With tensions high because of war in Ukraine, infosec leaders in countries supporting sanctions against Russia are more worried than ever about the possibility of a retaliatory cyber attack.
It’s too late to buy new hardware or software, install end-to-end encryption or start similar large projects. But, say two instructors at the SANS Institute, there are six quick defensive tactics any IT department can use now to lower the odds of a successful nation-state attack.
Mick Douglas and Jon Gorenflo, who both have their own cybersecurity firms, gave that advice this week at a SANS-sponsored webinar.
1. Effective patching
“Patch in the order attackers are likely to take” when they start an attack, said Gorenflo.
That means pay attention first to internet-accessible systems such as network security appliances, web servers, web apps and their host operating systems.
There is no hard rule on which to patch first within a tier. Be pragmatic: a useful guide is each vulnerability’s CVSS score, or the impact that particular vulnerability would have in your environment.
Remember, Gorenflo said, the adversary has already scanned and knows what systems you have.
Patches still have to be tested, Gorenflo and Douglas added, but don’t spend time on perfection. If possible, test a patch on a few off-line systems and if it looks OK, roll it out to a couple of production machines. Then to more production machines.
The second group to be patched are clients: Desktop computers and their applications (Microsoft Office, Adobe PDF products, browsers, mobile apps, host OSes and mobile devices).
Last on the priority list are internal servers and software, including databases servers, applications, file servers and IoT devices.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has a list of 383 vulnerabilities being actively exploited by threat actors. All but one, Douglas pointed out, can be patched now. (The other one is an end-of-life product.)
One tip: Make the effort easier by turning on automatic patching. It’s risky but if your organization has determined it may be in the cross-hairs of a nation-state threat actor, that risk may have to be taken, Douglas said.
Scan for vulnerable systems after a round of patching has been done to see if anything’s been missed. “This is a common mistake I see my clients make,” Douglas said. “They’ll assume they’ve patched everything because they look at their inventory software and see everything is green.”
And it may be – if their inventory of hardware and software is accurate. If there’s an old server/router/application/whatever on the network, attackers will discover and leverage it.
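The ordering described above, as an added example that is not code from the SANS webinar or from CISA. It ranks findings by exposure tier, then by whether the CVE appears in the CISA Known Exploited Vulnerabilities (KEV) catalogue, with CVSS as the tiebreak, and then does the post-patch check: hosts a rescan found that the inventory does not list. The `Finding` layout, host names and the `CVE-0000-*` identifiers are constructed placeholders; only the top-level shape of the KEV document (`{"vulnerabilities": [{"cveID": ...}]}`) matches the real feed.

```python
"""Rank findings in the order an attacker is likely to use them.

Added example, not material from the SANS webinar or from CISA: the tiering
(internet-facing first, clients second, internal last), the check against
the CISA KEV catalogue, the CVSS tiebreak and the rescan after patching are
the article's advice; the Finding layout, host names and CVE placeholders
below are constructed for the example.
"""
from dataclasses import dataclass

# Exposure tiers, in the order the article says an attacker traverses them.
TIER_ORDER = {"internet_facing": 0, "client": 1, "internal": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    tier: str          # key of TIER_ORDER
    cve: str
    cvss: float
    eol: bool = False  # vendor no longer ships patches for this product


def load_kev_ids(kev_json: dict) -> set[str]:
    """Collect CVE IDs from a KEV catalogue document.

    The real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
    has the same top-level shape: {"vulnerabilities": [{"cveID": ...}, ...]}.
    """
    return {v["cveID"] for v in kev_json["vulnerabilities"]}


def priority_key(f: Finding, kev_ids: set[str]) -> tuple:
    """Sort key: attack path first, then 'can it be patched at all', then
    known-exploited before merely severe, then CVSS as the tiebreak."""
    return (TIER_ORDER[f.tier], f.eol, f.cve not in kev_ids, -f.cvss)


def patch_order(findings, kev_ids):
    return sorted(findings, key=lambda f: priority_key(f, kev_ids))


def unknown_hosts(inventory_hosts, rescan_findings):
    """Hosts the post-patch scan saw that the inventory does not list: the
    forgotten server/router the article warns about. 'All green' in the
    inventory tool says nothing about these."""
    return sorted({f.host for f in rescan_findings} - set(inventory_hosts))


# Constructed sample data; CVE-0000-* are placeholders, not real identifiers.
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-0000-0002"}, {"cveID": "CVE-0000-0003"}]}
INVENTORY = ["vpn-gw", "www-01", "laptop-117", "fileserver-01"]
FINDINGS = [
    Finding("fileserver-01", "internal", "CVE-0000-0004", 9.8),
    Finding("laptop-117", "client", "CVE-0000-0003", 7.8),
    Finding("vpn-gw", "internet_facing", "CVE-0000-0001", 7.5),
    Finding("www-01", "internet_facing", "CVE-0000-0002", 6.5),
    Finding("legacy-router", "internet_facing", "CVE-0000-0005", 9.1, eol=True),
]

if __name__ == "__main__":
    for f in patch_order(FINDINGS, load_kev_ids(KEV_SAMPLE)):
        note = "  (EOL: cannot patch, mitigate or retire)" if f.eol else ""
        print(f"{f.host:15} {f.tier:16} {f.cve} cvss={f.cvss}{note}")
    print("found by scan but not in inventory:", unknown_hosts(INVENTORY, FINDINGS))
```

Note that the lower-scored web server outranks the higher-scored VPN gateway because its CVE is in the KEV catalogue, and the end-of-life router sorts to the bottom of its tier: it cannot be patched, so it needs isolation or replacement rather than a place in the patch queue.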
2. Better logging
“Don’t just gather logs for the sake of gathering logs,” said Douglas. Logs need to be tailored. “Use your logs to tell stories.”
A lot of logging has to be done for compliance purposes, he acknowledged. But that doesn’t mean log data has to be kept for long periods of time. Every data logging framework says materially important things need to be logged, he added – for example, business-critical transactions. But DNS logs, which he said age like milk, don’t have to be kept as long.
Don’t be afraid of logging the activity on desktop computers; they don’t generate a lot of data. If tuned right, Douglas said, each can get down to 1 MB of data a day. As for servers, focus on the ones that hold important data. What you want to know are things like who is accessing that data and how are they touching it.
3. Monitor outbound traffic
Attackers need internet connectivity to deliver payloads and send commands, noted Gorenflo. The defender’s goal is to disrupt or prevent that traffic with four tools: firewall rules that deny traffic to IP addresses in certain countries; web content filtering that blocks traffic to known malicious sites (next-generation firewalls and web proxies carry databases of categorized domains for this; you may have to buy or licence a list from a vendor, or use an open-source list); DNS content filtering; and network monitoring to spot odd outbound traffic.
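The four controls above, run as detection logic over a few log lines, as an added example that is not the webinar’s or any vendor’s code. The firewall and DNS log format, the tiny “GeoIP” prefix table, the blocked country, the malicious domain and the expected egress ports are all constructed; in practice the category and malicious-domain lists come from the NGFW or proxy vendor or an open-source feed. The third check, traffic to an address that no DNS answer ever returned, is the kind of “odd outbound traffic” network monitoring is meant to surface.

```python
"""Flag outbound traffic that the four controls in the article would act on.

Added example, not the webinar's or any vendor's code: the log lines, the
'GeoIP' prefix table, the country list and the blocked domain are all
constructed. The prefixes are RFC 5737 documentation ranges and the country
codes are ISO user-assigned placeholders.
"""
import ipaddress
from collections import Counter

GEO_PREFIXES = {"203.0.113.0/24": "XA", "198.51.100.0/24": "XB", "192.0.2.0/24": "XC"}
BLOCKED_COUNTRIES = {"XA"}                          # firewall geo-deny rule
MALICIOUS_DOMAINS = {"update-check.example.net"}    # web/DNS filter list
EXPECTED_PORTS = {80, 443}                          # what this network normally egresses on

# Constructed log excerpts in a simple 'timestamp key=value ...' format.
FIREWALL_LOG = """\
2024-03-01T10:00:01 src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow
2024-03-01T10:00:07 src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2024-03-01T10:00:09 src=10.0.0.9 dst=198.51.100.3 dport=4444 action=allow
2024-03-01T10:01:00 src=10.0.0.9 dst=198.51.100.3 dport=4444 action=allow
"""
DNS_LOG = """\
2024-03-01T09:59:58 client=10.0.0.5 query=www.example.com answer=192.0.2.10
2024-03-01T10:00:05 client=10.0.0.5 query=update-check.example.net answer=203.0.113.7
"""


def parse_kv(line):
    """'ts k=v k=v' -> dict (constructed log format)."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None


def review_outbound(fw_lines, dns_lines):
    """Return (reason, source, target) alerts for one window of logs."""
    alerts = []
    resolved = set()   # IPs handed out by DNS; traffic to any other IP was hard-coded
    for line in dns_lines.splitlines():
        rec = parse_kv(line)
        resolved.add(rec["answer"])
        if rec["query"] in MALICIOUS_DOMAINS:
            alerts.append(("dns_filter", rec["client"], rec["query"]))
    for line in fw_lines.splitlines():
        rec = parse_kv(line)
        dst, port = rec["dst"], int(rec["dport"])
        if country_of(dst) in BLOCKED_COUNTRIES:
            alerts.append(("geo_deny", rec["src"], dst))
        if port not in EXPECTED_PORTS:
            alerts.append(("odd_port", rec["src"], f"{dst}:{port}"))
        if dst not in resolved:
            # No lookup preceded the connection: typical of a hard-coded C2 address.
            alerts.append(("no_dns_lookup", rec["src"], dst))
    return alerts


def alert_counts(fw_lines, dns_lines):
    return Counter(reason for reason, _, _ in review_outbound(fw_lines, dns_lines))


if __name__ == "__main__":
    for reason, src, target in review_outbound(FIREWALL_LOG, DNS_LOG):
        print(f"{reason:14} {src:10} -> {target}")
```

In the sample, the host 10.0.0.5 trips the DNS filter and the geo-deny rule on a single session, while 10.0.0.9 never appears in the DNS log at all and talks to a hard-coded address on an unusual port twice, a minute apart; the second pattern is the one only the network-monitoring control catches.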
4. Find ways to act faster
Business process rules get in the way of rapid containment of an attack. “A lot of organizations have well-meaning but wrong policies,” said Douglas, such as requiring IT, when it sees an attack, to contact the line of business and get approval for an emergency change before it can even request a firewall change to block the attack. What that ends up meaning, he said, is “when every second counts, help is only an hour or so away.”
IT should have written pre-authorization to take systems and networks offline, lock out accounts or force password resets when necessary, he said.
5. Application control/whitelisting
The goal, said Douglas, is to stop unapproved applications from executing. Take advantage of every resource you have, including Endpoint Detection and Response (EDR) products and Managed Detection and Response (MDR) services. Windows System Resource Usage Monitor (SRUM) compiles a rolling list of every application that has run on a system over the last 30 days (a special tool is needed to read its database). Through Active Directory you can then push a group policy that only allows those applications to run.
One tip: Be suspicious of any user looking to see if application control is running in enforcement mode.
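The baseline-then-enforce logic behind the SRUM-to-group-policy step above, as an added example that is not Microsoft’s code or the webinar’s. It builds hash rules from a 30-day execution history for everything outside the directories a path rule can safely cover, then decides later executions in audit or enforcement mode, and includes the tip about users probing whether enforcement is on. The history records, paths and file bytes are constructed (real SRUM rows carry `\Device\HarddiskVolumeN\...` paths and are read out of SRUDB.dat with a dedicated parser), and the list of user-writable subfolders under the protected roots is illustrative; enumerate your own with `icacls` before trusting a path rule.

```python
"""Decide whether an execution is allowed under a baseline built from
observed history, the way the article's 'SRUM list -> group policy' step works.

Added example, not Microsoft's or the webinar's code: the history records,
paths and file bytes are constructed; the writable-subfolder list is
illustrative. Real SRUM rows carry \\Device\\HarddiskVolumeN\\... paths and
are read from SRUDB.dat with a dedicated parser.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ExecEvent:
    path: str      # image that ran
    sha256: str    # hash of the image on disk
    user: str


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Roots that standard users cannot write to, so a path rule is safe there...
PROTECTED_ROOTS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]
# ...except for subfolders that are user-writable. Illustrative list; check
# your own build with icacls before relying on a path rule.
WRITABLE_EXCEPTIONS = [r"C:\Windows\Temp", r"C:\Windows\Tasks"]


def _under(path: str, root: str) -> bool:
    p, r = PureWindowsPath(path), PureWindowsPath(root)   # case-insensitive compare
    return p == r or r in p.parents


def path_rule_allows(path: str) -> bool:
    if any(_under(path, w) for w in WRITABLE_EXCEPTIONS):
        return False
    return any(_under(path, r) for r in PROTECTED_ROOTS)


def build_allowlist(history):
    """Hash rules for everything the 30-day history saw outside the
    protected roots; those are the apps the path rules do not cover."""
    return {e.sha256 for e in history if not path_rule_allows(e.path)}


def decide(event: ExecEvent, allowlist, enforce=True) -> str:
    if path_rule_allows(event.path) or event.sha256 in allowlist:
        return "allow"
    return "deny" if enforce else "audit"   # audit mode only logs


def looks_like_control_recon(cmdline: str) -> bool:
    """The article's tip: a user checking whether enforcement is on.
    Markers are the AppLocker cmdlet and its policy registry key."""
    c = cmdline.lower()
    return "get-applockerpolicy" in c or r"policies\microsoft\windows\srpv2" in c


# Constructed 30-day history and later events.
HISTORY = [
    ExecEvent(r"C:\Windows\System32\svchost.exe", sha256_of(b"svchost build 1"), "SYSTEM"),
    ExecEvent(r"C:\Program Files\Office\EXCEL.EXE", sha256_of(b"excel build 1"), "alice"),
    ExecEvent(r"C:\Users\alice\AppData\Local\Notes\notes.exe", sha256_of(b"notes 1.4"), "alice"),
]
LATER = [
    ExecEvent(r"C:\Users\alice\AppData\Local\Notes\notes.exe", sha256_of(b"notes 1.4"), "alice"),  # allow: known hash
    ExecEvent(r"C:\Users\alice\AppData\Local\Notes\notes.exe", sha256_of(b"notes 1.5"), "alice"),  # deny: updated, re-approve
    ExecEvent(r"C:\Users\bob\Downloads\EXCEL.EXE", sha256_of(b"not excel"), "bob"),                # deny: name spoof
    ExecEvent(r"C:\Windows\Temp\loader.exe", sha256_of(b"dropper"), "bob"),                       # deny: writable dir
    ExecEvent(r"C:\Windows\System32\calc.exe", sha256_of(b"calc"), "bob"),                         # allow: path rule
]


def decisions(history, events, enforce=True):
    allowlist = build_allowlist(history)
    return [decide(e, allowlist, enforce) for e in events]


if __name__ == "__main__":
    for e, d in zip(LATER, decisions(HISTORY, LATER)):
        print(f"{d:5} {e.user:6} {e.path}")
```

Run it first with `enforce=False` and compare the audit decisions against real usage for a while; the second event shows why that matters, since an ordinary application update changes the hash and would be blocked until re-approved.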
6. Create a sustainable workflow
Implementing robust security controls is a marathon, not a sprint. Pace yourself. Many organizations will attempt to suddenly “get serious about security” and try to fix everything all at once. Not only is this disruptive to ongoing activities, it rarely works well. As with any personal fitness program, you tend to get better results by making small impactful changes that result in incremental progress over time.
“A lot of people have a defeatist attitude” about cyber defence, said Douglas, “but you’ve got to change your thinking. If you lower the attacker success rate you’ll get fewer alerts, which means the alerts will be more targeted, which means your responses will be focused responses.”
SANS also offers this Ukraine-Russia cyber resource centre.