A week ago, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to all businesses and government entities on the risk of Russian cyberattacks affecting US systems and networks. Rob Lee, CEO of Dragos, indicates that his team has “observed threat groups that have been attributed to the Russian government by US government agencies performing reconnaissance against US industrial infrastructure, including key electric and natural gas sites in recent months.”
Some of Avalon Cyber’s clients have reached out to us asking what’s going on with the Russian cyber threat landscape and what things they should be on the lookout for. I thought it would be important to curate a list of recommendations/suggestions you may want to consider as you continue to monitor your systems and networks for indicators of badness.
- Let’s start with the basics. When was the last time you performed a vulnerability assessment of your systems and networks? Poor patch and configuration management processes are low hanging fruit for adversaries. If you haven’t had one recently, it’s absolutely worth your time to do it again. Focus on remediating the critical and high vulnerabilities with known exploits first and then work your way down from there.
- Are you using multifactor authentication (MFA) on every authentication portal within your enterprise? If not, why not?! This is a fundamental security control that needs to be mandatory and implemented yesterday. Tools like Duo, Microsoft Authenticator, Authy, and Google Authenticator are all great products that are easy to implement. SMS for MFA is not a reliable method for validating authentication attempts.
- These days, having a security awareness program is critical. Make sure your users have been trained in identifying social engineering attacks, such as phishing, spear phishing, etc. Attackers generally target users to gain a foothold into internal domains. Teach users to identify malicious links by hovering over the link in a suspicious email to verify that the site is legitimate.
- Endpoint protection is a must-have, of course. However, the introduction of tools like endpoint detection and response (EDR) will give you enhanced visibility into what’s happening on your endpoints.
- Monitor egress on your firewalls. Looking for outbound established connections over protocols like http(s) and DNS is a great place to start. These protocols are typically used to communicate with command and control (C2) servers. Execution instructions and data exfiltration are commonly used here. Specifically, be on the lookout for anomalous DNS requests that have pseudo-random hexadecimal, binary, or Base64 characters.
- Yes, you will have legitimate business services and applications with established outbound connections. This includes file transfer systems, mail servers, and some web applications. However, the exception to this rule should be a small sample set. If you don’t know what those are today, a network discovery process could be in order.
- Geographical IP blocking is not always the way to go. Nation-states are certainly capable of spoofing your IP address. However, simply putting a block on one country won’t stop the bad guys from infiltrating your networks. Start implementing basic firewall hygiene and treat everything on the internet as hostile and trust what you know.
- Know what normal executables are on your systems. Running applications within your enterprise is an important element to understanding your vulnerability landscape. This can be accomplished through numerous applications and technology processes. Using asset inventory tools, EDR technologies, and vulnerability scanners are great tools to help you determine what is on your systems. If none of these options are available to you, there are open-source tools that should be considered. Valuable details can be obtained from Windows System Resource Utilization Monitor (SRUM) as well. Here are two tools that may be helpful when interacting with Windows SRUM:
- Use AuditD or Sysmon for Linux if you don’t have EDR on your Linux systems. Here is a resource that will help you use Sysmon on Linux systems: https://t.co/wYoxNukrrd
- Dust off that incident response (IR) Do a refresh and make sure your team is prepared to respond quickly. Also, is your insurance company prepared to assist in the event you need support ASAP? What about your digital forensics and incident response (DFIR) vendor or breach coach (outside counsel)? Make sure you have all these folks on speed dial!
- Improve the verbosity of your logs. For instance, by default, certain meaningful events are not tracked through logging. Evaluating best practices to ensure those events are being generated would be a helpful exercise.
- Perform threat hunting using whatever tools you have. Keep a close eye on threat intelligence through open-source forums. Look for behaviors, IPs, hashes, and applications consistent with behaviors identified by other security experts, known as indicators of compromise (IoC).
- If there are budget concerns, the Cybersecurity & Infrastructure Security Agency (CISA) has released a list of free services and tools to help bolster your defense-in-depth posture: https://www.cisa.gov/free-cybersecurity-services-and-tools
If you have any questions, contact the experts at Avalon Cyber. If you need immediate assistance, call our Incident Response line at 1.877.216.2511.