A Cyber-Readiness Checklist and Guide
With Russian military operations currently underway in Ukraine, the question of whether cyber warfare will also be employed remains unanswered. While we have seen cases of destructive cyber actions focused on Ukraine, at this point attribution is not possible.
As a result of these actions, there is a heightened sense of concern being felt by many organizations. Our focus here is to protect organizations by helping them prepare for potential cyberattacks. For that, we have put together this cyber readiness checklist. While many of these suggestions are standard cyber hygiene protocols and best practices, being reminded of doing the basics never hurts, especially when there are so many other concerns. In the same way that hand washing helps in our fight against COVID-19, simple actions can also go a long way towards fighting against cyberthreats.
Cyber-Readiness Checklist – Summary
- Patching: Ensure that all systems are fully patched and updated
- Protection Databases: Make sure your security tools have the latest databases
- Backup: Create or update offline backups for all critical systems
- Phishing: Conduct phishing awareness training and drills
- Hunt: Proactively hunt for attackers in your network using the known TTPs of Russian threat actors
- Emulate: Test your defenses to ensure they can detect the known TTPs of Russian threat actors
- Response: Test your incident response against fictitious, real-world scenarios
- Stay up to Date: Subscribe to threat intelligence feeds like Fortinet Threat Signals
Cyber-Readiness Guide – Detailed Actions
Threat actors often target unpatched vulnerabilities in a victim’s network. As a result, the first line of defense should always be patch management and running fully patched systems. For organizations interested in focusing on specific vulnerabilities, CISA maintains a list of specific CVEs used in the past by Russian threat actors. But the better approach is to simply focus on being up to date all the time. This is also true for air-gapped environments, and now is a good time to ensure that these systems have been patched as well. And remember, patching is important not only for workstations and servers but also for security and networking products.
2. Leverage Protection Databases
FortiGuard Labs continuously creates new detection rules, signatures, and behavioral models for threats that are discovered in our extensive threat intelligence framework. These are quickly propagated to all Fortinet products. Make sure that all protection databases are updated regularly.
3. Backup Critical Systems
Many attacks come in the form of ransomware or wiper malware. The best defense against the destruction of data by such malware is to keep up-to-date backups. It is equally important that these backups are kept offline since malware often tries to find backup servers to destroy backups as well. The current crisis is a good opportunity to check whether backups really exist (not just on paper) and run recovery exercises with the IT team.
Phishing attacks are still the most common entry points for attackers. Now is a good time to run a phishing awareness campaign to heighten the awareness of everybody at your organization and to ensure they know how to recognize and report malicious emails.
The sad truth is that if your organization plays any sort of role in this conflict, then adversaries may already be in your network. Running threat hunting engagements can be vital in detecting adversaries before they install spyware or cause serious destruction. For threat hunting, you can use the known Tactics, Techniques, and Procedures (TTPs) below.
The TTPs listed below can be also used to evaluate whether your security infrastructure is able to detect them. Running emulation exercises can uncover configuration problems and blind spots that attackers might leverage to move around in your network undetected.
A quick and organized incident response will be crucial when a compromise is discovered. Now is a good opportunity to review procedures for responding to an incident, including disaster recovery and business continuity strategies. If you have your own incident response team, you can run tabletop exercises or fictitious scenarios to ensure everything will run smoothly should a compromise occur.
8. Stay up to Date
It is crucial that the actions listed here are not performed just once. Staying up to date and patched, monitoring vulnerabilities, and maintaining threat awareness are actions that must be performed continuously. One way to learn about the newest threats as they are discovered is to follow the FortiGuard Threat Signals.
Cybersecurity readiness Tactics, Techniques, and Procedures
For hunting for adversaries in your networks CISA recommends the following TTPs:
|Reconnaissance [TA0043]||Active Scanning: Vulnerability Scanning [T1595.002]|
|Russian state-sponsored APT (Advanced Persistent Threat) actors have performed large-scale scans to find vulnerable servers.|
|Phishing for Information [T1598]||Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks.|
|Resource Development [TA0042]||Develop Capabilities: Malware [T1587.001]||Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware.|
|Initial Access [TA0001]||Exploit Public Facing Applications [T1190]||Russian state-sponsored APT actors target publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks.|
|Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]||Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion.|
|Execution [TA0002]||Command and Scripting Interpreter: PowerShell [T1059.003] and Windows Command Shell [T1059.003]||Russian state-sponsored APT actors have used cmd.exe to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.|
|Persistence [TA0003]||Valid Accounts [T1078]||Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks.|
|Credential Access [TA0006]||Brute Force: Password Guessing [T1110.001] and Password Spraying [T1110.003]||Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns.|
|OS Credential Dumping: NTDS [T1003.003]||Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit.|
|Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003]||Russian state-sponsored APT actors have performed “Kerberoasting,” whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking.|
|Credentials from Password Stores [T1555]||Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords.|
|Exploitation for Credential Access [T1212]||Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability CVE-2020-1472 to obtain access to Windows Active Directory servers.|
|Unsecured Credentials: Private Keys [T1552.004]||Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML (Security Assertion Markup Language) signing certificates.|
|Command and Control [TA0011]||Proxy: Multi-hop Proxy [T1090.003]||Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.|