July 14, 2022
On March 24, 2022, CISA, the FBI, and the Department of Energy released a joint Cybersecurity Advisory describing how, from 2011 to 2018, Russian-sponsored threat actors targeted U.S. and international energy sector organizations. The advisory highlights the historical tactics, techniques, and procedures — as well as the mitigations — organizations should act on now to protect their networks. In part one of our series, we’ll outline some mitigations specifically tailored for enterprise environments.
Cybersecurity Mitigations for Enterprise Environments
According to CISA, the FBI, and the DOE, energy sector and other critical infrastructure organizations should implement the following mitigations immediately to harden their corporate enterprise networks. These mitigations are tailored to counter multiple enterprise techniques observed in the 2011–2018 Russian campaigns.
Privileged Account Management
Manage the creation of, modification of, use of — and permissions associated with — privileged accounts, including SYSTEM and root.
Set and enforce secure password policies for accounts.
Disable or Remove Features or Programs
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.
Operating System Configuration
Make configuration changes to the operating system, or to a common feature of the operating system, that harden the system against adversary techniques.
Enforce multi-factor authentication (MFA) by requiring users to provide two or more pieces of information (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a demilitarized zone (DMZ) to contain any internet-facing services that should not be exposed from the internal network.
Limit Access to Resources over the Network
Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include the use of network concentrators, Remote Desktop Protocol (RDP) gateways, etc.
Block execution of code on a system through application control and/or script blocking.
As we continue to monitor the situation, we’ll keep providing important information and relaying advisories from government agencies, both on our blog and on our social media channels. Sign up for our newsletters and follow us on Facebook, Twitter, and LinkedIn to stay up to date on what’s happening.
Throughout this, we will of course continue helping organizations achieve and retain cybersecurity compliance with government agencies — especially as regulations and recommendations are in flux. Contact us today for your free consultation.