In this episode I talk about how a client of ours learned a hard lesson: that the lack of logging/alerting makes for a pretty miserable investigation after they were breached.
- Public-facing terminal servers without 2FA basically have a sign on their back that says “Kick me. Then hack me.”
- At the first sign of a breach, unplugging the firewall is a good idea, but make sure you’ve got a log server set up so you don’t lose the firewall’s local cache of logs!
- The terminal servers mentioned in this episode had extra suspicious local admin accounts called Template and root.
- Make sure that you’re auditing for account management in your Active Directory environment! (see Local Computer Policy->Computer Configuration->Windows settings->Security Settings->Local Policies->Audit Policy->Audit account management)
- The bad guys had downloaded a fun kit of tools to the terminal servers, including ophcrack_nogui, serverpw and plink.exe.
- Besides ensuring the technical infrastructure has great logging/alerting, make absolutely sure that if you run an EHR system, it keeps detailed logs of who logged in, when, and what they did while logged in. In this episode, the EHR in question held absolutely no logs. That’s right: none!
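An added example, not from the episode or the client discussed in it, tying together the notes on the suspicious local admin accounts and on auditing account management. It assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember) and an elevated PowerShell session; the $ExpectedAdmins baseline is a constructed placeholder you would replace with your own. It lists local Administrators members that are not on the baseline (the kind of check that would have flagged accounts like “Template” and “root”), turns on the Account Management audit subcategories with auditpol, and pulls the account-management events from the Security log.

```powershell
# Added example for these show notes; not the episode's or the client's own tooling.
# Assumes Windows 10 / Server 2016+ and an elevated shell.
# $ExpectedAdmins is a constructed placeholder baseline; replace it with yours.
$ExpectedAdmins = @('Administrator', 'CORP\Domain Admins')

function Get-UnexpectedLocalAdmins {
    param([string[]]$Baseline = $ExpectedAdmins)
    # Normalize "HOST\Administrator" to "Administrator" so one baseline works across hosts.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $name = $_.Name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", ''
        if ($name -notin $Baseline) {
            [pscustomobject]@{
                Name   = $name
                Class  = $_.ObjectClass
                Source = $_.PrincipalSource
            }
        }
    }
}

function Enable-AccountManagementAuditing {
    # Same intent as the Local Policy path in the notes (Audit account management),
    # set through the advanced subcategories. Once an advanced subcategory is set,
    # it takes precedence over the legacy category setting.
    foreach ($sub in 'User Account Management', 'Security Group Management') {
        auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    # Show the resulting state of the whole Account Management category.
    auditpol.exe /get /category:"Account Management"
}

function Get-RecentAccountManagementEvents {
    param([int]$Days = 7)
    # 4720 user created, 4722 user enabled, 4724 password reset attempt,
    # 4732 member added to a security-enabled local group, 4738 user account changed.
    $filter = @{
        LogName   = 'Security'
        Id        = 4720, 4722, 4724, 4732, 4738
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Summary = ($_.Message -split "`r?`n")[0]   # first line of the event text
        }
    }
}

Get-UnexpectedLocalAdmins | Format-Table -AutoSize
Enable-AccountManagementAuditing
Get-RecentAccountManagementEvents | Format-Table -AutoSize
```

The event query only returns what was logged while auditing was already on; enabling it after the fact gives you nothing about the accounts that were created before, which is exactly the lesson of the episode. Forward the Security log to the same central log server you keep the firewall logs on, so the evidence survives a box being rebuilt or unplugged.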