Ensuring Cybersecurity: Blocking Discord Access with Firewall Rules

 

I. Introduction

Purpose of Blocking Discord Access

Social media and communication platforms like Discord are everywhere in today’s digital landscape. However, their widespread use also introduces significant cybersecurity risks. Discord, known for its extensive user base and real-time communication features, can be a vector for malicious actors’ malware distribution and command and control (C2) operations. Blocking access to Discord within a corporate environment is a proactive measure to mitigate these risks.

Importance of Controlled Access to Prevent Malware Command and Control

Controlling access to external platforms is crucial in preventing unauthorized use of corporate resources for malicious purposes. By restricting access to platforms like Discord, organizations can reduce the risk of malware infections, data breaches, and unauthorized communications. This measure helps keep network integrity and security intact, safeguarding sensitive business information from cyber threats.

II. Assessing Business Needs

Identifying Users with Legitimate Business Needs

Before implementing a blanket ban on Discord, it’s essential to identify any legitimate business needs for accessing the platform. This could include marketing teams monitoring brand presence, developers collaborating with external partners, or customer support teams engaging with clients through Discord channels.

Documenting and Justifying Business Needs

Once legitimate needs are identified, they should be documented comprehensively. This documentation should include the specific reasons for access, the potential benefits to the business, and any risks associated with allowing such access. This step ensures that decisions are transparent and justifiable.

Approval Process for Access

Establish a formal approval process for users requesting access to Discord. This process should involve a thorough IT and security team review, considering the documented business needs and potential security risks. Approved users should be granted access through secure, monitored channels to ensure compliance with corporate policies.

III. Technical Controls

A. Network Segmentation

Isolating Critical Systems

One of the fundamental strategies in cybersecurity is network segmentation. Organizations can limit the potential impact of a security breach by isolating critical systems from the rest of the network. Critical systems should be placed in separate VLANs (Virtual Local Area Networks) with strict access controls.

Implementing VLANs

Creating VLANs for different departments or user groups can help manage and monitor network traffic more effectively. For instance, placing high-risk users (those needing access to external platforms like Discord) in a separate VLAN allows for focused monitoring and control without impacting the broader network.

B. Firewall Rules

Blocking Discord-Related IPs and Domains

To block Discord access, configure firewall rules to block known Discord IP addresses and domain names. For example:

! Block Discord IP addresses
access-list 101 deny ip any host 162.159.129.233
access-list 101 deny ip any host 162.159.128.233

! Block Discord domain names
ip domain list discord.com
ip domain list discord.gg
access-list 101 deny ip any host discord.com
access-list 101 deny ip any host discord.gg

! Apply the access list to the appropriate interface
interface GigabitEthernet0/1
 ip access-group 101 in
    

For comprehensive lists of Discord servers and IPs to block, refer to resources such as:

Creating Whitelists for Approved Users

For users with approved access, create specific firewall rules to allow traffic. This can be done by setting up a whitelist:

! Allow approved users to access Discord
access-list 102 permit ip host approved_user_ip any

! Apply the whitelist access list to the appropriate interface
interface GigabitEthernet0/1
 ip access-group 102 in
    

C. Proxy Servers

Filtering Traffic

Utilize proxy servers to filter and control web traffic. Proxy servers can block access to Discord by filtering requests to known Discord domains. This ensures that only approved traffic passes through the network.

Monitoring and Logging Access

Proxy servers should also be configured to monitor and log all access attempts. These logs should be reviewed regularly to detect unauthorized access attempts and potential security threats.

D. Application Control

Blocking Discord Application

Application control can prevent the installation and execution of the Discord application on corporate devices. Use endpoint security solutions to enforce policies that block unauthorized software.

Allowing Access Only to Approved Instances

For users who need Discord for legitimate reasons, ensure they use only approved instances. This can be managed by allowing access only through specific devices or within certain network segments, with continuous monitoring for compliance.

