The recent Russian -Ukraine conflict arises a high possibility of increasing cyber-attacks. Destructive cyber-attacks can be a powerful means to achieve strategic or tactical objectives; however, the risk of reprisal is likely to limit the frequency of use to very select incidents. Destructive cyber-attacks can include destructive malware, wipers, or modified ransomware.
In this circumstances its quiet possible for organization to have a panic as the threat that looms ahead may have a long term effect and remaining extra vigilant in such circumstance to avoid any mishap is perhaps best. As situation evolves closely monitoring of cyber security risks both internal and external becomes essential.
Mandiant has created a task force and initiated a global event to track the crisis and have laid out key pointers in its White Paper titled Proactive Preparation and Hardening to Protect Against Destructive Attacks.(https://www.mandiant.com/media/14506/download)
Key points highlighted here to remain secure for organizations from Mandiant
Critical Assets Protection
Domain Controller and Critical Asset Backups Organizations should verify that backups for domain controllers and critical assets are available and protected against unauthorized access or modification. Backup processes and procedures should be exercised on a continual basis. Backups should be protected and stored within secured enclaves that include both network and identity segmentation.
If an organization’s Active Directory (AD) were to become corrupted or unavailable due to ransomware or a potentially destructive attack, restoring Active Directory from domain controller backups may be the only viable option to reconstitute domain services.
The following domain controller recovery and reconstitution best practices should be proactively reviewed by organizations: • Verify that there is a known good backup of domain controllers and SYSVOL shares (e.g., from a domain controller – backup C:\Windows\SYSVOL). – For domain controllers, a system state backup is preferred. Note: For a system state backup to occur, Windows Server Backup must be installed as a feature on a domain controller. – The following command can be run from an elevated command prompt to initiate a system state backup of a domain controller.
Offline backups: Ensure offline domain controller backups are secured and stored separately from online backups.
• Encryption: Backup data should be encrypted both during transit (over the wire) and when at rest or mirrored for offsite storage.
• DSRM Password validation: Ensure that the Directory Services Restore Mode (DSRM) password is set to a known value for each domain controller. This password is required when performing an authoritative or nonauthoritative domain controller restoration.
• Configure alerting for backup operations: Backup products and technologies should be configured to detect and provide alerting for operations critical to the availability and integrity of backup data (e.g., deletion of backup data, purging of backup metadata, restoration events, media errors).
Enforce role-based access control (RBAC): Access to backup media and the applications that govern and manage data backups should use RBAC to restrict the scope of accounts that have access to the stored data and configuration parameters.
• Testing and verification: Both authoritative and non-authoritative domain controller restoration processes should be documented and tested on a regular basis. The same testing and verification processes should be enforced for critical assets and data.
Business Continuity Planning Critical asset recovery is dependent upon in-depth planning and preparation, which is often included within an organization’s Business Continuity Plan (BCP). Planning and recovery preparation should include the following core competencies:
• A well-defined understanding of crown jewels data and supporting applications that align to backup, failover, and restoration tasks that prioritize mission-critical business operations.
• Clearly defined asset prioritization and recovery sequencing.
• Thoroughly documented recovery processes for critical systems and data. • Trained personnel to support recovery efforts. (Training and verification of manual control processes, including isolation and reliability verification for safety systems).
• Validation of recovery processes to ensure successful execution.
• Clear delineation of responsibility for managing and verifying data and application backups.
• Online and offline data backup retention policies, including initiation, frequency, verification, and testing (for both on-premises and cloud-based data).
• Established service-level agreements (SLAs) with vendors to prioritize application and infrastructure-focused support. Prioritizing evaluations, continuous training, and recovery validation exercises will enable an organization to be better prepared in the event of a disaster.
IT and OT Segmentation Organizations should ensure that there is both physical and logical segmentation between corporate information technology (IT) domains, identities, networks, and assets and those used in direct support of operational technology (OT) processes and control.
- By enforcing IT and OT segmentation, organizations can inhibit a threat actor’s ability to pivot from corporate environments to mission-critical OT assets using compromised accounts and existing network access paths.
- Incoming access from corporate (IT) into OT must terminate within a segmented OT demilitarized zone (DMZ). The OT DMZ must require that a separate level of authentication and access be granted (outside of leveraging an account or endpoint that resides within the corporate IT domain).
• Explicit firewall rules should restrict both incoming traffic from the corporate environment and outgoing traffic from the OT environment.
• Firewalls should be configured using the principle of deny by default, with only approved and authorized traffic flows permitted. Egress (Internet) traffic flows for all assets that support OT should also follow the deny-by-default model.
• Secured enclaves for storing backups, programming logic, and logistical diagrams for systems and devices that comprise the OT infrastructure. • The default usernames and passwords associated with OT devices should always be changed from the default vendor configuration(s).
Egress Restrictions Servers and assets that are infrequently rebooted are highly targeted by threat actors for establishing backdoors to create persistent beacons to command and control (C2) infrastructure. By blocking or severely limiting Internet access for these types of assets, an organization can effectively reduce the risk of a threat actor compromising servers, extracting data, or installing backdoors that leverage egress communications.
(Image Courtesy: www.belfercenter.org)