By Ivan Vinogradov, Security analyst, Logpoint, and Jan Quach, Global Director of
Customer Success Engineering, Logpoint
With recent events in Ukraine, it is to be expected that the types of cyberattacks organizations face will become more aggressive, advanced, and persistent, due to the involvement of state actors and organized crime groups who have the means to perform and sustain such acts over prolonged periods.
One such group, Conti, has gone public with the intent to engage in retributive actions against governments that introduce sanctions against Russia, its host state.
This is a matter that should not be taken lightly as anyone can become a victim of these cyberattacks — both directly and indirectly.
Call-to-action – Practical steps for increasing your security posture
In the situation we find ourselves in, the threat largely seems to apply to utility industries, organizations relevant to government or social functions, or simply large, high-profile enterprises whose compromise would garner media attention.
Given today's interconnected ecosystems and supply chains, an organization that is not a direct target can still be affected indirectly by attacks on the companies it interacts or subcontracts with, as has happened in the past.
Though it sounds daunting, there are actions available to strengthen an organization’s cybersecurity posture.
Below are our five recommendations:
1. Contextualize and analyze a potential threat
Threat intelligence is an important knowledge base of cyber threats and their modus operandi. It is valuable because it enables an organization to analyze identified threats and evaluate their validity and potential impact on its own environment.
It is essential to have high-quality threat intelligence feeds and suppliers, such as Recorded Future, CrowdStrike, or Mandiant to name a few, that have a proven track record of relevant threat intelligence on state-focused attacks. There are also free and publicly available threat intelligence offerings that can be utilized. Some of these sources might generate a significant number of false positives, which would require further analyst review or automated filtering.
Government CERTs, industry-specific cyber-related publications, and vendor reports are reliable sources of threat intelligence and protective measures, though some might be insufficient for novel attacks.
Most SIEM vendors, endpoint management, and other higher-level security solutions integrate with threat intelligence sources whether through STIX/TAXII or directly.
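As an added example (not Logpoint code, and not any specific vendor's feed), the following script shows the mechanics of consuming a STIX 2.1 bundle of the kind a TAXII collection returns and matching its indicators against proxy log lines, with a confidence threshold that keeps the noisier free-feed entries from paging an analyst. The bundle, the log lines, the threshold and the indicator IDs are all constructed; addresses come from the RFC 5737 documentation ranges and the domains are reserved example names. Only the simplest STIX pattern shape (one equality test on one observable) is parsed; real feeds also carry compound patterns, which this script skips rather than mis-parses.

```python
"""Match STIX 2.1 indicators from a threat-intelligence feed against log lines.

Added example, not Logpoint's code. The STIX bundle, the proxy log and the
confidence threshold are constructed for illustration.
"""
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed STIX 2.1 bundle, in the shape a TAXII collection poll returns.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "C2 address (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "confidence": 85, "valid_from": "2022-03-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Staging domain (constructed)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.net']",
         "confidence": 60, "valid_from": "2022-03-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Low-confidence entry from a free feed (constructed)",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn.example.com']",
         "confidence": 20, "valid_from": "2022-03-01T00:00:00Z"},
    ],
})

# Only the simplest STIX pattern shape is handled: a single equality test on
# one observable. Compound patterns are skipped rather than mis-parsed.
_SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name|url):value = '([^']+)'\]$")

Indicator = Tuple[str, str, int]  # (observable value, indicator id, confidence)


def parse_indicators(bundle_json: str, min_confidence: int = 50) -> Dict[str, Dict[str, Indicator]]:
    """Index indicators as {observable type: {value: (value, id, confidence)}}.

    Indicators below min_confidence are dropped: noisy free feeds are the
    main source of false positives, and a threshold is the simplest filter.
    """
    index: Dict[str, Dict[str, Indicator]] = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not m:
            continue
        kind, value = m.group(1), m.group(2).lower()
        confidence = int(obj.get("confidence", 0))
        if confidence < min_confidence:
            continue
        index.setdefault(kind, {})[value] = (value, obj["id"], confidence)
    return index


# Constructed proxy log: time, source host, method, target, destination IP, status.
PROXY_LOG = """\
2022-03-02T09:14:02Z ws-017 GET https://www.example.com/ 198.51.100.10 200
2022-03-02T09:14:05Z ws-017 GET https://update.example.net/agent.bin 198.51.100.77 200
2022-03-02T09:15:41Z srv-fs01 CONNECT 203.0.113.5:443 203.0.113.5 200
2022-03-02T09:16:00Z ws-022 GET https://cdn.example.com/app.js 198.51.100.12 200
"""

_LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def _target_host(method: str, target: str) -> str:
    """Extract the destination host name from a proxy request target."""
    if method == "CONNECT":  # CONNECT targets are host:port with no scheme
        return target.rsplit(":", 1)[0].lower()
    return (urlparse(target).hostname or "").lower()


def match_log(index: Dict[str, Dict[str, Indicator]], log_text: str) -> List[dict]:
    """Return one hit per log line whose destination matches an indicator."""
    ips = index.get("ipv4-addr", {})
    domains = index.get("domain-name", {})
    hits: List[dict] = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue
        ts, host, method, target, dst_ip, _status = m.groups()
        matched = ips.get(dst_ip) or domains.get(_target_host(method, target))
        if matched:
            value, ind_id, confidence = matched
            hits.append({"time": ts, "host": host, "observable": value,
                         "indicator": ind_id, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in match_log(parse_indicators(STIX_BUNDLE), PROXY_LOG):
        print(hit)
```

Lowering `min_confidence` to 0 surfaces the `cdn.example.com` hit as well, which is the kind of low-value match the text warns about; in practice the dropped entries are better kept for enrichment of an existing case than turned into alerts of their own.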
2. Detective capability
A good defense requires an effective detection mechanism, usually provided by the SIEM and built on the foundational telemetry of Sysmon, which allows detection of a wide range of attacks. One of these is ransomware, a mainstay of the actors behind advanced and persistent cyberattacks. An example of the telemetry involved is PowerShell activity, which is common to almost all types of malware in the wild.
We recommend that you start with the Sysmon configuration template hosted here. Sysmon can be downloaded from the dedicated Microsoft page and deployed through Group Policy; we recommend that IT and security managers deploy it on endpoints as well as servers.
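To make the PowerShell point concrete, here is an added example (not Logpoint code and not part of any Sysmon configuration template) of the detection logic a SIEM rule would apply to Sysmon Event ID 1 (process creation) records. The events are constructed to resemble the EventData fields a SIEM parses from Sysmon, and the encoded command in the suspicious event is the harmless cmdlet `Get-Date`. The scoring weights, the alert threshold and the list of parent processes are assumptions to be tuned against your own baseline; the script also decodes any `-EncodedCommand` payload so an analyst can read what was actually run.

```python
"""Score Sysmon process-creation events (Event ID 1) for suspicious PowerShell use.

Added example, not Logpoint's code or any Sysmon configuration. Events,
weights, threshold and parent-process list are constructed assumptions.
"""
import base64
import re
from typing import List, Optional

# PowerShell's -EncodedCommand takes base64 of UTF-16LE text. The constructed
# payload here is the harmless cmdlet "Get-Date".
_ENCODED_BENIGN = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")

_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records
    {"UtcTime": "2022-03-02 02:00:01.000", "Image": _PS,
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM", "ProcessId": "4120"},
    {"UtcTime": "2022-03-02 09:31:44.000", "Image": _PS,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED_BENIGN}",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\jsmith", "ProcessId": "7788"},
    {"UtcTime": "2022-03-02 09:40:10.000", "Image": _PS,
     "CommandLine": "powershell.exe Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\mlee", "ProcessId": "8012"},
    {"UtcTime": "2022-03-02 09:41:00.000", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\mlee", "ProcessId": "8044"},
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Parents that rarely have a legitimate reason to launch a shell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are common ones.
_ENC_FLAG = re.compile(r"^-(e|ec|en|enc|encodedcommand)$", re.I)
ALERT_THRESHOLD = 50  # assumed


def _basename(path: str) -> str:
    """Windows-style basename that also works when run on a non-Windows host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _ENC_FLAG.match(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                return None
    return None


def analyze_event(event: dict) -> Optional[dict]:
    """Score one Sysmon Event ID 1 record; None when it is not a PowerShell launch."""
    if _basename(event["Image"]) not in POWERSHELL_IMAGES:
        return None
    tokens = event["CommandLine"].lower().split()
    score, reasons = 0, []
    if _basename(event["ParentImage"]) in OFFICE_PARENTS:
        score += 40
        reasons.append("office_parent")
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-w", "-win", "-windowstyle") and nxt.startswith("h"):
            score += 20
            reasons.append("hidden_window")
        elif tok in ("-ep", "-exec", "-executionpolicy") and nxt == "bypass":
            score += 10
            reasons.append("execution_policy_bypass")
        elif tok in ("-nop", "-noprofile"):
            score += 5
            reasons.append("no_profile")
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        score += 30
        reasons.append("encoded_command")
    return {"time": event["UtcTime"], "user": event["User"], "pid": event["ProcessId"],
            "parent": _basename(event["ParentImage"]), "score": score,
            "reasons": reasons, "decoded_command": decoded}


def analyze_events(events: List[dict], threshold: int = ALERT_THRESHOLD) -> List[dict]:
    """Return findings at or above the alert threshold, ready for the analyst queue."""
    scored = [analyze_event(e) for e in events]
    return [f for f in scored if f is not None and f["score"] >= threshold]


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding)
```

The scheduled backup script in the first event scores low on its own, which is the point of weighting rather than matching single flags: an execution-policy bypass is common in administration, while an Office parent launching a hidden, encoded PowerShell is the combination worth an alert.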
3. Protective capability
Account control is the most important aspect of an organization’s security. All entities, whether petty criminals or governments, utilize the strategy of gaining control of valid credentials.
Most security solutions are equipped to deal with account takeover. For example, LogPoint SIEM+SOAR has MITRE ATT&CK-based detection rules and automation playbooks to detect, investigate, and respond automatically, while the LogPoint UEBA solution alerts on a behavior change in a given account. However, it is not necessary to own a sophisticated and automated solution to secure your organization's accounts. Restricting privileges and setting up password requirements in Active Directory is the first essential step towards account security.
This is also doable with orchestration solutions such as Puppet if your environment is mixed or Linux-based, or if your business requires a wide fleet of virtual machines.
This, in turn, provides a countermeasure to some of the most destructive strains of malware, such as Conti's ransomware attacks. Standard security best practices are just as important: periodic backups, MFA, and so on.
However, in the case of Conti, the actors announced malicious intent rather than pure financial motivation. In this case, we recommend that you also look at less explored controls, such as segmenting away your most valuable infrastructure, and primarily data, given the aggressive nature of the adversary, as well as implementing at the very least a basic honeypot.
The latter is important for rapid detection: a single server that users never legitimately access is easy to monitor with almost any solution, and most ransomware tactics still involve discovery and lateral movement that will eventually touch it.
4. Response capability
Threat intelligence, Sysmon, and access controls are all pieces of the security puzzle. But in the modern environment it is crucial to have a centralized overview. This can be achieved by a basic log management solution, a SIEM, or a SIEM augmented with automation capabilities.
A SIEM provides the ability to contextualize, evaluate, validate, and investigate across multiple security controls, giving operations and response teams a much-needed health overview of an organization’s IT infrastructure that results in a quicker response to potential threats.
Once you have a SIEM or another aggregation/orchestration solution, it is easy to configure a much tighter feedback loop in terms of time-to-detect for a particular threat. For example, LogPoint implements this with alerting configured to detect wider patterns rather than a single message.
An extended version of a SIEM would be a SIEM with automation, for example the LogPoint SIEM+SOAR. However, we recommend focusing first on implementing alerts dedicated to detecting threats and collecting logs necessary to trigger them, before redirecting efforts to automate the Incident Response process.
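The two ideas above, alerting on a wider pattern rather than a single message and treating a honeypot as a canary that nobody should ever touch, can be shown in one small correlation routine. This is an added example, not LogPoint's alerting logic. The log lines are constructed in a simplified key=value form around Windows Security event IDs 4624 (successful logon) and 4625 (failed logon); the honeypot host name `hny-fs02`, the allowlisted monitoring account `svc_monitor`, the ten-minute window and the five-failure threshold are all assumptions.

```python
"""Correlate Windows logon events into wider-pattern alerts, plus a honeypot canary.

Added example, not LogPoint's alerting. Log lines, host names, accounts,
window and threshold are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed log: time, host, event id, then key=value fields.
SAMPLE_LOG = """\
2022-03-02T08:30:00 srv-dc01 4625 user=admin src=198.51.100.23 logon_type=3
2022-03-02T09:00:00 hny-fs02 4624 user=svc_monitor src=10.0.0.9 logon_type=3
2022-03-02T09:00:05 srv-dc01 4625 user=admin src=198.51.100.23 logon_type=3
2022-03-02T09:00:12 srv-dc01 4625 user=administrator src=198.51.100.23 logon_type=3
2022-03-02T09:00:20 srv-dc01 4625 user=backup src=198.51.100.23 logon_type=3
2022-03-02T09:00:31 srv-dc01 4625 user=svc_sql src=198.51.100.23 logon_type=3
2022-03-02T09:00:40 srv-dc01 4625 user=jsmith src=198.51.100.23 logon_type=3
2022-03-02T09:00:50 srv-dc01 4625 user=jsmith src=198.51.100.23 logon_type=3
2022-03-02T09:01:10 srv-dc01 4624 user=jsmith src=198.51.100.23 logon_type=3
2022-03-02T09:05:00 ws-014 4625 user=mlee src=10.0.0.5 logon_type=2
2022-03-02T09:05:20 ws-014 4625 user=mlee src=10.0.0.5 logon_type=2
2022-03-02T09:06:00 ws-014 4624 user=mlee src=10.0.0.5 logon_type=2
2022-03-02T09:12:33 hny-fs02 4624 user=jsmith src=198.51.100.23 logon_type=3
"""

HONEYPOT_HOSTS = {"hny-fs02"}          # assumed name of the decoy server
HONEYPOT_ALLOWLIST = {"svc_monitor"}   # assumed monitoring/backup account


def parse_line(line: str) -> dict:
    """Parse one constructed log line into an event dict."""
    ts, host, event_id, *fields = line.split()
    ev = {"time": datetime.fromisoformat(ts), "host": host.lower(), "event_id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def correlate(log_text: str, window_minutes: int = 10, threshold: int = 5) -> List[dict]:
    """Return alerts for (1) any non-allowlisted logon activity on a honeypot and
    (2) a successful logon preceded by >= threshold failures from the same source
    within the window. Events are processed in time order."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["time"])
    window = timedelta(minutes=window_minutes)
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    for ev in events:
        base = {"time": ev["time"].isoformat(), "host": ev["host"],
                "src_ip": ev["src"], "user": ev["user"]}
        # Rule 1, the canary: a single event is enough, because no one except the
        # monitoring account should ever log on to this server. Failed attempts count too.
        if (ev["host"] in HONEYPOT_HOSTS and ev["event_id"] in (4624, 4625)
                and ev["user"].lower() not in HONEYPOT_ALLOWLIST):
            alerts.append({"rule": "honeypot_access", **base})
        # Rule 2, the wider pattern: keep a sliding window of failures per source
        # and fire when a success follows enough of them.
        if ev["event_id"] == 4625:
            failures[ev["src"]].append(ev["time"])
        elif ev["event_id"] == 4624:
            recent = failures[ev["src"]]
            while recent and ev["time"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({"rule": "failed_logons_then_success",
                               "failures_in_window": len(recent), **base})
                recent.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The two typos by `mlee` on the workstation stay below the threshold and produce nothing, while the burst against the domain controller produces one alert with the failure count attached, and the later touch of the honeypot by the same source fires on a single event. Both rules work from the same logs a basic log management solution already collects, which is why the text recommends getting alerts and log collection in place before investing in automation.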
5. Recovery – Business continuity
From a resilience perspective, engage, test, and run drills on the business continuity plans. Expect to be impacted and ensure that staff is trained, systems have restoration capabilities, and response teams have the necessary tools to recover from an impact to their IT infrastructure. A common capability in any recovery situation involves recovery tools such as incident management, communications channels, restoration points, etc. If the IT infrastructure is unavailable due to the attack, the incident team will need separate platforms to effectively manage their incident response, communications, and access to recovery plans and data recovery points.
Making life difficult for the attacker
These steps should increase your security posture in light of the current wave of attacks – they include some standard advice as well as some lesser-known practices. It is important to realize that there is no perfect security strategy, but a defender can, with a bit of effort, make it significantly more difficult for a sophisticated attacker to succeed.