Cyber Check-List: Ukrainian Crisis

Several days ago, our friends at FortiGuard Labs shared a valuable checklist in light of the current Ukrainian crisis. We would like to share it with our readers and thank Fortinet. With Russian military operations currently underway in Ukraine, the question of whether cyber warfare will also be employed remains unanswered. While researchers have seen cases of destructive cyber actions focused on Ukraine, at this point specific attribution is not possible.

As a result of these actions, there is a heightened sense of concern among many organizations, both public and private. Cyber security firms such as Fortinet are focusing on protecting organizations by helping them prepare for potential cyberattacks. To that end, Fortinet has put together a cyber readiness checklist. While many of these suggestions are standard cyber hygiene protocols and best practices, a reminder to do the basics never hurts, especially when there are so many other concerns. In the same way that hand washing helps in our fight against COVID-19, simple actions can also go a long way towards fighting cyberthreats.

Key Takeaways

  1.  Patching: Ensure that all systems are fully patched and updated
  2.  Protection Databases: Make sure your security tools have the latest databases 
  3.  Backup: Create or update offline backups for all critical systems
  4.  Phishing: Conduct phishing awareness training and drills 
  5.  Hunt: Proactively hunt for attackers in your network using the known TTPs of Russian threat actors
  6.  Emulate: Test your defenses to ensure they can detect the known TTPs of Russian threat actors 
  7.  Response: Test your incident response against fictitious, real-world scenarios
  8.  Stay up to Date: Subscribe to threat intelligence feeds like Fortinet Threat Signals 

Detailed Actions

  1. Patching: Threat actors often target unpatched vulnerabilities in a victim’s network.  As a result, the first line of defense should always be patch management and running fully patched systems.   For organizations interested in focusing on specific vulnerabilities, CISA maintains a list of specific CVEs used in the past by Russian threat actors.  But the better approach is to simply focus on being up to date all the time.  This is also true for air-gapped environments, and now is a good time to ensure that these systems have been patched as well. And remember, patching is important not only for workstations and servers but also for security and networking products.
  2. Leverage Protection Databases: FortiGuard Labs continuously creates new detection rules, signatures, and behavioral models for threats that are discovered in our extensive threat intelligence framework. These are quickly propagated to all Fortinet products. Make sure that all protection databases are updated regularly.
  3. Backup Critical Systems: Many attacks come in the form of ransomware or wiper malware. The best defense against the destruction of data by such malware is to keep up-to-date backups. It is equally important that these backups are kept offline since malware often tries to find backup servers to destroy backups as well. The current crisis is a good opportunity to check whether backups really exist (not just on paper) and run recovery exercises with the IT team.
  4. Phishing: Phishing attacks are still the most common entry points for attackers. Now is a good time to run a phishing awareness campaign to heighten the awareness of everybody at your organization and to ensure they know how to recognize and report malicious emails.
  5. Hunt: The sad truth is that if your organization plays any sort of role in this conflict, then adversaries may already be in your network. Running threat hunting engagements can be vital in detecting adversaries before they install spyware or cause serious destruction. For threat hunting, you can use the known Tactics, Techniques, and Procedures (TTPs) below. 
  6. Emulate: The TTPs listed below can be also used to evaluate whether your security infrastructure is able to detect them. Running emulation exercises can uncover configuration problems and blind spots that attackers might leverage to move around in your network undetected.
  7. Response: A quick and organized incident response will be crucial when a compromise is discovered. Now is a good opportunity to review procedures for responding to an incident, including disaster recovery and business continuity strategies. If you have your own incident response team, you can run tabletop exercises or fictitious scenarios to ensure everything will run smoothly should a compromise occur.
  8. Stay up to Date: It is crucial that the actions listed here are not performed just once. Staying up to date and patched, monitoring vulnerabilities, and maintaining threat awareness are actions that must be performed continuously. One way to learn about the newest threats as they are discovered is to follow the FortiGuard Threat Signals.

Tactics, Techniques, and Procedures

For hunting adversaries in your networks, CISA recommends looking for the following TTPs:

| Tactic | Technique | Procedure |
|---|---|---|
| Reconnaissance [TA0043] | Active Scanning: Vulnerability Scanning [T1595.002] | Russian state-sponsored APT (Advanced Persistent Threat) actors have performed large-scale scans to find vulnerable servers. |
| Reconnaissance [TA0043] | Phishing for Information [T1598] | Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. |
| Resource Development [TA0042] | Develop Capabilities: Malware [T1587.001] | Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. |
| Initial Access [TA0001] | Exploit Public-Facing Applications [T1190] | Russian state-sponsored APT actors target publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. |
| Initial Access [TA0001] | Supply Chain Compromise: Compromise Software Supply Chain [T1195.002] | Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. |
| Execution [TA0002] | Command and Scripting Interpreter: PowerShell [T1059.001] and Windows Command Shell [T1059.003] | Russian state-sponsored APT actors have used cmd.exe to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands. |
| Persistence [TA0003] | Valid Accounts [T1078] | Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. |
| Credential Access [TA0006] | Brute Force: Password Guessing [T1110.001] and Password Spraying [T1110.003] | Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. |
| Credential Access [TA0006] | OS Credential Dumping: NTDS [T1003.003] | Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit. |
| Credential Access [TA0006] | Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003] | Russian state-sponsored APT actors have performed "Kerberoasting," whereby they obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names (SPNs) for offline cracking. |
| Credential Access [TA0006] | Credentials from Password Stores [T1555] | Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. |
| Credential Access [TA0006] | Exploitation for Credential Access [T1212] | Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability CVE-2020-1472 to obtain access to Windows Active Directory servers. |
| Credential Access [TA0006] | Unsecured Credentials: Private Keys [T1552.004] | Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML (Security Assertion Markup Language) signing certificates. |
| Command and Control [TA0011] | Proxy: Multi-hop Proxy [T1090.003] | Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic. |
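As an added example for the "Hunt" and "Emulate" items above (not part of Fortinet's checklist or the CISA table), the following Python sketch applies two simple hunting rules to Windows Security events: Kerberoasting [T1558.003] shows up as one account requesting RC4-encrypted (type 0x17) service tickets for several distinct SPNs (event ID 4769), and password spraying [T1110.003] as one source address failing logons (event ID 4625) against many distinct accounts. The event records, field names and thresholds are constructed assumptions; map them to your own SIEM's field names.

```python
from collections import defaultdict

# Constructed sample events (not real logs). Only the fields the rules need are kept:
# 4769 = Kerberos service ticket requested, 4625 = failed logon.
SAMPLE_EVENTS = [
    {"id": 4769, "account": "jdoe", "service": "MSSQLSvc/db01.corp.local", "enc_type": "0x17", "src_ip": "10.0.0.5"},
    {"id": 4769, "account": "jdoe", "service": "HTTP/web01.corp.local", "enc_type": "0x17", "src_ip": "10.0.0.5"},
    {"id": 4769, "account": "jdoe", "service": "CIFS/fs01.corp.local", "enc_type": "0x17", "src_ip": "10.0.0.5"},
    {"id": 4769, "account": "bob", "service": "MSSQLSvc/db01.corp.local", "enc_type": "0x12", "src_ip": "10.0.0.8"},
    {"id": 4769, "account": "svc-backup", "service": "krbtgt/CORP.LOCAL", "enc_type": "0x17", "src_ip": "10.0.0.12"},
    {"id": 4625, "account": "alice", "src_ip": "203.0.113.7"},
    {"id": 4625, "account": "bob", "src_ip": "203.0.113.7"},
    {"id": 4625, "account": "carol", "src_ip": "203.0.113.7"},
    {"id": 4625, "account": "dave", "src_ip": "203.0.113.7"},
    {"id": 4625, "account": "alice", "src_ip": "203.0.113.7"},
    {"id": 4625, "account": "eve", "src_ip": "10.0.0.9"},
]

RC4_HMAC = "0x17"  # ticket encryption type favoured for offline cracking; AES is 0x11/0x12


def detect_kerberoasting(events, min_spns=2):
    """Return {account: [SPNs]} for accounts requesting RC4 TGS tickets for >= min_spns distinct SPNs.

    Computer accounts (ending in '$') and krbtgt tickets are excluded to reduce noise.
    """
    spns = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e.get("enc_type") != RC4_HMAC:
            continue
        if e["account"].endswith("$") or e["service"].lower().startswith("krbtgt/"):
            continue
        spns[e["account"]].add(e["service"])
    return {acct: sorted(s) for acct, s in spns.items() if len(s) >= min_spns}


def detect_password_spraying(events, min_accounts=3):
    """Return {src_ip: [accounts]} for sources with failed logons against >= min_accounts distinct accounts."""
    accounts = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            accounts[e["src_ip"]].add(e["account"])
    return {ip: sorted(a) for ip, a in accounts.items() if len(a) >= min_accounts}


def hunt(events):
    """Run both rules and return their findings together."""
    return {"kerberoasting": detect_kerberoasting(events), "password_spraying": detect_password_spraying(events)}


if __name__ == "__main__":
    for rule, hits in hunt(SAMPLE_EVENTS).items():
        print(rule, hits)
```

Tune the thresholds and the exclusion lists against a baseline of your own environment before alerting on them, since some legacy services legitimately request RC4 tickets.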

For Additional TTPs Review These Known Actors

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators. In close cooperation with other private cyber security companies and various governments, we stand to make the global networks safer for all allies. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989
