• No results found

Technical Note. CounterACT: Powerful, Automated Network Protection Inside and Out

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Technical Note. CounterACT: Powerful, Automated Network Protection Inside and Out"

Copied!
7
0
0

Loading.... (view fulltext now)

Download now ( 7 Page )

Full text

(1)

CounterACT:

(2)

Contents

Introduction . . . . 3

CounterACT: Powerful, Automated Threat Protection against Conficker . . . . 3

How the Conficker Worm Works . . . . 3

How to Use CounterACT to Protect vs . the Conficker Worm . . . . 4

1. Use CounterACT’s Ready-to-deploy Policy Templates to Speed Endpoint Protection . . . . 4

2. Track Corporate Compliance via Comprehensive Reports . . . . 4

3. Apply Extra Threat Protection . . . . 4

4. Ensure that the Microsoft Update Service is Running . . . . 4

1: Deploy Endpoint Protection Policies . . . . 4

2: Track Corporate Compliance to Policies via Comprehensive Reports . . . . 5

3: Apply Extra Threat Protection . . . . 6

4: Schedule/Enforce the Microsoft Update Service . . . . 7

(3)

3

Introduction

When the recent Conficker outbreak wreaked havoc upon Windows-based LANs in enterprises worldwide, CounterACTTM customers called in

to say: “our network is perfectly safe – CounterACT’s automatic zero-day threat prevention provided us with the 24/7/365 protection we have come to

expect and rely on!”

Conficker (aka Downup, Downadup and Kido) is an aggressive worm that targets Windows-based systems. It’s been estimated that the bug infected over 10 million PCs in just a few short weeks (over a million in a single 24-hour period) ... making it one of the most prolific, dangerous and widespread infections in recent times.

Anyone using a Windows-based system was cautioned to verify that their system was free of the Conficker worm and was running the latest, patched version of Microsoft Windows.

CounterACT users, of course, had the peace of mind that their systems were automatically protected: here’s why.

. . . . . .

CounterACT: Powerful, Automated Threat Protection against Conficker

CounterACT offers a powerful, automated 24/7/365 network solution for preventing the infection and spread of the Conficker worm. It both shields uninfected systems and remediates infected hosts, offering network users these security benefits:

• Prevention & Protection — CounterACT ensures that the MS-Update service is always running on every Windows device. It also blocks Conficker

infection using strong, built-in threat prevention technology.

• Enforcement & Remediation — CounterACT ensures other IT protection tools (anti-virus, anti-spyware, etc.) are working and “always on” and

automatically remediates infected hosts.

• Monitoring & Reporting — CounterACT continuously monitors endpoint security posture and maintains a clean, secure network. It also records

all remediation/enforcement actions taken against Conficker on malicious and/or infected hosts.

How the Conficker Worm Works

• The worm exploits a bug in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows

Server 2008. It self-replicates as the downloadable library file %System%\[RANDOM FILE NAME].dll, deletes any user-created System Restore points and creates the service, netsvcs.

• The worm then creates a registry entry and connects to three URLs to obtain the IP address of the compromised computer:

http://www.getmyip.org, http://getmyip.co.uk, http://checkip.dyndns.org.

• It then downloads and executes a file, creates an http server on the compromised computer on a random port, sends this URL as part of its

payload to remote computers, then connects back to this URL to download the worm. In this way, each exploited computer begins to spread the worm without needing to re-download it from a web location.

• The worm then connects to a UPnP router, opens the http port, then attempts to locate the network device registered as the Internet gateway

and opens the previously mentioned random port to allow access to the compromised computer from external networks. The worm then attempts to download a data file. It spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

• Finally, the worm attempts to contact the following sites to obtain the current date: http://www.w3.org, http://www.ask.com, http://www.msn.

(4)

How to Use CounterACT to Protect vs . the Conficker Worm

Take the following steps to protect your corporate network against the Conficker worm.

1. Use CounterACT’s Ready-to-deploy Policy Templates to Speed Endpoint Protection

• The Windows Update Compliance Policy ensures endpoints are patched with MS08-067. • The Microsoft Update Policy ensures the Microsoft Update service is running on all endpoints.

• The Anti-Virus Compliance Policy ensures that an anti-virus application is installed, running and up-to-date on all endpoints. • The USB Device Compliance Policy detects/blocks all connected USB devices or all devices that are not allowed.

2. Track Corporate Compliance via Comprehensive Reports

3. Apply Extra Threat Protection

• CounterACT’s IPS/Threat Protection Policy prevents worms from re-entering /spreading inside the network.

4. Ensure that the Microsoft Update Service is Running

• CounterACT also helps automate (enforces) the Microsoft update service.

