With the war happening not far from us, many organizations in Europe have gone on high alert. As the world responds to the Russian invasion of Ukraine with economic sanctions, organizations all around the world are bracing for retaliatory cyberattacks.
The threat landscape for an organization is always changing. Threats to an organization depend on multiple factors such as business strategies, changes in socio-economic policies, elections, adversary capabilities, the release of a zero-day, or a war situation, to name a few. It’s always about risk management in a given situation.
If you carefully study the history of attacks, you will see that the majority of attacks take advantage of known vulnerabilities, misconfigurations or simply compromised passwords. Therefore, working on such known techniques will already help the organization reduce the risk of a potential cyber-attack significantly. This is not the time to write down a five-year cyber security improvement plan, but to work on smarter solutions that reduce your attack surface.
The actions mentioned here will definitely help organizations improve their cyber security posture in general. Some of them should even be part of an organization’s day-to-day security hygiene. However, given the heightened threats, these actions should be prioritized. Prioritizing them will better prepare you to protect yourself from a potential cyber-attack and/or respond to it.
Working towards such an ambitious goal will not be possible without proper buy-in from the leadership team. Therefore, this is the time to ensure that you have their blessing, and that proper awareness and alignment are created so that they can support you accordingly.
1. Patch Patch Patch
Although this might sound basic, it is often crucial. Ensure that you are patched. This includes not only the OS but also third-party applications such as browsers, databases, firmware etc. One can start with internet-facing devices, followed by the organization’s crown jewels.
2. Access management
Ensure that passwords are complex. If they have not been changed in a long time, change them to strong passwords. This applies to employees, systems, privileged accounts etc. Furthermore, implement MFA if it is not already in place.
3. Protection against Denial-of-Service attacks
One of the effective weapons used by adversaries is the Denial of Service (DoS) attack. Therefore, obtaining protection against it will help.
4. Configuration & Log Management
Ensure that critical network components and security applications such as firewalls, network devices, domain controllers and AVs are configured with the right and secure settings. Furthermore, ensure that proper and auditable logging is available, and review the retention times.
AD holds the keys to the kingdom and hence is critical to support; it should be treated as one of the Crown Jewels of the organization. Contact us to perform an AD scan, which will provide you with a list of misconfigurations and advice on how to improve them.
5. Review Back-ups
Ensure that back-ups are implemented and working. Test the back-up and restore process.
Most importantly, ensure that offline back-ups are available and usable. Back-ups of important (Crown Jewel) systems should be verified. You can always make use of sampling mechanisms to ensure completeness.
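The sampling approach above can be turned into a repeatable check. The script below is an added example, not code from the original post: it assumes the source data and the restored copy are both available as directories, draws a seeded random sample of files, and compares SHA-256 hashes so that a restore that is silently incomplete or corrupted is caught rather than assumed good. The `build_demo` helper creates constructed sample data (one corrupted file, one missing file) so the script runs offline.

```python
"""Added example: spot-check a restored backup against its source by sampling.

Assumptions (not from the article): both the source tree and the restored tree
are mounted as local directories; the sample is drawn with a fixed seed so the
same files are re-checked on a re-run.
"""
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(source: Path, restored: Path, sample_size: int, seed: int = 0) -> dict:
    """Compare a random sample of source files with their restored copies.

    Returns {'checked': [...], 'missing': [...], 'mismatched': [...]} using
    POSIX-style relative paths. A clean restore has empty 'missing' and
    'mismatched' lists.
    """
    files = sorted(p.relative_to(source) for p in source.rglob("*") if p.is_file())
    rng = random.Random(seed)
    sample = rng.sample(files, min(sample_size, len(files)))
    report = {"checked": [], "missing": [], "mismatched": []}
    for rel in sample:
        target = restored / rel
        report["checked"].append(rel.as_posix())
        if not target.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256_of(source / rel) != sha256_of(target):
            report["mismatched"].append(rel.as_posix())
    return report


def build_demo() -> tuple:
    """Constructed sample data: ten small files, restored with one corrupted
    (file3) and one missing (file7). Returns (source_dir, restored_dir)."""
    root = Path(tempfile.mkdtemp(prefix="bak-demo-"))
    src, dst = root / "source", root / "restored"
    for base in (src, dst):
        (base / "data").mkdir(parents=True, exist_ok=True)
        for i in range(10):
            (base / "data" / f"file{i}.txt").write_text(f"record {i}\n")
    (dst / "data" / "file3.txt").write_text("corrupted\n")   # silent corruption
    (dst / "data" / "file7.txt").unlink()                     # incomplete restore
    return src, dst


if __name__ == "__main__":
    src, dst = build_demo()
    report = verify_restore(src, dst, sample_size=5)
    print(f"checked {len(report['checked'])} files")
    print("missing:", report["missing"])
    print("mismatched:", report["mismatched"])
```

In practice the sample size is a trade-off between restore time and confidence; for Crown Jewel systems a full comparison (sample size equal to the file count) is worth the time, while a seeded sample is enough for routine checks.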
6. Check your internet presence
Review your organization’s internet presence. This way you understand your attack surface and are prepared to protect it. This includes externally facing IP addresses, domain registrations, mail servers etc. Perform an external vulnerability scan to detect vulnerabilities. The point is to close down the paths adversaries could use to enter your environment or compromise your data on the internet.
7. Phishing response
Ensure that your employees know how to report phishing emails. Ensure that you have a process in place to review reported phishing emails effectively.
8. Security awareness
This is one of the important aspects of cyber security that is often undervalued. It’s important to create appropriate awareness among the different layers within your organization. In a heightened situation, find a way to talk to your employees by sharing newsletters or inviting them to virtual meetings. Give them insight into what is happening, reiterate that everyone has a role to play in protecting themselves and the organization, and explain how they can help.
9. Third party security & supply chain attacks
Review third-party access to your organization. Review third-party connections and remove those that are no longer required or that cannot be certified at short notice. Please note that during a high alert it’s a good idea to close down uncertified connections, accepting a possible business process disruption that can be restored, rather than getting compromised.
Furthermore, attackers are increasingly making use of supply chain attacks. Therefore, ensure that your repositories are being scanned and are updated only from a certified/known source. If you do not have monitoring and scanning controls implemented, now is the time to start investigating.
10. Incident response and disaster recovery
We all hope that it never comes to this. However, in case of an incident, one should be prepared to contain the damage. Therefore, it is important to ensure that proper response plans are available, and that roles and responsibilities are clearly identified and communicated.
Finally, here is the BONUS tip: step up your threat hunting capabilities. Threat hunting can mean a lot of things depending on who you ask. But in simple words, it’s a continuous process of searching through an organization’s environment for signs of compromise.
You may or may not have a process to perform threat hunting, the team to perform such activities, or the tools to execute a proper hunt. Nevertheless, during a high alert, a hunting process can be established by smartly using the available resources. All you need is the right knowledge and a unified approach; you can then establish hybrid, multidisciplinary teams to perform the required hunting, or simply perform good old monitoring activities against indicators of compromise.
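The "good old monitoring against indicators of compromise" mentioned above can be started with very little tooling. The script below is an added example, not code from the original post: it assumes a small IoC list (IP addresses, domains and SHA-256 hashes, all constructed placeholders here) and sweeps syslog-style log lines for any of them, returning each hit with the line it came from. A real hunt would load the IoC set from a threat intelligence feed and read logs from a SIEM export, but the matching logic is the same.

```python
"""Added example: sweep log lines for known indicators of compromise (IoCs).

Assumptions (not from the article): the IoC set and the log lines below are
constructed sample data; the only IoC types handled are IPv4 addresses,
domain names and SHA-256 hashes.
"""
import re
from dataclasses import dataclass

# Constructed IoC set. 203.0.113.0/24 is a documentation range and the hash is a
# placeholder; neither refers to a real adversary.
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "sha256": {"a" * 64},
}

# Constructed syslog-style lines; three of them carry an IoC, one is benign.
LOGS = [
    "Mar 01 10:02:11 fw01 conn: src=10.0.0.15 dst=203.0.113.45 dport=443 action=allow",
    "Mar 01 10:02:13 dns01 query: client=10.0.0.15 name=update-check.example.net type=A",
    "Mar 01 10:03:40 edr03 file: host=ws-221 path=C:\\Temp\\svc.exe sha256=" + "a" * 64,
    "Mar 01 10:05:02 fw01 conn: src=10.0.0.22 dst=198.51.100.7 dport=80 action=allow",
]


@dataclass
class Hit:
    line_no: int   # 1-based position in the input
    kind: str      # "ip", "domain" or "sha256"
    value: str     # the matched indicator, lower-cased
    line: str      # the full log line, kept for the analyst


# Extractors for each indicator type; values are looked up in the IoC set,
# so a regex match alone is never a hit.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
EXTRACTORS = (("ip", IP_RE), ("domain", DOMAIN_RE), ("sha256", SHA256_RE))


def hunt(lines, iocs=IOCS):
    """Return a Hit for every IoC occurrence in the given log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, rx in EXTRACTORS:
            for value in rx.findall(line):
                if value.lower() in iocs[kind]:
                    hits.append(Hit(n, kind, value.lower(), line))
    return hits


def summarize(hits):
    """Count hits per indicator type, e.g. {'ip': 1, 'domain': 1, 'sha256': 1}."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for h in hunt(LOGS):
        print(f"line {h.line_no}: {h.kind} {h.value}")
        print(f"    {h.line}")
    print(summarize(hunt(LOGS)))
```

Two design points worth keeping in a real deployment: indicators are normalized (lower-cased) before lookup so case differences in logs don't hide a match, and every hit carries the original line so the analyst can pivot from the indicator straight to the surrounding context without re-querying the log store.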
If you need help with any of the topics described above, or specifically to perform a vulnerability scan or penetration test, establish a vulnerability management process, or perform a quick scan of your internet presence or an AD security scan, please feel free to contact us at Sukalp.Bhople@Cyber-Resolve.com.