Protecting The Company
A few notes I came up with when thinking about what a company could do to protect itself from aggressive threats that are a byproduct of geopolitical turmoil.
It’s hard to decide what can be done quickly, as that depends on the complexity of the infrastructure, the available human resources and how hard it is to introduce new services into the infrastructure.
Most common attacks:
- E-mail phishing targeting employees - common themes are e-mails about a current event (COVID, the crisis) carrying an attachment that leads to compromise (disk wiper, ransomware or spyware), or a link to a phishing site.
- Supply chain attacks by taking over a third-party library used by the company infrastructure.
- Exploitation of a publicly accessible system that has a known vulnerability (found using Shodan dorks, the nuclei vulnerability scanner, …).
- DDoS attacks directly on the services you provide, or on services hosted on your infrastructure.
- BGP route hijacking that redirects network traffic through the attacker’s infrastructure.
Fastest (partial) remediation:
- Identify your most valuable assets which you cannot lose in any scenario.
- Create a back-of-the-envelope strategy for backups, disaster recovery and business continuity.
- Prepare and execute an information campaign for all employees, informing them about the likelihood of phishing (and other types of) attacks.
- Use e-mail attachment filtering & quarantine.
- Roll out two-factor authentication for internal and third-party services used in daily work. Passwords are not enough. Roll it out for network appliances too, if possible.
- Scan the whole autonomous system under your control with a vulnerability scanner, collect the results and notify the service owners about the problems. If you are not an ASN owner, scan your IP ranges.
- Create an asset inventory of all exposed services and rescan the infrastructure periodically: “If You’re Not Doing Continuous Asset Management You’re Not Doing Security”.
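The periodic rescan only pays off if someone compares the new results with the inventory and tells the right team about changes. The script below is an added example, not code from this post: it parses two scan results in nmap’s grepable (-oG) line format, diffs the open ports per host, and groups the findings by a hypothetical owner map keyed by network range. The scan lines, the owner map and the service names are constructed for the example; the ranges are RFC 5737 documentation addresses.

```python
"""Added example: diff two scan runs and route new/closed exposures to owners."""
from collections import defaultdict
import ipaddress
import re

# Matches an nmap -oG host line: "Host: <ip> (<name>)\tPorts: <entries>\t..."
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) .*?Ports: (?P<ports>[^\t]+)")

# Constructed owner map (hypothetical): which team is responsible for which range.
OWNERS = {"192.0.2.0/25": "web-team", "192.0.2.128/25": "infra-team"}


def parse_grepable(text):
    """Return {ip: {port: (service, version)}} for ports reported as open."""
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports field
        ports = {}
        for entry in m.group("ports").split(", "):
            # entry layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue  # ignore filtered/closed ports
            ports[int(fields[0])] = (fields[4], fields[6])
        inventory[m.group("ip")] = ports
    return inventory


def diff_inventory(old, new):
    """Return sorted lists of (ip, port, service) that appeared and disappeared."""
    appeared, disappeared = [], []
    for ip in set(old) | set(new):
        before, after = old.get(ip, {}), new.get(ip, {})
        for port in after.keys() - before.keys():
            appeared.append((ip, port, after[port][0]))
        for port in before.keys() - after.keys():
            disappeared.append((ip, port, before[port][0]))
    return sorted(appeared), sorted(disappeared)


def owner_of(ip):
    """Map an address to its owning team via the constructed OWNERS ranges."""
    addr = ipaddress.ip_address(ip)
    for net, team in OWNERS.items():
        if addr in ipaddress.ip_network(net):
            return team
    return "unassigned"


def notifications(old_text, new_text):
    """Build per-team messages from the diff of two scan outputs."""
    appeared, disappeared = diff_inventory(parse_grepable(old_text), parse_grepable(new_text))
    out = defaultdict(list)
    for ip, port, svc in appeared:
        out[owner_of(ip)].append(f"NEW exposed service {svc} on {ip}:{port}")
    for ip, port, svc in disappeared:
        out[owner_of(ip)].append(f"closed: {svc} on {ip}:{port}")
    return dict(out)


# Constructed sample scans in -oG style (not real scan results).
OLD_SCAN = """\
# Nmap scan (constructed sample, grepable output)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx 1.22/\tIgnored State: closed (998)
Host: 192.0.2.130 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/\tIgnored State: closed (999)
"""
NEW_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 25/filtered/tcp//smtp///, 8080/open/tcp//http-proxy//Jetty 9.4/\tIgnored State: closed (997)
Host: 192.0.2.130 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.0.2.200 ()\tPorts: 5432/open/tcp//postgresql//PostgreSQL 14/\tIgnored State: closed (999)
"""

if __name__ == "__main__":
    for team, messages in notifications(OLD_SCAN, NEW_SCAN).items():
        print(team)
        for msg in messages:
            print("  " + msg)
```

Run on a cron schedule, the previous run’s output becomes `OLD_SCAN` and the diff is what the owners actually need to read; a service that appears on a host nobody has claimed (`unassigned`) is itself a finding worth chasing.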
Nontrivial long-term tasks:
- Have an incident response procedure: who should be contacted, who knows what; have a forensic investigator or company contracted if you don’t have the required knowledge available internally.
- Collect the logs and funnel them into a log management system (Graylog or a commercial one).
- Have alerts for when a Tor (onion router) IP address, or an address obtained from Shadowserver and similar feeds, is spotted in the logs.
- Have thresholds for multiple events occurring in a short time, like logins or connection attempts from a suspicious IP address. Define and monitor events that employee accounts should never, ever do (run PowerShell, scan the network).
- Check whether your internet provider is using cryptographic signatures for BGP: https://isbgpsafeyet.com/. If not, start a discussion.
- Use a vulnerability assessment system (OpenVAS, Zed Attack Proxy, Nexpose) and follow up on the findings with the relevant stakeholders.
- Apply least privilege where possible, so that compromised accounts have limited impact on the company.
- Deploy an intrusion detection system on the network (IDS/IPS such as Snort or Suricata).
- Really hard step - implement file integrity monitoring on all critical systems. Introducing daemons with elevated privileges into an infrastructure adds new attack surface, so it’s worth reconsidering how to implement this functionality.
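The three alerting rules from the list above (feed matches, event thresholds, actions an employee account should never perform) are easy to mock up before committing to a log management product. The following is an added example, not code from this post or from any of the tools it mentions: it runs the three rules over constructed log lines in an invented `<timestamp> <event> user=… src=… [result=…]` format. The threat feed networks (RFC 5737 documentation ranges), the account names, the forbidden event names and the threshold values are all assumptions made for the example.

```python
"""Added example: toy alerting rules for a log stream (constructed format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed threat feed. In practice this is loaded from Tor exit node lists,
# Shadowserver reports or similar feeds; these are documentation ranges only.
THREAT_FEED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Events that ordinary employee accounts should never generate (hypothetical names).
FORBIDDEN_ACTIONS = {"run_powershell", "network_scan"}
ADMIN_ACCOUNTS = {"svc-backup"}      # constructed: accounts allowed to do the above

FAIL_THRESHOLD = 5                   # this many failed logins from one source ...
WINDOW = timedelta(seconds=60)       # ... within this sliding window raise an alert

# Constructed line format: <ISO-8601 ts> <event> user=<name> src=<ip> [result=<ok|fail>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: result=(?P<result>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def in_feed(ip):
    """True if the address string falls inside any network on the threat feed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in THREAT_FEED)


def analyse(lines):
    """Apply the three rules; return a list of (rule, detail) alerts in log order."""
    alerts = []
    reported = set()                  # (rule, key) already alerted, to avoid floods
    failures = defaultdict(deque)     # src -> timestamps of recent failed logins

    def alert(rule, key, detail):
        if (rule, key) not in reported:
            reported.add((rule, key))
            alerts.append((rule, detail))

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        # Rule 1: the source address is on a threat feed.
        if in_feed(src):
            alert("feed_match", src, f"{src} seen in logs (user={ev['user']})")
        # Rule 2: too many failed logins from one source inside the sliding window.
        if ev["event"] == "login" and ev["result"] == "fail":
            q = failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()           # drop failures older than the window
            if len(q) >= FAIL_THRESHOLD:
                alert("login_threshold", src,
                      f"{len(q)} failed logins from {src} in {WINDOW.seconds}s")
        # Rule 3: a non-admin account did something employee accounts never should.
        if ev["event"] in FORBIDDEN_ACTIONS and ev["user"] not in ADMIN_ACCOUNTS:
            alert("forbidden_action", ev["user"],
                  f"{ev['user']} performed {ev['event']} from {src}")
    return alerts


# Constructed sample log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login user=alice src=192.0.2.10 result=ok
2024-03-01T10:00:05Z login user=bob src=198.51.100.20 result=fail
2024-03-01T10:00:09Z login user=bob src=198.51.100.20 result=fail
2024-03-01T10:00:14Z login user=bob src=198.51.100.20 result=fail
2024-03-01T10:00:20Z login user=bob src=198.51.100.20 result=fail
2024-03-01T10:00:25Z login user=bob src=198.51.100.20 result=fail
2024-03-01T10:01:30Z login user=bob src=198.51.100.20 result=fail
2024-03-01T10:02:00Z login user=carol src=203.0.113.5 result=ok
2024-03-01T10:03:00Z run_powershell user=alice src=192.0.2.10
2024-03-01T10:03:30Z run_powershell user=svc-backup src=192.0.2.11
"""

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {detail}")
```

On the sample, the fifth failure at 10:00:25 trips the threshold, the sixth at 10:01:30 does not because the earlier ones have aged out of the window, the successful login from the feed address still alerts, and the PowerShell run by the non-admin account alerts while the service account’s does not. The per-(rule, key) deduplication is what keeps one noisy source from drowning the channel; the same idea maps directly onto the alert definitions of Graylog or a commercial SIEM.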
Noteworthy sources
A good step in a long-term cybersecurity program is to check SOC 2 or similar certifications, as these show what protection mechanisms are required across multiple domains:
https://blog.rsisecurity.com/what-are-the-soc-2-compliance-requirements/
https://www.imperva.com/learn/data-security/soc-2-compliance/
Another source is the NIST Cybersecurity Framework:
https://www.nist.gov/cyberframework