By Greg Johnson, CEO Webcheck Security

Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal

Bureau of Investigation (FBI) posted this notice: US think tank organizations were being

targeted by advanced persistent threat (APT) actors. The resultant list of mitigations, though directly suggested to strengthen the affected orgs’ cyber posture, applies equally to most businesses. The mitigations, or controls as most would call them, are divided into three categories: Leaders, Users/Staff, and IT Staff/Cybersecurity Personnel.

Leaders

The first mitigation, and in fact the only one suggested for the Leaders category, was

the implementation of a cyber awareness training program. Such a program is critical to stave off the onslaught of vishing and phishing success which fraudsters are perpetrating.

Minutes ago I was on a call with a large organization hit by a fraudster in an email and voice call

scam. The bad actor had gained root access to the unsuspecting user’s machine, spanning a

couple of hours. Finally the user realized he was being taken and notified IT, who immediately

“pulled the plug” by disconnecting from all network sources and initiated a forensic

investigation with our team.

Fortunately, no access to other servers was apparent and very little data of consequence

exfiltrated, but a few minutes more on the network and the results, including ransomware and

other malware introduction, might have been disastrous. The moral here is to take CISA

seriously – implement a training program!

Users/Staff

Next, CISA recommends the following six controls which in my mind are foundational and should be had in all organizations:

1) Log off remote connections when not in use.

2) Be vigilant against tailored spearphishing attacks targeting corporate and personal

accounts (including both email and social media accounts).

3) Use different passwords for corporate and personal accounts.

4) Install antivirus software on personal devices to automatically scan and quarantine

suspicious files.

5) Employ strong multi-factor authentication for personal accounts, if available.

6) Exercise caution when: 

-Opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.

-Using removable media (e.g., USB thumb drives, external drives, CDs).

IT Staff/Cybersecurity Personnel

Finally, these controls will help round out a more robust cyber security program, especially if documented into policy and put into practice:

-Segment and segregate networks and functions.

-Change the default username and password of applications and appliances.

-Employ strong multi-factor authentication for corporate accounts.

-Deploy antivirus software on organizational devices to automatically scan and

quarantine suspicious files.

-Apply encryption to data at rest and data in transit.

-Use email security appliances to scan and remove malicious email attachments or links.

-Monitor key internal security tools and identify anomalous behavior. Flag any known

indicators of compromise or threat actor behaviors for immediate response.

-Organizations can implement mitigations of varying complexity and restrictiveness to

reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out

malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on Defending Against

Malicious Cyber Activity Originating from Tor for mitigation options and additional

information.

-Prevent exploitation of known software vulnerabilities by routinely applying software

patches and upgrades. Foreign cyber threat actors continue to exploit publicly

known—and often dated—software vulnerabilities against broad target sets, including

public and private sector organizations. If these vulnerabilities are left unpatched,

exploitation often requires few resources and provides threat actors with easy access to

victim networks. Review CISA and FBI’s Top 10 Routinely Exploited Vulnerabilities and

other CISA alerts that identify vulnerabilities exploited by foreign attackers.

-Implement an antivirus program and a formalized patch management process. Block certain websites and email attachments commonly associated with malware (e.g. .scr, .pif, .cpl, .dll, .exe).

-Block email attachments that cannot be scanned by antivirus software (e.g. .zip files).

-Implement Group Policy Object and firewall rules.

-Implement filters at the email gateway and block suspicious IP addresses at the firewall.

-Routinely audit domain and local accounts as well as their permission levels to look for

situations that could allow an adversary to gain wide access by obtaining credentials of a

privileged account.

-Follow best practices for design and administration of the network to limit privileged

account use across administrative tiers.

-Implement a Domain-Based Message Authentication, Reporting & Conformance

(DMARC) validation system.

-Disable or block unnecessary remote services.

-Limit access to remote services through centrally managed concentrators.

-Deny direct remote access to internal systems or resources by using network proxies,

gateways, and firewalls.

-Limit unnecessary lateral communications.

-Disable file and printer sharing services. If these services are required, use strong

passwords or Active Directory authentication.

-Ensure applications do not store sensitive data or credentials insecurely.

-Enable a firewall on agency workstations, configured to deny unsolicited connection

requests.

-Disable unnecessary services on agency workstations and servers.

-Scan for and remove suspicious email attachments; ensure any scanned attachment is

its "true file type" (i.e., the extension matches the file header).

-Monitor users web browsing habits; restrict access to suspicious or risky sites. Contact

law enforcement or CISA immediately regarding any unauthorized network access

identified.

Many organizations have the governance and IT support to implement all of the mitigations

listed above, but many don’t. Webcheck Security not only has partnerships with wonderful IT

augmentation groups but can lease a CISO or what is called a Fractional Information Security

Officer (FISO) to guide the prioritization, policy and implementation of the above initiatives. For

more information, please contact Webcheck Security at GetInTouch@webchecksecurity.com