Last week, we discussed the importance of patch management and the complexity of keeping systems within your company up to date.

Not only are organizations challenged by the necessity of patching, but they must also contend with specific change control processes that help keep the business running. When systems cannot be immediately patched, many companies turn to blocking malicious traffic with intrusion prevention systems (IPSs).

The Blocking and Tackling of Blocking and Patching

Blocking refers to the practice of deploying network security devices such as IPSs to block threats as they traverse the network. Such deployments are typically referred to as in-line mode, where the security device serves as a bump on the wire.

In this configuration, a pair of network ports is used to protect a segment. Network packets enter the security device on an inbound port and are inspected for malicious behavior. If none is found, the traffic is forwarded to the outbound port. However, if an attack is detected, the packet is dropped, thereby blocking the malicious traffic from reaching its destination.


An effective blocking strategy can help reduce the workload on operational IT security staff. While it is true that no security product can block every single possible attack, it is critical to block as much as possible to reduce the number of events and incidents to investigate manually.

Slowing the Spread of Ransomware

The recent WannaCry ransomware attacks, which affected millions of endpoints across more than 100 countries worldwide, illustrated the importance of blocking. For organizations employing an effective strategy, blocking could have slowed the spread of this attack in two primary ways:

  1. Block command-and-control (C&C) traffic. Like most malware, WannaCry reaches out to C&C servers to receive information on how to carry out the attack. For customers of IBM IPS products, signatures such as SMB_EternalBlue_Implant_CnC and SMB_DoublePulsar_Implant_CnC (both available since April 20, 2017) can be used to block C&C traffic.
  2. Block vulnerability exploitation attempts. WannaCry propagated throughout the internet by exploiting a vulnerability in the Windows SMB protocol. Within IBM’s IPS products, the Windows_Null_Session signature offered early warning of WannaCry propagation attempts. Further, the SMB1_Windows_Overflow_02 and SMB1_Windows_Info_Disclosure signatures provided more specific coverage for the exploitation used by the ransomware.
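The in-line decision path described above (inbound port, inspection, forward or drop) and the two blocking strategies in the list, modelled as an added example. This is not IBM code and the rules are not the vendor's signature content: the rule names, the payload markers they match and the sample packets are all constructed for illustration. What it shows is the distinction between an alert-only rule (early warning, traffic still forwarded) and a drop rule (traffic blocked before it reaches the protected segment), plus the event count that drives the analyst workload argument.

```python
"""Toy model of an in-line ('bump on the wire') IPS decision path.

Added example, not IBM's product code. Rule names loosely echo the
signature names in the article, but their match logic is a constructed
placeholder (magic bytes plus obviously fake marker strings), not real
detection content. Packets are constructed sample traffic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    port: Optional[int]       # None = match on any destination port
    pattern: "re.Pattern"     # regex applied to the payload bytes
    action: str               # "alert" (log only) or "drop" (block)


@dataclass
class InlineIPS:
    """The device sitting between the inbound and outbound ports of a segment."""
    rules: List[Rule]
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def inspect(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop'; every rule hit is logged as an event."""
        for rule in self.rules:
            if rule.port is not None and pkt.dst_port != rule.port:
                continue
            if rule.pattern.search(pkt.payload):
                self.log.append((rule.name, rule.action, pkt.src, pkt.dst))
                if rule.action == "drop":
                    return "drop"        # packet never reaches the outbound port
        return "forward"


# Constructed rules. '\xffSMB' is the SMB1 header magic; the marker strings
# are placeholders standing in for real exploit and implant patterns.
DEFAULT_RULES = [
    # alert-only: early warning that SMB is being used for anonymous access
    Rule("Null_Session_alert", 445, re.compile(rb"\xffSMB.*IPC\$", re.DOTALL), "alert"),
    # drop: stand-in for an exploitation-attempt signature
    Rule("SMB1_Overflow_drop", 445,
         re.compile(rb"\xffSMB.*CONSTRUCTED-OVERFLOW-MARKER", re.DOTALL), "drop"),
    # drop: stand-in for an implant command-and-control signature, any port
    Rule("Implant_CnC_drop", None, re.compile(rb"CONSTRUCTED-IMPLANT-BEACON"), "drop"),
]

# Constructed sample traffic crossing one protected segment.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.20", 445, b"\xffSMB\x75\\\\SRV\\IPC$\x00"),
    Packet("10.0.0.5", "10.0.0.20", 445, b"\xffSMB\x32CONSTRUCTED-OVERFLOW-MARKER"),
    Packet("10.0.0.20", "198.51.100.7", 445, b"CONSTRUCTED-IMPLANT-BEACON"),
    Packet("10.0.0.5", "10.0.0.20", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 445, b"\xffSMB\x72NT LM 0.12"),
]


def make_default_ips() -> InlineIPS:
    return InlineIPS(rules=list(DEFAULT_RULES))


def run_segment(ips: InlineIPS, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Push packets through the device; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ips.inspect(pkt) == "forward" else dropped).append(pkt)
    return forwarded, dropped


def summarize(ips: InlineIPS) -> dict:
    """Events per rule: what an analyst would have to review after the run."""
    counts = {}
    for name, _action, _src, _dst in ips.log:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    ips = make_default_ips()
    fwd, drp = run_segment(ips, SAMPLE_TRAFFIC)
    print(f"forwarded={len(fwd)} dropped={len(drp)} events={summarize(ips)}")
```

Only the two packets matched by drop rules are withheld from the outbound port; the null-session packet raises an event but is still forwarded, which is the trade-off between early warning and blocking that the list above describes. Everything a drop rule handles is one fewer incident for staff to investigate manually.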
