Ransomware: the money maker for blackhats

in #ransomware · 7 years ago

This is my first story on Steemit.

Back in 2014 one of our users opened an attachment thinking it was a PDF file. The file had a double extension, so it looked like a real PDF: somehow the blackhats had changed the icon to a PDF icon and put ".pdf" in front of the real extension, for example thefile.pdf.zip. By default Windows hides known file extensions, so the user sees "thefile.pdf" and not the extension that actually gets opened. The malware was quick and deliberate, encrypting all of the user's PC data along with the network drive. It was a long night recovering from backup. After grabbing the email and the malicious file we ran it through a sandbox. With Wireshark (a network analyzer) we saw the file reach out to a server to download the payload and make the PC a bot.
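To make the trick above concrete, here is an added example (my code, not the author's or anything from the incident) that simulates what Explorer shows with "Hide extensions for known file types" turned on and flags attachment names that display as a document but actually open as an executable or archive. The extension sets and the sample filenames are constructed for the example; a real mail gateway would use a fuller, maintained list.

```python
"""Screen attachment filenames for the double-extension trick.

Constructed example: the extension sets below are representative, not the
registry-driven list a real Windows install uses.
"""
from __future__ import annotations

# Extensions that execute code or unpack to something that does.
EXECUTABLE_LIKE = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "ps1", "hta", "lnk", "msi", "jar",
    "zip", "rar", "7z", "iso", "img",  # archives/images used to carry a dropper
}

# Extensions an attacker uses as bait because users trust them.
DOCUMENT_LIKE = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt",
    "jpg", "jpeg", "png", "gif",
}

# Assumption: every extension in the two sets above is registered on the
# victim's PC, so Explorer's default "Hide extensions for known file types"
# setting strips it from the displayed name.
KNOWN_TO_EXPLORER = EXECUTABLE_LIKE | DOCUMENT_LIKE


def real_extension(filename: str) -> str:
    """Return the lower-cased final extension, or '' if there is none."""
    stem, dot, ext = filename.rpartition(".")
    return ext.lower() if dot and stem else ""


def displayed_name(filename: str) -> str:
    """What Explorer shows for this file with known extensions hidden."""
    ext = real_extension(filename)
    if ext in KNOWN_TO_EXPLORER:
        return filename[: -(len(ext) + 1)]
    return filename


def is_disguised(filename: str) -> bool:
    """True when the file opens as code but is displayed as a document.

    'thefile.pdf.zip' -> shown as 'thefile.pdf'  -> flagged
    'report.2014.pdf' -> shown as 'report.2014'  -> not flagged (really a PDF)
    'archive.tar.gz'  -> 'gz' is not executable-like -> not flagged
    """
    actual = real_extension(filename)
    if actual not in EXECUTABLE_LIKE:
        return False
    bait = real_extension(displayed_name(filename))
    return bait in DOCUMENT_LIKE


def screen_attachments(filenames: list[str]) -> list[tuple[str, str, str]]:
    """Return (sent name, name the user sees, verdict) per attachment."""
    return [
        (name, displayed_name(name), "BLOCK" if is_disguised(name) else "allow")
        for name in filenames
    ]


# Constructed sample attachment names, not taken from the incident.
SAMPLE_ATTACHMENTS = [
    "thefile.pdf.zip",
    "Invoice_2014.PDF.exe",
    "report.2014.pdf",
    "archive.tar.gz",
    "setup.exe",
    "photo.jpg.js",
]

if __name__ == "__main__":
    for name, shown, verdict in screen_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict:5}  sent as {name!r:24}  user sees {shown!r}")
```

This only inspects names: a plain `setup.exe` passes here because the user does see its real extension, so in practice this check sits beside an outright block of executable attachments rather than replacing it.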

Lesson learned. We talked to Websense (our web filtering service) to see how this could have happened, and they found there is a category to block newly registered websites. We later also implemented DNS filtering using OpenDNS, which is free for home use and has since been acquired by Cisco. We added another layer of email security using AppRiver, which receives all email before it hits our on-premises email server. The more security layers the better, but the weakest link is the end user, so this incident prompted end-user training on what to look for in malicious or phishing emails. Since 2014 we have been seeing a lot of ransomware emails trying to get in. The old style of routing traffic straight to the production network servers is a thing of the past; it should go through an IPS (Intrusion Prevention System) before it hits the production network. Last but not least is versioning on the file servers, which is best practice: the server keeps multiple versions of each file, so a clean copy from before the encryption can be restored.

With all this happening, I knew that blackhats were making money hand over fist, because hardware is easy to replace but data is not. So when this happened I bought some bitcoins in case we get hit in the future. We didn't pay the ransom.

Currently I am redesigning the network and systems.
Auto-sandboxing is a must these days, so we dropped Websense in 2016 and went with Zscaler as we are in the process of moving to Office 365. Every network segment (workstations, departments, printers, guest, servers) will go through a firewall with IPS enabled. I am going to drop the old SonicWALL firewalls for Palo Altos. They are expensive, but I have noticed that one of the smaller branches where I deployed Palo Alto firewalls had a major decrease in viruses coming in. I also deployed several Meraki MR72 access points for WIPS (Wireless Intrusion Prevention System) to see what is in the air.