Based on my experience with ransom attacks, I came up with an idea I thought I'd share. The concept is to implement a sort of "scoped" lockdown of all connected switches via a password-protected, single-switch command that propagates throughout a predefined defined domain and/or scope. Basically, you define which ports would be locked down when this command is issued and it sends encrypted messages to all other switches to perform the same task. It's essentially a means of pulling the plug to prevent lateral movement without actually pulling the plug (and losing forensic details, etc.).
The lockdown command would tell each switch to admin disable the ports in scope (conf lockdown scope userports add port 1:5-25 for example). If you ran a lockdown (lockdown scope userports), all switches with matching, defined scopes, sharing a common key, would disable those ports. You could build "domains" as boundaries to the scopes as an added option. This might be something like "lockdown domain campuswide scope userports".
The lockdown would trigger an immediate copy of the current logs to a backup file on all impacted devices, storing with it current ARP/FDB info and anything else useful from a forensics standpoint. You could exclude uplinks and a single management port from the scope(s), allowing for isolated access from a single trusted device or subnet. The goal would be to drop all of the known PC-related connections, preserve the current state of the network, and provide access to forensic teams. I realize you could likely do this via the management ports as well but many don't have the same levels of connectivity between OOB mgmt interfaces and this method would allow you to exclude uplinks and other objects that keep the pipes intact, but drop the more likely and susceptible end-station ports.
Engineers could then selectively bring devices, networks and other objects back online as they're identified as clean. In theory, the scopes could include any type of object, like a vlan or an interface, LAGs, etc. I figured something could be written via scripts to possibly do this, but it seemed like it would be less secure. Eventually, this could be extended through APIs to allow EDR/MDR tools to externally trigger a scope lockdown in the most critical scenarios. Anyway, I thought I'd drop this here to see if anyone wanted to brainstorm the idea (or tell me it's a bad idea). Thoughts?
