Cyber Security Recommendations from FBI, NSA, and CISA

Cyber Security Recommendations from FBI, NSA, and CISA

Actions to Help Protect Against Malicious Cyber Activity

NSA-CISA-Logos-Blog.jpg

On February 16, 2022 the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) put out an advisory titled "Russion State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology".

cyber-2.png

The article details state-sponsored threat actors targeting large and small U.S. cleared defense contractors (CDCs), whom collectively support DoD and Intelligence Community contracts. While those of us in the private sector may not be immediate or direct targets of state-sponsored cyber actors, the recommendations and conclusions included in the document are solid advice, and include many areas that other organizations should consider.

The advisory details the following mitigating actions and controls:

Detection:

  • Detect Unusual Activity
    • Implement robust log collection and retention
  • Look for Evidence of Known Tactics, Techniques, and Procedures (TTPs)
    • Look for behavioral evidence or network and host-based artifacts
    • Review logs for "impossible logins"
    • Look for one IP used for multiple accounts
    • Pay attention to possible logins from IPs with significant geographic distance
    • Evaluate processes and program execution command-line arguments that could be indicative of credential dumping (especially related to the ntds.dit file from a domain controller)
    • Identify suspicious privilege account use
    • Review logs for unusual activity, especially in dormant accoutns
    • Review of unusual agent strings

Incident Response and Remediation

  • Organizations with evidence of compromise should assume full identity compromise and initiate a full reset:
    • Reset passwords for all local accounts
    • Reset all domain user, admin, and service account passwords

Mitigations

  • Implement Credential Hardening

    • Enable Multifactor Authentication (MFA)
  • Enforce Strong, Unique Passwords

    • Require accounts to have strong, unique passwords
    • Enable password management functions
  • Introduce Account Lockout and Time-Based Access Features

    • Implement time-out and lock-out features
    • Configure time-based access for accounts set at the admin level or higher
  • Reduce Credential Exposure

    • Use virtualization solutions on modern hardware and software
  • Establish Centralized Log Management

    • Create a centralized log management system
    • Enable audit logging across platforms
    • Correle]ate logs, from network and host security devices
  • Additional logging considerations

    • Ensure PowerShell logging is turn on, including for module, script block, and transcription
    • Update PowerShell to vs 5.0 or later
    • Monitor remote access/RDP logs and disable unused ports
  • Initiate Software and Patch Management Program

    • Consider a centralized patch management system
    • Sign up for CISA's Cyber hygiene services

    • Employ Antivirus Programs

    • install virus protection on all endpoints, keep definitions up to date and monitor regularly
  • Use Endpoint Detection and Response Tools

  • Maintain Rigorous Configuration Management Programs

    • Audit CM progames to ensure they are tracking and mitigating emerging threats
  • Enforce Principle of Least Privilege

    • Ensure all priveleged accounts have minimum permission needed to complete tasks
    • Assign administrators roles for role-based access control (RBAC)
    • Create non-privileged accounts for privileged users
    • Reduce domain and enterprise admin accounts and regularly audit
    • Use a group policy that disables remote interactive logins, and use Domain Protected Users Group
    • Track privileged accounts, use change control for privilege escalations and role changes, enable PrivEsc alert, and log privileged user changes
  • Review Trust Relationships

    • Review existing trust relationships with IT service providers, MSPs and CSPs
    • Remove any unnecessary relationships
    • Review contractual relationships

    • Encourage Remote Work Environment Best Practices

    • Regularly update VPNs, network infrastructure and devices used for remote work environments
    • Require MFA on all VPN connections
    • Monitor network traffic
    • Reduce potential attack surface as possible, including any unused services (especially VPN servers)
  • Establish User Awareness Best Practices

    • Employee awareness can mitigate cyber actor effectiveness, but including:
      • End-user awareness and training
      • Inform employees of the risks of social engineering attacks
      • Ensure employees are aware of what to do / whom to contact if they see something suspicious
  • Apply Additional Best Practice Mitigations

    • Deny atypical inbound activity from known anonymization sources
    • Impose listing policies for applications and remote access
    • Identify and create offline backups for critical assets
    • Implement network segmentation