1. Deploy Endpoint Protection Policies

CounterACT is delivered with ready-to-deploy NAC Compliance templates that can be used to create and deploy policies in five easy steps: 1. Open the CounterACT Console and select the Compliance icon from the Console Toolbar.

2. The NAC Policy Wizard>Compliance folder opens. 3. Select the following policy templates and

configure them by following the on screen instructions:

• Windows Update Compliance • Anti-Virus Compliance • USB Device Compliance • Malicious Hosts

4. The policies you create appear in the NAC Policy manager.

(5)

5

2. Track Corporate Compliance to Policies via Comprehensive Reports

CounterACT offers easy-to-build reports that help you track corporate compliance to policies. The reports can be tailored to include the exact level of information you require, and can generate in five easy steps:

1. Select the Reports icon from the Console toolbar. 2. Select the NAC Policies Compliance Details link. 3. Define reports settings in the page that opens.

4. In the 2 . Scope >Select Policy section; choose one of the policies you created. 5. Scroll down and generate the report.

(6)

3. Apply Extra Threat Protection

For additional protection, you can deploy CounterACT’s IPS/Threat Protection Policy as follows:

1. Select the Threats icon form the Console toolbar (for version 6.3.2 and above) For versions 6.3.1 and below select the IPS Manager icon).

2. The Threat Protection Policy pane opens.

3. Select Port Block from the Action on Bite dropdown menu in the Network Worm Policy section. 4. Select Host Block from the Action on Email Worm dropdown menu in the Email Worm Policy section. 5. Select Customize. The Customize, Scan tab opens.

6. Select the Login type and verify that it is enabled.

(7)

7

. . . .

About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company’s CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout’s open ControlFabric™ technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout’s solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

©2014 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners.

Doc: 2013.0055 ForeScout Technologies, Inc .

900 E. Hamilton Ave., Suite 300 Campbell, CA 95008 U.S.A. T 1-866-377-8771 (US) T 1-408-213-3191 (Intl.) F 1-408-371-2284 www.forescout.com . . . . Figure 4: Ensure Microsoft Update Service is Running.

4. Schedule/Enforce the Microsoft Update Service

To ensure the Microsoft Update service is running regularly:

1. Select the Compliance icon from the Console Toolbar . 2. The NAC Policy Wizard opens . Navigate to the Custom folder . 3. Select Next . The Name pane opens

4. Add a policy name and description and select Next . The IP Address

Range dialog box opens .

5. Define the range of IP addresses to be inspected for this policy . Select

Ok and then select Next . The Main Rule dialog box opens .

6. Select the Add button from the Condition section . The Condition

dialog box opens .

7. Navigate to the Windows OS folder and then select Service

Running .

8. Select the Does not meet the following criteria: radio button . 9. Select the Matches option from the drop down box and type in

Automatic Updates in the field that follows .

10. Select Ok . The Main Rule dialog box reopens . 11. Select Add from the Actions section .

12. Navigate to the Remediate folder and the select the Run Script on

Windows action .

13. Enter the following command in the Command or Script field: net

start wuauserv .

14. Select Ok . The Main Rule dialog box reopens .

References

Download now ( PDF - 7 Page - 5.45 MB )

Related documents

NIH research funding and early career physician scientists: continuing challenges in the 21st century

on postdoctoral NIH T32 Institutional Research Training grants from 1982 through 2009. T32 data include awardees receiving funding under the American Recovery and Reinvestment Act

Further information concerning Exel Composites Corporate Governance matters is available on the Group s website at

According to the Corporate Governance Code Recommendation 27, the Board of Directors shall establish an Audit Committee if the extent of the Company’s business requires that a

Press and the digital revolution: the challenges of the Portuguese market

The Global Media group, another of the major media groups in Portugal, has three daily newspapers (one of which a sports newspaper), a Sports cable TV and a national news radio

Asymptotic dimension and asymptotic property

Chapter 1 lays out some of the fundamental notions of geometric group theory including information about word metrics, Cayley graphs, quasi-isometries, and ends of groups and

Technical Note. ForeScout CounterACT Rogue Device Detection

ForeScout CounterACT manages rogue devices by using multiple technologies to learn about everything on your network with continuous endpoint visibility, automated actions (as noted

Technical Note. ForeScout CounterACT Endpoint Detection & Inspection Methods

CounterACT’s unique combination of endpoint discovery and inspection techniques are used to track endpoint changes making CounterACT instrumental in continuously monitoring

QuickSpecs. Models. Features and Benefits Management. HP ProCurve 2520 Switch Series Overview. HP ProCurve PoE Switch

Denial of service protection Denial of service protection Denial of service protection Denial of service protection CPU DoS Protection Device management Device management

Technical Note. CounterACT: 802.1X and Network Access Control

• Assess BYOD endpoints against a security policy, such as verifying the device configuration or the endpoint security posture • Provide different levels of network access and