As a result of international tensions that have arisen surrounding the Russia/Ukraine conflict, the Cybersecurity and Infrastructure Security Agency (CISA) has released the Shields Up Advisory, recommending that organizations of all sizes be on heightened alert.
What exactly does this mean? What actions should we take? Where do we start? After reading the numerous advisory notices posted over the past couple of weeks, getting started down a path towards actually applying this information to your environment can feel a bit overwhelming. And taking that first step, if you don’t exactly know what the road looks like, can be stressful.
Not to worry – we can call upon one of our favorite industry terms: Actionable Intelligence.
We need to take the general advice being given and expand on it, so we can do something with it. The best place to begin when interpreting the CISA advisory (and, indeed, most other general security advisories) is to start with the basics and build a plan of action from there. Once we break the environment down into broad categories, and then break those categories down into smaller areas of focus, we’ll have the framework we need to build an action plan.
Below is high-level guidance on areas to consider, as you review the advisory and your overall security posture. This is not an exhaustive list, but it calls out critical areas we feel organizations should be focused on:
Incident Response Handling
Develop an Incident Response Plan
When creating and maintaining an Incident Response plan, include your security and IT teams as well as senior business leadership to ensure familiarity with how your organization will manage a major incident. Both NIST and SANS have standardized frameworks for the Incident Response Handling workflow, which is summarized in the steps below with some high-level examples:
- Preparation
- Assemble teams, analyze risk, categorize assets, implement controls, adopt lessons learned, develop a communications plan
- Identification (Detection & Analysis)
- View and analyze anomaly logs, track down sources, identify breach ingress/egress points, implement a communications plan
- Containment
- Implement DEFCON segmentation controls, quarantine the impacted endpoints and infrastructure
- Eradication
- Remove malicious data, block identified source entry/exit points
- Recovery
- Verify backups, assess recovery time, assess impact and damage, restore systems from backup
- Lessons Learned
- Produce RCA, analyze and improve security controls, assess the efficacy of IRH procedures and compile new lessons learned, implement a communications plan
Incident Response Handling References:
Having an action plan in place will reduce your need to pivot during times of crisis, ensure your strategy is aligned to the highest cybersecurity standards, and significantly improve the availability and integrity of your data and services.
Incident response handling is a time-consuming process, requiring detailed operational analysis, full-time staff, and ongoing adjustments. Leveraging a Managed Detection and Response solution may be considered to reduce operational overhead and accelerate response times. You can also check out the free Aqueduct Ransomware Playbook (2022 edition coming soon) for more information on what to do before, during, and after a cybersecurity incident.
Authentication and Identity Management
- Leverage MFA across the board
- Multi-factor Authentication mechanisms should be in place for all services possible: Remote VPN, SaaS applications, RDP/VDI, device administration, etc.
- Audit AD accounts and MFA policies
- Ensure that terminated employee accounts are disabled, password change and complexity requirements are enforced, and Logon restrictions are enabled where applicable
- Ensure that MFA access from restricted Geographies is blocked and leverage source IP address and device version restrictions when possible
- Audit cloud service provider Identity and Access Management (IAM) ruleset
- Applications and services deployed within cloud Services Provider (CSP) platforms, particularly IaaS platforms such as AWS/Azure/GCP/OCI, should be audited to ensure Principle of Least Privilege is being enforced for platform users
- Use of a Cloud Access Security Broker (CASB) solution should be considered to provide visibility and control over cloud data movement
- Implement network segmentation and containment controls with Cisco ISE
- Implementing network segmentation controls allows ZTA to be enforced as well as security system interoperability to provide rapid threat containment features and DEFCON network service lockdown permissions in the event of a breach or other security incident
Network and Infrastructure Security Controls
- Audit firewall ruleset
- Firewall rules which are not in use should be disabled and removed from the ruleset to reduce processing overhead and analysis time during incident response
- Firewall rules should always follow the Principle of Least Privilege (Principle of Least Privilege) and allow only the required networks, ports, and protocols for applications to function
