On June 15th, 2017, KQED was crippled by a massive ransomware attack that swept through the corporate network, encrypting most of the Windows servers and workstations. It turned out the infection, a variant of the Samas (also known as SamSam) ransomware, had actually happened weeks earlier: the malicious code sat dormant, "sniffing" the network for usernames and passwords. Once it obtained domain administrator credentials (the highest-privilege account type in Microsoft's Active Directory), it propagated swiftly, taking control of and encrypting domain-joined servers and workstations. Our traditional signature-based antivirus (McAfee) was no match for this type of malware.
We didn't have the time or resources to discover the original delivery vector of the infection (how it got into our network), since we had to re-image computers immediately to get people working again. Gone are the conveniences of Bring Your Own Device (BYOD), Single Sign-On (SSO), unapproved software, and local admin privileges for users. Newly in place are more logical (VLAN) and physical network segments, network Access Control Lists (ACLs), additional separate Active Directory domains for certain environments (such as Dalet), and next-generation antivirus that looks at process behaviors as well as signatures.
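The propagation pattern described above (a single domain admin account suddenly logging on to many domain-joined hosts) is detectable from the Windows Security log before the encryption stage starts. The following is an added example, not code from KQED or from the talk: it runs two checks over a handful of constructed records modelled on the fields of Security event 4624 (successful logon). The host names, account names, the Domain Admins set and the tier-0 host list are all assumptions for illustration.

```python
"""
Added example (not from the KQED talk): two detections for the ransomware
propagation pattern described in the text, run over CONSTRUCTED records shaped
like Windows Security event 4624 (timestamp, target host, account, logon type).
All names and timestamps below are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: accounts that are members of Domain Admins in AD.
PRIVILEGED = {"CORP\\da-admin"}

# Assumption: the only hosts where a Domain Admin logon is expected
# (domain controllers / privileged access workstations).
TIER0_HOSTS = {"DC01", "DC02"}

# Constructed 4624-style records. Logon type 2 = interactive,
# 3 = network (SMB/PsExec-style), 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2017-06-15 02:01:07", "DC01",      "CORP\\da-admin", 10),
    ("2017-06-15 02:03:12", "WS-PROD-1", "CORP\\da-admin", 3),
    ("2017-06-15 02:03:15", "WS-PROD-2", "CORP\\da-admin", 3),
    ("2017-06-15 02:03:19", "FS-01",     "CORP\\da-admin", 3),
    ("2017-06-15 02:03:25", "APP-07",    "CORP\\da-admin", 3),
    ("2017-06-15 02:03:31", "WS-EDIT-9", "CORP\\da-admin", 3),
    ("2017-06-15 09:14:00", "WS-EDIT-9", "CORP\\jdoe",     2),
    ("2017-06-15 09:20:00", "FS-01",     "CORP\\jdoe",     3),
]


def parse(record):
    """Turn one record tuple into (datetime, host, account, logon_type)."""
    ts, host, account, logon_type = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, account, logon_type


def privileged_logons_off_tier0(events, privileged=PRIVILEGED, tier0=TIER0_HOSTS):
    """Check 1: a Domain Admin logon to any host outside tier 0 is a finding.

    That host is exactly where the credentials can be harvested from memory,
    which is what gave the ransomware domain-wide reach."""
    findings = []
    for ts, host, account, logon_type in map(parse, events):
        if account in privileged and host not in tier0:
            findings.append((ts, host, account, logon_type))
    return findings


def fan_out(events, window=timedelta(minutes=5), threshold=4):
    """Check 2: flag accounts that log on to >= threshold distinct hosts
    within a sliding time window. Returns {account: max distinct hosts}.

    A human admin rarely touches four new machines in five minutes;
    a worm-like spreader does."""
    per_account = defaultdict(list)
    for ts, host, account, _ in map(parse, events):
        per_account[account].append((ts, host))

    alerts = {}
    for account, logons in per_account.items():
        logons.sort()  # sort by timestamp
        start = 0
        for end in range(len(logons)):
            # Shrink the window from the left until it spans <= `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[account] = max(len(hosts), alerts.get(account, 0))
    return alerts


if __name__ == "__main__":
    for finding in privileged_logons_off_tier0(SAMPLE_EVENTS):
        print("DA logon outside tier 0:", finding)
    for account, n in fan_out(SAMPLE_EVENTS).items():
        print(f"fan-out alert: {account} reached {n} hosts in 5 minutes")
```

In production the records would come from forwarded 4624 events (e.g., via a SIEM) rather than a literal list, and the privileged set would be pulled from group membership rather than hard-coded; the logic is the same. The first check is the one that would have fired weeks before the encryption, during the dormant credential-harvesting phase.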
I'm the IT Director at KQED, and months after the attack we are still rebuilding and redesigning our IT and network infrastructure to survive in the modern cyber-villain landscape.
I want to share with you what we've learned.
Topics covered:
● KQED IT landscape and staffing before June 15th
● The infection: what it was, what it did and how it did it
● What we did to contain it
● Emergency response and how we communicated to staff
● How we redesigned the future while we recovered the past
● Sequence of systems we recovered and why
● New email and antivirus threat protection solutions
● Network ACLs, logical and physical segmentation
● Linux solutions
● End-user restrictions
● Macs (Apple) are not immune
● Silver linings and lessons learned
Possible Topics: Cybersecurity, Disaster Recovery, Infrastructure, Products & Technology, Strategy, Trends & Future Tech