Conclusion

Blocking Discord access in a corporate environment involves a multi-layered approach combining policy enforcement, network segmentation, firewall rules, proxy filtering, and application control. Organizations can mitigate the risks associated with Discord by thoroughly assessing business needs, documenting justifications, and implementing robust technical controls while allowing necessary business functions to continue securely.

For assistance or additional insights on implementing these controls, contact MicroSolved. Our team of experts is here to help you navigate the complexities of cybersecurity and ensure your organization remains protected against emerging threats.

 

 

* AI tools were used as a research assistant for this content.

 

Saved By Ransomware Presentation Now Available

I recently spoke at ISSA Charlotte, and had a great crowd via Zoom. 

Here is the presentation deck and MP3 of the event. In it, I shared a story about an incident I worked around the start of Covid, where a client was literally saved from significant data breach and lateral spread from a simple compromise. What saved them, you might ask? Ransomware. 

That’s right. In this case, ransomware rescued the customer organization from significant damage and a potential loss of human life. 

Check out the story. I think you’ll find it very interesting. 

Let me know if you have questions – hit me up the social networks as @lbhuston.

Thanks for reading and listening! 

Deck: https://media.microsolved.com/SavedByRansomware.pdf

MP3: https://media.microsolved.com/SavedByRansomware.mp3

PS – I miss telling you folks stories, in person, so I hope you enjoy this virtual format as much as I did creating it! 

Ransomware TableTop Exercises

When it comes to Ransomware, it’s generally a good idea to have some contingency and planning before your organization is faced with a real life issue. Here at MicroSolved we offer tabletop exercises tailored to this growing epidemic in information technology. 

 

What if your organization was affected by the Golden Eye or WannaCry today? How quick would you be able to react? Is someone looking at your router or server log files? Is this person clearly defined? How about separation of duties? Is the person looking over the log files also uncharge of escalating an issue to higher management?

 

How long would it take for you organization to even know if it was affected? Who would be in-charge of quarantining the systems? Are you doing frequent backups? Would you bet your documents on it? To answer these questions and a whole lot more it would be beneficial to do a table top exercise. 

 

A table top exercise should be implemented on an annual basis to evaluate organizational cyber incident prevention, mitigation, detection and response readiness, resources and strategies form the organizations respective Incident Response Team. 

 

As you approach an incident response there are a few things to keep in mind:

 

  1. Threat Intelligence and Preparation

An active threat intelligence will help your organization to Analyze, Organize and refine information about potential attacks that could threaten the organization as a whole.

After you gain Threat Intelligence, then there needs to be a contingency plan in place for what to do incase of an incident. Because threats are constantly changing this document shouldn’t be concrete, but more a living document, that can change with active threats.

  1. Detection and Alerting

The IT personal that are in place for Detection and Alerting should be clearly defined in this contingency plan. What is your organizations policy and procedure for frequency that the IT pro’s look at log files, network traffic for any kind of intrusion?

  1. Response and Continuity

When an intrusion is identified, who is responsible for responding? This response team should be different then the team that is in charge of “Detection and Alerting”. Your organization should make a clearly outlined plan that handles response. The worse thing is finding out you don’t do frequent backups of your data, when you need those backups! 

  1. Restoring Trust

After the incident is over, how are you going to gain the trust of your customers? How would they know there data was safe/ is safe? There should be a clearly defined policy that would help to mitigate any doubt to your consumers. 

  1. After Action Review

What went wrong? Murphy’s law states that when something can go wrong it will. What was the major obstacles? How can this be prevented in the future? This would be a great time to take lessons learned and place them into the contingency plan for future. The best way to lesson the impact of Murphy, is to figure out you have an issue on a table top exercise, then in a real life emergency! 


This post was written by Jeffrey McClure.

Petya/PetyaWrap Threat Info

As we speak, there is a global ransomware outbreak spreading. The infosec community is working together, in the open, on Twitter and mailing lists sharing information with each other and the world about the threat. 

The infector is called “Petya”/“PetyaWrap” and it appears to use psexec to execute the EternalBlue exploits from the NSA.

