By Greg Johnson, CEO Webcheck Security
Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal
Bureau of Investigation (FBI) posted this notice: US think tank organizations were being
targeted by advanced persistent threat (APT) actors. The resultant list of mitigations, though directly suggested to strengthen the affected orgs’ cyber posture, applies equally to most businesses. The mitigations, or controls as most would call them, are divided into three categories: Leaders, Users/Staff, and IT Staff/Cybersecurity Personnel.
The first mitigation, and in fact the only one suggested for the Leaders category, was
the implementation of a cyber awareness training program. Such a program is critical to stave off the onslaught of vishing and phishing success which fraudsters are perpetrating.
Minutes ago I was on a call with a large organization hit by a fraudster in an email and voice call
scam. The bad actor had gained root access to the unsuspecting user’s machine, spanning a
couple of hours. Finally the user realized he was being taken and notified IT, who immediately
“pulled the plug” by disconnecting from all network sources and initiated a forensic
investigation with our team.
Fortunately, no access to other servers was apparent and very little data of consequence
exfiltrated, but a few minutes more on the network and the results, including ransomware and
other malware introduction, might have been disastrous. The moral here is to take CISA
seriously – implement a training program!
Next, CISA recommends the following six controls which in my mind are foundational and should be had in all organizations:
1) Log off remote connections when not in use.
2) Be vigilant against tailored spearphishing attacks targeting corporate and personal
accounts (including both email and social media accounts).
3) Use different passwords for corporate and personal accounts.
4) Install antivirus software on personal devices to automatically scan and quarantine
5) Employ strong multi-factor authentication for personal accounts, if available.
6) Exercise caution when:
-Opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
-Using removable media (e.g., USB thumb drives, external drives, CDs).
IT Staff/Cybersecurity Personnel
Finally, these controls will help round out a more robust cyber security program, especially if documented into policy and put into practice:
-Segment and segregate networks and functions.
-Change the default username and password of applications and appliances.
-Employ strong multi-factor authentication for corporate accounts.
-Deploy antivirus software on organizational devices to automatically scan and
quarantine suspicious files.
-Apply encryption to data at rest and data in transit.
-Use email security appliances to scan and remove malicious email attachments or links.
-Monitor key internal security tools and identify anomalous behavior. Flag any known
indicators of compromise or threat actor behaviors for immediate response.
-Organizations can implement mitigations of varying complexity and restrictiveness to
reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out
malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on Defending Against
Malicious Cyber Activity Originating from Tor for mitigation options and additional
-Prevent exploitation of known software vulnerabilities by routinely applying software
patches and upgrades. Foreign cyber threat actors continue to exploit publicly
known—and often dated—software vulnerabilities against broad target sets, including
public and private sector organizations. If these vulnerabilities are left unpatched,
exploitation often requires few resources and provides threat actors with easy access to
victim networks. Review CISA and FBI’s Top 10 Routinely Exploited Vulnerabilities and
other CISA alerts that identify vulnerabilities exploited by foreign attackers.
-Implement an antivirus program and a formalized patch management process. Block certain websites and email attachments commonly associated with malware (e.g. .scr, .pif, .cpl, .dll, .exe).
-Block email attachments that cannot be scanned by antivirus software (e.g. .zip files).
-Implement Group Policy Object and firewall rules.
-Implement filters at the email gateway and block suspicious IP addresses at the firewall.
-Routinely audit domain and local accounts as well as their permission levels to look for
situations that could allow an adversary to gain wide access by obtaining credentials of a
-Follow best practices for design and administration of the network to limit privileged
account use across administrative tiers.
-Implement a Domain-Based Message Authentication, Reporting & Conformance
(DMARC) validation system.
-Disable or block unnecessary remote services.
-Limit access to remote services through centrally managed concentrators.
-Deny direct remote access to internal systems or resources by using network proxies,
gateways, and firewalls.
-Limit unnecessary lateral communications.
-Disable file and printer sharing services. If these services are required, use strong
passwords or Active Directory authentication.
-Ensure applications do not store sensitive data or credentials insecurely.
-Enable a firewall on agency workstations, configured to deny unsolicited connection
-Disable unnecessary services on agency workstations and servers.
-Scan for and remove suspicious email attachments; ensure any scanned attachment is
its "true file type" (i.e., the extension matches the file header).
-Monitor users web browsing habits; restrict access to suspicious or risky sites. Contact
law enforcement or CISA immediately regarding any unauthorized network access
Many organizations have the governance and IT support to implement all of the mitigations
listed above, but many don’t. Webcheck Security not only has partnerships with wonderful IT
augmentation groups but can lease a CISO or what is called a Fractional Information Security
Officer (FISO) to guide the prioritization, policy and implementation of the above initiatives. For
more information, please contact Webcheck Security at GetInTouch@webchecksecurity.com