-exposed Kaseya RMM (VSA) servers by scanning the internet, checking for open ports and cataloging the responders. The exploit was launched on the Friday just before the July 4th weekend, and the compromised servers were used to push ransomware down to the businesses they managed. Because the attack started before the end of the business day, Kaseya was able to respond promptly, contacting customers and instructing them to shut down their on-premises RMM servers.
Colonial Pipeline DarkSide Ransomware – Mother's Day Weekend
DarkSide ransomware infected the Colonial Pipeline corporate office network on the Friday of Mother's Day weekend, encrypting data and holding it for ransom. As a precaution, Colonial Pipeline shut down the pipeline altogether, isolating its networks so the attack could not reach the systems that physically operate the pipeline and move the fuel. The pipeline stayed down for six days, with a huge impact on customers who relied on the more than 100 million gallons of fuel it transported up the east coast daily.
PlayStation Network (Sony) and Xbox Live (Microsoft) - Christmas Eve
PlayStation Network and Xbox Live were both hit by a Distributed Denial of Service (DDoS) attack on Christmas Eve, deliberately timed for the period when most new PlayStation and Xbox owners turn on their consoles for the first time. The attacking group, the "Lizard Squad", claimed to have started the DDoS attack "for the laughs" but then extended it to make a statement and pressure the two companies into upgrading their security. They chose Christmas Eve and Christmas Day because they knew the outage would reach the largest number of people.
Maintaining a good security configuration and posture is vital year-round. The items below belong on your checklist before a long weekend; they increase your odds of getting through a holiday weekend cyberattack intact, or of recovering quickly if one succeeds.
Shut Down Your Devices
Shut down machines before you or your employees leave for the weekend if nobody plans to work. A powered-off machine cannot run remote access tools, cannot be reached over Remote Desktop, and cannot execute anything an attacker pushes to it. Separately, make sure no inbound ports were left open by mistake, such as 3389 (RDP); an exposed RDP listener gives an attacker a direct path to brute-force or exploit the host. Note that closing inbound ports does not stop a reverse shell, which connects outbound from a machine that is already compromised; shutting the machine down does. This step is at the human level: individual employees outside the IT department can take care of it.
Multi-Factor Authentication (MFA)
Use Multi-Factor Authentication (MFA) wherever it is supported, year-round. If a system can take MFA and does not have it yet, add it. Rolling MFA out across an entire environment can be an extensive project, so if you are in a time crunch, prioritize admin and privileged accounts, and the consoles of remote access tools such as your RMM, since those are what an attacker needs to reach everything else.
Block All Untrusted Software
Even if you are still in the ThreatLocker learning stage, 99% of required software is learned during the first hour, so it is safe to switch on secure mode before going away for the weekend. In secure mode, an attacker who gets onto a machine cannot run any untrusted software, which makes the machine very difficult to use against you. Remember that ransomware is just software: it cannot run if it is not on the allowlist.
Recovery and Backups
Verify that you have several backups before leaving for the weekend, spanning multiple locations, with at least one copy not connected to your network. An offline or off-site copy drastically increases your probability of recovering from a cyberattack; for example, save a backup on an encrypted disk and take it home with you.
Some attacks alter the backup configuration so the job backs up absolutely nothing yet still reports that "X" amount of data was backed up successfully. Do not trust the success notification: confirm the backup is going where you intend it to, and test-restore a sample of files to prove the data is actually there. Online backups are a simple way to back up large amounts of data for any organization.
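The check the previous paragraph calls for is a restore test: compare what comes out of the archive against a hash manifest taken from the live data, and fail the backup if nothing came out at all. The script below is an added example written for this checklist, not ThreatLocker's or the page author's code. The source tree, file contents and archive names are constructed in a temp directory so it runs offline; the "hollow" archive stands in for a backup job whose configuration was tampered with so it archives nothing while still reporting success.

```python
"""Check that a backup archive really contains the data it claims to.

Added example for this checklist (not ThreatLocker's or the page author's
code). The source tree, file contents and archive names are constructed
here so the script runs offline in a temp directory.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def make_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def write_backup(source: Path, archive: Path, include_files: bool = True) -> None:
    """Write source as a tar.gz. include_files=False simulates a backup job whose
    configuration was tampered with so it archives nothing but still 'succeeds'."""
    with tarfile.open(archive, "w:gz") as tar:
        if include_files:
            for rel in make_manifest(source):
                tar.add(source / rel, arcname=rel)


def verify_backup(archive: Path, manifest: dict) -> dict:
    """Restore the archive into scratch space and compare every file against the
    manifest taken from the live data. A backup that restores zero files fails
    even though the backup job reported success."""
    result = {"ok": False, "restored": 0, "missing": [], "mismatched": []}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse archives that try to write outside the scratch directory.
                name = os.path.normpath(member.name)
                if os.path.isabs(name) or name.startswith(".."):
                    raise ValueError(f"unsafe member path: {member.name}")
            try:
                tar.extractall(scratch, filter="data")  # Python 3.12+ and backports
            except TypeError:
                tar.extractall(scratch)  # older interpreters have no filter argument
        restored = make_manifest(Path(scratch))
    result["restored"] = len(restored)
    for rel, digest in manifest.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["mismatched"].append(rel)
    result["ok"] = bool(restored) and not result["missing"] and not result["mismatched"]
    return result


def demo() -> dict:
    """Constructed scenario: a good backup passes, a hollow one fails."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "fileserver"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        manifest = make_manifest(src)

        good, hollow = Path(tmp) / "good.tar.gz", Path(tmp) / "hollow.tar.gz"
        write_backup(src, good)
        write_backup(src, hollow, include_files=False)
        return {"good": verify_backup(good, manifest),
                "hollow": verify_backup(hollow, manifest)}


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, "OK" if res["ok"] else "FAILED", res)
```

Run the same verification against a real archive by taking the manifest from the production share before the backup runs and pointing `verify_backup` at the file the backup product wrote; if `restored` is zero or `missing` is non-empty, the success email from the backup job is lying to you.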
Check for (Unmanaged) Remote Access Tools Within the Environment
Find and remove any unneeded or unwanted remote access tools in your environment. Common ones include GoToAssist, Bomgar (now BeyondTrust) and TeamViewer. Uninstall them promptly or block them entirely; any remote access tool you did not deploy yourself is a ready-made backdoor for an attacker.
ThreatLocker can find untrusted software easily in monitor mode and then block it by switching to secure mode.
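Whichever product you use to collect the inventory, the triage is the same: match every installed program, service and running process against known remote access products, separate the tool you sanctioned from the ones you did not, and treat anything running out of a user-writable folder as the most urgent, because your software deployment process did not put it there. The script below is an added example, not ThreatLocker code. The inventory rows are constructed (in practice they would come from an RMM or EDR export); the product list goes beyond the three tools named above and should be extended for your environment, and the "approved" set used in the demo is an assumption.

```python
"""Flag remote access tools in an endpoint inventory and separate the ones
you sanctioned from the ones you did not.

Added example, not ThreatLocker code. SAMPLE_INVENTORY is constructed; the
product list and the approved set are assumptions to adapt per environment.
"""
import re

# Product -> regex matched case-insensitively against service, process,
# program and binary path strings. Extend this for your environment.
REMOTE_ACCESS_SIGNATURES = {
    "TeamViewer": r"teamviewer",
    "GoToAssist": r"gotoassist",
    "BeyondTrust (Bomgar)": r"bomgar|beyondtrust",
    "AnyDesk": r"anydesk",
    "ConnectWise ScreenConnect": r"screenconnect|connectwise control",
    "Splashtop": r"splashtop",
    "LogMeIn": r"logmein",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in REMOTE_ACCESS_SIGNATURES.items()}

# Binaries under a user's profile were not deployed by your software
# management process; they are the most urgent findings.
_USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.IGNORECASE)

# Constructed inventory: one row per installed program, service or process.
SAMPLE_INVENTORY = [
    {"host": "WS01", "kind": "service", "name": "TeamViewer",
     "path": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe"},
    {"host": "WS01", "kind": "process", "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "kind": "process", "name": "AnyDesk.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"host": "SRV01", "kind": "service", "name": "ScreenConnect Client (0a1b2c3d)",
     "path": r"C:\Program Files (x86)\ScreenConnect Client (0a1b2c3d)\ScreenConnect.ClientService.exe"},
    {"host": "WS03", "kind": "program", "name": "Bomgar Jump Client", "path": ""},
    {"host": "WS03", "kind": "process", "name": "chrome.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def find_remote_access_tools(inventory, approved=frozenset()):
    """Return one finding per (host, product) with the evidence rows that matched.
    Sorted so unapproved tools in user-writable paths come first."""
    findings = {}
    for row in inventory:
        haystack = f"{row['name']} {row['path']}"
        for product, rx in _COMPILED.items():
            if not rx.search(haystack):
                continue
            f = findings.setdefault((row["host"], product), {
                "host": row["host"], "product": product,
                "approved": product in approved, "user_writable": False, "evidence": []})
            f["evidence"].append(f"{row['kind']}: {row['name']}")
            if _USER_WRITABLE.search(row["path"]):
                f["user_writable"] = True
    return sorted(findings.values(),
                  key=lambda f: (f["approved"], not f["user_writable"], f["host"]))


def unapproved_hosts(findings):
    """Hosts that need a remote access tool removed or blocked before the weekend."""
    return sorted({f["host"] for f in findings if not f["approved"]})


if __name__ == "__main__":
    # Assumption for the demo: ScreenConnect is the organization's own sanctioned tool.
    for f in find_remote_access_tools(SAMPLE_INVENTORY, approved={"ConnectWise ScreenConnect"}):
        status = "APPROVED" if f["approved"] else (
            "UNAPPROVED (user-writable path)" if f["user_writable"] else "UNAPPROVED")
        print(f["host"], f["product"], status, "; ".join(f["evidence"]))
```

The user-writable heuristic is what turns a list of matches into a priority order: a vendor-installed TeamViewer service is a policy problem to clean up, while AnyDesk running from a user's Temp folder is something to investigate before you leave.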
Minimize RMM (Remote Monitoring Management Tool) Access
If you host your own RMM server, you control its security. Best practices include:
- Patching your RMM as soon as patches become available.
- Monitoring your RMM for alerts.
- Blocking all inbound ports except those your agents and customers actually need, and restricting those to known source addresses where possible.
- Shutting the server down, or taking it off the internet, for the long weekend.
Minimize Remote Monitoring Management (RMM) Tool Access with ThreatLocker
ThreatLocker takes endpoint security to the next level with controls that prevent RMMs from being weaponized year-round, long weekends included.
ThreatLocker Allowlisting blocks all untrusted software, so a threat actor cannot push untrusted software to your organization's endpoints. That includes deploying a second RMM alongside the one you already run in order to deliver malware.
Allowlisting also blocks software pushed through your own RMM. If you need to push new software out through the RMM, it is much safer to keep all untrusted software blocked and go through the two-minute process of approving the specific package you want to deploy.
If a threat actor does gain access to your RMM, ThreatLocker Ringfencing™ can stop them from:
- Editing, encrypting, sharing, or even accessing your files and data.
- Sending anything out to the internet or connecting to the internet at all during the long weekend.
Implement Network Controls
ThreatLocker Network Control uses dynamic rules that block all inbound traffic to servers (including RMM servers) and allow only trusted objects. These "objects" can be an explicit group of computers that Network Control identifies by more than an IP address, which may change daily. This lets you essentially "turn off" all traffic except what the users who need access to your servers or the internet over the long weekend require.
Before leaving for the long weekend, review the Network Control deny logs for your servers. Unexpected denied connections may mean someone is probing your organization ahead of an attack.
Port Scans: Check Port 3389
Ports opened temporarily are sometimes forgotten and left open. This happens not only on organizations' server firewalls but also on home routers, where users who take a work laptop home forward port 3389 on their home firewall to it.
Before going home, port-scan all of your public IP addresses and make sure no Remote Desktop port is answering. Anything that responds when you did not expect it to, on 3389 or any other port, needs to be explained or closed.
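A minimal version of that scan, written as an added example for this page (not from the page or from ThreatLocker): it attempts a TCP connection to each host/port pair in parallel, then compares what answered against the set of listeners you expect, with 3389 never counted as expected on an internet-facing address. It needs nothing but Python, so it can run from a laptop outside the perimeter. The `demo()` function only probes 127.0.0.1, using a throwaway listener as a stand-in for a forgotten RDP port; the port list and the 203.0.113.10 address in the usage note are assumptions.

```python
"""Pre-departure check for unexpected listeners such as Remote Desktop (3389).

Added example, not from the page or from ThreatLocker. Plain TCP connect
attempts; run it against your public addresses from outside the perimeter
for the real check. demo() only probes 127.0.0.1 with a throwaway listener.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

RDP = 3389
# Ports worth checking before a long weekend: remote admin and file services (assumed list).
DEFAULT_PORTS = (21, 22, 23, 80, 443, 445, 3389, 5900, 5985, 5986)


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake completes; closed, filtered and unreachable all count as not open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(hosts, ports=DEFAULT_PORTS, timeout: float = 1.0, workers: int = 64) -> dict:
    """Return {host: [open ports]} for every host/port pair, probed in parallel."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda t: port_open(t[0], t[1], timeout), targets))
    open_ports = {h: [] for h in hosts}
    for (host, port), is_open in zip(targets, verdicts):
        if is_open:
            open_ports[host].append(port)
    return {h: sorted(p) for h, p in open_ports.items()}


def unexpected(open_ports: dict, expected: dict) -> dict:
    """Anything answering that is not in expected ({host: {ports}}) is a finding.
    RDP is never treated as expected, even if someone listed it."""
    findings = {}
    for host, ports in open_ports.items():
        allowed = set(expected.get(host, ())) - {RDP}
        bad = [p for p in ports if p not in allowed]
        if bad:
            findings[host] = bad
    return findings


def demo() -> dict:
    """Constructed check: open a listener on an ephemeral port of 127.0.0.1 and also
    probe a port that was just released, so one is open and one is closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    forgotten = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed = spare.getsockname()[1]
    spare.close()
    try:
        found = scan(["127.0.0.1"], ports=(forgotten, closed), timeout=0.5)
        return {"forgotten": forgotten, "closed": closed, "open": found,
                "unexpected": unexpected(found, {"127.0.0.1": set()})}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

For the real check, call `scan(["203.0.113.10"])` (substitute your own public addresses) and pass `unexpected()` the listeners you know are supposed to be there, for example `{"203.0.113.10": {443}}`; an empty result is the answer you want before you go home. A connect scan only sees TCP services, so pair it with your firewall's own rule review for UDP.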
ThreatLocker Ops is a comprehensive Zero Trust threat detection and behavior monitoring tool that hardens an environment by alerting on, and automatically responding to, indicators of attempted compromise. Alert triggers include, but are not limited to:
- Failed login and brute-force attempts, including how many attempts were made.
- Port scans and how many times ports were scanned (in combination with Network Control).
- Unknown software being repeatedly blocked from running (in combination with Allowlisting).
- Failed or blocked vulnerability exploits (in combination with Ringfencing™).
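The first item on that list, counting failed logons per source, is worth understanding on its own, because the obvious version of it misses a common holiday-weekend pattern: a password spray that tries each account once and never trips a lockout. The script below is an added example, not ThreatLocker Ops code. It runs a sliding window per source address over constructed log lines in a simple key=value form (event 4625 standing in for a Windows failed logon, 4624 for a success), and raises one alert for a single account being hammered and another for one source touching many accounts; the window and thresholds are assumptions to tune.

```python
"""Brute-force and password-spray detection over failed-logon records.

Added example, not ThreatLocker Ops code. SAMPLE_LOG is constructed in a
simple key=value form; adapt parse() to your real log source. Window and
thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source hammering one account, one source trying several
# accounts once each (a spray), and scattered internal failures that are just noise.
SAMPLE_LOG = """
2024-05-24T17:00:03Z host=SRV01 event=4625 user=administrator src=198.51.100.7
2024-05-24T17:00:09Z host=SRV01 event=4625 user=administrator src=198.51.100.7
2024-05-24T17:00:15Z host=SRV01 event=4625 user=administrator src=198.51.100.7
2024-05-24T17:00:21Z host=SRV01 event=4625 user=administrator src=198.51.100.7
2024-05-24T17:00:27Z host=SRV01 event=4625 user=administrator src=198.51.100.7
2024-05-24T17:00:33Z host=SRV01 event=4625 user=administrator src=198.51.100.7
2024-05-24T17:05:40Z host=SRV01 event=4625 user=jdoe src=203.0.113.9
2024-05-24T17:05:41Z host=SRV01 event=4625 user=asmith src=203.0.113.9
2024-05-24T17:05:42Z host=SRV01 event=4625 user=svc-backup src=203.0.113.9
2024-05-24T17:10:00Z host=SRV01 event=4624 user=jdoe src=10.0.0.14
2024-05-24T09:00:00Z host=SRV01 event=4625 user=jdoe src=10.0.0.14
2024-05-24T12:30:00Z host=SRV01 event=4625 user=jdoe src=10.0.0.14
""".strip().splitlines()


def parse(lines):
    """Parse lines into events sorted by time; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "event": m["event"],
                       "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5), max_failures=5, max_accounts=3):
    """Sliding-window detection keyed on source address.
    brute_force: at least max_failures failed logons from one source inside window.
    password_spray: failures against at least max_accounts distinct accounts inside
    window, which fires even when each account saw only one failure."""
    recent = defaultdict(deque)  # src -> failures still inside the window
    alerts = {}                  # (src, type) -> alert, updated while the burst continues
    for e in events:
        if e["event"] != "4625":
            continue
        q = recent[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()
        users = sorted({x["user"] for x in q})
        if len(q) >= max_failures:
            alerts[(e["src"], "brute_force")] = {
                "type": "brute_force", "src": e["src"], "count": len(q),
                "users": users, "last_seen": e["ts"].isoformat()}
        if len(users) >= max_accounts:
            alerts[(e["src"], "password_spray")] = {
                "type": "password_spray", "src": e["src"], "count": len(q),
                "users": users, "last_seen": e["ts"].isoformat()}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The two internal failures from 10.0.0.14 are hours apart and never accumulate inside the window, so they produce nothing; the spray from 203.0.113.9 produces only three failures, below the brute-force threshold, and is caught only because the detector also counts distinct accounts per source.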
Regardless of whether you are a ThreatLocker customer or not, if you do run into trouble during the holiday weekend, ThreatLocker Cyber Hero Team is available 365 days per year, with an average response time of 60 seconds or less. No order required; ThreatLocker will help you recover in the event of a disaster.
If you want to learn more about how ThreatLocker can harden your lights-out checklist and overall cybersecurity strategy, contact a ThreatLocker Cyber Hero Team Member.