The current infector has the following list of target file extensions in the current (as of an hour ago) release. https://twitter.com/bry_campbell/status/879702644394270720/photo/1

Those with robust networks will likely find containment a usual activity, while those who haven’t implement defense in depth and a holistic enclaving strategy are likely in trouble.

Here are the exploits it is using: CVE-2017-0199 and MS17-010, so make sure you have these patched on all systems. Make sure you find anything that is outside the usual patch cycle, like HVAC, elevators, network cameras, ATMs, IoT devices, printers and copiers, ICS components, etc. Note that this a combination of a client-side attack and a network attack, so likely very capable of spreading to internal systems… Client side likely to yield access to internals pretty easily.

May only be affecting the MBR, so check that to see if it is true for you. Some chatter about multiple variants. If you can open a command prompt, bootrec may help. Booting from a CD/USB or using a drive rescue tool may be of use. Restore/rebuild the MBR seems to be successful for some victims. >>  “bootrec /RebuildBcd bootrec /fixMbr bootrec /fixboot” (untested)

New Petrwrap/Petya ransomware has a fake Microsoft digital signature appended. Copied from Sysinternals Utils. – https://t.co/JooBu8lb9e

Lastline indicated this hash as an IOC: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 – They also found these activities: https://pbs.twimg.com/media/DDVj-llVYAAHqk4.jpg

Eternal Blue detection rules are firing in several detection products, ET Rules firing on that Petya 71b6a493388e7d0b40c83ce903bc6b04  (drops 7e37ab34ecdcc3e77e24522ddfd4852d ) – https://twitter.com/kafeine/status/879711519038210048

Make sure Office updates are applied, in addition to OS updates for Windows. <<Office updates needed to be immune to CVE-2017-0199.

Now is a great time to ensure you have backups that work for critical systems and that your restore processes are functional.

Chatter about wide scale spread to POS systems across europe. Many industries impacted so far.

Bitdefender initial analysis – https://labs.bitdefender.com/2017/06/massive-goldeneye-ransomware-campaign-slams-worldwide-users/?utm_source=SMGlobal&utm_medium=Twitter&utm_campaign=labs

Stay safe out there! 

 

3:48pm Eastern

Update: Lots of great info on detection, response, spread and prevention can be found here: https://securelist.com/schroedingers-petya/78870/

Also, this is the last update to this post unless something significant changes. Follow me on Twitter for more info: @lbhuston 

State of Security Podcast Episode 11 is Out!

“Hey, I heard you missed us. We’re back! … I brought my pencil, give me something to write on, man!” — Van Halen

That’s right – we heard you and we’re back. It took 7 months to rework the podcast format, find a new audio post processor to partner with, close the deal, do some work on the Honorary Michael Radigan Studios and bring the whole thing back to you in a new audio package. Whew! 🙂 

That said, check out the new episode of the podcast as Lisa Wallace tears into malware history, discusses why she loves infosec and gives some advice to women working in the industry. There’s a lot of great stuff here, packed into ~40 minutes.

Look for new episodes coming soon, and hopefully with an increased pace. Hit me up on Twitter and let me know what you think! (@lbhuston). Enjoy the audio goodness and thanks for listening!

 

Ready for Ransomware?

Ransomware is becoming common. We are getting a lot of calls for help with incident response. Here’s a couple of things to think about, in general, around ransomware attacks.

1. Backups are your first line of recovery – just think about making sure they aren’t infected as well, so that you don’t restore infected files

2. Paying the ransom can be hairy – in some cases, paying the ransom could be a crime (think money laundering, banking regulations and the Patriot Act…), plus having a process to pay in bitcoin, even if you wanted to – in the time provided – is often a challenge

3. Some ransomware is recoverable – so check for options

4. Measure business impact – is re-creation of the data viable at a cost less than the cost of paying the ransom, including the work of paying the ransom – sometimes yes… 

5. Can you identify the failed controls that let you get infected? – If so, fix them, if possible.

These are a good place to start. Think about ransomware, your incident response process and current capabilities. Check your backups and have multiple sources. Be prepared instead of panicked.

