It may sound like something out of a Tom Clancy novel, but the situation is all too real. Russian hackers have targeted United States government agencies as well as companies in the infrastructural space such as those in “the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors,” according to the United States Computer Emergency Readiness Team (CERT).
CERT’s announcement contains comprehensive data on the extent of the attacks which, even more disturbing, were conducted by the Russian government itself rather than mere lone hackers. Most troubling of all is the fact that these activities could have resulted in the Russians deliberately shutting down power plants if they had chosen to do so.
Regardless of whether you work in the affected industries, it’s important to understand the details of the attack and what advice has been provided by CERT to help organizations better secure their perimeters. Yesterday they might have targeted the energy industry, but tomorrow it could be finance, education, healthcare, or other sectors.
Any organization with assets may fall prey to this or other endeavors. It doesn’t necessarily have to be the Russians behind such potential threats; it could be any hackers with similar knowledge as to how these operations work – and the techniques involved are often shared and improved upon around the globe.
What tactics they used
The Russians utilized an array of malicious techniques to successfully compromise their targets, which were chosen deliberately rather than at random:
- Open-source and network reconnaissance to obtain information about the targets
- Targeted phishing emails (spear-phishing) from compromised email accounts intended to obtain account information
- “Watering hole” domains whereby sites accessed by the target were compromised in order to then obtain confidential data when targeted individuals connected to those sites
- Theft of user credentials via exploited network traffic
- Host compromise via exploitation techniques
What you should do to protect your organization
CERT provides a full and comprehensive list of steps you can take, but here is a summary. They advise that organizations should “review the IP addresses, domain names, file hashes, and YARA and Snort signatures [provided in the CERT link] and add the IPs to their watch list [as well as review network perimeter traffic] to determine whether malicious activity is occurring within their organization.” CERT also provides the filenames of applications used by the attackers.
In addition, this information can be searched for in system logs of all kinds (file or web servers, workstations, IDS/IPS devices, firewalls, routers, email systems, etc.) to detect malicious activity.
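As an added example (not CERT's own tooling), the Python below applies an indicator list in the same shape as the alert's (IP addresses, domain names, file hashes, file names) to log lines and to files on disk; every indicator value, file name and log line in it is a constructed placeholder, not a real IoC from the alert.

```python
# Added example (not from the CERT alert): sweep logs and files for its kinds of
# indicators. Every indicator value, file name and log line below is constructed.
import hashlib, re, tempfile
from pathlib import Path

SAMPLE_BYTES = b"constructed sample standing in for a dropped tool"
IOCS = {  # same shape as the alert's list: IPs, domains, hashes, file names
    "ips": {"203.0.113.10", "198.51.100.7"},        # RFC 5737 test ranges
    "domains": {"updates.example.net"},
    "sha256": {hashlib.sha256(SAMPLE_BYTES).hexdigest()},
    "filenames": {"ntdll.dll.bak"},                 # hypothetical file name
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def scan_line(line, iocs=IOCS):
    """Return a set of (kind, value) for every indicator present in one log line."""
    hits = {("ip", v) for v in IP_RE.findall(line) if v in iocs["ips"]}
    hits |= {("domain", v.lower()) for v in DOMAIN_RE.findall(line)
             if v.lower() in iocs["domains"]}
    hits |= {("filename", n) for n in iocs["filenames"] if n in line.lower()}
    return hits

def sweep_logs(lines, iocs=IOCS):
    """Return [(line_no, hits)] for the lines that contain at least one indicator."""
    return [(n, h) for n, l in enumerate(lines, 1) if (h := scan_line(l, iocs))]

def sweep_files(root, iocs=IOCS):
    """Return sorted names of files under root whose SHA-256 or name is an indicator."""
    found = []
    for p in Path(root).rglob("*"):
        if p.is_file() and (hashlib.sha256(p.read_bytes()).hexdigest() in iocs["sha256"]
                            or p.name.lower() in iocs["filenames"]):
            found.append(p.name)
    return sorted(found)

def demo_file_sweep():
    """Write a constructed 'dropped tool' beside benign files and sweep the directory."""
    d = tempfile.mkdtemp()
    Path(d, "svchost.tmp").write_bytes(SAMPLE_BYTES)       # renamed: caught by hash
    Path(d, "ntdll.dll.bak").write_bytes(b"benign bytes")  # caught by name only
    Path(d, "notes.txt").write_bytes(b"nothing to see")
    return sweep_files(d)

SAMPLE_LOGS = [  # constructed firewall, proxy and web-server lines
    "2018-03-15T10:02:11 fw deny src=203.0.113.10 dst=10.0.0.5 dport=445",
    "2018-03-15T10:05:40 proxy GET http://updates.example.net/x.php user=jdoe",
    "2018-03-15T10:06:02 web GET /index.html src=10.0.0.9 status=200",
]
```

Matching on the file's digest rather than its name is what catches a tool that has been renamed, while the name list still catches a known file name whose contents were changed.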
Here are some other suggestions for keeping your company secure:
1. Focus on your accounts
Reduce the number of domain and enterprise administrator accounts. For both administrators and users, you should restrict access rights to the minimum needed to perform work. Administrators should use standard user accounts for regular daily activity (such as email or utilizing Microsoft Office apps).
Utilize a password policy to require complex passwords for all users. If there is a suspected compromise, immediately reset all account passwords.
Two-factor authentication is highly recommended for securing accounts, especially when it comes to external-facing accounts or when working with highly confidential systems/networks.
Validate all new email accounts, particularly those which can be accessed externally. Utilize email scanning with anti-virus protection.
2. Work with your access controls
CERT says you should “Prevent external communication of all versions of SMB and related protocols at the network boundary by blocking TCP ports 139 and 445 with related UDP port 137. See the NCCIC/US-CERT publication on SMB Security Best Practices for more information.”
Configure firewalls to block the web-based distributed authoring and versioning (WebDAV) protocol from coming in or going out of the network.
Separate critical networks or systems on different segments away from day-to-day business systems – especially user workstations. Only permit necessary traffic and block all else.
Utilize application or application directory whitelisting to permit only authorized programs or programs to run only from specific locations. Also consider the implementation of controls which prevent unauthorized code execution.
3. Take control of your logging and alerting
Get staff assigned to comprehensive logging duties which encompass the entire environment. Ensure system logs for critical systems are stored in a centralized location for at least a year.
Monitor for and identify the deletion of log files, unauthorized administrator accounts, unauthorized or unusual internal access, unauthorized applications, downloads from sites without domain names, unusual firewall activity, activities conducted by privileged accounts, access to known bad external systems, and privilege escalations or role changes.
Implement application logging where possible, including PowerShell logging (PowerShell version 5 is required for this feature).
4. Ensure your documentation is top-notch
All networks and systems should be thoroughly documented and kept up to date, as this helps in responding to security incidents. The documentation should include network diagrams, identify assets by type as well as owner. Build an incident response plan and review it regularly.
5. Work the loose ends
Controls are important, but user education can be equally critical. Develop training plans to guide users on proper activities and how to spot threats such as phishing emails. A notification system to alert administrators of suspicious activity is also important.
Finally, review public information on a routine basis to make sure nothing confidential has been inadvertently disclosed.