- Align firewall ruleset with Next-Generation Firewall (NGFW) architecture
- Firewall rules based on “5-tuple” (src/dst IP, port, and protocol) filtering should be rewritten, whenever possible, to use application-based filtering
- NGFW technologies like IPS/IDS, File Scanning, and cloud-based malware analysis should be leveraged for all traffic flows whenever possible
- Leverage firewall rulesets based on contextual user and endpoint identity information whenever possible
- Align VPN topologies to modern cryptographic standards
- Depreciated encryption and integrity algorithms like 3DES, MD5, SHA1, DH group 2/5, etc. should be avoided
- Excessive key lifetimes should be avoided
- Wildcard certificate use should be minimized
- Use of TLS1.0/1.1 should be minimized and avoided where possible
- Additional information can be found in the following NIST VPN Publications:
- Audit cloud workflows
- Network traffic flowing inside of and between CSP environments is often omitted from standard SIEM and Netflow reporting – flow monitoring and logging should be enabled whenever possible
- Traffic should be inspected with network and/or edge security solutions to provide visibility (NGFW/Network-as-a-Sensor/distributed IPS)
- Leverage SIEM and Netflow logging and traffic monitoring
- Access Control Entries and other firewall ruleset logs should point to a SIEM solution
- Netflow/sFlow/etc. should be enabled on routed services infrastructure whenever possible to provide insight into traffic flows, application usage, and user activity
- Infrastructure should be configured for alerting to syslog/SIEM systems as well as SMTP when appropriate to ensure administrators are notified of anomalous network activity in a timely manner
- Block browser-based encrypted DNS services
- QUIC/DoH should be blocked by the edge firewalls to force the use of the corporate DNS solution
- Leverage SaaS tenant controls
- Cisco Umbrella provides the ability to limit the use of non-corporate SaaS solutions like Google cloud, MS365, etc, so only corporate-owned SaaS tenants are able to be used by corporate systems, reducing the risk of data exfiltration
- Maintain up-to-date software versions across the organization
- On infrastructure as well as endpoints, software should always be updated to the latest patch to resolve security vulnerabilities
- Conduct regular penetration testing
- Regular 3rd party penetration testing should be performed, and considered for a higher frequency during heightened security states such as current events dictate
- Internal and external penetration testing should be performed to all critical systems and edge infrastructure, both on-premises and in cloud-hosted IaaS/PaaS provider environments
- Conduct regular DR testing
- Regular DR testing should be performed, including restoration of backups
- Conduct regular backups and ensure tiered 3-2-1 backup hierarchy:
- 3 copies of the data (production data and two backups)
- 2 different formats (one on backup SAN and one on archive disk, for example)
- 1 copy stored offsite and offline
- Online replication/backup of data to a CSP environment or using online file storage services does not satisfy this requirement!
Endpoint Protection and Content Filtering
- Audit Antivirus/Antimalware solution
- Ensure that endpoints are onboarded into the correct level of protection
- Ensure that endpoints have up to date versions and definitions
- Ensure that quarantine/containment/triage groups exist to quickly contain impacted endpoints and test this functionality regularly
- Block traffic to/from high-threat geographies
- Block traffic at all layers available – NGFW, DNS protection, Antimalware, etc. – to and from countries and regions you have no business presence in
- Block proxy and anonymizer services
- Disallow the user of personal VPNs, TOR, and similar services which may allow attackers to tunnel traffic through the security infrastructure
- Leverage URL and content filtering
- Block access to known-bad domains and suspicious/unnecessary web applications
- Leverage endpoint disk encryption
- Endpoint disks should be encrypted whenever possible leveraging tools such as BitLocker, FileVault, etc., with encryption keying material stored in TPM
- Leverage email encryption and security
- Email encryption, scanning, and phishing/spam protection services can help protect users from malicious inbound messages as well as data exfiltration
- Perform routine end-user educational training
- Regularly educate users on security-conscious email, web, and application habits and access methods
While not an exhaustive list, working through many of the items noted here and continuing to apply the same logic to other areas in your environment will help ensure you are on the right path.
Cybersecurity is a journey, an ever-evolving strategy that must dynamically adapt to the changing landscape to remain effective. With the right approach, you can ensure your environment’s security is held to a high standard at all times, not just in times of crisis, helping you to remain ahead of the curve and focused on what’s next.