Malware Can Hide in a LOT of Places

This article about research showing how malware could be hidden in Blu-Ray disks should serve as a reminder to us all that a lot of those “smart” and “Internet-enabled” devices we are buying can also be a risk to our information. In the past, malware has used digital picture frames, vendor disks & CD’s, USB keys, smart “dongles” and a wide variety of other things that can plug into a computer or network as a transmission medium.

As the so called, Internet of Things (IoT), continues to grow in both substance and hype, more and more of these devices will be prevalent across homes and businesses everywhere. In a recent neighbor visit, I enumerated (with permission), more than 30 different computers, phones, tablets, smart TV’s and other miscellaneous devices on their home network. This family of 5 has smart radios, smart TVs and even a Wifi-connected set of toys that their kids play with. That’s a LOT of places for malware to hide…

I hope all of us can take a few minutes and just give that some thought. I am sure few of us really have a plan that includes such objects. Most families are lucky if they have a firewall and AV on all of their systems. Let alone a plan for “smart devices” and other network gook.

How will you handle this? What plans are you making? Ping us on Twitter (@lbhuston or @microsolved) and let us know your thoughts.

Do You Browse From a Virtual Machine?

Configure 256

This article brings to mind an interesting trend we see going on among our financial and highly regulated clients – using a virtual machine for all Internet browsing. Several of our clients have begun using this technique in testing and small production groups. Often they are using ChromeOS images with VirtualBox or some other dedicated browser appliance and a light VM manager. 

Have you or your organization considered, tried or implemented this yet? Give us a shout on Twitter (@lbhuston, @microsolved) and let us know your thoughts. Thanks for reading!

Crypto Locker Down, but NOT Out

So, the US govt and law enforcement claim to have managed the disruption of crypto locker. And officials are either touting it as a total victory or a more realistic slowdown of the criminals leveraging the malware and bot-nets.

Even as the govt was touting their takedown, threat intelligence companies around the world (including MSI), were already noticing that the attackers were mutating, adapting and re-building a new platform to continue their attacks. The attackers involved aren’t likely to stay down for long, especially given how lucrative the crypto locker malware has been. Many estimates exist for the number of infections, and the amount of payments received, but most of them are, in a word, staggering. With that much money on the line, you can expect a return of the nastiness and you can expect it rather quickly.

Takedowns are effective for short term management of specific threats, and they make great PR, but they do little, in most cases, to actually turn the tide. The criminals, who often escape prosecution or real penalties, usually just re-focus and rebuild. 

This is just another reminder that even older malware remains a profit center. Mutations, variants and enhancements can turn old problems like Zeus, back into new problems. Expect that with crypto locker and its ilk. This is not a problem that is likely to go away soon and not a problem that a simple takedown can solve.

Spend Your First Hour Back the Right Way – Go Malware Hunting!

So, you’ve been out of the office for a quick holiday break or vacation. Now you face a mountain of emails and whole ton of back-logged tasks. Trust me, put them aside for one hour.

Instead of smashing through emails and working trouble tickets, spend an hour and take a look around your environment – go hunting – target malware, bots and backdoors. At a macro level, not a micro level. Were there an abnormal number of trouble tickets, outbound connections, AV alerts, IDS and log entries while you were gone? What does egress look like during that period? Were there any abnormal net flows, DNS anomalies or network issues that would indicate scans, probes or tampering on a larger scale?

Spend an hour and look for high level issues before you dig into the micro. Read some logs. See what might be getting lost in your return to work overwhelm. It is not all that uncommon for attackers to use holidays and vacations as windows of opportunity to do their nasty business.

Don’t fall victim to the expected overwhelm. Instead, use it as a lens to look for items or areas that correlate to deeper concerns. You might just find that hour invested to be the one that makes (or breaks) your career in infosec.

Good luck and happy hunting!

PS – Thanks to Lee C. for the quick edits on 7/4/14.