Time to do a little doomsday prepping for the folks on the IT floor. Cyberattacks are happening constantly and, eventually, one succeeds against your organization. There are things that, when that day comes, will be absolutely great to have on hand. They are the same things that, if you don’t have them, you will wish real hard that you did. What should be in the doomsday prepper bug-out kit?
First on that list has to be an external hard drive. I specify an external drive because a PC off the network is too easily left unpatched and could accidentally be connected to a hot network, whereupon all its information gets compromised by the ransomware. A stack of papers in a sealed envelope wouldn’t be a bad way of storing vital information, either.
What would I put on the hard drive? I would start with current copies of network diagrams. Even relatively recent copies will do the job. If a ransomware worm gets into the network share where these are kept, it’s game over as far as sharing intel quickly with first responders.
Likewise, information on what SNMP communities exist and what devices they work with; SNMP v3 information and what devices accept those credentials; TACACS accounts that are not connected to AD and that work; where network devices still have local accounts, and those credentials; which devices do ssh with keys of length 1024 or greater; which devices are still stuck on telnet. Knowing this does two things: it helps with getting access to determine whether the network devices are compromised, and it lets you make an educated guess about which devices and credentials are most likely compromised.
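As an added example (not code from the original post), here is how the inventory described above can be kept as plain data and queried offline during an incident: which devices share a credential, which are still on telnet or short SSH keys, and, given a set of credentials believed stolen, which devices those credentials reach. Every device name, community string and account in it is constructed for illustration.

```python
"""Offline triage over a network-device credential inventory (added example)."""
from collections import defaultdict

# Constructed inventory: one record per device, in the shape the post
# describes (management protocol, SSH key length, credentials accepted).
# Credential ids are "<kind>:<name>"; the secrets themselves stay in the
# sealed envelope, not in this file.
INVENTORY = [
    {"name": "core-sw1", "mgmt": "ssh", "ssh_key_bits": 2048,
     "creds": ["snmpv3:netmon", "tacacs:netops"]},
    {"name": "edge-rtr1", "mgmt": "ssh", "ssh_key_bits": 1024,
     "creds": ["snmpv2:public", "tacacs:netops"]},
    {"name": "old-sw7", "mgmt": "telnet", "ssh_key_bits": None,
     "creds": ["snmpv2:public", "local:admin"]},
    {"name": "lab-sw2", "mgmt": "ssh", "ssh_key_bits": 768,
     "creds": ["local:admin"]},
]

MIN_SSH_KEY_BITS = 1024  # the threshold the post uses


def credential_map(inventory):
    """Map each credential id to the devices that accept it.

    A credential listed under more than one device is reused; if it leaks,
    every device in its list is reachable with it.
    """
    by_cred = defaultdict(list)
    for dev in inventory:
        for cred in dev["creds"]:
            by_cred[cred].append(dev["name"])
    return dict(by_cred)


def weak_devices(inventory):
    """Devices still managed over telnet or with SSH keys below the threshold."""
    weak = {}
    for dev in inventory:
        reasons = []
        if dev["mgmt"] == "telnet":
            reasons.append("telnet")
        bits = dev["ssh_key_bits"]
        if bits is not None and bits < MIN_SSH_KEY_BITS:
            reasons.append(f"ssh key {bits} bits")
        if reasons:
            weak[dev["name"]] = reasons
    return weak


def exposure(inventory, compromised):
    """Rank devices by how many of the compromised credentials reach them.

    compromised: set of credential ids believed stolen (for example a SNMPv2
    community seen in captured traffic, or a local account whose password
    was found in a dumped config). Returns (device, matching creds) pairs,
    most exposed first; these are the devices to check and re-credential first.
    """
    hits = []
    for dev in inventory:
        matched = sorted(set(dev["creds"]) & set(compromised))
        if matched:
            hits.append((dev["name"], matched))
    hits.sort(key=lambda hit: (-len(hit[1]), hit[0]))
    return hits


if __name__ == "__main__":
    # Constructed scenario: the public community and the shared local admin
    # account are assumed stolen.
    stolen = {"snmpv2:public", "local:admin"}
    for cred, devices in credential_map(INVENTORY).items():
        print(f"{cred:16} -> {', '.join(devices)}")
    print("weak:", weak_devices(INVENTORY))
    print("exposed:", exposure(INVENTORY, stolen))
```

Keeping the inventory as data rather than prose is what makes this usable at 3 a.m.: the credential map answers "what else does this community string open?", and the exposure ranking turns one confirmed stolen credential into an ordered list of devices to pull configs from and re-key.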
What else… how about a client installed on each PC that is able to monitor the activity on the PC and also run scripts with local admin or system privileges? This client should be able to access the system independently of AD, which could be compromised in such a situation. Enterprise software distribution tools can be damaged in a major outage, so having the scripting ability lets you invoke a hardware install from a known clean network share. Granted, the client isn’t on the external drive or in the sealed envelope, but it’s something I’d want in place for my IT doomsday prepping.
I want it because monitoring activity on endpoints is critical. Anything and everything that provides information for reporting is excellent. If it can provide spreadsheets that can be further analyzed, even better. If the client or AD account can reach most machines, but is cut off on a segment of the population, then it’s a good bet that the ones where it has been cut off are compromised. Those monitors might be able to find dual-homed devices that can serve as vectors of contagion. You’ll want to know where those are and maybe shut them down as part of the prepping.
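The two checks the paragraph above describes, finding the segment where the client has been cut off and spotting dual-homed machines, are mechanical once the endpoint client's reporting is in a table. This added example (not from the original post) does both over a constructed check-in report; the hostnames and addresses are invented, and it assumes every segment is a /24, which is a simplification a real run would replace with the subnets from the network diagrams.

```python
"""Check-in gap and dual-homed analysis over an endpoint report (added example)."""
import ipaddress
from collections import defaultdict

# Constructed report from the endpoint client: each host, the addresses it
# has, and whether the client could still reach it after the incident began.
REPORT = [
    {"host": "ws-01", "ips": ["10.1.1.10"], "checked_in": True},
    {"host": "ws-02", "ips": ["10.1.1.11"], "checked_in": True},
    {"host": "ws-03", "ips": ["10.1.1.12"], "checked_in": True},
    {"host": "fin-01", "ips": ["10.1.2.20"], "checked_in": False},
    {"host": "fin-02", "ips": ["10.1.2.21"], "checked_in": False},
    {"host": "fin-03", "ips": ["10.1.2.22"], "checked_in": True},
    # Two interfaces in two segments: a possible vector of contagion.
    {"host": "bridge-01", "ips": ["10.1.1.50", "10.1.2.50"], "checked_in": True},
]

SEGMENT_PREFIX = 24  # assumption: every segment is a /24


def segment_of(ip):
    """Return the segment an address belongs to, as a string like 10.1.2.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{SEGMENT_PREFIX}", strict=False))


def checkin_by_segment(report):
    """Per segment: how many hosts live there and which ones are silent."""
    segments = defaultdict(lambda: {"total": 0, "missing": []})
    for rec in report:
        for seg in sorted({segment_of(ip) for ip in rec["ips"]}):
            segments[seg]["total"] += 1
            if not rec["checked_in"]:
                segments[seg]["missing"].append(rec["host"])
    return dict(segments)


def suspect_segments(report, threshold=0.5):
    """Segments where at least `threshold` of hosts are silent.

    The post's reasoning: if the client reaches most machines but is cut off
    on one segment, that segment is the best bet for where the compromise is.
    """
    out = []
    for seg, info in sorted(checkin_by_segment(report).items()):
        if info["total"] and len(info["missing"]) / info["total"] >= threshold:
            out.append(seg)
    return out


def silent_hosts_in_suspect_segments(report, threshold=0.5):
    """Hosts to treat as likely compromised until proven otherwise."""
    suspects = set(suspect_segments(report, threshold))
    by_seg = checkin_by_segment(report)
    return sorted({h for seg in suspects for h in by_seg[seg]["missing"]})


def dual_homed(report):
    """Hosts with interfaces in more than one segment, with the segments."""
    found = {}
    for rec in report:
        segs = sorted({segment_of(ip) for ip in rec["ips"]})
        if len(segs) > 1:
            found[rec["host"]] = segs
    return found


if __name__ == "__main__":
    print("check-ins:", checkin_by_segment(REPORT))
    print("suspect segments:", suspect_segments(REPORT))
    print("likely compromised:", silent_hosts_in_suspect_segments(REPORT))
    print("dual-homed:", dual_homed(REPORT))
```

In the constructed report the finance segment is half silent and gets flagged, while the workstation segment is fully reachable; bridge-01 shows up as dual-homed between the two, which is exactly the kind of machine the post says to locate ahead of time and consider shutting down.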
But I’m just a network guy who does a lot of NAC work. I’d like to know: what else would be good to have on that external hard drive? What would be good to have in a sealed envelope? Is there a way to securely store application code in the event that app servers are compromised? Speaking of servers, should we ensure that the server networks are properly segmented from the rest of the network?
In short, what are the things you would put into place if you were brought in to get an organization as prepared as possible for The Big One?